Metadata-Version: 2.4
Name: safecadence-netrisk
Version: 3.0.0
Summary: Free, open-source network infrastructure risk auditing — local-first, multi-vendor, BYO-AI.
Project-URL: Homepage, https://safecadence.com/
Project-URL: Repository, https://github.com/safecadence/network-risk
Project-URL: Documentation, https://github.com/safecadence/network-risk#readme
Project-URL: Issues, https://github.com/safecadence/network-risk/issues
Project-URL: Changelog, https://github.com/safecadence/network-risk/blob/main/CHANGELOG.md
Author-email: SafeCadence <hello@safecadence.com>
License: MIT
License-File: LICENSE
Keywords: arista,aruba,audit,cisco,compliance,cve,firewall,infrastructure,network,security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Networking :: Monitoring
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.9
Requires-Dist: click>=8.1
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=13.0
Provides-Extra: ai
Requires-Dist: httpx>=0.25; extra == 'ai'
Provides-Extra: all
Requires-Dist: safecadence-network-risk[ai,dev,server,ssh,vault]; extra == 'all'
Provides-Extra: dev
Requires-Dist: mypy>=1.0; extra == 'dev'
Requires-Dist: pytest-cov>=4.0; extra == 'dev'
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: ruff>=0.1; extra == 'dev'
Provides-Extra: server
Requires-Dist: bcrypt>=4.0; extra == 'server'
Requires-Dist: cryptography>=42.0; extra == 'server'
Requires-Dist: fastapi>=0.110; extra == 'server'
Requires-Dist: httpx>=0.25; extra == 'server'
Requires-Dist: psycopg2-binary>=2.9; extra == 'server'
Requires-Dist: python-jose[cryptography]>=3.3; extra == 'server'
Requires-Dist: python-multipart>=0.0.9; extra == 'server'
Requires-Dist: sqlalchemy>=2.0; extra == 'server'
Requires-Dist: uvicorn[standard]>=0.27; extra == 'server'
Provides-Extra: ssh
Requires-Dist: paramiko>=3.0; extra == 'ssh'
Provides-Extra: vault
Requires-Dist: cryptography>=42.0; extra == 'vault'
Description-Content-Type: text/markdown

<div align="center">

# SafeCadence Network Risk

**Free, open-source enterprise network risk auditing — local-first, multi-vendor, AI-augmented.**

The features of AlgoSec, Tufin, FireMon, Tenable, and Qualys — packaged into a single open-source CLI + local web UI you `pip install` in 30 seconds.

[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![PyPI version](https://img.shields.io/pypi/v/safecadence-netrisk.svg)](https://pypi.org/project/safecadence-netrisk/)
[![PyPI downloads](https://img.shields.io/pypi/dm/safecadence-netrisk.svg)](https://pypi.org/project/safecadence-netrisk/)
[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)

</div>

```bash
pip install 'safecadence-netrisk[server]'
safecadence ui     # opens local web UI at http://127.0.0.1:8765
```

That's it. Discovery, identification, CVE matching, AI analysis, compliance reports, continuous monitoring — all running on your machine, no cloud, no signup, no telemetry.

---

## What it does

In a single tool:

- **Discovers every device on your LAN** — TCP probing + ARP cache + mDNS Bonjour + SNMP v2c. Finds devices that no other scanner sees (sleeping IoT, printers in standby).
- **Identifies vendor + OS + model + version** for each — bundled OUI database, banner-grab, SNMP sysDescr, TLS cert subject, HTTP page-title scrape.
- **Matches against the live CISA KEV catalog** — flags known-exploited vulnerabilities affecting your specific devices.
- **Scores risk per device** — 0-100 score with band (safe / low / medium / high / critical) + explicit findings + recommended actions.
- **Detects toxic combinations** — *"Telnet AND HTTP admin AND SNMP exposed = compound critical"* — the way breaches actually happen.
- **Audits configs** — 158 vendor-specific rules across 14 vendors (Cisco, Aruba, Arista, Juniper, Palo Alto, Fortinet, Linux, Windows, ESXi, AWS, Azure, GCP).
- **Bring-Your-Own-Key AI** — per-device deep-analyze, conversational chat with your fleet, attack-path tracing, network architect review, multi-LLM consensus. OpenAI / Anthropic / Ollama supported. **Your key never touches a SafeCadence server because there is no server.**
- **Generates compliance audit packs** — auditor-ready HTML evidence for SOC 2 / PCI-DSS / HIPAA / NIST 800-53 / CIS Controls v8.
- **Renders an exec-grade management report** — multi-section HTML with cover page, KPI grid, inline-SVG charts, per-device cards, top vulnerabilities, compliance mapping. Print to PDF for board meetings.
- **Continuously monitors** — `safecadence watch` runs in background, scans periodically, alerts via Slack / Teams / Webhooks / Email when something changes or a new KEV CVE matches.
- **Force-directed topology graph** — visualize your network with risk-colored nodes, double-click to drill into any device.
- **Persists everything** — server-side scan history, asset tags, owner assignments, criticality. Diff any two scans to see what changed.

```
Discovery → Identification → CVE Matching → Risk Scoring → Toxic Combos
   ↓
Per-device AI Analysis · Bulk Fleet Analysis · Attack Paths · Network Architect
   ↓
Continuous Monitoring · Slack/Teams/Email Alerts · CSV/HTML/PDF Reports
   ↓
Compliance Packs (SOC 2 · PCI · HIPAA · NIST · CIS) · Topology Map · Asset Inventory
```

---

## Three ways to install

| Method | Best for | One-liner |
|---|---|---|
| **pip** | Python users, devs | `pip install 'safecadence-netrisk[server]'` |
| **pipx** | Anyone wanting a global `safecadence` command | `brew install pipx && pipx install 'safecadence-netrisk[server]'` |
| **Docker** | Non-Python users, containerized environments | `docker run -p 8765:8765 ghcr.io/famousleads/safecadence-netrisk ui --host 0.0.0.0` |

---

## 60-second tour

```bash
# Discover every device on your LAN
safecadence discover 192.168.1.0/24

# Audit a config file
safecadence scan ~/configs/router.txt --html report.html

# Run all the things via local web UI
safecadence ui
# → opens http://127.0.0.1:8765 with 14 tabs:
#   Dashboard · Scan · Devices · History · Subnet sweep · Saved scans
#   Topology map · Assets & tags · CVEs · End-of-life · Threat hunting
#   Chat with fleet · AI explainer · AI architect · Compliance packs · Settings

# Continuous monitoring with Slack alerts
safecadence watch 192.168.1.0/24 \
  --interval 3600 \
  --slack-webhook https://hooks.slack.com/... \
  --alert-on changes
```

---

## What's in the box (full feature list)

### Discovery & Identification
- LAN deep scan: ARP cache + mDNS + TCP (27 management ports) + SNMP v2c sysDescr + TLS cert subject + HTTP page-title
- MAC OUI vendor lookup (bundled database)
- Heuristic device categorization: router, switch, firewall, AP, printer, camera, NAS, IoT, server, workstation, mobile
- Multi-mode: `quick`, `extended`, `lan_deep`
- Subnet sweep CIDR support, multi-threaded (configurable workers)

### Vulnerability & Risk
- 158 vendor-specific audit rules (Cisco IOS / IOS-XE / NX-OS / ASA, Aruba CX, Arista EOS, Juniper Junos, Palo Alto PAN-OS, Fortinet FortiOS, Linux, Windows, ESXi, AWS, Azure, GCP)
- Bundled CVE database with KEV-prioritization
- Live CISA Known Exploited Vulnerabilities feed integration
- 13 port-based heuristic risk rules
- 10 toxic-combination patterns (compound risks)
- Per-device 0-100 risk score + band + findings + recommended actions
- End-of-life (EOL/EOS) tracking via endoflife.date
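As an added illustration of the scoring pipeline the feature lists above describe (port-based heuristic rules, toxic-combination patterns such as "Telnet AND HTTP admin AND SNMP exposed = compound critical", the crown-jewel boost, and the 0-100 score with bands), here is a small constructed model. It is not the project's own rule set; every port weight, pattern, multiplier and band threshold is an assumption for the example.

```python
from dataclasses import dataclass

# Hypothetical port heuristics: port -> (service label, base points).
PORT_RULES = {
    23: ("telnet", 30),       # cleartext management
    80: ("http_admin", 15),   # unencrypted web admin
    161: ("snmp", 20),        # v2c community strings travel in cleartext
    21: ("ftp", 15),
    22: ("ssh", 5),           # encrypted, but still a management surface
}

# Hypothetical toxic combinations: every member present -> compound boost.
TOXIC_COMBOS = [
    ({"telnet", "http_admin", "snmp"}, 40, "cleartext mgmt + admin UI + SNMP"),
    ({"telnet", "snmp"}, 20, "config and credentials both readable on the wire"),
]

# Lower bound of each band, highest first; 0 points is "safe" (assumed thresholds).
BANDS = [(85, "critical"), (60, "high"), (30, "medium"), (1, "low"), (0, "safe")]


@dataclass
class Device:
    ip: str
    open_ports: set
    crown_jewel: bool = False  # asset criticality, as the asset-tag feature describes


def band_for(score):
    return next(name for floor, name in BANDS if score >= floor)


def assess(device):
    """Return {'score', 'band', 'findings'} for one discovered device."""
    services = {PORT_RULES[p][0] for p in device.open_ports if p in PORT_RULES}
    score, findings = 0, []
    for port in sorted(device.open_ports & set(PORT_RULES)):
        label, pts = PORT_RULES[port]
        score += pts
        findings.append(f"port {port} ({label}) open: +{pts}")
    # A combo fires only when all its services are present on the same device:
    # this is what turns several medium findings into one compound critical.
    for needed, pts, why in TOXIC_COMBOS:
        if needed <= services:
            score += pts
            findings.append(f"toxic combo {sorted(needed)}: +{pts} ({why})")
    if device.crown_jewel:
        score = int(score * 1.25)  # assumed multiplier for tagged crown jewels
        findings.append("crown-jewel asset: score x1.25")
    score = min(100, score)  # clamp to the 0-100 scale
    return {"score": score, "band": band_for(score), "findings": findings}
```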

### AI (Bring-Your-Own-Key)
- Per-device deep-analyze with grounded JSON output (no hallucinated CVEs)
- Conversational chat with fleet ("which devices have telnet open?")
- Bulk fleet analysis with cross-device pattern recognition
- Attack path analysis (multi-hop chains from initial access to objective)
- Network architect review (segmentation, zero-trust, lateral movement)
- Multi-LLM consensus (run same analysis through OpenAI + Anthropic, flag disagreements)
- Vendor-specific remediation playbooks (Markdown, copyable to runbook)
- BYO API keys: OpenAI, Anthropic, Ollama (localhost)

### Reports
- Inventory report (HTML)
- Management report (exec-grade HTML with inline-SVG charts, KPI grid, per-device cards, compliance mapping)
- Compliance audit packs: SOC 2 Type II, PCI-DSS v4.0, HIPAA Security Rule, NIST 800-53 Rev. 5, CIS Controls v8
- CSV export of fleet inventory
- All reports print-perfect (Cmd+P → Save as PDF)

### Operations
- `safecadence watch` continuous monitoring CLI with diff-based alerting
- Slack / Microsoft Teams / Generic webhook delivery
- Email digest (NEW in v2.10)
- Persistent server-side scan history (SQLite) — survives browser/server restarts
- Diff between any two scans (added/removed/changed devices, port + CVE deltas)
- Per-device asset tagging (tags, owner, criticality, notes)
- Crown-jewel assets auto-boost risk score for prioritization

### UI (the Dashboard)
- 14 tabs covering every feature
- Force-directed topology graph (click for quick info, double-click to drill into device)
- Single-file HTML+JS, no CDN dependencies (works air-gapped)
- localhost-only by default (binding another interface, as the Docker one-liner's `--host 0.0.0.0` does, exposes the UI to the network it is attached to)
- No authentication (single-user local mode): anything that can reach the port can use every feature, so keep it on localhost or put your own access control in front of it
- 100% local, zero telemetry

### Distribution
- `pip install safecadence-netrisk` (PyPI)
- `pipx install 'safecadence-netrisk[server]'` (global)
- `docker run ghcr.io/famousleads/safecadence-netrisk` (containerized)
- GitHub Actions composite action (`uses: famousleads/safecadence-network-risk@v2.10.0`)
- SARIF output for GitHub Code Scanning integration

---

## Why this exists

Network configuration auditors — AlgoSec, Tufin, FireMon, Tenable Nessus, Qualys VMDR, Rapid7 InsightVM — share three properties: they cost upwards of $50,000/year per license, they take 1-2 weeks of professional services to deploy, and they want your configuration data to flow through their cloud.

For 90% of the value those tools deliver, the architecture is overkill. Most audits flag the same handful of things every time: any/any firewall rules, missing logging, default SNMP communities, telnet still enabled, operating systems years past end-of-life. These are pattern-matchable from a static configuration file. They do not need a SaaS backend or a $50,000 license.

`safecadence-netrisk` is the open-source version. It's MIT-licensed. It runs 100% on the auditor's machine. It supports 14 vendors out of the box. It's installable with one command. There is no telemetry, no cloud sync, no signup. And it does things the commercial tools don't — toxic combinations, AI attack-path tracing, conversational chat with your fleet, multi-LLM consensus.

---

## How it compares

| Capability | safecadence-netrisk v2.10 | Tenable Nessus | Qualys VMDR | Rapid7 InsightVM | AlgoSec |
|---|---|---|---|---|---|
| Discover everything on LAN | ✅ ARP+mDNS+TCP+SNMP | ✅ | ✅ | ✅ | ❌ |
| CVE matching per device | ✅ KEV-prioritized | ✅ | ✅ | ✅ | ❌ |
| Toxic-combination engine | ✅ 10 patterns | ❌ | ❌ | ❌ | ❌ |
| AI deep-analyze per device | ✅ BYOK, JSON-grounded | ❌ | Add-on $$ | Add-on $$ | ❌ |
| AI attack-path tracing | ✅ multi-hop chains | ❌ | ❌ | ❌ | ❌ |
| AI network architect review | ✅ | ❌ | ❌ | ❌ | ❌ |
| Conversational chat with fleet | ✅ | ❌ | ❌ | ❌ | ❌ |
| Multi-LLM consensus | ✅ OpenAI + Anthropic | ❌ | ❌ | ❌ | ❌ |
| Compliance packs (SOC 2/PCI/HIPAA/NIST/CIS) | ✅ all five | ✅ | ✅ | ✅ | ✅ |
| Continuous monitoring + alerts | ✅ Slack/Teams/Email | ✅ | ✅ | ✅ | ✅ |
| Topology map | ✅ force-directed | ❌ | Add-on | Add-on | ✅ |
| Force-directed graph drill-down | ✅ double-click | ❌ | ❌ | ❌ | ❌ |
| Exec-grade PDF report | ✅ inline | ✅ | ✅ | ✅ | ✅ |
| 100% local, no SaaS | ✅ | ❌ | ❌ | ❌ | ❌ |
| Docker container | ✅ multi-arch | ❌ | ❌ | ❌ | ❌ |
| GitHub Actions integration | ✅ official action | ❌ | ❌ | ❌ | ❌ |
| SARIF / Code Scanning output | ✅ | ❌ | ❌ | Add-on | ❌ |
| **Price** | **Free, MIT-licensed** | **$3,990/yr** | **$2,800+/yr** | **$2,000+/yr** | **$50k+/yr** |

---

## Documentation

| Topic | Where |
|---|---|
| **CLI commands** | `safecadence --help` (18 commands available) |
| **API endpoints** | `http://127.0.0.1:8765/api/docs` (after `safecadence ui`) |
| **Local UI guide** | Run `safecadence ui`, read the in-app help text |
| **Continuous monitoring** | `safecadence watch --help` |
| **Configuration file syntax** | YAML rule packs in `src/safecadence/data/rules/` |
| **CVE database format** | YAML in `src/safecadence/data/cves/` |

---

## Architecture

```
safecadence-netrisk/
├── core/             Vendor adapter framework, registry, schema
├── adapters/         Cisco IOS / NX-OS / ASA / Aruba / Arista / Juniper / Palo / Fortinet / etc.
├── engines/          Audit rule engine (regex + absent + custom)
├── discovery/        ARP / mDNS / TCP sweep / SNMP / OUI lookup
│   ├── lan_scan.py     LAN deep scan combiner
│   ├── snmp_probe.py   Pure-stdlib BER encoder
│   ├── categorize.py   Heuristic device classifier
│   ├── cve_match.py    Vendor+version → CVE lookup
│   ├── toxic_combinations.py  Compound risk detector
│   ├── ai_analyze.py   Per-device AI with grounded JSON
│   ├── ai_chat.py      Conversational AI
│   ├── attack_paths.py AI attack-path tracer
│   ├── ai_architect.py AI architecture reviewer
│   ├── threat_hunt.py  Live CISA KEV integration
│   ├── compliance_pack.py  Multi-framework evidence packs
│   ├── webhooks.py     Slack / Teams / Generic delivery
│   ├── email_digest.py Daily/weekly summary email
│   └── ...
├── enrichment/       CVE + EOL data refreshers
├── reports/          HTML / Markdown / JSON / DOCX / PDF renderers
├── ai/               Provider-agnostic LLM client (OpenAI / Anthropic / Ollama)
├── server/           FastAPI multi-tenant API mode (`safecadence api`)
├── ui/               Local single-user UI (`safecadence ui`)
│   ├── app.py        FastAPI app with 30+ endpoints
│   ├── templates/    Single-file HTML SPA, no CDN
│   ├── discover_store.py   Saved scan SQLite
│   └── asset_tags.py       Tag SQLite
├── storage/          SQLite + SQLAlchemy backends
├── security/         Encrypted vault for credentials
└── cli.py            18 CLI commands
```

---

## Need help running it on your network?

SafeCadence offers fixed-scope remediation engagements. We use the same open-source engine you ran. The tool is and will stay free + MIT — our only revenue is doing the remediation work.

[**Email hello@safecadence.com →**](mailto:hello@safecadence.com)
[**Audit-engagement details →**](https://safecadence.com/audit-engagement/)

---

## Contributing

PRs welcome — especially:
- New vendor adapters (MikroTik, Ubiquiti, Meraki, Mist next)
- Additional audit rules (drop YAML files in `src/safecadence/data/rules/`)
- Toxic-combination patterns (add to `src/safecadence/discovery/toxic_combinations.py`)
- Compliance framework mappings (add to `src/safecadence/discovery/compliance_pack.py`)

---

## License

MIT — see [LICENSE](LICENSE).
