CyberTwin
Program tier · Defensibility

Un-Reachability Certificate — A signed, dated proof a crown jewel is NOT reachable — re-checkable without trusting us.

Every tool sells you your problems. We sell you their absence — provably.

A dated, scope-bounded, signed proof that a crown jewel is NOT reachable in your modeled twin — with a witness anyone re-checks without trusting us.

Honestly refused when a path exists. The restraint is the proof.

Signed · Scope-bounded · Re-checkable without trusting us · Included in the Program tier
Un-Reachability Certificate
No path to customer-data (S3, prod)
in the modeled twin · internet → dmz → lan · FortiGate + Okta twin
SIGNED
2026-06-30
Ed25519
witness a3f2…9c41re-check anytime at /verifycrown outside the reachable set

The witness — the reachable-node set and the edge graph the check ran over — ships with the certificate. Your auditor re-runs the traversal and gets the same answer, without trusting us. Refused when a path exists: we only certify the absence we actually find.

Sample certificate (seeded demo) · scope-bounded · modeled twin · point-in-time
Don’t trust us — verify it

The witness travels with the proof.

A signature proves who issued the certificate — not that it’s true. So the witness ships with it: the reachable-node set and the exact edge graph the check ran over.

Here is the whole mechanism: you declare a crown jewel, the engine walks every modeled edge in your twin, and only if nothing reaches it does a certificate get issued — dated, signed, and carrying the exact graph it walked. Anyone can re-run the same traversal over that witness and get the same answer.

RE-CHECK IT YOURSELF

✓ Re-ran the breadth-first search (BFS) over the witness graph → the crown is outside the reachable set. The proof holds.

No server, no trust — a pure recomputation over the signed witness. Drop any bundle at /verify and your browser re-checks it — nothing uploads.

The Un-Reachability Certificate surface in the product, honestly refusing to certify — a modeled path reaches the crown, so it shows the path to cut and the exact scope it checked.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan

Three steps. Two honest outcomes.

1
Declare

Name the crown jewel

Pick the asset that must never be reachable — the customer-data bucket, the OT segment, the payroll DB.

2
Walk

The engine walks every modeled edge

Breadth-first over the twin built from your uploads — every hop an attacker could traverse, across every ingested surface.

3
Issue — or refuse

Certificate, or the path that blocked it

No path: a dated, signed certificate with its witness. A path: we refuse, and show you the exact chain to cut first.

Proof holds
Verified

Re-checked against the upload of Jun 30 — no path reaches the crown. The certificate stays valid, dated, and re-checkable.

as of upload · 2026-06-30
Proof would break
Pre-flight

A staged firewall change opens a new path in the modeled twin. The Change Gate prices it before you ship — the proof is refused, not fudged.

staged change · pre-flight check
Why now

The director's duty is now in writing.

NIS2 Art. 20 makes management bodies approve and oversee cyber-risk measures — and holds them liable for infringements, with the exact regime set by each member state's transposition. A dated, recomputable proof of a state is oversight a director can actually evidence.

The board

A signed proof that the crown is unreachable, dated for the minutes — oversight you can evidence.

M&A diligence

A target proves isolation from partial, NDA’d artifacts — no scan, no full access — at full strength.

The cyber insurer

Underwrite on a re-checkable proof, not a questionnaire the insured attests to.

The auditor

A witness they re-run themselves — the rare security claim they don’t have to take on faith.

Why this is defensible

The scope isn’t fine print. It’s the proof.

A proof of absence fails in exactly one way: over-claim. So the certificate can’t be issued without its scope, its date, and a MODELED label.

The claim is bounded by construction.

We never say “unreachable” unqualified. Every certificate reads “no path in the MODELED twin, over these surfaces and assets, as of this date.” The scope isn’t fine print — it’s printed on the certificate, because a proof of absence is only as complete as what was ingested.

We only certify the absence we actually find.

If a modeled path reaches the crown, we refuse to certify it and show you the path instead. You can only sell the absence you have.

Re-checkable without trusting us.

The certificate carries its witness — the reachable-node set and the traversable edge graph. Your auditor (or your browser, right now) re-runs the reachability check and confirms the crown is outside the reachable set. The signature binds it to your key; the witness makes the claim re-checkable — the same traversal over the modeled twin you signed, so you verify the math instead of taking it on faith.

A modeled result, honestly labeled.

Reach is modeled from ingested configuration, not a live scan — so the strength of the claim equals the completeness of what you ingested, which the certificate states. We would rather issue a scoped, defensible claim than an absolute one that a single un-modeled edge destroys.

Questions

The same cross-surface graph, run in reverse.

Does the certificate ever say “unreachable” outright?
Never a bare “unreachable.” Every certificate is scope-bounded by construction: “no path in the MODELED twin, over these surfaces and assets, as of this date.” The scope is printed on the certificate, because a proof of absence is only as complete as what was ingested.
What happens when a path DOES reach the crown?
We refuse to certify and show you the exact chain to cut instead. You can only sell the absence you actually find — cut the path, re-upload, and the certificate issues.
How does an auditor check it without trusting us?
The certificate carries its witness — the reachable-node set and the traversable edge graph. Your auditor (or your browser at /verify) re-runs the same reachability check over that witness and confirms the crown is outside the reachable set. No server, no trust.

The claim is always scope-bounded and MODELED — “no path in the modeled twin, over the ingested scope, as of this date.” Refused when a path exists, and re-checkable by anyone without trusting us.

Coverage

Stop shipping your board a list of problems.

Included in the Program tier — no add-on, no separate SKU.

Reachability over an attack graph cross-stitched from the 15 security tools we support · 26 MITRE ATT&CK techniques · 9,000 automated tests

Full coverage & honesty detail → /features#coverage

ProgramMost Popular
$36,000/yr
Annual only

The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.