Skip to content

FAQ

Frequently asked questions.

Straight answers about what PassVision is, how it handles your data, how it compares, and how to buy it. Still have a question? Request a demo or email [email protected].

General

What PassVision is.

What is PassVision?

PassVision is a self-hosted enterprise credential-security platform. It blocks weak and breached passwords inside Active Directory in real time, continuously audits every account against breach data, and verifies which leaked credentials still actually work, all on the customer's own infrastructure.

What are PassVision's two modules?

PassVision has two modules. Active Directory Protection prevents weak, breached, and reused passwords at the moment of change and audits every account continuously. Web Credential Verification attempts a real login with a leaked credential to prove whether it still works, and sweeps reuse across the organization's apps.

What does "from leaked to live" mean?

"From leaked to live" is PassVision's term for confirming exploitability. A credential appearing in a breach dump doesn't mean it still works. PassVision attempts the actual login and reports only the credentials that genuinely authenticate right now, so teams act on real exposures, not dead ones.

Data & security

Where your data goes, and doesn't.

Does PassVision store or see our passwords?

No. On the Active Directory screening path, PassVision checks passwords as irreversible fingerprints: no plaintext password is stored, and none leaves your environment. Because PassVision is self-hosted, your credential data stays inside your perimeter.

Can PassVision run on-premises or air-gapped?

Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.

Is it legal and safe to actively log in with leaked credentials?

Yes, when scoped and authorized. PassVision confines live verification to applications the customer owns and authorizes, governed by a signed contract, scope document, and written authorization. It never bypasses CAPTCHA or anti-bot defenses and never attempts to defeat a second factor.

Comparisons

How PassVision is different.

How is PassVision different from Have I Been Pwned or a breached-password checker?

A breached-password checker tells you a password appeared in a leak. PassVision goes further: it prevents breached passwords at the moment of change, ties exposures to real accounts, verifies which leaked credentials still authenticate, and remediates to closure, orchestrating breach data (including HIBP) plus your own CTI.

How is PassVision different from Microsoft Entra Password Protection?

Microsoft Entra Password Protection blocks a limited global banned-password list. PassVision adds continuous re-checking against billions of breach records, structural-weakness detection, granular OU/group/user policy, automated remediation with reset verification, and live credential verification, all self-hosted.

How is PassVision different from SpyCloud or Outpost24?

SpyCloud and Outpost24 are primarily breach-data and dark-web monitoring services. PassVision is an enforcement, verification, and orchestration layer that runs on your own infrastructure, preventing weak passwords in Active Directory and proving which leaked credentials are live, rather than selling you more data.

Fit & buying

Where it fits and how to buy.

Does PassVision replace our Active Directory, IAM, or SIEM?

No. PassVision integrates with them. It enforces inside standard Windows password workflows, ingests your CTI feeds, and forwards password-risk events to your SIEM with full context, adding intelligence where those tools are blind.

Which breach and threat data does PassVision use?

PassVision uses a breached-password database billions of records deep (including Have I Been Pwned) and integrates with your organization's own CTI feeds. The goal is to orchestrate the intelligence you already have into prevention, verification, and remediation.

Is PassVision aligned with NIST 800-63B?

Yes. PassVision's policy engine is aligned with NIST 800-63B (blocking known-compromised passwords, removing arbitrary composition rules, and enforcing context-aware policy) and produces audit-ready evidence.

How is PassVision licensed and how do we buy it?

PassVision is licensed per user and sold through partners and MSSPs. Organizations typically start with the free assessment to size their exposure, then move to a full deployment through a partner.

Who is PassVision for?

PassVision is built for SOC teams, IAM and Active Directory teams, security architects, and CISOs, especially in mature, regulated organizations such as banks, financial institutions, and defense and public-sector bodies, and for MSSPs delivering it across clients.

What is the free PassVision Auditor?

The free PassVision Password Auditor runs on a domain controller and reports which accounts use breached, blank, or never-expiring passwords. It reads irreversible fingerprints only (no password leaves your environment) and produces a self-contained HTML report in minutes.

Still have a question? Let's map it to your environment.

Request a demo, or start with a free look inside your directory.

Request a Demo Get a Free Assessment