Inventory
31 assets across 5 sites · 3 NHIs
All (31)
Network (12)
Servers (8)
Identity (5)
NHIs (3)
Crown jewels (4)
dc-01.acme.local
microsoft · server · prod · DC1 · owner: ivan.devops
crown-jewel
grade C · 0 KEV
crm-prod-01.acme.local
cisco · network · prod · DC1
nhi-build-bot
okta · service_account · owner: ivan.devops · 2 years old
never rotated
last used today
veeam-prod-01
veeam · backup · prod · DC1
healthy
grade B · 14d immutable
Findings
7 open · 4 critical · 2 high
All (7)
Critical (4)
High (2)
Assigned to me (3)
CRIT
Orphan service account: nhi-legacy-importer
Owner henry.former departed · provider: AD · created 3 years ago
auto-fix available
HIGH
NHI never rotated: nhi-build-bot
2 years since rotation · service_account · client_secret
auto-fix available
HIGH
Tenant has users without MFA: ad-acme-local
13 users in Domain Admins, none enrolled · provider: AD
requires review
MED
Over-privileged: alice.admin@acme.local
In 6 groups (threshold 5) — Domain Admins, Helpdesk, Engineering, …
manual review
Identity translator
Plain-English → unified policy → applied across 5 IdPs
1. Translate
2. Preview
3. Apply
Per-system change preview
🔐
Okta — group rule: sc-deny-contractors-no-mfa
moves matched users to SafeCadence-Quarantine · 1 op
ready
🌐
Cisco ISE — authz rule
profile=DenyAccess · scoped to Contractors group
ready
🪟
Active Directory — group membership change
add to SafeCadence-Quarantined · 13 principals affected
ready
☁️
Entra ID — Conditional Access policy
block grant control · enabled state
ready
🛜
ClearPass — enforcement profile + policy
RADIUS:Reject · scoped role
ready