SafeCadence Portal

Live Demo · Sample data only

SafeCadence NetRisk — see it in action

Click any card, host, compliance tile, or attack-path node to drill into a sample report. The real product runs entirely on your network — no telemetry, BYO-AI keys, full source.

The live builder reads from real system data (34 sample assets pre-loaded — KEV CVEs, EOL gear, identity drift, attack paths). Pick sections + scope filters, preview live, export PDF/HTML/JSON. Read-only on the demo.

SafeCadence Network Risk · Demo Dashboard

Network Risk Assessment

Comprehensive identification, vulnerability mapping, and remediation prioritization for the demo subnet.
Prepared for Acme Corp (sample) · Subnet 192.168.4.0/24 · Scan mode lan_deep · 254 hosts probed in 49.8s · Generated 2026-05-10 14:22 UTC

Critical risk: 3 · remediate immediately
High risk: 12 · remediate this quarter
Findings: 47 · across 40 devices
CVEs mapped: 134 · heuristic vendor/version
Known Exploited (KEV): 2 · on CISA KEV catalog

Hosts at risk

Top 10 devices by aggregated risk score. Click a row for findings, CVEs, recommended actions, and remediation timeline.

| Hostname | IP | OS / Vendor | Risk | Top finding |
|---|---|---|---|---|
| dc01 | 192.168.4.10 | Windows Server 2019 | 92 | Open SMBv1 + SeImpersonatePrivilege on service account |
| firewall-edge | 192.168.4.1 | FortiOS 7.0.5 | 88 | CVE-2024-21762 RCE (KEV) |
| esxi-prod-02 | 192.168.4.17 | VMware ESXi 7.0u3 | 90 | CVE-2024-22252 USB out-of-bounds write (KEV) |
| jenkins-build | 192.168.4.41 | Ubuntu 22.04 / Jenkins 2.387 | 79 | Anonymous job execution + outdated plugins |
| fileserv01 | 192.168.4.22 | Windows Server 2016 | 76 | SMB signing not required, EOL OS |
| pbx-asterisk | 192.168.4.55 | Asterisk 16.30 / Debian 11 | 58 | SIP exposed to LAN, default admin password |
| nas-synology | 192.168.4.30 | DSM 7.2 | 54 | SMBv1 enabled, two-factor auth disabled |
| printer-hp-1 | 192.168.4.61 | HP MFP M477fdw | 51 | Telnet enabled, default JetDirect creds |
| cam-axis-lobby | 192.168.4.71 | Axis OS 11.6 | 38 | HTTP exposed without TLS, default root password |
| switch-core | 192.168.4.2 | Cisco IOS 15.2 | 32 | Telnet enabled + SNMP v2c with public string |

Compliance posture

Findings auto-mapped to commonly-required frameworks. Click a tile to see top failing controls and plain-language remediation.

NIST CSF: 78% · 84 / 108 controls passing
CIS Controls v8: 84% · 128 / 153 safeguards passing
PCI DSS: 91% · 191 / 210 requirements passing
HIPAA: 67% · 36 / 54 safeguards passing
SOC 2: 88% · 52 / 59 trust criteria passing

Attack-path graph

Sample lateral-movement chain — click any node to drill in. The real graph maps every reachable identity, host, and exposed service.

[Figure: attack-path graph. Nodes: External (Internet attacker), DMZ firewall-edge (KEV), DC dc01 (SMBv1), File Server fileserv01. Edge labels: CVE-2024-21762, SMBv1 relay, SeImpersonate.]

Top recommended actions

Prioritized by risk reduction per minute of effort. Click an action for step-by-step instructions and compliance impact.

P0: Disable SMBv1 on dc01 + fileserv01; enforce SMB signing
    15 min · removes 18 risk points · NIST CSF, CIS v8, PCI DSS
P0: Patch FortiOS to 7.0.13+ (CVE-2024-21762, KEV)
    30 min · removes 28 risk points · closes external entry vector
P1: Patch ESXi to 7.0u3p+ (CVE-2024-22252, KEV)
    60 min · removes 22 risk points · vCenter cluster impact
P1: Rotate default credentials on printer / camera / NAS
    45 min · 3 devices · removes default-creds finding cluster
P2: Disable Telnet on switch-core; enable SSH only
    10 min · removes plaintext mgmt + improves SOC 2 / PCI scoring

Try it on your own network

The platform runs entirely locally — no telemetry, no cloud calls, your data never leaves your machine. Bring your own AI keys for narrative reports, or skip AI entirely and use the deterministic engine.

pip install 'safecadence-netrisk[server]'  ·  safecadence demo  ·  safecadence ui


Generated reports look like this

A snapshot of the management report SafeCadence NetRisk produces. Click a section to expand it inline. The full deliverable runs 30–80 pages depending on fleet size.

1. Executive Summary

Acme Corp's 192.168.4.0/24 demo subnet was scanned in 49.8 seconds, identifying 40 active hosts with 47 findings across 134 mapped CVEs. 2 vulnerabilities are on the CISA Known-Exploited list and require immediate attention.

The single highest-leverage action is patching firewall-edge from FortiOS 7.0.5 to 7.0.13+, which removes the most likely external entry vector. Combined with disabling SMBv1 across dc01 and fileserv01, these two changes reduce aggregate risk by an estimated 46 points in under one hour of effort.

Compliance posture is strong on PCI DSS (91%) and SOC 2 (88%) but weak on HIPAA (67%), driven primarily by audit-log retention gaps and missing encryption on three legacy endpoints.

2. Top Risks

  1. FortiOS pre-auth RCE (CVE-2024-21762, KEV) — exposed at the perimeter, exploitable without credentials. Patch immediately.
  2. SMBv1 + missing SMB signing on dc01 — enables NTLM relay against the domain controller; combined with SeImpersonate it's a one-step path to Domain Admin.
  3. ESXi USB OOB write (CVE-2024-22252, KEV) — guest-to-host escape; affects the production virtualization cluster.
  4. Anonymous Jenkins job execution — exposed CI server allows unauthenticated remote code execution; pivots into build artifacts and signing keys.
  5. Default credentials cluster (3 devices) — printer, IP camera, and NAS all retain factory default passwords.

3. Asset Inventory

| IP | Hostname | Vendor | Open ports |
|---|---|---|---|
| 192.168.4.1 | firewall-edge | Fortinet | 443, 500, 4500, 10443 |
| 192.168.4.2 | switch-core | Cisco | 22, 23, 161, 443 |
| 192.168.4.10 | dc01 | Microsoft | 53, 88, 135, 389, 445, 3389 |
| 192.168.4.17 | esxi-prod-02 | VMware | 22, 80, 443, 902 |
| 192.168.4.22 | fileserv01 | Microsoft | 135, 139, 445 |
| 192.168.4.30 | nas-synology | Synology | 80, 443, 445, 5000 |
| 192.168.4.41 | jenkins-build | Ubuntu | 22, 8080, 50000 |
| 192.168.4.55 | pbx-asterisk | Debian | 5060, 5061, 10000-20000 |
| 192.168.4.61 | printer-hp-1 | HP | 23, 80, 443, 9100 |
| 192.168.4.71 | cam-axis-lobby | Axis | 80, 554 |

4. CVE Mapping

| CVE | CVSS | KEV | Affects |
|---|---|---|---|
| CVE-2024-21762 | 9.8 | KEV | FortiOS 7.0.5 — firewall-edge |
| CVE-2024-22252 | 9.3 | KEV | VMware ESXi 7.0u3 — esxi-prod-02 |
| CVE-2023-23397 | 9.8 | | Outlook NTLM relay — dc01 |
| CVE-2022-37958 | 8.1 | | Windows Server 2016 SPNEGO — fileserv01 |
| CVE-2024-23897 | 9.8 | | Jenkins arbitrary file read — jenkins-build |
| CVE-2023-49606 | 9.8 | | Tinyproxy use-after-free — pbx-asterisk |

5. Compliance Roll-up

| Framework | Score | Passing | Top gap |
|---|---|---|---|
| NIST CSF | 78% | 84/108 | PR.AC-4 — least-privilege not enforced |
| CIS v8 | 84% | 128/153 | 4.7 — manage default accounts |
| PCI DSS | 91% | 191/210 | 11.5.1 — change-detection mechanisms |
| HIPAA | 67% | 36/54 | 164.312(b) — audit log retention 90d |
| SOC 2 | 88% | 52/59 | CC7.2 — anomaly detection sources |

6. Action Plan

Within 24 hours: Patch FortiOS to 7.0.13+, disable SMBv1 on dc01 + fileserv01, enforce SMB signing.

Within 7 days: Patch ESXi to 7.0u3p+, rotate default credentials on printer / camera / NAS, restrict Jenkins to authenticated users only.

Within 30 days: Replace SNMP v2c with v3 + AES on switch fleet, disable Telnet, enable centralized log retention to satisfy HIPAA 164.312(b), document anomaly-detection sources for SOC 2 CC7.2.

Within 90 days: Plan migration off Windows Server 2016 (EOL), evaluate firewall replacement options if FortiOS continues to accumulate KEV entries, formalize quarterly NetRisk scans into the change-management calendar.


All data on this page is fictional. The real SafeCadence NetRisk runs locally on your network. No telemetry. BYO-AI.