Free, open-source infrastructure + identity platform — 45 adapters (40 infra + 5 identity), 22 controls, 16 multi-vendor translators, AI policy intelligence, attack-path graph, KEV+EPSS-prioritized CVEs, cross-system drift detection, local-first, BYO-AI, never executes.
Project description
SafeCadence Device Intelligence Platform
Free, open-source multi-vendor infrastructure platform — 40 vendor adapters across 6 domains, AI policy intelligence, multi-vendor remediation. Local-first. BYO-AI. Never executes.
The features of AlgoSec, Tufin, FireMon, Tenable, Qualys, Wiz, NetBrain, and Itential — packaged into a single open-source CLI + local web UI you pip install in 30 seconds.
pip install 'safecadence-netrisk[server]'
safecadence ui # opens http://127.0.0.1:8765
That's it. Discovery, identification, CVE matching, AI policy interpretation, drift detection, multi-vendor remediation generation, compliance reports — all running on your machine, no cloud, no signup, no telemetry.
What it does
Three layers, one tool:
v2 — Audit (the original)
- Discovers every device on your LAN — TCP probing + ARP cache + mDNS Bonjour + SNMP v2c
- Identifies vendor + OS + model + version — bundled OUI database, banner-grab, SNMP sysDescr, TLS cert subject, HTTP page-title
- Matches against the live CISA KEV catalog — flags known-exploited vulnerabilities
- Toxic-combination detection — "Telnet AND HTTP admin AND SNMP exposed = compound critical"
- Compliance audit packs — SOC 2, PCI-DSS, HIPAA, NIST 800-53, CIS Controls v8
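The toxic-combination idea above, sketched as an added example (not code from the safecadence-netrisk project): exposures that are moderate alone escalate when every tag of a combination appears on the same host. The tag names, single-exposure severities and fleet data are assumptions constructed for illustration. Only the Telnet + HTTP admin + SNMP pattern comes from the page.

```python
from dataclasses import dataclass

SEVERITIES = ["info", "low", "medium", "high", "critical"]

# Severity of each exposure when seen alone (assumed values for this example).
SINGLE = {"telnet": "high", "http_admin": "medium", "snmp_exposed": "medium", "ssh": "info"}

@dataclass(frozen=True)
class Combo:
    name: str
    requires: frozenset  # every tag must be present on the same host
    severity: str

# The pattern quoted in the feature list; tag names are hypothetical.
COMBOS = [
    Combo("telnet+http_admin+snmp",
          frozenset({"telnet", "http_admin", "snmp_exposed"}), "critical"),
]

def worst(levels):
    """Return the highest severity in levels, or 'info' when there are none."""
    return max(levels, key=SEVERITIES.index, default="info")

def assess(host, exposures):
    """Score one host: individual findings plus any fully matched combination."""
    tags = set(exposures)
    matched = [c for c in COMBOS if c.requires <= tags]
    levels = [SINGLE.get(t, "info") for t in tags] + [c.severity for c in matched]
    return {"host": host, "severity": worst(levels), "combos": [c.name for c in matched]}

# Constructed inventory (documentation address range), not real scan output.
FLEET = {
    "192.0.2.10": ["telnet", "http_admin", "snmp_exposed"],
    "192.0.2.11": ["http_admin", "snmp_exposed"],
    "192.0.2.12": ["ssh"],
}

def assess_fleet(fleet):
    """Assess every host and return the results sorted worst-first."""
    results = [assess(h, e) for h, e in fleet.items()]
    return sorted(results, key=lambda r: SEVERITIES.index(r["severity"]), reverse=True)

if __name__ == "__main__":
    for result in assess_fleet(FLEET):
        print(result)
```
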
v4 — Device Intelligence Platform
- 40 vendor adapters across 6 infrastructure domains:
  - Network (8): Cisco IOS/NX-OS/ASA, Arista EOS, Juniper Junos, Fortinet FortiGate, Palo Alto PAN-OS, Aruba CX, Brocade FabricOS, HPE ProCurve
  - Servers (6): Dell iDRAC, HPE iLO, Lenovo XClarity, Supermicro IPMI, Cisco UCS, IBM Power HMC
  - Storage (9): NetApp ONTAP, Pure Storage, Synology DSM, Dell EMC Unity + PowerStore, HPE Primera/3PAR + Nimble, IBM FlashSystem, Hitachi VSP
  - Virtualization (5): VMware vCenter, Nutanix Prism, Hyper-V, Proxmox VE, Citrix Hypervisor
  - Cloud (6): AWS, Azure, GCP, Kubernetes, OCI, Cloudflare
  - Backup (6): Veeam, Rubrik, Cohesity, Commvault, Veritas NetBackup, Acronis Cyber Protect
- Universal asset schema — every vendor's wildly different data normalized to one shape
- Cross-domain correlation engine — VM → host → datastore → array → backup chains
- 10 platform-wide reports — lifecycle, security posture, capacity, backup compliance, vendor inventory, EOL/EOS, health summary, risk register, cloud exposure, executive overview
v5 — Policy Intelligence Engine
- 22 atomic security controls + 10 starter templates (network hardening, firewall baseline, server hardening, cloud security, zero trust, etc.)
- Plain-English → policy via the AI interpreter (BYO-AI: OpenAI, Anthropic, or local Ollama). Offline keyword matcher always runs as a safety net so the AI can ADD controls but never drop one.
- 12 multi-vendor config translators generate fix / rollback / verify commands per asset
- 7 export formats: Ansible, Terraform, PowerShell, Bash, Markdown, PDF, raw configs
- Continuous compliance + drift detection + risk-acceptance exception workflow
- GitOps for policies — `safecadence policy git-sync git@github.com:org/policies.git`
- Compliance attestation reports — auditor-ready: NIST 800-53, CIS, PCI-DSS, HIPAA, ISO 27001
- What-if simulator, CVE-driven auto-policies, shadow-IT detection, policy testing harness, multi-environment variants, violation webhooks
- NEVER executes commands. Generated configs are exported for your existing change-management process (Ansible, Terraform, your runbook).
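One way to get the "AI can add controls but never drop one" property described in the list above, as an added example (not the project's own interpreter): the final policy is the union of a deterministic offline keyword match and the validated AI output. The control IDs, regex triggers and AI reply are hypothetical. The request text mirrors the `policy interpret` example in the 60-second tour.

```python
import re

# Hypothetical control IDs and trigger patterns; the project's real catalog
# is not shown on the page.
KEYWORD_RULES = {
    "disable_telnet": r"\btelnet\b",
    "enforce_sshv2": r"\bssh\s*v?2\b",
    "require_aaa": r"\b(aaa|tacacs)\b",
    "enable_ntp": r"\bntp\b",
    "enforce_snmpv3": r"\bsnmp\s*v?3\b",
    "remote_logging": r"\blogs?\b|\bsyslog\b",
    "restrict_mgmt": r"\b(mgmt|management)\b",
}
KNOWN_CONTROLS = set(KEYWORD_RULES) | {"banner_login"}  # assumed extra control

def keyword_match(text):
    """Offline matcher: deterministic, needs no network access or API key."""
    return {cid for cid, pat in KEYWORD_RULES.items() if re.search(pat, text, re.I)}

def merge(text, ai_controls):
    """Union the offline baseline with AI output so the AI can add, never drop."""
    baseline = keyword_match(text)
    proposed = set(ai_controls or [])            # None means the AI call failed
    unknown = proposed - KNOWN_CONTROLS          # IDs outside the catalog are rejected
    added = (proposed & KNOWN_CONTROLS) - baseline
    return {
        "controls": sorted(baseline | added),
        "added_by_ai": sorted(added),
        "omitted_by_ai": sorted(baseline - proposed),  # kept in the policy anyway
        "rejected": sorted(unknown),
    }

REQUEST = ("Disable Telnet, enforce SSHv2, require AAA/TACACS to 10.10.10.5, "
           "enable NTP, enforce SNMPv3, send logs to 10.10.10.50, "
           "restrict mgmt to 10.10.10.0/24")

# Constructed AI reply: omits two requested controls, adds one, invents one.
AI_REPLY = ["disable_telnet", "enforce_sshv2", "require_aaa", "enable_ntp",
            "restrict_mgmt", "banner_login", "quantum_firewall"]

if __name__ == "__main__":
    for key, value in merge(REQUEST, AI_REPLY).items():
        print(f"{key}: {value}")
```

Logging `omitted_by_ai` and `rejected` gives a reviewer a record of where the model diverged from the deterministic baseline.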
Three install paths
| Method | Best for | One-liner |
|---|---|---|
| Anyone | Don't want to think about it | curl -fsSL https://safecadence.com/install.sh | bash |
| Python users | Devs, sysadmins with Python on PATH | pipx install safecadence-netrisk |
| Container/k8s | Non-Python, ops, CI/CD | docker run -p 8765:8765 -v sc-data:/data fkarim1/netrisk:latest ui --host 0.0.0.0 |
Then open http://127.0.0.1:8765 and the sidebar will show three sections:
Audit (v2) · Platform (v4) · Policy (v5).
Cross-platform: macOS (Intel + Apple Silicon), Linux (any glibc/musl distro), Windows via WSL or Git-Bash; physical or virtual.
60-second tour
# v2: discover every device on your LAN
safecadence discover 192.168.1.0/24
# v2: audit a config file
safecadence scan ~/configs/router.txt --html report.html
# v5: list the 10 built-in policy templates
safecadence policy templates
# v5: turn plain English into a policy (with BYO-AI if a key is set)
safecadence policy interpret --ai \
"Disable Telnet, enforce SSHv2, require AAA/TACACS to 10.10.10.5,
enable NTP, enforce SNMPv3, send logs to 10.10.10.50,
restrict mgmt to 10.10.10.0/24"
# v5: evaluate a saved policy against your collected fleet
safecadence policy evaluate <policy_id>
# v5: generate the fix as an Ansible playbook
safecadence policy export <policy_id> --format ansible --out fix.yml
# Open the unified web UI (Audit + Platform + Policy in one sidebar)
safecadence ui
Why this exists
Network configuration auditors — AlgoSec, Tufin, FireMon, Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, Wiz, NetBrain, Itential — share three properties: they cost upwards of $50,000/year per license, they take 1-2 weeks of professional services to deploy, and they want your configuration data flowing through their cloud.
For 90% of the value those tools deliver, the architecture is overkill. Most audits flag the same handful of things every time: any/any firewall rules, missing logging, default SNMP communities, telnet still enabled, OSes years past end-of-life, no backup immutability, public S3 buckets, wildcard IAM. These are pattern-matchable from already-collected device state. They do not need a SaaS backend or a $50,000 license.
safecadence-netrisk is the open-source version. It's MIT-licensed. It runs 100% on the operator's machine. It supports 40 vendors out of the box, across 6 infrastructure domains. It's installable with one command. There is no telemetry, no cloud sync, no signup. And it does things the commercial tools don't — toxic combinations, AI policy interpretation, multi-vendor remediation generation, GitOps for security policy.
How it compares
| Capability | safecadence-netrisk v5.x | Tenable Nessus | Qualys VMDR | Wiz | NetBrain | AlgoSec |
|---|---|---|---|---|---|---|
| Multi-domain inventory (network/server/storage/virt/cloud/backup) | ✅ 40 adapters / 6 domains | partial | partial | cloud-only | network-only | network-only |
| Cross-domain correlation (VM→host→array→backup) | ✅ | ❌ | ❌ | partial | partial | ❌ |
| Plain-English → policy (AI) | ✅ BYO-AI | ❌ | ❌ | ❌ | partial | ❌ |
| Multi-vendor config remediation generation | ✅ 12 translators | ❌ | ❌ | ❌ | ✅ | partial |
| Export: Ansible / Terraform / PowerShell / Bash / MD / PDF | ✅ all 7 | ❌ | ❌ | ❌ | ❌ | ❌ |
| GitOps for security policies | ✅ policy git-sync | ❌ | ❌ | ❌ | ❌ | ❌ |
| What-if policy simulator | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| CVE matching per device (KEV-prioritized) | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Toxic-combination detection | ✅ 10+ patterns | ❌ | ❌ | partial | ❌ | ❌ |
| Compliance packs (SOC 2/PCI/HIPAA/NIST/CIS/ISO) | ✅ all six | ✅ | ✅ | ✅ | partial | ✅ |
| Continuous monitoring + alerts | ✅ Slack/Teams/Email/webhook | ✅ | ✅ | ✅ | ✅ | ✅ |
| 100% local, no SaaS | ✅ | ❌ | ❌ | ❌ | partial | partial |
| Docker container (multi-arch) | ✅ amd64 + arm64 | ❌ | ❌ | ❌ | ❌ | ❌ |
| Price | Free, MIT-licensed | $3,990/yr | $2,800+/yr | $25k+/yr | $50k+/yr | $50k+/yr |
Documentation
| Topic | Where |
|---|---|
| CLI commands | safecadence --help (v2 audit + v5 safecadence policy ... subcommands) |
| API endpoints | http://127.0.0.1:8765/api/docs (after safecadence ui) |
| Local UI tabs | Run safecadence ui — sidebar shows all three eras |
| Policy templates | safecadence policy templates — or read src/safecadence/policy/templates/*.yaml |
| Policy controls | safecadence policy controls — 22 controls + their framework mappings |
| Custom controls | Drop YAML in ~/.safecadence/custom_controls/ — auto-loaded |
| Compliance attestation | safecadence policy ... then /api/policy/<id>/attestation?format=markdown |
| Architecture (platform) | docs/PLATFORM_ARCHITECTURE.md |
Architecture
safecadence-netrisk/
├── core/ v2 vendor adapter framework, registry, schema
├── adapters/ v2 audit adapters (config-file based)
├── engines/ v2 audit rule engine (regex + absent + custom)
├── discovery/ v2 LAN scan (ARP/mDNS/TCP/SNMP/OUI/CVE/AI)
├── enrichment/ CVE + EOL data refreshers
├── reports/ HTML / Markdown / JSON / DOCX / PDF renderers
├── ai/ Provider-agnostic LLM client (OpenAI / Anthropic / Ollama)
├── platform/ v4 Device Intelligence Platform
│ ├── schema.py UnifiedAsset (12 dataclasses)
│ ├── adapter_base.py BaseAdapter + registry
│ ├── connection_manager.py
│ ├── credential_vault.py Fernet-encrypted multi-vendor creds
│ ├── health_scoring.py 4-dim score + grade A-F
│ ├── correlation.py Cross-domain dependency walker
│ └── adapters/ 40 vendor adapters across 6 domains
├── policy/ v5 Policy Intelligence Engine
│ ├── schema.py SecurityPolicy / Control / Violation / Plan
│ ├── controls/ 22 atomic security controls
│ ├── templates/ 10 starter policy templates (YAML)
│ ├── frameworks/ NIST/CIS/PCI/HIPAA/ISO mappings
│ ├── translators/ 12 vendor → config translators
│ ├── exporters/ 7 output formats
│ ├── interpreter.py Plain-English → policy (BYO-AI)
│ ├── evaluator.py Run policy vs fleet
│ ├── drift.py Regression detection
│ ├── remediation.py Per-asset fix plan
│ ├── simulator.py What-if rollout preview
│ ├── attestation.py Auditor-ready evidence packs
│ ├── git_sync.py Pull policies from a git repo
│ ├── exceptions.py Risk-acceptance with auto-expiry
│ ├── cve_policies.py Auto-generate from active CVEs
│ ├── webhooks.py Splunk/Sentinel/Slack on violation
│ ├── shadow_it.py Assets covered by no policy
│ ├── testing.py Unit-test policies against fixtures
│ ├── audit.py Append-only JSONL audit log
│ └── store.py Local JSON store
├── server/ FastAPI server-mode API (multi-user, JWT)
├── ui/ Local single-user UI (`safecadence ui`)
│ ├── app.py 40+ endpoints incl. /api/platform/* + /api/policy/*
│ ├── templates/index.html Sidebar with Audit · Platform · Policy
│ ├── platform_ui.py 9-tab platform dashboard
│ └── policy_ui.py 7-tab policy dashboard
├── storage/ SQLite + SQLAlchemy backends
├── security/ Encrypted vault for credentials
├── cli.py v2 CLI commands
└── cli_policy.py v5 `safecadence policy ...` subcommands
Need help running it?
SafeCadence offers fixed-scope remediation engagements. We use the same open-source engine you ran. The tool is and will stay free + MIT — our only revenue is doing the remediation work.
Contributing
PRs welcome — especially:
- New vendor adapters for the v4 platform (clone the closest match in src/safecadence/platform/adapters/ and submit). 13 adapters in v5.0 are flagged as beta and need real-hardware validation.
- New vendor translators for v5 policy remediation (Cisco SD-WAN / Meraki / Mist / MikroTik / Ubiquiti are next).
- Additional policy controls — drop a YAML in ~/.safecadence/custom_controls/, contribute upstream once it's proven.
- Audit rules for the v2 layer (drop YAML in src/safecadence/data/rules/).
- Compliance framework mappings — add to src/safecadence/policy/frameworks/mappings.yaml.
- Policy templates — add a YAML in src/safecadence/policy/templates/.
License
MIT — see LICENSE.
File details
Details for the file safecadence_netrisk-7.0.0.tar.gz.
File metadata
- Download URL: safecadence_netrisk-7.0.0.tar.gz
- Upload date:
- Size: 512.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File details
Details for the file safecadence_netrisk-7.0.0-py3-none-any.whl.
File metadata
- Download URL: safecadence_netrisk-7.0.0-py3-none-any.whl
- Upload date:
- Size: 587.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6