Features

The full posture toolkit —
free, and fully unlocked.

Per-product monitors, severity-ranked findings with built-in fix guidance, remediation milestones, compliance coverage and sign-off, tamper-evident evidence packs, and a shareable trust page — wired into the products you already use today. Dark-web monitoring, breach-corpus checks, scam detection, and vendor verification are rolling out next.

01

Cross-Product Monitoring

Watch every product you use from one console.

Per-product monitors

Dedicated scanners for each product (CRM, Books, HR, Desk, Sign, Field, SE, Hosting) tuned to that product's data model.

Abuse & abnormality detection

Flag waste, fraud, unusual access patterns, and policy drift across your whole account — surfaced with full context.

Severity rollups

Per-severity distribution and a worst-of indicator per product, so you triage the loudest signal first.

Finding age you can trust

Every weakness is dated from the moment we first saw it, recorded in a first-seen ledger — so age buckets, SLA clocks, escalation, and POA&M "Identified" dates reflect real elapsed time, not the last scan. A finding open for 60 days reads as 60 days old and lands in the stale bucket, instead of resetting to "this week" on every run. Aged findings surface automatically so nothing rots in the queue.

02

Account Takeover Defense

Catch credential exposure and identity attacks before they land.

Dark-web monitoringRolling out

Will continuously scan leak databases and dark-web markets for any email tied to your company, leaked employee credentials, or exposed API keys. Until the feed is connected, the dashboard reports this source as not connected — never a false all-clear.

Breached-password detectionRolling out

Live today: check any candidate password against the Have I Been Pwned corpus from the Policy Checker — k-anonymity, so the password itself never leaves our server, and it's never stored. Automatic team-wide credential monitoring with forced-rotation prompts is rolling out; your account email is checked against breach corpora once the HIBP intel key is configured, and shows as a not-connected source until then.

Impossible-travel watchRolling out

Will detect when the same user logs in from two distant locations in an implausible window — across every product in one stream. Reports as a not-connected source until login-location telemetry is wired.

MFA & admin gaps

Live today: every scan checks your account owner login — the most privileged identity on your account — and raises a finding when it has no verified multi-factor method enrolled. Stale offboarded users and periodic privileged-access reviews are rolling out next.

03

Financial Fraud Watch

Billing-integrity checks today — Plaid-powered transaction anomaly detection rolling out.

Bank anomaly detectionRolling out

Books already syncs your bank via Plaid. Security will audit the same stream for unusual amounts, off-hours transfers, and new-payee risks. Billing-integrity checks on your subscriptions (past-due, unpaid, unexpected cancellations) are live today; transaction anomaly detection reports as not connected until wired.

Vendor-payment fraudRolling out

Will catch spoofed-vendor patterns, sudden bank-routing changes, and invoices that don't match historical fingerprints — before they're paid. Reports as a not-connected source until the verification feed is wired.

Payroll fraud signalsRolling out

Will watch HR + Books together for ghost employees, double-payments, off-cycle bonuses, and payroll-account redirects. Fraud-risk signals from your HR profile are live today; the cross-product payroll correlation is rolling out.

AES-256-GCM at rest

Banking tokens encrypted at rest with a one-way key commitment. Rotation is intentional — never accidental.

04

Identity, Vendor & Scam Defense

Protect the people, vendors, and inbound channels your business depends on.

Customer PII leak monitorRolling out

Will watch leak feeds for any customer email/phone in CRM and notify your team — and optionally the customer — when something appears. Reports as a not-connected source until the leak feed is wired.

Inbound scam detectionRolling out

Will score Desk inbound mail and Sign contract requests for phishing, vendor-impersonation, and bank-routing-change scams before you reply. Reports as a not-connected source until the intel feed is wired.

Vendor identity verificationRolling out

Will cross-check vendors in Books against business registries and known-fraud databases — new vendor + unusual amount = automatic hold. Reports as a not-connected source until the verification provider is wired.

Brand & domain protectionRolling out

Will watch for lookalike domains, leaked corporate email accounts, and social-handle squatting that targets your business identity. Reports as a not-connected source until the intel feed is wired.

05

Alerts, Posture & Compliance

Calm communication, audit-ready posture, and trust by default.

Compliance framework coverage

Your latest scan, mapped to cross-framework control areas — Access Control, Change Management & Audit Logging, Data Protection, Vendor & Supply-Chain, Account & Billing Integrity, and Identity & Credential Hygiene (CIS Controls v8 · OWASP · NIST CSF). Each area shows whether an active monitor on your subscribed products covers it, how many open findings touch it, and an at-a-glance status (Clear / Findings open / Source not connected) — so you can answer an assessor's "show me your coverage of access-control controls" instead of just "we have 3 criticals." The control-area roll-up travels with the JSON evidence pack. A deterministic self-assessment of your own scan — not a certification or audit.

Compliance control-area sign-off

Mark each CIS/OWASP/NIST CSF control area Reviewed or Accept-risk with an optional dated note — and it persists. The attestation stops evaporating on refresh and travels into every artifact: your JSON evidence pack, POA&M export, and branded posture report each carry a dated "Access Control reviewed on 2026-07-09" line per area, so you hand an assessor a record of what you actually reviewed, not just a live scan. Owner-scoped and one mark per area, with a one-click Clear to change your mind. Self-assessment, not a certification.

Critical email digests

Severity-gated emails for criticals only. Idempotent — you never get the same alert twice for the same finding.

Notification routing & preferences

Route alerts to your security inbox, set the severity that pages you, and silence off-hours noise. Add extra recipients (CC'd alongside your account email — your address is always included and can never be removed), lower the floor to warning-and-above, and configure a UTC quiet-hours window so off-shift sends are held until the next scan outside the window rather than dropped permanently. Your email channel, your audience, your threshold.

Security posture score

One risk-weighted 0–100 number, captured daily, so you can prove week over week whether you're getting safer. Spot regressions before customers do — watch the slope, not the absolute.

Time-to-breach countdown

See what's about to breach — before it does. For every open finding we project its age against the SLA window you configured and show the days remaining before it crosses the line, with an "Approaching SLA breach" panel that lists the findings closest to breaching first. This turns the SLA from a rear-view mirror ("you missed it") into an early-warning system ("fix this in the next two days to stay inside your window"). Pure computation over data you already have — your finding age and your own configured windows; your targets, not a guarantee or certification.

Weekly posture report

A plain-English email recap of your security score trend, what opened and closed this week, and your oldest unresolved critical — so a quietly degrading posture reaches you proactively instead of waiting for your next login. Reuses your notification routing (extra recipients, quiet hours); on by default, one click to opt out in Settings.

What changed since your last scan

The itemized delta behind every posture movement. Each scan records the exact set of findings it surfaced, so we tell you precisely what appeared and what cleared since your prior scan — a cleared critical reads loud, carrying its last-seen severity, while unchanged findings are a count only. Scheduled scans update it too, so a returning customer sees what moved while they were away, not just since their last visit. The appeared/cleared deltas land on the finding audit trail and travel with the CSV and JSON evidence export. Observed change tracking between your own scans — not an SLA or certification.

Scan history

See every scan that ran, when it ran, and how your finding counts moved scan-over-scan — so a stalled scheduled scan can never hide. A read-only activity log of your most-recent scans, newest first, with a prominent "Last scan" timestamp and per-scan critical / warning / info counts carrying delta arrows against the immediately-prior scan. Where the posture score is one daily number and the last-scan diff is the two most-recent runs, this is the full per-scan cadence — proof your scheduled scans are actually firing. Observed history on your own scans, not an SLA or certification.

Recurring-finding watch

A finding that clears and then comes back on its own — across scans — is flagged Recurring with the number of times it has reappeared, so an unstable control that looks healthy on any single scan can't hide between scans. Distinct from a regression (a fix you marked Resolved that broke): this is a condition that flickers seen → cleared → seen on its own. The appearance count travels with the finding and into the JSON evidence pack. Observed scan-to-scan behavior on your own history, not an SLA or certification.

Close the loop

Mark findings Resolved with a remediation note — and if a resolved finding reappears on a later scan it automatically reopens, flagged as a regression so a failed fix can't masquerade as closed. Export the full open → resolved → reopened trail for auditors — every closed finding carries its resolved-on date and the exact remediation note you typed, right in the CSV and JSON.

Remediation due dates

Set a target fix-by date on any individual finding — a 30-day vendor-coordinated fix and a same-day patch no longer share one global clock. The moment a target slips, the finding is flagged Overdue and escalated ahead of the age threshold; future-dated findings show Due in N days. It's a target you control for your own remediation workflow, not an SLA or certification.

Configurable severity SLA thresholds

Set the escalation windows that match your own compliance commitments — 2 days for criticals, 30 for warnings, whatever your policy requires. When the table is absent, the engine falls back to the built-in defaults (7d critical / 14d warning) with no behavior change for existing installs. Your SLA, not ours.

Remediation velocity

Mean time-to-remediate by severity, plus your SLA-breach rate — computed from your own finding history (first detected → resolved), so you can prove your remediation process is actually getting faster, not just hope it is. Each row carries its sample size (how many findings closed in the window) so the mean is honest, and a breach is judged against the very SLA window you configured. Observed workflow metrics on your own data — not an SLA guarantee, certification, or attestation of compliance.

Finding ownership

Name an owner on any finding — a person, an email, or a team — so nothing sits in the "we saw it, nobody fixed it" gap. Assignments show as an owner badge on the card, write a dated entry to the finding's audit trail, and travel with the CSV and JSON evidence exports. Internal accountability tracking, not a user account or RBAC grant.

Working notes on a finding

Leave a free-text note on any finding without touching its status — "left a voicemail with the vendor", "waiting on IT to schedule the window", "third time this quarter". Each note lands on the finding's audit trail in chronological order, so the remediation conversation stays on the record and the finding's full history reads as one timeline — and it travels with the CSV and JSON evidence exports. Your own operational note-taking; notes are append-only, so they stay on the record.

Saved finding views

Filter the findings list by severity, product, category, owner, due date, or free-text search, then save the slices you actually work from — "My overdue criticals", "Unowned on hosting" — as one-click views you reload on every visit. Built-in presets (All open, Critical, Overdue, Unowned) work out of the box; your own views are scoped to your account. Workflow tooling for working the queue, not a compliance report.

Bulk finding actions

Filter to the slice you care about, select all (or pick the ones you want), and acknowledge, resolve, mute, assign an owner, or set a due date across the whole set in one click — no more O(n) clicking through a noisy scan. Each finding still gets its own state change and its own dated audit-trail entry, so the per-finding evidence record stays exact; a failure on one finding never aborts the batch. Workflow accelerator for clearing the queue, not an SLA or compliance control.

Accept-risk mute

Silence a reviewed finding for 30 or 90 days — or indefinitely — with a reason on the record. It stops nagging your inbox and escalation queue and drops out of the open count; it stays in the Muted list and the evidence export. When the timer expires it returns automatically.

Exportable evidence pack

Download every finding as CSV or a timestamped JSON evidence pack, with age, acknowledgement, and full resolution evidence — resolved-on timestamp and remediation note for every closed finding — the moment an auditor asks. One-click POA&M export: turn every open finding into an assessor-ready Plan of Action & Milestones row — control reference, owner, fix-by date, and status. And your POA&M now ships with real milestones: attach dated, staged remediation steps to any finding ("Rotate exposed key — 2026-07-20; Enforce MFA — 2026-08-05 [done]") and they populate the "Milestones with Completion Dates" column your CMMC/NIST 800-171 assessor expects — not just a single lump due date — and thread into the JSON evidence pack per finding. A self-assessment aid that helps you populate your POA&M, not a certification.

Tamper-evident evidence packs

Every export carries a self-verifiable SHA-256 checksum and manifest, so whoever receives your pack can confirm it's intact and unaltered. The JSON evidence pack embeds an integrity block — the algorithm, the checksum, and a manifest echoing what it covers — computed with a documented, reproducible canonicalization over the pack itself; the branded posture report prints the same value in its footer, and the download returns it as a response header. A recipient (prime, insurer, or assessor) recomputes it with nothing but standard tools to prove the artifact matches what the tool emitted — a truncated download, a stray edit, or a re-saved-and-mangled file flips it to fail. A content integrity check over your own output, not a signature, certification, or third-party seal.

Built-in remediation guidance

Every finding now ships with a recommended fix — a clear, deterministic corrective action (and, for the big ones, ordered steps) right on the finding card, so a weakness never just tells you what's wrong without telling you what to do about it. The same guidance auto-fills the "Remediation Plan / Comments" column of your assessor-ready POA&M export, so a fresh open finding never hands an auditor a blank corrective-action cell — while your own resolution or accept-risk note always takes precedence when you've written one. The guidance also travels with the JSON evidence pack. Pure, offline, and rule-mapped — no AI call, no rate limit, no waiting. A recommended corrective action on your own scan output, not a certification.

On-demand branded posture report

Download a branded, assessor-ready security posture report in one click — hand your primes, insurers, and clients a real document, not a spreadsheet. A single self-contained page composes everything the product already computes: posture score and week-over-week trend, severity distribution and worst product, remediation velocity (MTTR and SLA-breach by severity), compliance control-area coverage (CIS · OWASP · NIST CSF), and finding age with the oldest open critical called out. Print-styled for a clean browser save-to-PDF, scoped to your account only, and carrying the standing self-assessment disclaimer — a deterministic summary of your own scan, not a certification or audit.

Shareable trust page + badge

Prove you're secure without emailing spreadsheets. Publish a live, always-current summary of your security posture at a shareable public link — overall score, severity counts, compliance-coverage %, and last-scanned date — and drop an embeddable badge on your own site. Pick exactly which summary cards are visible, rotate or revoke the link anytime, and rest easy that only aggregate summary data is ever exposed: no finding details, systems, or remediation steps leave your account. Self-attested posture from your own scan — clearly labeled as such, not a certification or audit. Free, in the self-serve tier.

Reliable webhook delivery

Push new findings to any HTTP endpoint — Slack, PagerDuty, a ticketing system, or your own service. Each delivery is HMAC-SHA-256 signed so you can verify it before processing. Configure a severity floor (criticals only, warnings and above, or all) per endpoint. Failed alert deliveries are automatically retried on subsequent scans (bounded, with backoff) so a broken Slack/PagerDuty endpoint never silently swallows a critical, and a per-endpoint delivery log shows every attempt — status, time, and retry number — not just the last one.

AI policy assistant

Anthropic Claude-powered assistant helps you draft and tune security policies in your own words.

Persisted AI security briefing

The Claude-powered analysis that reads across your products — cross-product correlation, predicted emerging risks, and plain-language recommendations — is now on the record instead of vanishing on refresh. Every generated briefing is dated and saved: the panel shows when it was generated and a Previous analysis view of the last one (no new AI call), so you can see how the risk read is trending. The latest briefing threads into your JSON evidence pack and branded posture report, carrying its own self-assessment disclaimer, so the narrative you read at 9am is the same one you hand an auditor, prime, or insurer at noon. Self-assessment aid, not a certification.

Platform

The boring foundations done right.

Scheduled scans

Scans run on a schedule for every account. The pipeline batches work per account and never wastes a cycle.

Free, fully unlocked

No plan to pick, no card to enter. Every feature is available the moment you sign in — nothing is gated.

Org-isolated by default

Per-account scoping enforced server-side. You only ever see your own projects and workspaces.

Sentry-aware errors

Failure paths route through a Sentry-aware investigate helper. Errors are visible, never swallowed.

Boot-time env validation

Refuses to start in production with placeholder secrets. Misconfiguration fails loudly, not silently.

Free for everyone — every feature, no subscription.

Security is free on its own and free alongside the rest of the suite (CRM, Books, HR, Desk, Sign, Field, SE, or Hosting). No tiers, no per-seat tax, no card — just sign in.