Skip to content

How it works

One stream, both modules.

Leaked credentials arrive automatically from threat-intel feeds, or by manual upload. PassVision routes every record by what it contains, and audits your directory in parallel.

Request a Demo Get a Free Assessment
SELF-HOSTED, END TO END·CTI IN · SIEM OUT·EVERY RISK TRACKED TO CLOSURE

Routing

Every leaked record, routed where it's useful.

Leaked credentials arrive in real time from your CTI feeds, or by manual upload. PassVision routes every record by what it contains, and audits your directory in parallel.

Intelligence in
YOUR CTI FEEDS
REAL-TIME · AUTOMATED
MANUAL UPLOAD
CSV · DUMP FILES
ROUTED BY CONTENT
ONE STREAM · THREE SHAPES
LEAKED PASSWORDMatched against AD accounts to surface any user relying on it.AD_PROTECTION
LEAKED USERNAME / EMAILMatched against your directory to flag the exposed account.AD_PROTECTION
LEAKED USERNAME + PASSWORDTest-logged-in against your apps to prove which it still unlocks.WEB_VERIFICATION
IN PARALLEL · CONTINUOUS DIRECTORY AUDIT AGAINST THE BREACH DATABASE · EVERY CONFIRMED RISK TRACKED TO CLOSURE: RESET · NOTIFY · ALERT

Separately, PassVision continuously audits your entire directory against its breached-password database, catching exposure even before a feed names the user. New leaks trigger everything automatically; every confirmed risk becomes a tracked action (reset · notify · alert), followed to resolution.

Architecture at a glance

A self-hosted system, end to end.

Five parts, all inside your environment: where password changes happen, where policy is decided, and where the evidence lands.

01

Domain controllers

The real-time password filter and service run where password changes actually happen.

02

The Controller

The brain: policy engine, breach lookups, CTI orchestration, remediation tracking, and the dashboard.

03

Breach database

A self-hosted store billions of records deep; queried by irreversible fingerprint, updatable on schedule or in real time.

04

Verification workers

Web Credential Verification's automated login verification.

05

Integrations

Your CTI feeds in, your SIEM out.

One boundary, one outbound path.

Everything runs inside your environment. The only traffic that leaves is Web Credential Verification checking logins against applications you have registered and authorized.

LEAK INTELLIGENCE IN
Your CTI feeds & uploads
YOUR ENVIRONMENT
SELF-HOSTED, END TO END
PassVision + breached-password database
AIR-GAP CAPABLE
RESET · NOTIFY · ALERT
finds & fixes exposed accounts
Your Active Directory
PROTECTED AT EVERY PASSWORD CHANGE
THE ONLY OUTBOUND PATH
Web Credential Verification tests logins on your own registered apps · authorized by signed contract + scope
AD_PROTECTION + BREACH DATABASE: AIR-GAP CAPABLE · WEB_VERIFICATION: REQUIRES OUTBOUND CONNECTIVITY · AUTHORIZED BY SIGNED CONTRACT + SCOPE + WRITTEN AUTHORIZATION

Fits your stack

Feeds your workflows instead of adding new ones.

AD · NATIVE

Active Directory

Enforcement inside standard Windows password workflows; AD stays the control center.

CTI · REAL-TIME

CTI feeds

Ingests new leaks automatically and correlates threat-intel signals to prioritize the accounts attackers already know.

SIEM

SIEM

Password-risk events forwarded with full context: centralized logging, real-time alerts, audit trails, compliance evidence.

LEAK DATABASES

Leak databases

Cloud, on-premise, and air-gapped breach datasets, scheduled or real-time; no plaintext leaves your environment.

NIST 800-63B

NIST 800-63B

Blocks known-compromised passwords, removes arbitrary composition rules, enforces context-aware policy, reported as audit-ready evidence.

Deployment

Deployed on your terms.

On-prem or your own cloud

Self-hosted in your environment, never multi-tenant SaaS; air-gapped and HA supported.

AD-native control

Deploys across your domain controllers; no plaintext leaves the environment.

Secure by design

Irreversible fingerprinting, encryption in transit and at rest, role-based access and LDAP.

See our Trust & Security model →

FAQ

Deployment, answered.

Can PassVision run on-premises or air-gapped?

Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.

See all frequently asked questions →

See it running on your directory.

One stream, both modules, entirely inside your environment. We'll walk it through on your own directory.

Request a Demo Get a Free Assessment