
Free, open-source network infrastructure risk auditing — local-first, multi-vendor, BYO-AI.

Project description

SafeCadence Network Risk

Free, open-source enterprise network risk auditing — local-first, multi-vendor, AI-augmented.

The features of AlgoSec, Tufin, FireMon, Tenable, and Qualys — packaged into a single open-source CLI + local web UI you pip install in 30 seconds.


pip install 'safecadence-netrisk[server]'
safecadence ui     # opens local web UI at http://127.0.0.1:8765

That's it. Discovery, identification, CVE matching, AI analysis, compliance reports, continuous monitoring — all running on your machine, no cloud, no signup, no telemetry.


What it does

In a single tool:

  • Discovers every device on your LAN — TCP probing + ARP cache + mDNS Bonjour + SNMP v2c. Finds devices that no other scanner sees (sleeping IoT, printers in standby).
  • Identifies vendor + OS + model + version for each — bundled OUI database, banner-grab, SNMP sysDescr, TLS cert subject, HTTP page-title scrape.
  • Matches against the live CISA KEV catalog — flags known-exploited vulnerabilities affecting your specific devices.
  • Scores risk per device — 0-100 score with band (safe / low / medium / high / critical) + explicit findings + recommended actions.
  • Detects toxic combinations: "Telnet AND HTTP admin AND SNMP exposed = compound critical", the way breaches actually happen.
  • Audits configs — 158 vendor-specific rules across 14 vendors (Cisco, Aruba, Arista, Juniper, Palo Alto, Fortinet, Linux, Windows, ESXi, AWS, Azure, GCP).
  • Bring-Your-Own-Key AI — per-device deep-analyze, conversational chat with your fleet, attack-path tracing, network architect review, multi-LLM consensus. OpenAI / Anthropic / Ollama supported. Your key never touches a SafeCadence server because there is no server.
  • Generates compliance audit packs — auditor-ready HTML evidence for SOC 2 / PCI-DSS / HIPAA / NIST 800-53 / CIS Controls v8.
  • Renders an exec-grade management report — multi-section HTML with cover page, KPI grid, inline-SVG charts, per-device cards, top vulnerabilities, compliance mapping. Print to PDF for board meetings.
  • Continuously monitors: safecadence watch runs in the background, scans periodically, and alerts via Slack / Teams / Webhooks / Email when something changes or a new KEV CVE matches.
  • Force-directed topology graph — visualize your network with risk-colored nodes, double-click to drill into any device.
  • Persists everything — server-side scan history, asset tags, owner assignments, criticality. Diff any two scans to see what changed.
Discovery → Identification → CVE Matching → Risk Scoring → Toxic Combos
   ↓
Per-device AI Analysis · Bulk Fleet Analysis · Attack Paths · Network Architect
   ↓
Continuous Monitoring · Slack/Teams/Email Alerts · CSV/HTML/PDF Reports
   ↓
Compliance Packs (SOC 2 · PCI · HIPAA · NIST · CIS) · Topology Map · Asset Inventory

Three ways to install

  • pip (Python users, devs): pip install 'safecadence-netrisk[server]'
  • pipx (anyone wanting a global safecadence command): brew install pipx && pipx install 'safecadence-netrisk[server]'
  • Docker (non-Python users, containerized environments): docker run -p 8765:8765 ghcr.io/famousleads/safecadence-netrisk ui --host 0.0.0.0
    Note: --host 0.0.0.0 is required so the UI is reachable from outside the container, but the UI has no authentication (single-user local mode), so publish the port on loopback only (-p 127.0.0.1:8765:8765) unless the host is firewalled.

60-second tour

# Discover every device on your LAN
safecadence discover 192.168.1.0/24

# Audit a config file
safecadence scan ~/configs/router.txt --html report.html

# Run all the things via local web UI
safecadence ui
# → opens http://127.0.0.1:8765 with 14 tabs:
#   Dashboard · Scan · Devices · History · Subnet sweep · Saved scans
#   Topology map · Assets & tags · CVEs · End-of-life · Threat hunting
#   Chat with fleet · AI explainer · AI architect · Compliance packs · Settings

# Continuous monitoring with Slack alerts
safecadence watch 192.168.1.0/24 \
  --interval 3600 \
  --slack-webhook https://hooks.slack.com/... \
  --alert-on changes

What's in the box (full feature list)

Discovery & Identification

  • LAN deep scan: ARP cache + mDNS + TCP (27 management ports) + SNMP v2c sysDescr + TLS cert subject + HTTP page-title
  • MAC OUI vendor lookup (bundled database)
  • Heuristic device categorization: router, switch, firewall, AP, printer, camera, NAS, IoT, server, workstation, mobile
  • Multi-mode: quick, extended, lan_deep
  • Subnet sweep CIDR support, multi-threaded (configurable workers)

Vulnerability & Risk

  • 158 vendor-specific audit rules (Cisco IOS / IOS-XE / NX-OS / ASA, Aruba CX, Arista EOS, Juniper Junos, Palo Alto PAN-OS, Fortinet FortiOS, Linux, Windows, ESXi, AWS, Azure, GCP)
  • Bundled CVE database with KEV-prioritization
  • Live CISA Known Exploited Vulnerabilities feed integration
  • 13 port-based heuristic risk rules
  • 10 toxic-combination patterns (compound risks)
  • Per-device 0-100 risk score + band + findings + recommended actions
  • End-of-life (EOL/EOS) tracking via endoflife.date

AI (Bring-Your-Own-Key)

  • Per-device deep-analyze with grounded JSON output (no hallucinated CVEs)
  • Conversational chat with fleet ("which devices have telnet open?")
  • Bulk fleet analysis with cross-device pattern recognition
  • Attack path analysis (multi-hop chains from initial access to objective)
  • Network architect review (segmentation, zero-trust, lateral movement)
  • Multi-LLM consensus (run same analysis through OpenAI + Anthropic, flag disagreements)
  • Vendor-specific remediation playbooks (Markdown, copyable to runbook)
  • BYO API keys: OpenAI, Anthropic, Ollama (localhost)

Reports

  • Inventory report (HTML)
  • Management report (exec-grade HTML with inline-SVG charts, KPI grid, per-device cards, compliance mapping)
  • Compliance audit packs: SOC 2 Type II, PCI-DSS v4.0, HIPAA Security Rule, NIST 800-53 Rev. 5, CIS Controls v8
  • CSV export of fleet inventory
  • All reports print-perfect (Cmd+P → Save as PDF)

Operations

  • safecadence watch continuous monitoring CLI with diff-based alerting
  • Slack / Microsoft Teams / Generic webhook delivery
  • Email digest (NEW in v2.10)
  • Persistent server-side scan history (SQLite) — survives browser/server restarts
  • Diff between any two scans (added/removed/changed devices, port + CVE deltas)
  • Per-device asset tagging (tags, owner, criticality, notes)
  • Crown-jewel assets auto-boost risk score for prioritization

UI (the Dashboard)

  • 14 tabs covering every feature
  • Force-directed topology graph (click for quick info, double-click to drill into device)
  • Single-file HTML+JS, no CDN dependencies (works air-gapped)
  • localhost-only by default
  • No authentication (single-user local mode)
  • 100% local, zero telemetry

Distribution

  • pip install safecadence-netrisk (PyPI)
  • pipx install safecadence-netrisk[server] (global)
  • docker run ghcr.io/famousleads/safecadence-netrisk (containerized)
  • GitHub Actions composite action (uses: famousleads/safecadence-network-risk@v2.10.0)
  • SARIF output for GitHub Code Scanning integration

Why this exists

Network configuration auditors — AlgoSec, Tufin, FireMon, Tenable Nessus, Qualys VMDR, Rapid7 InsightVM — share three properties: they cost upwards of $50,000/year per license, they take 1-2 weeks of professional services to deploy, and they want your configuration data to flow through their cloud.

For 90% of the value those tools deliver, the architecture is overkill. Most audits flag the same handful of things every time: any/any firewall rules, missing logging, default SNMP communities, telnet still enabled, operating systems years past end-of-life. These are pattern-matchable from a static configuration file. They do not need a SaaS backend or a $50,000 license.

safecadence-netrisk is the open-source version. It's MIT-licensed. It runs 100% on the auditor's machine. It supports 14 vendors out of the box. It's installable with one command. There is no telemetry, no cloud sync, no signup. And it does things the commercial tools don't — toxic combinations, AI attack-path tracing, conversational chat with your fleet, multi-LLM consensus.
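A miniature of the pattern-matching this section describes, added here as an illustration and not safecadence's own rule engine or YAML rule format: 'regex' rules fire when a config line matches, 'absent' rules fire when a required line is missing (the two rule shapes named in the architecture tree), and a toxic-combination check escalates the band when several findings coincide. Rule ids, severities, band thresholds and both IOS-style configs are constructed for the example.

```python
import re

# Constructed rule set: 'regex' fires when a line matches, 'absent' fires when none does.
# Ids, patterns and severities are illustrative, not safecadence's bundled rules.
RULES = [
    {"id": "TELNET_ENABLED", "type": "regex", "severity": 20,
     "pattern": r"^\s*transport input\b.*\btelnet\b"},
    {"id": "DEFAULT_SNMP_COMMUNITY", "type": "regex", "severity": 20,
     "pattern": r"^snmp-server community (public|private)\b"},
    {"id": "HTTP_ADMIN_ENABLED", "type": "regex", "severity": 10,
     "pattern": r"^ip http server\b"},
    {"id": "NO_REMOTE_LOGGING", "type": "absent", "severity": 10,
     "pattern": r"^logging host \S+"},
]
# Toxic combination: every listed finding must be present; the band is then forced to critical.
TOXIC = [{"id": "TELNET+HTTP+SNMP", "bonus": 25,
          "needs": {"TELNET_ENABLED", "HTTP_ADMIN_ENABLED", "DEFAULT_SNMP_COMMUNITY"}}]
BANDS = [(0, "safe"), (20, "low"), (40, "medium"), (70, "high"), (90, "critical")]

def audit(config_text):
    """Return (score 0-100, band, finding_ids, toxic_ids) for one device config."""
    lines = config_text.splitlines()
    findings = []
    for rule in RULES:
        matched = any(re.search(rule["pattern"], line) for line in lines)
        # a regex rule fires on a match, an absent rule fires on no match
        if matched == (rule["type"] == "regex"):
            findings.append(rule["id"])
    toxic = [t["id"] for t in TOXIC if t["needs"] <= set(findings)]
    score = sum(r["severity"] for r in RULES if r["id"] in findings)
    score = min(100, score + sum(t["bonus"] for t in TOXIC if t["id"] in toxic))
    band = [name for floor, name in BANDS if score >= floor][-1]
    if toxic:
        band = "critical"  # compound exposure outranks the arithmetic band
    return score, band, findings, toxic

# Constructed IOS-style configs: one with the classic findings, one remediated.
WEAK_CONFIG = """ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """no ip http server
snmp-server community Xk9-ro-ops RO
logging host 10.0.0.5
line vty 0 4
 transport input ssh
"""
```

Run audit(WEAK_CONFIG) and audit(HARDENED_CONFIG) to see the same config scored before and after remediation.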


How it compares

Capability safecadence-netrisk v2.10 Tenable Nessus Qualys VMDR Rapid7 InsightVM AlgoSec
Discover everything on LAN ✅ ARP+mDNS+TCP+SNMP
CVE matching per device ✅ KEV-prioritized
Toxic-combination engine ✅ 10 patterns
AI deep-analyze per device ✅ BYOK, JSON-grounded Add-on $$ Add-on $$
AI attack-path tracing ✅ multi-hop chains
AI network architect review
Conversational chat with fleet
Multi-LLM consensus ✅ OpenAI + Anthropic
Compliance packs (SOC 2/PCI/HIPAA/NIST/CIS) ✅ all five
Continuous monitoring + alerts ✅ Slack/Teams/Email
Topology map ✅ force-directed Add-on Add-on
Force-directed graph drill-down ✅ double-click
Exec-grade PDF report ✅ inline
100% local, no SaaS
Docker container ✅ multi-arch
GitHub Actions integration ✅ official action
SARIF / Code Scanning output Add-on
Price Free, MIT-licensed $3,990/yr $2,800+/yr $2,000+/yr $50k+/yr

Documentation

  • CLI commands: safecadence --help (18 commands available)
  • API endpoints: http://127.0.0.1:8765/api/docs (after safecadence ui)
  • Local UI guide: run safecadence ui, read the in-app help text
  • Continuous monitoring: safecadence watch --help
  • Configuration file syntax: YAML rule packs in src/safecadence/data/rules/
  • CVE database format: YAML in src/safecadence/data/cves/

Architecture

safecadence-netrisk/
├── core/             Vendor adapter framework, registry, schema
├── adapters/         Cisco IOS / NX-OS / ASA / Aruba / Arista / Juniper / Palo / Fortinet / etc.
├── engines/          Audit rule engine (regex + absent + custom)
├── discovery/        ARP / mDNS / TCP sweep / SNMP / OUI lookup
│   ├── lan_scan.py     LAN deep scan combiner
│   ├── snmp_probe.py   Pure-stdlib BER encoder
│   ├── categorize.py   Heuristic device classifier
│   ├── cve_match.py    Vendor+version → CVE lookup
│   ├── toxic_combinations.py  Compound risk detector
│   ├── ai_analyze.py   Per-device AI with grounded JSON
│   ├── ai_chat.py      Conversational AI
│   ├── attack_paths.py AI attack-path tracer
│   ├── ai_architect.py AI architecture reviewer
│   ├── threat_hunt.py  Live CISA KEV integration
│   ├── compliance_pack.py  Multi-framework evidence packs
│   ├── webhooks.py     Slack / Teams / Generic delivery
│   ├── email_digest.py Daily/weekly summary email
│   └── ...
├── enrichment/       CVE + EOL data refreshers
├── reports/          HTML / Markdown / JSON / DOCX / PDF renderers
├── ai/               Provider-agnostic LLM client (OpenAI / Anthropic / Ollama)
├── server/           FastAPI multi-tenant API mode (`safecadence api`)
├── ui/               Local single-user UI (`safecadence ui`)
│   ├── app.py        FastAPI app with 30+ endpoints
│   ├── templates/    Single-file HTML SPA, no CDN
│   ├── discover_store.py   Saved scan SQLite
│   └── asset_tags.py       Tag SQLite
├── storage/          SQLite + SQLAlchemy backends
├── security/         Encrypted vault for credentials
└── cli.py            18 CLI commands
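The discovery layer's SNMP v2c sysDescr probe sits on a pure-stdlib BER encoder (snmp_probe.py in the tree above). As an added illustration, and not the project's own snmp_probe.py, here is a minimal encoder for the GetRequest such a probe sends; the OID is the standard sysDescr.0 instance and the community string defaults to the conventional read-only value. Response decoding is left out.

```python
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0 instance OID

def ber_length(n):
    # short form below 128, else 0x80|byte-count followed by the big-endian length
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_integer(value):
    # minimal two's-complement INTEGER (tag 0x02); non-negative values only here
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ber_oid(arcs):
    # first two arcs fold into one byte (40*a+b); the rest use base-128 with a continuation bit
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_get_request(community, oid, request_id=1):
    """SNMPv2c GetRequest: SEQUENCE { version, community, [0] { id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # SEQUENCE { OID, NULL }
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(0x30, varbind))
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def probe_sys_descr(host, community="public", timeout=2.0):
    """Send the request to UDP/161 on a host you manage; return raw BER response or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(snmp_get_request(community, SYS_DESCR_0), (host, 161))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None
```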

Need help running it on your network?

SafeCadence offers fixed-scope remediation engagements. We use the same open-source engine you ran. The tool is and will stay free + MIT — our only revenue is doing the remediation work.

Email hello@safecadence.com for audit-engagement details.


Contributing

PRs welcome — especially:

  • New vendor adapters (MikroTik, Ubiquiti, Meraki, Mist next)
  • Additional audit rules (drop YAML files in src/safecadence/data/rules/)
  • Toxic-combination patterns (add to src/safecadence/discovery/toxic_combinations.py)
  • Compliance framework mappings (add to src/safecadence/discovery/compliance_pack.py)

License

MIT — see LICENSE.

Download files

Source Distribution: safecadence_netrisk-3.1.0.tar.gz (273.1 kB)

Built Distribution: safecadence_netrisk-3.1.0-py3-none-any.whl (331.2 kB)

