The product
Each module is rate-limited, audit-logged, and safety-pinned. Together they answer one question: is your perimeter actually doing what you said it does?
Identify open ports, services, banners, OS fingerprints, and protocols across your authorized scope. Tools: Nmap, naabu, custom safe TCP/UDP probes.
Vendor-neutral rule parsing into a normalized intermediate representation. Detectors run over the normalized model — same logic across all vendors.
Verifies which services are externally reachable, and checks security posture without authentication attempts. Probes are HEAD/OPTIONS-only.
Multi-vantage TCP handshake probes prove allowed/denied paths between declared zones. Result: violation matrix against your policy.
WORM-locked, encrypted, hash-chained evidence. Every finding is replayable; every export is signed.
CVSS base score × business context multiplier. Each finding maps to MITRE ATT&CK techniques, CIS Controls, and your compliance frameworks.
Templated, signed, deliverable in five formats. Executive, technical, compliance, and remediation reports.
Claude-powered explanation, recommendation, and natural-language querying — strictly tenant-scoped, never the source of truth.
The platform
Each module is purpose-built and rate-limited. Together they answer the one question that matters: is the perimeter actually doing what we said it does?
Nmap, naabu, and custom safe probes map open ports, services, banners, and protocols across your authorized scope.
Parsers for Palo Alto, FortiGate, Cisco ASA, Check Point, pfSense, Juniper, SonicWall, Sophos. Detects any-any, shadow rules, missing egress.
Verifies which services are externally reachable. Flags exposed RDP, SMB, SNMP, Telnet, weak TLS, expired or default certificates.
Multi-vantage TCP handshake probes prove which zones can — and can't — talk. Violations against your declared policy are surfaced immediately.
Object-locked storage with a tamper-evident hash chain. Every finding is replayable for audit, with full chain-of-custody.
CVSS base score × business context. Mapped to MITRE ATT&CK, CIS Controls, PCI-DSS, ISO 27001, NIST CSF, GDPR, and DPDPA.
Executive, technical, and compliance reports in PDF, DOCX, JSON, CSV, or HTML — all cryptographically signed and verifiable.
Claude-powered explanations, natural-language queries over findings, and remediation guidance grounded in vendor docs and CIS benchmarks.
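Two of the rule-analysis checks named above (any-any and shadowed rules) running over a normalized rule model, as an added Go example that is not the product's code. The Rule struct, its field names, first-match evaluation order and the sample three-rule policy are all assumptions made here; the page does not publish its intermediate representation, and the missing-egress detector is not modelled.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is a hypothetical vendor-neutral intermediate representation: the page
// says rules are normalized before detectors run, but not what the model holds.
// Rulebase order matters; first match wins, as on most firewalls.
type Rule struct {
	Name   string
	Action string       // "allow" or "deny"
	Src    netip.Prefix // source network
	Dst    netip.Prefix // destination network
	Proto  string       // "tcp", "udp" or "any"
	Port   int          // destination port; 0 means any port
}

// Finding is one detector hit against a named rule.
type Finding struct {
	Kind   string // "any-any" or "shadowed"
	Rule   string
	Detail string
}

// isAny reports whether a prefix covers its whole address family (a /0).
func isAny(p netip.Prefix) bool { return p.IsValid() && p.Bits() == 0 }

// covers reports whether prefix a contains every address of prefix b: a mask no
// longer than b's that contains b's first address contains all of b.
func covers(a, b netip.Prefix) bool {
	return a.Bits() <= b.Bits() && a.Contains(b.Addr())
}

func protoCovers(a, b string) bool { return a == "any" || a == b }
func portCovers(a, b int) bool    { return a == 0 || a == b }

// IsAnyAny flags a permit rule that lets any source reach any destination on any service.
func IsAnyAny(r Rule) bool {
	return r.Action == "allow" && isAny(r.Src) && isAny(r.Dst) && r.Proto == "any" && r.Port == 0
}

// Shadows reports whether earlier matches every packet later would match, so
// later can never fire under first-match evaluation (whatever its action).
func Shadows(earlier, later Rule) bool {
	return covers(earlier.Src, later.Src) && covers(earlier.Dst, later.Dst) &&
		protoCovers(earlier.Proto, later.Proto) && portCovers(earlier.Port, later.Port)
}

// Analyze runs both detectors over an ordered rulebase and returns findings in rule order.
func Analyze(rules []Rule) []Finding {
	var out []Finding
	for i, r := range rules {
		if IsAnyAny(r) {
			out = append(out, Finding{"any-any", r.Name, "permits all traffic from anywhere to anywhere"})
		}
		for _, e := range rules[:i] {
			if Shadows(e, r) {
				out = append(out, Finding{"shadowed", r.Name, "never matches; fully covered by earlier rule " + e.Name})
				break
			}
		}
	}
	return out
}

// SampleRules is a constructed three-rule policy, not taken from any vendor export.
func SampleRules() []Rule {
	p := netip.MustParsePrefix
	return []Rule{
		{Name: "allow-web", Action: "allow", Src: p("10.0.0.0/8"), Dst: p("192.0.2.0/24"), Proto: "tcp", Port: 443},
		{Name: "allow-web-host", Action: "allow", Src: p("10.1.0.0/16"), Dst: p("192.0.2.10/32"), Proto: "tcp", Port: 443},
		{Name: "permit-all", Action: "allow", Src: p("0.0.0.0/0"), Dst: p("0.0.0.0/0"), Proto: "any", Port: 0},
	}
}

func main() {
	for _, f := range Analyze(SampleRules()) {
		fmt.Printf("%-9s %-15s %s\n", f.Kind, f.Rule, f.Detail)
	}
}
```

Because the detectors only see the normalized Rule, the same Shadows and IsAnyAny logic applies whichever vendor's export produced the rulebase; a per-vendor parser only has to populate that struct.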
How it works
Your security lead authors a scope — CIDRs, domains, exclusions, validity window — and signs it with Ed25519. No scope, no scan.
Engineers create a scan request bound to the scope. Production-touching scans require dual approval and step-up MFA.
Workers run with a signed, compiled-in safety profile. Discovery, exposure, segmentation, and rule analysis — all non-destructive.
Findings are scored, mapped, and persisted with hash-chained evidence. Export signed reports — PDF, DOCX, JSON, or HTML.
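The first two steps above (an Ed25519-signed scope, and a scan request that is refused unless the target falls inside that scope) as an added Go example, not the product's own code. The Scope field set, its JSON encoding as the signed bytes, the error strings and the sample addresses are assumptions made here; dual approval and step-up MFA are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// Scope is what the security lead signs. The field set is an assumption: the page
// names the contents (CIDRs, exclusions, validity window) but not a schema.
type Scope struct {
	CIDRs, Exclusions   []string
	NotBefore, NotAfter int64 // Unix seconds
}

// SignedScope is the canonical JSON body plus the Ed25519 signature over those exact bytes.
type SignedScope struct{ Body, Sig []byte }

// SignScope is the security lead's step: serialize once, sign those bytes.
func SignScope(priv ed25519.PrivateKey, s Scope) (SignedScope, error) {
	body, err := json.Marshal(s)
	if err != nil {
		return SignedScope{}, err
	}
	return SignedScope{body, ed25519.Sign(priv, body)}, nil
}

// VerifyScope rejects anything not signed by the lead's key: no scope, no scan.
func VerifyScope(pub ed25519.PublicKey, ss SignedScope) (Scope, error) {
	var s Scope
	if !ed25519.Verify(pub, ss.Body, ss.Sig) {
		return s, errors.New("scope signature invalid: refusing to scan")
	}
	err := json.Unmarshal(ss.Body, &s)
	return s, err
}

// inAny reports whether addr lies inside any of the given CIDRs (unparsable entries are skipped).
func inAny(addr netip.Addr, cidrs []string) bool {
	for _, c := range cidrs {
		if p, err := netip.ParsePrefix(c); err == nil && p.Contains(addr) {
			return true
		}
	}
	return false
}

// AuthorizeTarget is the orchestrator's scope check for one target: the window
// must be active and the address inside a scoped CIDR and outside every exclusion.
func AuthorizeTarget(s Scope, target string, now time.Time) error {
	addr, err := netip.ParseAddr(target)
	if err != nil {
		return err
	}
	switch t := now.Unix(); {
	case t < s.NotBefore || t > s.NotAfter:
		return errors.New("scope is outside its validity window")
	case inAny(addr, s.Exclusions):
		return fmt.Errorf("%s is explicitly excluded", target)
	case !inAny(addr, s.CIDRs):
		return fmt.Errorf("%s is outside the signed scope", target)
	}
	return nil
}

func main() {
	// Constructed key and scope, for illustration only.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	signed, _ := SignScope(priv, Scope{[]string{"192.0.2.0/24"}, []string{"192.0.2.250/32"},
		now.Add(-time.Hour).Unix(), now.Add(time.Hour).Unix()})
	s, err := VerifyScope(pub, signed)
	fmt.Println("signature:", err)
	fmt.Println("192.0.2.10:", AuthorizeTarget(s, "192.0.2.10", now))
	fmt.Println("192.0.2.250:", AuthorizeTarget(s, "192.0.2.250", now))
	fmt.Println("198.51.100.1:", AuthorizeTarget(s, "198.51.100.1", now))
}
```

The worker never re-reads the scope from a database row it could be talked into trusting; it verifies the signature on the bytes it was handed, and an edit to a single CIDR or to the validity window invalidates the signature.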
Architecture
Stateless workers. Signed artifacts. Append-only audit. Tenant isolation in eight layers. Deployable as SaaS, dedicated, or on-prem (including air-gapped).
Edge: WAF · CDN · mTLS
API gateway: OIDC · RBAC · audit
Orchestrator: FSM · scope check
Workers: Go · safety-pinned
Data plane: Postgres · RLS · Redis
Evidence vault: WORM · hash chain
Tenant isolation: Token → app context → Postgres RLS → storage prefix → network policy.
Supply chain: Cosign-signed images. Admission verifies provenance. SLSA L3 target.
Observability: OpenTelemetry → Tempo. Loki for logs. Audit log → Kafka → WORM.
A 30-minute demo on real findings. We'll walk through scope signing, a live scan, and a signed compliance report — all on a customer-style sandbox.
No credit card. No agent install. Authorized-only by design.