The platform
Active Directory at the core, extended outward.
PassVision is built around your directory. Active Directory Protection does the heavy lifting inside AD; Web Credential Verification extends the same intelligence outward to prove real-world exploitability. One platform, both sides of the door.
Both sides of the door
Two modules, one door, one stream.
Active Directory Protection holds the inside of the door; Web Credential Verification tests it from the outside. Both draw on the same breach and CTI intelligence: one platform watching both sides.
Active Directory Protection
Guards your workforce where identity actually lives.
The weak password never exists, and the exposed one never hides.
Explore Active Directory Protection →Real-time policy & prevention
Blocks leaked, reused, and non-compliant passwords the instant they're set, NIST 800-63B aligned.
Forbidden-words enforcement
Company-specific terms, personal data, and predictable patterns denied at the point of change.
Always-on detection
Every account screened continuously against a breach database billions of records deep.
Automated remediation
Forced reset, reset verification, notify, and alert: every risk driven to closure.
Web Credential Verification
Extends the same intelligence outward.
Act only on live credentials, not dead exposures.
Explore Web Credential Verification →What sets it apart
Five capabilities at the core.
Everything PassVision does turns on five things: four guarding the directory, one proving exploitability from outside.
Always-on password tracking
Every account monitored continuously; existing and new passwords re-checked as leaks surface.
NIST 800-63B compliance
Granular, NIST-aligned policy replaces static complexity rules; audit-ready by default.
Real-time forbidden words
Blocks company-specific terms the instant a user tries to set one.
Real-time CTI correlation
Ingests threat-intel feeds continuously, flagging exposed accounts the moment a leak lands.
Live web verification
Attempts the real login to prove which leaked credentials still work. No policy tool can.
Four capabilities guard the directory from the inside. The fifth reaches outward to prove real-world exploitability: the difference between knowing a credential leaked and knowing it still works.
See how the stream is routed →Fits your stack
Adds intelligence where your tools are blind.
PassVision doesn't replace AD, IAM, or SOC tooling; it plugs into them, feeding existing workflows instead of adding new ones.
Native Active Directory enforcement
Runs inside standard Windows password workflows; AD stays the control center.
Real-time CTI ingestion
New leaks flow in automatically and correlate against your directory.
SIEM-ready events
Password-risk events forwarded with full context for centralized logging and alerts.
Cloud, on-prem & air-gapped leak databases
Breach datasets deploy where your posture allows; no plaintext leaves your environment.
Audit-ready NIST 800-63B evidence
Continuous, evidenced enforcement, not point-in-time compliance claims.
Go deeper
Explore each module, and how they run together.
Active Directory Protection
Real-time prevention, granular policy, continuous auditing, and remediation to closure.
Explore Active Directory Protection →Web Credential Verification
Attempts the real login to prove which leaked credentials still open the door.
Explore Web Credential Verification →How It Works
One stream routed by content, the self-hosted architecture, and deployment.
See how it works →Platform questions
Two questions we hear most.
What are PassVision's two modules?
PassVision has two modules. Active Directory Protection prevents weak, breached, and reused passwords at the moment of change and audits every account continuously. Web Credential Verification attempts a real login with a leaked credential to prove whether it still works, and sweeps reuse across the organization's apps.
Can PassVision run on-premises or air-gapped?
Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.
One platform, both sides of the door.
Weak passwords blocked on the inside. Live credentials exposed on the outside. Every door locked before someone else tries it.