SafeCadence Network Risk v10.0.2 is on PyPI:
pip install 'safecadence-netrisk[server]'
safecadence demo
safecadence uiAbout a minute end-to-end and you have a 34-asset demo fleet, identity vault, NHIs, execution jobs, rollback plans, and compliance artifacts populated in a local web UI. Open http://127.0.0.1:8766/home and the first thing you see is the fleet Safe Score (0–100) and a Weak Link card that says “Fix edge-fw-01 and 7 attack paths collapse — fleet score climbs 64 → 78.” That’s the value proposition in one sentence.
What v10.x means
The v9.x line was a sustained audit-then-fix cycle across every customer-visible surface — Execute, Discover, Compliance, Identity write-back, Automation, AI assistant, the activity log. Each section got a deep audit doc, a punch list of honest gaps, and a dedicated release closing them out — most often followed by a .1 cleanup release for items the audit flagged but didn’t fix.
v10.0.0 declared the result: every load-bearing surface is capability-gated, rate-limited where it could be abused, audit-logged, and tested at the HTTP level. v10.0.1 added pre-ship validation (1271 tests across the suite, 325 modules importing cleanly, every CLI command rendering, every UI page returning 200) and a complete rewrite of HOWTO.md. v10.0.2 fixes the broken project URLs on PyPI’s package metadata.
The v10.x line is “trust posture” — the polish you ship after the feature work is done.
What ships in the box
Forty-five adapters across network gear, servers, identity, cloud, and backup. Twenty-two atomic security controls authored as policy. Sixteen multi-vendor translators that turn one declared intent into per-vendor configs. Attack-path graph, KEV+EPSS-prioritized CVEs, cross-system drift detection, posture scoring, full compliance suite, identity write-back with HMAC-bound confirm tokens, real per-vendor rollback plans, and Tier-3 SSH execution behind a triple-gate.
Three things SafeCadence does that no commercial alternative does well together:
- One declared policy → many vendors. “Block SMB inbound from anything outside the /24 mgmt subnet” becomes correct configuration for Cisco IOS, NX-OS, ASA, Arista EOS, Juniper Junos, Fortinet, Palo Alto PAN-OS, Aruba — and AWS IAM, Azure CA, GCP IAM, Okta, ISE, ClearPass when the same policy needs an identity equivalent.
- Attack-path-aware risk. The score on each asset reflects whether it sits on a path to a crown-jewel — not just whether it has a CVE in isolation. The Weak Link card finds the asset whose remediation collapses the most paths.
- Local-first / air-gap-ready. Pure-stdlib SNMP, file-backed JSON storage by default, optional Postgres for scale, optional BYO-AI for the LLM bits (OpenAI / Anthropic / local Ollama). Nothing phones home. The whole thing runs on a laptop you took into a customer SCIF.
Why local-first matters
The hardest problem with a tool that can push config to firewalls and identity systems is making sure it never does so by accident, never lies to the operator about what it’s about to do, and always leaves a way back. A SaaS backend that sees your data is also a SaaS backend that holds your data — every customer becomes a target through your vendor.
SafeCadence is built so that’s structurally not possible. There’s no remote server to compromise, no credential vault we can read, no policy decisions made on a machine that isn’t yours. Your identity connector credentials are Fernet-encrypted under a master key that only ever exists at ~/.safecadence/.identity_vault.key. Your AI keys go directly from your local SafeCadence server to the LLM provider — they never touch us.
Trust posture
The audit-then-fix discipline shows up everywhere customers care about it:
- Dry-run is the default at every layer. Identity write-back, Tier-3 SSH execution, and policy translation all return a diff first. The operator has to flip an explicit flag to commit.
- HMAC-bound confirm tokens for identity policy commits — bound to the IR hash, scope, actor, a 600-second TTL, and the adapter version. A token minted for one IR cannot be replayed against a different one.
- Real per-vendor rollback plans — ~45 inversion patterns covering Cisco IOS / NX-OS, Arista EOS, Junos (set ↔ delete), Palo Alto, FortiGate. Operators see the inverted commands per-vendor in the rollback slide-over before clicking. Patterns that can’t be safely auto-inverted are flagged for manual review.
- Pre/post config snapshots — Tier-3 SSH execution captures running-config before and after each command. /per-device-diff renders a unified diff with vendor pill, dry-run badge, and +/- line counts.
- Tier-3 triple-gate. Real SSH execution requires
SC_TIER3_ENABLED=1, theEXECUTE_REALcapability on the role, an explicit acknowledge + i_mean_it payload, and TOTP MFA. - Capability-based RBAC — 26 fine-grained capabilities (
read.*,write.*,execute.*,identity.apply.*,admin.*) layered over a six-tier role floor. Per-user explicit grants/denies persisted in YAML, every change audit-logged, every change fires acapability_changedevent. - OIDC SSO with capability auto-grant — Auth Code + PKCE against any RFC-compliant IdP.
capability_mapfield maps IdP group claims to capability lists; on every loginreconcile_sso_grants()idempotently grants what’s needed and revokes what’s gone. Manual grants are tracked separately and never touched. - Activity log + tenant-scoped audit page. Every authenticated mutation lands as a JSONL line via an ASGI middleware. /audit filters by date / actor / method / path / tenant / arbitrary date range, exports CSV with the export itself audit-logged, and shows browser-local time on hover. Endpoint is rate-limited and tenant-scoped.
- AI assistant hardened. /ask honors
SC_AI_DISABLEDfor air-gap mode, is gated byread.asset+read.finding, question length capped at 2 KB, per-(user, IP) rate-limited, snapshot truncation reported to the LLM rather than silently sliced, citations cross-checked against real asset/finding IDs, audit row stores SHA-256 hash of the question (not plaintext). Write-intent screen flags destructive CLI patterns even when generated.
How it compares
| Tool category | Examples | What they do | What they don’t do |
|---|---|---|---|
| Vulnerability scanning | Tenable, Qualys, Rapid7 | Find CVEs on hosts | No multi-vendor config remediation, no identity, no air-gap |
| Network policy | AlgoSec, Tufin, FireMon | Manage firewall rules | One vendor at a time, no identity, no air-gap |
| Compliance automation | Drata, Vanta, Secureframe | Collect evidence for SOC 2 / ISO | SaaS-only, no firewall configs, no air-gap |
| SafeCadence | this repo | All three, locally | — |
How to try it
pip install 'safecadence-netrisk[server]'
safecadence demo
safecadence uiThat’s the whole demo. Open http://127.0.0.1:8766/home and click around.
The demo seed is intentionally three-tier: a “good” tenant with a connected Okta + healthy NHIs, a “medium” tenant with an unsynced ClearPass, and a “broken” tenant with an LDAP misconfig — so every connector state is visible without having to wire up real systems.
For real deployment, see docs/DEPLOY.md (laptop / small server / Docker / production paths) and docs/HOWTO.md (the five-minute quick start, killer features, real workflows, FAQ, CLI reference, REST API reference, env-var tunables).
Status
v10.0.2 — production milestone, on PyPI. Open source, MIT licensed, contributions welcome.