We believe a security platform should be honest about what it does today. This page is the
single source of truth for what is live in production, what you can explore as a
sandbox demo, what is in development, and what is planned.
Marketing pages describe our direction; this page describes today.
Last reviewed: 2026-07-06 · Stage A production-reality alignment
Production-readySandbox demoIn developmentPlanned
How to read this: "Production-ready" means it runs in our production deployment on live
tenant data. "Sandbox demo" means the interface is real but shows clearly-labelled synthetic data for
evaluation. "In development" means the capability is built in our codebase but is not yet enabled or
verified in production. "Planned" means it is on the roadmap and not yet implemented.
Production-ready
Multi-Factor Authentication (TOTP)
Real encrypted TOTP MFA with backup codes, enforced at login. Currently per-user opt-in (org-wide enforcement policy is on the roadmap).
Role-Based Access Control
Server-side RBAC with wildcard permissions, enforced on protected routes.
Read-only Sandbox / Early Access
Server-enforced read-only mode for early-access roles, with hash-chained audit logging of blocked mutations.
Executive Report Generation
Generates board-ready reports from real tenant data and persists each run. Empty tenants fall back to clearly-labelled sandbox data.
Sandbox demo
AI SOC Analyst (autonomous investigation)
Implemented with a real LLM agent, but running in a service that is not yet in the production deployment. In-product views show clearly-labelled sandbox activity.
Detection Engine
Detection rules (impossible travel, privilege escalation, and more) run in the pipeline service that is not yet deployed. Figures shown in-product are synthetic.
Threat Intelligence
Threat-intel feeds (OTX, Abuse.ch) are real but run in a service not yet deployed; matching is IP-only today.
Compliance Dashboard
Compliance scoring is a posture-derived model and ISO/SOC 2 mapping is heuristic — it is not a certified audit. Some report attestations are not yet live-verified.
In development
AI Security Assistant
Uses a real model with read-only tools; not yet wired into the customer production path, and it cannot take actions.
AI Alert Triage
Triage currently uses deterministic risk scoring (asset criticality, IOC, behavior), not model-based classification.
Cloud Connectors — AWS, Microsoft 365, Google Workspace
Collectors perform real OAuth/SDK authentication and data pulls, but are not yet enabled in the production ingestion pipeline.
Event Pipeline (ingest → normalize → correlate)
The OCSF pipeline is built end-to-end in services not yet in the production deployment.
Response Automation (lock user / revoke session / block IP)
Actions are built against real provider APIs, but are not enabled for autonomous execution in production, and rollback does not yet exist.
SSO / SAML
SAML is implemented but not production-verified end-to-end. Use email sign-in with MFA until SSO is enabled. OIDC is not yet available.
Tamper-Evident Audit Log
A hash-chained audit log exists for auth, billing, and early-access events; a parallel path and response-action auditing are being consolidated onto the chain.
PDF Export
Report export currently uses the browser print dialog. Server-side PDF generation is not yet implemented.
Planned
GitHub connector
No GitHub audit-log integration exists yet.
Cloudflare pull & Slack audit ingest
Cloudflare is webhook-push-only and Slack is outbound alerting only today; audit-log ingestion for both is planned.
Autonomous, org-enforced response & rollback
Approval-gated autonomous response with reversible rollback and org-wide MFA enforcement are planned hardening milestones.