★ Open source · MIT license · BYO-AI · v10.0.2 · 1,271 tests
SafeCadence Network Risk
The local-first alternative to AlgoSec, Tufin, Drata, and Saviynt — combined. Open-source infrastructure + identity policy automation that runs on your laptop, your server, or in your customer's air-gapped SCIF.
One declared policy — "Block SMB inbound from anything outside the /24 mgmt subnet" — becomes correct configuration for every vendor in your fleet. Cisco IOS, NX-OS, ASA, Arista EOS, Juniper Junos, Fortinet, Palo Alto, Aruba — and AWS IAM, Azure CA, GCP IAM, Okta, Cisco ISE, ClearPass, AD/LDAP when the policy needs an identity equivalent. Sixteen multi-vendor translators do the work.
The policy-to-configuration flow above takes about a minute end-to-end. Open /home and the first thing you see is the fleet Safe Score (0–100) and a Weak Link card — "Fix edge-fw-01 and 7 attack paths collapse — fleet score climbs 64 → 78." That's the value proposition in one sentence.
How it compares
| Tool category | Examples | Cost / yr | What they don't do |
|---|---|---|---|
| Network policy mgmt | AlgoSec, Tufin, FireMon | $50k+ | One vendor at a time, no identity, SaaS-leaning |
| Vulnerability scanning | Tenable, Qualys, Rapid7 | $30k+ | No multi-vendor remediation, no identity |
| Compliance automation | Drata, Vanta, Secureframe | $25k+ | SaaS-only, no firewall configs, no air-gap |
| Identity governance | Saviynt, SailPoint | $50k+ | No network policy, SaaS-only |
| SafeCadence Network Risk | this product | $0 · MIT | — |
Capabilities
1. Multi-vendor policy synthesis
Author one declared policy and get correct configuration for every vendor in your fleet. Sixteen translators ship in v10.0.2, covering Cisco IOS, NX-OS, ASA, Arista EOS, Juniper Junos (with symmetric set/delete), Fortinet, Palo Alto, Aruba, AWS IAM, Azure Conditional Access, GCP IAM, Cisco ISE, ClearPass, AD/LDAP, Okta, Veeam, AWS S3 Object Lock and Azure Blob immutability. Per-vendor rollback and verify commands are generated alongside the change.
2. Identity policy automation + write-back
Five identity adapters: Cisco ISE, HPE ClearPass, Active Directory / LDAP, Microsoft Entra ID, Okta. EffectivePermissionResolver composes ALLOW/DENY across all systems with reasons. AIPolicyTranslator turns English into a unified policy IR with per-system change preview. Identity write-back is HMAC-bound: every commit requires a confirm token bound to the IR hash, scope, actor, 600-second TTL, and adapter version — a token minted for one IR cannot be replayed against another. JIT access workflow with auto-revoke. Non-Human Identity (NHI) lifecycle: register → attest → rotate → mark_used → deprecate.
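What an HMAC-bound confirm token has to check before a write-back is allowed, written out as an added example (this is not SafeCadence's own code; the function names, the payload layout and the nonce-based single-use check are assumptions of the example, while the binding set of IR hash, scope, actor, adapter version and 600-second TTL follows the description above):

```python
"""Confirm token bound to an IR hash, scope, actor, adapter version and a 600 s TTL.

Added example, not SafeCadence code. Function names, the payload layout and the
nonce-based single-use check are assumptions of this example.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

TTL_SECONDS = 600


def _canon(obj) -> bytes:
    """Deterministic JSON so the same IR always produces the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def ir_hash(policy_ir: dict) -> str:
    return hashlib.sha256(_canon(policy_ir)).hexdigest()


def mint_confirm_token(key: bytes, policy_ir: dict, scope: str, actor: str,
                       adapter_version: str, now: Optional[float] = None) -> str:
    """HMAC-SHA256 over (ir, scope, actor, adapter, exp, nonce); the nonce is what
    lets the verifier refuse a second presentation of the same token."""
    now = time.time() if now is None else now
    payload = {
        "ir": ir_hash(policy_ir),
        "scope": scope,
        "actor": actor,
        "adapter": adapter_version,
        "exp": int(now) + TTL_SECONDS,
        "nonce": secrets.token_hex(8),
    }
    body = _canon(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_confirm_token(key: bytes, token: str, policy_ir: dict, scope: str,
                         actor: str, adapter_version: str,
                         consumed: Optional[Set[str]] = None,
                         now: Optional[float] = None) -> Tuple[bool, str]:
    """Signature first, then TTL, then every binding, then single-use.

    `consumed` is the server-side set of spent nonces; pass the same set on every
    call so a replayed token is rejected even inside its TTL.
    """
    now = time.time() if now is None else now
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed"
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "bad signature"
    p = json.loads(body)
    if now > p["exp"]:
        return False, "expired"
    # A valid token presented for a different IR, tenant scope, actor or adapter
    # build than it was minted for is a substitution attempt.
    for field, value in (("ir", ir_hash(policy_ir)), ("scope", scope),
                         ("actor", actor), ("adapter", adapter_version)):
        if p[field] != value:
            return False, f"{field} mismatch"
    if consumed is not None:
        if p["nonce"] in consumed:
            return False, "replayed"
        consumed.add(p["nonce"])
    return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    ir = {"effect": "deny", "subject": "group:contractors", "resource": "vpn"}
    tok = mint_confirm_token(key, ir, "tenant-a", "alice", "ise-3.2")
    spent: Set[str] = set()
    print(verify_confirm_token(key, tok, ir, "tenant-a", "alice", "ise-3.2", spent))
    print(verify_confirm_token(key, tok, ir, "tenant-a", "alice", "ise-3.2", spent))  # replayed
```

The order of checks matters: the signature is verified before anything in the body is trusted, and `hmac.compare_digest` keeps the comparison constant-time. The TTL alone does not stop replay inside the window, which is why the spent-nonce set is part of the check.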
3. Attack-path graph
Knows which assets actually matter. The Safe Score on each asset reflects whether it sits on a path to a crown-jewel — not just whether it has a CVE in isolation. Six edge types: member_of, can_impersonate, can_assume_role, has_credential_to, network_reach, identity_reach. The Weak Link card on /home finds the asset whose remediation collapses the most attack paths weighted by target criticality.
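How a Weak Link is picked from an attack-path graph, as an added example (not SafeCadence's graph engine or scoring code; the graph, asset names, criticality weights and function names are constructed for the example, and the edge labels use the six edge types listed above):

```python
"""Weak Link selection over a small attack-path graph.

Added example, not SafeCadence code. The graph, asset names, criticality weights
and function names are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed graph: node -> [(neighbour, edge_type)]
GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "internet":      [("edge-fw-01", "network_reach"), ("vpn-gw", "network_reach")],
    "edge-fw-01":    [("jump-host", "network_reach"), ("db-01", "network_reach")],
    "vpn-gw":        [("db-01", "network_reach")],
    "jump-host":     [("svc-backup", "has_credential_to"), ("db-01", "network_reach")],
    "svc-backup":    [("Domain Admins", "member_of")],
    "Domain Admins": [("dc-01", "identity_reach")],
    "db-01":         [],
    "dc-01":         [],
}
# Constructed crown jewels with their criticality weights.
CROWN_JEWELS: Dict[str, int] = {"dc-01": 10, "db-01": 6}
ENTRY = "internet"


def attack_paths(graph: Dict[str, List[Tuple[str, str]]], entry: str,
                 jewels: Dict[str, int]) -> List[List[str]]:
    """All simple paths from the entry point to any crown jewel (DFS)."""
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node in jewels:
            paths.append(list(path))   # a jewel ends the path
            return
        for nxt, _edge in graph.get(node, []):
            if nxt not in path:        # no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(entry, [entry])
    return paths


def weak_link(graph, entry, jewels) -> Optional[Tuple[str, int, int]]:
    """The non-entry, non-jewel asset whose removal collapses the most paths,
    ranked by summed target criticality and then by path count.
    Returns (asset, paths_collapsed, weight)."""
    score = defaultdict(lambda: [0, 0])
    for p in attack_paths(graph, entry, jewels):
        w = jewels[p[-1]]
        for asset in p[1:-1]:
            score[asset][0] += 1
            score[asset][1] += w
    if not score:
        return None
    asset, (n, w) = max(score.items(), key=lambda kv: (kv[1][1], kv[1][0]))
    return asset, n, w


def paths_after_fix(graph, entry, jewels, fixed: str) -> List[List[str]]:
    """Paths that survive once `fixed` is taken out of the graph."""
    pruned = {k: [(n, e) for n, e in v if n != fixed]
              for k, v in graph.items() if k != fixed}
    return attack_paths(pruned, entry, jewels)


if __name__ == "__main__":
    before = attack_paths(GRAPH, ENTRY, CROWN_JEWELS)
    asset, n, w = weak_link(GRAPH, ENTRY, CROWN_JEWELS)
    after = paths_after_fix(GRAPH, ENTRY, CROWN_JEWELS, asset)
    print(f"Fix {asset} and {n} of {len(before)} attack paths collapse "
          f"(weight {w}); {len(after)} remain")
```

An asset with a CVE but no path from the entry point never appears in `score`, which is the point: a finding on a host that sits on three paths to the domain controller outranks a louder CVE on an isolated box. On real graphs enumerating every simple path is exponential; a counting approach (number of entry-to-jewel walks through each node) scales better, but the ranking idea is the same.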
4. Tier-3 SSH execution + real per-vendor rollback plans
Actual remediation, not just reports. Tier-3 SSH execution sits behind a triple gate: SC_TIER3_ENABLED=1 in the environment, the EXECUTE_REAL capability on the caller's role, and an explicit acknowledge + i_mean_it payload plus TOTP MFA on the request itself. Pre/post running-config snapshots are captured for every command. Real rollback plans ship with ~45 inversion patterns covering Cisco IOS / NX-OS, Arista EOS, Junos (set ↔ delete), Palo Alto and FortiGate. The /rollback slide-over shows the inverted commands per vendor before commit. Patterns that can't be safely auto-inverted (interface blocks, for example) are flagged for manual review.
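The shape of a rollback-plan inverter, as an added example rather than SafeCadence's own ~45 patterns. Only two families are implemented: Junos set/delete symmetry and IOS-style `no` toggling, which the example assumes applies identically to IOS, NX-OS and EOS. Anything indented under a parent line (an `interface` block, an ACL body) is routed to manual review instead of being inverted, because `no <parent>` would undo more than the change that was made:

```python
"""Rollback-plan inversion for flat vendor commands, with sub-mode blocks set aside.

Added example, not SafeCadence code. Junos set/delete and IOS-style `no` toggling
are the only patterns here; the IOS_FAMILY grouping is an assumption.
"""
from typing import List, Optional, Tuple

IOS_FAMILY = {"ios", "nxos", "eos"}


def _invert_junos(cmd: str) -> Optional[str]:
    if cmd.startswith("set "):
        return "delete " + cmd[4:]
    if cmd.startswith("delete "):
        return "set " + cmd[7:]
    return None


def _invert_ios(cmd: str) -> Optional[str]:
    if cmd.startswith("no "):
        return cmd[3:]
    return "no " + cmd


def _group_blocks(commands: List[str]) -> List[List[str]]:
    """A top-level line plus any indented lines that follow it form one block."""
    blocks: List[List[str]] = []
    for cmd in commands:
        if not cmd.strip():
            continue
        if cmd[:1].isspace() and blocks:
            blocks[-1].append(cmd)
        else:
            blocks.append([cmd])
    return blocks


def invert_commands(vendor: str, commands: List[str]) -> Tuple[List[str], List[str]]:
    """Return (rollback_commands, needs_manual_review).

    Rollback commands come out in reverse order so the last change applied is the
    first one undone.
    """
    inverter = _invert_junos if vendor == "junos" else None
    if vendor in IOS_FAMILY:
        inverter = _invert_ios
    rollback: List[str] = []
    manual: List[str] = []
    for block in _group_blocks(commands):
        if len(block) > 1 or inverter is None:
            manual.extend(block)          # sub-mode block, or no patterns for this vendor
            continue
        inverted = inverter(block[0].strip())
        if inverted is None:
            manual.append(block[0])       # no pattern matched this line
        else:
            rollback.append(inverted)
    rollback.reverse()
    return rollback, manual


if __name__ == "__main__":
    change = ["ntp server 10.1.1.1", "no ip http server",
              "interface GigabitEthernet1/0/1", " shutdown"]
    rb, review = invert_commands("ios", change)
    print("rollback:", rb)
    print("manual review:", review)
```

Reversing the order is not cosmetic: if the change created an object and then referenced it, the rollback has to drop the reference before the object. The pre/post running-config snapshots described above remain the ground truth; an inverted plan is a convenience, and the manual-review list is where the operator's attention belongs.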
5. Capability-based RBAC + OIDC SSO
26 fine-grained capabilities (read.*, write.*, execute.*, identity.apply.*, admin.*) layered over a six-tier role floor (VIEWER → AUDITOR → OPERATOR → ENGINEER → SECURITY_ADMIN → SUPER_ADMIN). Per-user grants/denies persisted in YAML, every change audit-logged, every change fires a capability_changed event. OIDC SSO with Auth Code + PKCE against any RFC-compliant IdP (Okta, Entra, Auth0, Keycloak, Google). capability_map field maps IdP group claims to capability lists; on every login reconcile_sso_grants() idempotently grants what's needed and revokes what's gone. Manual grants tracked separately. Cross-tenant view at /api/capabilities/all-tenants for MSP-style deployments.
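An idempotent reconcile pass of the kind described, as an added example (not SafeCadence's reconcile_sso_grants(); the role-floor capability sets, the user record layout and the event shape are assumptions of the example, while the behaviour of granting what the claims need, revoking what is gone and leaving manual grants alone follows the text):

```python
"""Idempotent SSO grant reconciliation layered over a role floor and manual grants.

Added example, not SafeCadence code. ROLE_FLOOR_EXTRA, the user record layout and the
event dicts are assumptions; only the six role names and the reconcile behaviour
come from the page.
"""
from typing import Dict, List, Set

ROLE_ORDER = ["VIEWER", "AUDITOR", "OPERATOR", "ENGINEER", "SECURITY_ADMIN", "SUPER_ADMIN"]
# Assumed floor: each tier inherits everything below it and adds these.
ROLE_FLOOR_EXTRA: Dict[str, Set[str]] = {
    "VIEWER": {"read.asset"},
    "AUDITOR": {"read.finding", "read.audit"},
    "OPERATOR": {"write.watchlist"},
    "ENGINEER": {"write.policy"},
    "SECURITY_ADMIN": {"identity.apply.preview", "execute.dryrun"},
    "SUPER_ADMIN": {"admin.capabilities"},
}


def role_floor(role: str) -> Set[str]:
    caps: Set[str] = set()
    for r in ROLE_ORDER:
        caps |= ROLE_FLOOR_EXTRA[r]
        if r == role:
            return caps
    raise ValueError(f"unknown role {role!r}")


def reconcile_sso_grants(user: dict, groups: List[str],
                         capability_map: Dict[str, List[str]]) -> List[dict]:
    """Bring user['sso_grants'] in line with the IdP group claims.

    Only SSO-derived grants are touched; user['manual_grants'] is a separate list and
    survives untouched. Returns the capability_changed events the pass produced, so a
    second run with the same claims returns [].
    """
    desired: Set[str] = set()
    for g in groups:
        desired |= set(capability_map.get(g, []))
    current = set(user["sso_grants"])
    events = [{"kind": "capability_changed", "action": "grant", "cap": c, "source": "sso"}
              for c in sorted(desired - current)]
    events += [{"kind": "capability_changed", "action": "revoke", "cap": c, "source": "sso"}
               for c in sorted(current - desired)]
    user["sso_grants"] = sorted(desired)
    return events


def effective_capabilities(user: dict) -> Set[str]:
    """Role floor plus SSO and manual grants, minus explicit denies."""
    granted = role_floor(user["role"]) | set(user["sso_grants"]) | set(user["manual_grants"])
    return granted - set(user["denies"])


if __name__ == "__main__":
    cmap = {"sec-eng": ["identity.apply.commit", "execute.real"], "auditors": ["read.audit"]}
    u = {"role": "ENGINEER", "sso_grants": [], "manual_grants": ["write.rollback"],
         "denies": ["execute.real"]}
    print(reconcile_sso_grants(u, ["sec-eng"], cmap))   # two grants
    print(reconcile_sso_grants(u, ["sec-eng"], cmap))   # [] on the second login
    print(reconcile_sso_grants(u, ["auditors"], cmap))  # one grant, two revokes
    print(sorted(effective_capabilities(u)))
```

Keeping SSO-derived and manual grants in separate lists is what makes revocation safe: when a user leaves an IdP group, only the capabilities that group conferred disappear, and a deny still wins over any grant.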
6. Compliance evidence — six frameworks
Every SafeCadence control mapped to NIST 800-53 r5, CIS v8, PCI-DSS 4.0, HIPAA, ISO 27001:2022, SOC 2 TSC. /compliance coverage matrix. Type-2 control history for evidence. Exception lifecycle with expiry / re-review and daemon alerts. Risk register at /risks. Auditor portal with scope-tagged share tokens. Tamper-evident hash chain: evidence packs cryptographically chained so any tampering is verifiable.
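What "evidence packs cryptographically chained" means in practice, as an added example (not SafeCadence's own chain format; the entry layout and function names are assumptions, and the property shown, that every pack's hash covers the previous hash so editing any pack breaks verification from that point on, is the one the text claims):

```python
"""Tamper-evident hash chain over compliance evidence packs.

Added example, not SafeCadence code. The entry layout ({seq, prev, pack, hash}) and
the function names are assumptions of this example.
"""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def _canon(obj) -> bytes:
    """Deterministic JSON so the same pack always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_pack(chain: List[dict], pack: dict) -> str:
    """Append a pack; its hash commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev.encode() + _canon(pack)).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "pack": pack, "hash": digest})
    return digest


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, seq) of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        recomputed = hashlib.sha256(prev.encode() + _canon(entry["pack"])).hexdigest()
        if recomputed != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def head(chain: List[dict]) -> str:
    """The latest hash; pin this somewhere the evidence store cannot rewrite."""
    return chain[-1]["hash"] if chain else GENESIS


if __name__ == "__main__":
    chain: List[dict] = []
    for pack in ({"control": "AC-2", "result": "pass"},
                 {"control": "AC-6", "result": "fail"},
                 {"control": "SC-7", "result": "pass"}):
        append_pack(chain, pack)
    pinned = head(chain)
    chain[1]["pack"]["result"] = "pass"          # quietly "fix" a failed control
    print(verify_chain(chain))                   # (False, 1)
    rebuilt: List[dict] = []
    for entry in chain:                          # attacker recomputes every hash
        append_pack(rebuilt, entry["pack"])
    print(verify_chain(rebuilt), head(rebuilt) == pinned)   # (True, None) False
```

The second half of the demo is the caveat a practitioner should know: an attacker with write access to the whole store can edit a pack and recompute every later hash, and the chain will verify. The chain only proves tampering against a head hash pinned outside the store, for example one handed to the auditor with the scope-tagged share token or written to the activity log at export time.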
7. AI policy intelligence — BYO-AI
OpenAI / Anthropic / local Ollama. AI command builder with offline pack table fallback (works without an internet connection). AI-explain a finding. AI executive briefing. Natural-language /ask assistant gated by read.asset + read.finding capabilities, question length capped at 2 KB, per-(user, IP) rate-limited, snapshot truncation reported to the LLM rather than silently sliced, citations cross-checked against real asset/finding IDs. Every /ask audit row stores SHA-256 hash of the question (not plaintext). SC_AI_DISABLED=1 hard-disables the entire AI subsystem for air-gap mode.
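The request-side and response-side guards for an /ask endpoint, as an added example (not SafeCadence's implementation; the rate-limit window, the `[asset:…]` / `[finding:…]` citation syntax, the snapshot budget and the function names are assumptions, while the checks themselves, the 2 KB cap, the per-(user, IP) limit, SHA-256 of the question in the audit row, reported rather than silent truncation and citations verified against real IDs, are the ones listed above):

```python
"""Guards around a natural-language assistant endpoint.

Added example, not SafeCadence code. The 10-per-60 s limit, the citation syntax and
the snapshot budget are assumptions of this example.
"""
import hashlib
import re
import time
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Tuple

MAX_QUESTION_BYTES = 2048
DEFAULT_RATE_LIMIT = (10, 60.0)          # assumption: 10 questions per 60 s per (user, ip)
REQUIRED_CAPS = {"read.asset", "read.finding"}
CITATION_RE = re.compile(r"\[(asset|finding):([A-Za-z0-9_.-]+)\]")


class AskGuard:
    def __init__(self, limit: Tuple[int, float] = DEFAULT_RATE_LIMIT):
        self.max_calls, self.window = limit
        self.calls: Dict[Tuple[str, str], deque] = defaultdict(deque)

    def admit(self, user: str, ip: str, question: str, caps: Iterable[str],
              now: Optional[float] = None) -> Tuple[bool, str, dict]:
        """Return (ok, reason, audit_row). The audit row never carries the question text."""
        now = time.time() if now is None else now
        audit = {"actor": user, "ip": ip, "ts": now,
                 "question_sha256": hashlib.sha256(question.encode()).hexdigest()}
        if not REQUIRED_CAPS <= set(caps):
            return False, "forbidden", audit
        if len(question.encode()) > MAX_QUESTION_BYTES:
            return False, "question too long", audit
        bucket = self.calls[(user, ip)]          # sliding window per (user, ip)
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        if len(bucket) >= self.max_calls:
            return False, "rate limited", audit
        bucket.append(now)
        return True, "ok", audit


def truncate_snapshot(items: List[dict], budget: int) -> Tuple[List[dict], dict]:
    """Cut the context to `budget` items and say so, so the prompt can tell the
    model its view is partial instead of letting it answer as if it were complete."""
    kept = items[:budget]
    return kept, {"truncated": len(items) > budget, "omitted": max(0, len(items) - budget)}


def cross_check_citations(answer: str, known_assets: Iterable[str],
                          known_findings: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split the model's citations into ones that resolve to real IDs and ones that do not."""
    assets, findings = set(known_assets), set(known_findings)
    verified: List[str] = []
    fabricated: List[str] = []
    for kind, ident in CITATION_RE.findall(answer):
        pool = assets if kind == "asset" else findings
        (verified if ident in pool else fabricated).append(f"{kind}:{ident}")
    return verified, fabricated


if __name__ == "__main__":
    guard = AskGuard(limit=(2, 60.0))
    caps = ["read.asset", "read.finding"]
    for q in ("which hosts reach dc-01?", "why is edge-fw-01 the weak link?", "one more"):
        print(guard.admit("alice", "10.0.0.5", q, caps)[:2])
    answer = "edge-fw-01 [asset:edge-fw-01] exposes SMB [finding:F-204]; see also [finding:F-999]"
    print(cross_check_citations(answer, {"edge-fw-01"}, {"F-204"}))
```

Storing only the SHA-256 of the question still lets an investigator confirm whether a specific prompt was submitted, without the audit log becoming a second copy of whatever sensitive detail the operator typed. The fabricated-citation list is what the UI should surface; a citation to a finding ID that does not exist is the cheapest hallucination signal available.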
8. Discovery + inventory — 45 adapters
40 infrastructure adapters across network gear, servers, storage, virtualization, cloud, backup. 5 identity adapters. Pure-stdlib SNMP probe. LAN scan with ARP + mDNS + TLS/HTTP fingerprinting. LLDP/CDP topology harvest. AD / Entra ID / DHCP read connectors. AWS / Azure / GCP cloud connectors. Meraki-style topology with pictograms, status rings, site groups, search. Geographic site map view. Christmas-tree network hierarchy view.
9. Activity log + tenant-scoped audit page
Every authenticated mutation lands as a JSONL line under $SC_DATA_DIR/activity/YYYY-MM-DD.jsonl via an ASGI middleware. /audit page filters by date / actor (substring match) / method / path / tenant / extra_filter / arbitrary date range. CSV export with the export itself audit-logged. Browser-local time on hover. "My actions only" toggle. Endpoint rate-limited (60/60s default) and tenant-scoped — non-admins can't read other tenants' activity. Retention via logrotate, systemd timer, or daemon hook (SC_ACTIVITY_RETENTION_DAYS default 90).
10. Multi-channel notifications + automation
One dispatch_event(kind, severity, …) router behind everything. Eight NOTIFY_CATEGORIES (approval_requested, finding_critical, watchlist_change, drift_detected, automation_fired, jit_granted, digest_daily, capability_changed). Eleven webhook providers ship: Slack, Teams, Discord, Mattermost, Rocket.Chat, PagerDuty, Opsgenie, Webex, ServiceNow, Google Chat, generic_hmac. Customer SMTP for email DMs. Per-user notify-prefs override tenant defaults. All webhook URLs and tokens Fernet-encrypted at rest. Automation engine: IF/THEN rules with eight actions including auto_fix (honors IR targets, dry-run by default, commit=true opt-in), add_to_watchlist, add_comment, notify_pagerduty (deterministic dedup_key), notify_webhook (multi-provider fan-out).
Trust posture
- Dry-run is the default at every layer. Identity write-back, Tier-3 SSH execution, and policy translation all return a diff first. The operator has to flip an explicit flag to commit.
- HMAC-bound confirm tokens for identity policy commits, with TTL + IR-hash binding, prevent replay and substitution attacks.
- Encrypted credential vault. Identity connector credentials are Fernet-encrypted (AES-128 + HMAC-SHA256) under a master key auto-bootstrapped to ~/.safecadence/.identity_vault.key (chmod 600). save_creds refuses to persist unless test_connection passed first.
- 1,271 tests, all green. Coverage includes capability gates, activity log filters, OIDC reconcile, identity write-back, attack-path traversal, rollback plan inversion, AI assistant hardening, compliance APIs, and a link audit that catches broken nav in CI.
- Local-first / air-gap-ready. File-backed JSON storage by default, optional Postgres for scale, optional BYO-AI for the LLM bits. Nothing phones home. Runs on a laptop you took into a customer SCIF.
Install paths
| Path | Use when | Time |
|---|---|---|
| Local laptop | One operator, demo, evaluating | 5 min |
| Small server | One team, internal use | 30 min |
| Docker | You prefer containers | 15 min |
| Production | Multi-team, audit-grade, OIDC SSO, Postgres | 2–4 hr |
All four paths share the same codebase. Production differs only in DATABASE_URL=postgres://… + an OIDC IdP via SC_OIDC_* env vars. Full guide: docs/DEPLOY.md.
Source + docs
PyPI · GitHub · HOWTO · DEPLOY · CHANGELOG · MIT licensed
Need help running it?
SafeCadence offers paid engagements to plan, deploy, integrate with your IdP, and operate the platform end-to-end — we use the same open-source engine, no vendor lock-in, your data stays in your environment. Email hello@safecadence.com to scope a project.