Un-Reachability Certificate — A signed, dated proof a crown jewel is NOT reachable — re-checkable without trusting us.
Every tool sells you your problems. We sell you their absence — provably.
A dated, scope-bounded, signed proof that a crown jewel is NOT reachable in your modeled twin — with a witness anyone re-checks without trusting us.
Honestly refused when a path exists. The restraint is the proof.
The witness travels with the proof.
A signature proves who issued the certificate — not that it’s true. So the witness ships with it: the reachable-node set and the exact edge graph the check ran over.
Here is the whole mechanism: you declare a crown jewel, the engine walks every modeled edge in your twin, and only if nothing reaches it does a certificate get issued — dated, signed, and carrying the exact graph it walked. Anyone can re-run the same traversal over that witness and get the same answer.
✓ Re-ran the breadth-first search (BFS) over the witness graph → the crown is outside the reachable set. The proof holds.
No server, no trust — a pure recomputation over the signed witness. Drop any bundle at /verify and your browser re-checks it — nothing uploads.

Three steps. Two honest outcomes.
Name the crown jewel
Pick the asset that must never be reachable — the customer-data bucket, the OT segment, the payroll DB.
The engine walks every modeled edge
Breadth-first over the twin built from your uploads — every hop an attacker could traverse, across every ingested surface.
Certificate, or the path that blocked it
No path: a dated, signed certificate with its witness. A path: we refuse, and show you the exact chain to cut first.
Re-checked against the upload of Jun 30 — no path reaches the crown. The certificate stays valid, dated, and re-checkable.
A staged firewall change opens a new path in the modeled twin. The Change Gate prices it before you ship — the proof is refused, not fudged.
The director's duty is now in writing.
NIS2 Art. 20 makes management bodies approve and oversee cyber-risk measures — and holds them liable for infringements, with the exact regime set by each member state's transposition. A dated, recomputable proof of a state is oversight a director can actually evidence.
A signed proof that the crown is unreachable, dated for the minutes — oversight you can evidence.
A target proves isolation from partial, NDA’d artifacts — no scan, no full access — at full strength.
Underwrite on a re-checkable proof, not a questionnaire the insured attests to.
A witness they re-run themselves — the rare security claim they don’t have to take on faith.
The scope isn’t fine print. It’s the proof.
A proof of absence fails in exactly one way: over-claim. So the certificate can’t be issued without its scope, its date, and a MODELED label.
The claim is bounded by construction.
We never say “unreachable” unqualified. Every certificate reads “no path in the MODELED twin, over these surfaces and assets, as of this date.” The scope isn’t fine print — it’s printed on the certificate, because a proof of absence is only as complete as what was ingested.
We only certify the absence we actually find.
If a modeled path reaches the crown, we refuse to certify it and show you the path instead. You can only sell the absence you have.
Re-checkable without trusting us.
The certificate carries its witness — the reachable-node set and the traversable edge graph. Your auditor (or your browser, right now) re-runs the reachability check and confirms the crown is outside the reachable set. The signature binds it to your key; the witness makes the claim re-checkable — the same traversal over the modeled twin you signed, so you verify the math instead of taking it on faith.
A modeled result, honestly labeled.
Reach is modeled from ingested configuration, not a live scan — so the strength of the claim equals the completeness of what you ingested, which the certificate states. We would rather issue a scoped, defensible claim than an absolute one that a single un-modeled edge destroys.
The same cross-surface graph, run in reverse.
Does the certificate ever say “unreachable” outright?
What happens when a path DOES reach the crown?
How does an auditor check it without trusting us?
The claim is always scope-bounded and MODELED — “no path in the modeled twin, over the ingested scope, as of this date.” Refused when a path exists, and re-checkable by anyone without trusting us.
Stop shipping your board a list of problems.
Included in the Program tier — no add-on, no separate SKU.
Reachability over an attack graph cross-stitched from the 15 security tools we support · 26 MITRE ATT&CK techniques · 9,000 automated tests
Full coverage & honesty detail → /features#coverage
The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.
If one service account leaks, what does it reach — and what is that worth?
Deep dive →If this vendor is breached, what do they reach inside you?
Deep dive →The dollar estimate, the 4-day 8-K clock, and the draft — for your disclosure committee.
Deep dive →