From endpoint, browser and directory signals into one identity graph · then into risk decisions and cost decisions. The whole architecture in 30 seconds.
Diagram
The architecture at a glance
Three observers feed one identity graph. Two modules consume it. One policy layer runs the rules.
Policy & Governance
Capture
Correlate
Decide
Recent app launches
Slack14m ago
ChatGPT22m ago
Photoshop1h ago
Sign-in source
Corporate (SSO confirmed)68%
Personal24%
Unknown8%
AD sync status
DC-HQ-01just now
DC-IST-022m ago
DC-ANK-013m ago
Identity-centric inventory
Users · Devices · SaaS
One source of truth
CenseRisk
Risk score · 78
Drift +23% / 12w
5 critical SaaS
CenseCost
18 idle seats
Renewal · 9 days
$4.2k waste / mo
Where the signals come from
Three signals, one identity.
Each observer sees a different slice of reality. None is enough alone. Together they're a real inventory · not a guess.
Endpoint signals
A Windows endpoint agent watches what your users actually run. Optionally serves as the in-network AD reader.
Recent app launches
Slack14m ago
ChatGPT22m ago
Photoshop1h ago
What it sees
Foreground applications and processes
Device trust (Managed · Registered · Unmanaged)
AD lastLogon and group membership in leader mode
What it never touches
Screen content or screenshots
Keyboard input
File contents
Browser signals
A browser extension watches authenticated SaaS usage and how users sign in. It observes URL navigation events only · never page content.
Sign-in source
Corporate (SSO confirmed)68%
Personal24%
Unknown8%
What it sees
Domain of the active tab
SSO redirect host (Corporate vs Personal)
OAuth grant requests
What it never touches
Page DOM content
Email addresses or form data
Passwords or session cookies
Directory signals
An Active Directory / LDAP read-only connector runs inside your network on a managed endpoint · never as a separate connector server.
AD sync status
DC-HQ-01just now
DC-IST-022m ago
DC-ANK-013m ago
What it sees
lastLogon across every domain controller (MAX)
Account disabled state and creation time
Group membership for user lifecycle
What it never touches
Passwords or password hashes
Write to the directory · read-only
Leave your network perimeter
Connected systems
Five system classes, real depth on each.
Rather than a long list of integrations, we provide measurable depth across the five system classes that close the loop: identity, endpoint, SaaS, AI and compliance. For each class, our scope is committed in writing.
Identity & Directory
3 GA · 3 roadmap
ADLDAPEntraOkta
read-only · in-network
Endpoint & Browser
1 GA · 2 review · 1 roadmap
WinChromeEdgemacOS
telemetry · no MITM
CenseCloud
Identity-centric inventory
SaaS & OAuth
2 GA · 2 roadmap
M365Catalog 100+GWSSlack
oauth scoped · url events
AI & Models
4 GA
ChatGPTClaudeGeminiCopilot
guardrail ladder
Compliance Frameworks
4 GA
KVKKGDPRISO27001NIST
framework export
GA = generally available · Review = store review pending · Roadmap = planned, no commitment. We don't market what we haven't shipped.
The decision layer
From signals to action.
Once the inventory is real, the decisions are too. Risk, policy, lifecycle and governance run on the same source of truth.
Risk scoring
Each SaaS is scored across three independent layers; overall risk is the highest layer. Not a black-box score · a defensible number.
Six action types from soft tuning to hard block. Enforcement happens at the endpoint · content is never stored.
Risk Whitelist · Severity Override
Block Access · Paste · Upload · Download
Coaching: paste/upload pass with a justification
Corporate (SSO-confirmed) accounts exempt by default
Policy Simulator + Block Activity log
Soft ─ Hard
1Risk Whitelist
2Severity override
3Coach (with justify)
4Block paste
5Block upload
6Block access · download
Lifecycle
Joiner-mover-leaver signals from AD. Each category ships with a concrete IT action · including a ready mailto template.
Deprovisioned (AD-disabled)
Dormant (90+ days silent in AD)
Stale (30–90 days silent)
Orphan · Unverified (AD mismatch)
Coverage gap: agent lost · extension lost · both lost
Days silent in AD · lastLogon MAX
Active
0–30d
Stale
30–90d
Dormant
90–180d
Deprovisioned
180d+
Orphan
—
Governance
Three governance modes, six capabilities, tenant isolation. Your org's structure modelled, not forced.
Global super · Modular super · Single-module super
Six capabilities: system · users · policy · inventory · device · command
Every request resolves tenant from the auth context
Audit trail: login · policy · enforcement · OAuth
RBAC: admin · auditor · analyst · viewer
RBAC · 4 roles × 6 capabilities
SysUsersPolicyInvDevCmd
Admin
Analyst
Auditor
Viewer
writereadnone
Architecture & deployment
Boundary control, by architecture.
Four architectural commitments that show up in every deployment · not features you have to switch on.
In-network AD reader
The Active Directory / LDAP connector runs in leader mode on a managed endpoint inside your network. No separate connector server, no RSAT requirement, Kerberos pass-through by default. Multi-DC federation reads every domain controller and takes the most recent lastLogon, so the 9–14 day replication delay never lies about who's still active.
AD/LDAP topology
Your network
Managed endpoint
DC-* read-only
Never leaves perimeter
No proxy · No MITM · No prod-server agents
We do not sit in your traffic path. The endpoint agent runs on end-user devices only · never on production servers, databases or domain controllers. Your network topology doesn't change to deploy CenseCloud.
Traffic flow · no MITM
User
SaaS
CenseCloud · telemetry only
✓ Off the data path
KVKK-first, by architecture
The browser extension uses URL navigation events only · no DOM scraping, no email parsing, no form data. OAuth tokens are encrypted with tenant-specific AES-256-GCM keys. The product is bilingual (TR + EN) end-to-end. KVKK is a dedicated risk layer, not a footnote on a GDPR product.
Browser extension scope
URL navigation events
OAuth tokens (AES-256-GCM)
DOM / page content
Email parsing
Form data
Tenant isolation
Every request resolves the tenant from the auth context · never from the URL or body. Every privileged action is audited: sign-in, policy change, token revoke, enforcement, OAuth grant. Role-based access control is codified in the architecture, not bolted on later.
Tenant resolution
Tenant A
auth
a
Tenant B
auth
b
Tenant C
auth
c
✓ Resolved from auth✗ Never from URL
Setup, then live
Two phases. Days to value.
Zero-touch MSI. Your existing MDM does the deployment. No prod-server touches, no proxy, no months-long professional services contract.
Hours → 1 week
1 · Hours
Setup
Dashboard → Central Setup
Firm Code
Enrollment Secret
Signed MSI (.msi)
4 distribution channels
IntuneGroup PolicyRMMManual
AD / domain NOT required
2 · Same day → 1 week
Live
MSI auto-enroll
1Silent install (admin elevation auto)
2Browser extension force-install
3Agent enrolls on next user logon
Data flow
Hours · first inventory fills
1 week · meaningful risk + cost data
Optional
Connect AD → 5 min later, JML lifecycle is live.
No human intervention needed
See the platform end-to-end.
A 30-minute guided walkthrough · your inventory, your identities, your stack.