How it works
One stream, both modules.
Leaked credentials arrive automatically from threat-intel feeds, or by manual upload. PassVision routes every record by what it contains, and audits your directory in parallel.
Routing
Every leaked record, routed where it's useful.
Leaked credentials arrive in real time from your CTI feeds, or by manual upload. PassVision routes every record by what it contains, and audits your directory in parallel.
Separately, PassVision continuously audits your entire directory against its breached-password database, catching exposure even before a feed names the user. New leaks trigger everything automatically; every confirmed risk becomes a tracked action (reset · notify · alert), followed to resolution.
Architecture at a glance
A self-hosted system, end to end.
Five parts, all inside your environment: where password changes happen, where policy is decided, and where the evidence lands.
Domain controllers
The real-time password filter and service run where password changes actually happen.
The Controller
The brain: policy engine, breach lookups, CTI orchestration, remediation tracking, and the dashboard.
Breach database
A self-hosted store billions of records deep; queried by irreversible fingerprint, updatable on schedule or in real time.
Verification workers
Web Credential Verification's automated login verification.
Integrations
Your CTI feeds in, your SIEM out.
One boundary, one outbound path.
Everything runs inside your environment. The only traffic that leaves is Web Credential Verification checking logins against applications you have registered and authorized.
Fits your stack
Feeds your workflows instead of adding new ones.
Active Directory
Enforcement inside standard Windows password workflows; AD stays the control center.
CTI feeds
Ingests new leaks automatically and correlates threat-intel signals to prioritize the accounts attackers already know.
SIEM
Password-risk events forwarded with full context: centralized logging, real-time alerts, audit trails, compliance evidence.
Leak databases
Cloud, on-premise, and air-gapped breach datasets, scheduled or real-time; no plaintext leaves your environment.
NIST 800-63B
Blocks known-compromised passwords, removes arbitrary composition rules, enforces context-aware policy, reported as audit-ready evidence.
Deployment
Deployed on your terms.
On-prem or your own cloud
Self-hosted in your environment, never multi-tenant SaaS; air-gapped and HA supported.
AD-native control
Deploys across your domain controllers; no plaintext leaves the environment.
Secure by design
Irreversible fingerprinting, encryption in transit and at rest, role-based access and LDAP.
FAQ
Deployment, answered.
Can PassVision run on-premises or air-gapped?
Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.
See it running on your directory.
One stream, both modules, entirely inside your environment. We'll walk it through on your own directory.