Skip to content
Platform

One inventory. Three signals. Two outcomes.

From endpoint, browser and directory signals into one identity graph · then into risk decisions and cost decisions. The whole architecture in 30 seconds.

Diagram

The architecture at a glance

Three observers feed one identity graph. Two modules consume it. One policy layer runs the rules.

Policy & Governance
Recent app launches
  • Slack14m ago
  • ChatGPT22m ago
  • Photoshop1h ago
Sign-in source
  • Corporate (SSO confirmed)68%
  • Personal24%
  • Unknown8%
AD sync status
  • DC-HQ-01just now
  • DC-IST-022m ago
  • DC-ANK-013m ago
Identity-centric inventory
Users · Devices · SaaS
One source of truth
CenseRisk
  • Risk score · 78
  • Drift +23% / 12w
  • 5 critical SaaS
CenseCost
  • 18 idle seats
  • Renewal · 9 days
  • $4.2k waste / mo
Where the signals come from

Three signals, one identity.

Each observer sees a different slice of reality. None is enough alone. Together they're a real inventory · not a guess.

Endpoint signals

A Windows endpoint agent watches what your users actually run. Optionally serves as the in-network AD reader.

Recent app launches
  • Slack14m ago
  • ChatGPT22m ago
  • Photoshop1h ago
What it sees
  • Foreground applications and processes
  • Device trust (Managed · Registered · Unmanaged)
  • AD lastLogon and group membership in leader mode
What it never touches
  • Screen content or screenshots
  • Keyboard input
  • File contents

Browser signals

A browser extension watches authenticated SaaS usage and how users sign in. It observes URL navigation events only · never page content.

Sign-in source
  • Corporate (SSO confirmed)68%
  • Personal24%
  • Unknown8%
What it sees
  • Domain of the active tab
  • SSO redirect host (Corporate vs Personal)
  • OAuth grant requests
What it never touches
  • Page DOM content
  • Email addresses or form data
  • Passwords or session cookies

Directory signals

An Active Directory / LDAP read-only connector runs inside your network on a managed endpoint · never as a separate connector server.

AD sync status
  • DC-HQ-01just now
  • DC-IST-022m ago
  • DC-ANK-013m ago
What it sees
  • lastLogon across every domain controller (MAX)
  • Account disabled state and creation time
  • Group membership for user lifecycle
What it never touches
  • Passwords or password hashes
  • Write to the directory · read-only
  • Leave your network perimeter
Connected systems

Five system classes, real depth on each.

Rather than a long list of integrations, we provide measurable depth across the five system classes that close the loop: identity, endpoint, SaaS, AI and compliance. For each class, our scope is committed in writing.

Identity & Directory
3 GA · 3 roadmap
ADLDAPEntraOkta
read-only · in-network
Endpoint & Browser
1 GA · 2 review · 1 roadmap
WinChromeEdgemacOS
telemetry · no MITM
CenseCloud
Identity-centric inventory
SaaS & OAuth
2 GA · 2 roadmap
M365Catalog 100+GWSSlack
oauth scoped · url events
AI & Models
4 GA
ChatGPTClaudeGeminiCopilot
guardrail ladder
Compliance Frameworks
4 GA
KVKKGDPRISO27001NIST
framework export

GA = generally available · Review = store review pending · Roadmap = planned, no commitment. We don't market what we haven't shipped.

The decision layer

From signals to action.

Once the inventory is real, the decisions are too. Risk, policy, lifecycle and governance run on the same source of truth.

Risk scoring

Each SaaS is scored across three independent layers; overall risk is the highest layer. Not a black-box score · a defensible number.

  • KVKK regulatory layer
  • Security posture (encryption · MFA · breach history)
  • Behavioral signal (sensitivity of use)
  • Risk Reasons: every factor traces to a rule
  • 12-week drift trend: new discovery velocity
Three layers · overall = max
KVKK reg.
78MAX
Security
42
Behavioral
64
Policy engine

Six action types from soft tuning to hard block. Enforcement happens at the endpoint · content is never stored.

  • Risk Whitelist · Severity Override
  • Block Access · Paste · Upload · Download
  • Coaching: paste/upload pass with a justification
  • Corporate (SSO-confirmed) accounts exempt by default
  • Policy Simulator + Block Activity log
Soft ─ Hard
  • 1Risk Whitelist
  • 2Severity override
  • 3Coach (with justify)
  • 4Block paste
  • 5Block upload
  • 6Block access · download
Lifecycle

Joiner-mover-leaver signals from AD. Each category ships with a concrete IT action · including a ready mailto template.

  • Deprovisioned (AD-disabled)
  • Dormant (90+ days silent in AD)
  • Stale (30–90 days silent)
  • Orphan · Unverified (AD mismatch)
  • Coverage gap: agent lost · extension lost · both lost
Days silent in AD · lastLogon MAX
  • Active
    0–30d
  • Stale
    30–90d
  • Dormant
    90–180d
  • Deprovisioned
    180d+
  • Orphan
Governance

Three governance modes, six capabilities, tenant isolation. Your org's structure modelled, not forced.

  • Global super · Modular super · Single-module super
  • Six capabilities: system · users · policy · inventory · device · command
  • Every request resolves tenant from the auth context
  • Audit trail: login · policy · enforcement · OAuth
  • RBAC: admin · auditor · analyst · viewer
RBAC · 4 roles × 6 capabilities
SysUsersPolicyInvDevCmd
Admin
Analyst
Auditor
Viewer
writereadnone
Architecture & deployment

Boundary control, by architecture.

Four architectural commitments that show up in every deployment · not features you have to switch on.

In-network AD reader

The Active Directory / LDAP connector runs in leader mode on a managed endpoint inside your network. No separate connector server, no RSAT requirement, Kerberos pass-through by default. Multi-DC federation reads every domain controller and takes the most recent lastLogon, so the 9–14 day replication delay never lies about who's still active.

AD/LDAP topology
Your network
Managed endpoint
DC-* read-only
Never leaves perimeter

No proxy · No MITM · No prod-server agents

We do not sit in your traffic path. The endpoint agent runs on end-user devices only · never on production servers, databases or domain controllers. Your network topology doesn't change to deploy CenseCloud.

Traffic flow · no MITM
User
SaaS
CenseCloud · telemetry only
Off the data path

KVKK-first, by architecture

The browser extension uses URL navigation events only · no DOM scraping, no email parsing, no form data. OAuth tokens are encrypted with tenant-specific AES-256-GCM keys. The product is bilingual (TR + EN) end-to-end. KVKK is a dedicated risk layer, not a footnote on a GDPR product.

Browser extension scope
URL navigation events
OAuth tokens (AES-256-GCM)
DOM / page content
Email parsing
Form data

Tenant isolation

Every request resolves the tenant from the auth context · never from the URL or body. Every privileged action is audited: sign-in, policy change, token revoke, enforcement, OAuth grant. Role-based access control is codified in the architecture, not bolted on later.

Tenant resolution
Tenant A
auth
a
Tenant B
auth
b
Tenant C
auth
c
Resolved from authNever from URL
Setup, then live

Two phases. Days to value.

Zero-touch MSI. Your existing MDM does the deployment. No prod-server touches, no proxy, no months-long professional services contract.

Hours → 1 week
1 · Hours
Setup
Dashboard → Central Setup
  • Firm Code
  • Enrollment Secret
  • Signed MSI (.msi)
4 distribution channels
IntuneGroup PolicyRMMManual
AD / domain NOT required
2 · Same day → 1 week
Live
MSI auto-enroll
  • 1Silent install (admin elevation auto)
  • 2Browser extension force-install
  • 3Agent enrolls on next user logon
Data flow
  • Hours · first inventory fills
  • 1 week · meaningful risk + cost data
Optional
Connect AD → 5 min later, JML lifecycle is live.
No human intervention needed

See the platform end-to-end.

A 30-minute guided walkthrough · your inventory, your identities, your stack.

Explore the modules:CenseRisk·CenseCost