Daily monitoring of your cryptographic trust surface — DBR score, findings, and meaningful change detection.
Watched domains
Domains you're monitoring · per-tier cap · alert preferences.
Trust event history
Private scan history and meaningful changes for your monitored domains.
Trends + benchmarks
DBR trend, score-breakdown over time, and sector context.
Alert delivery
Email, webhook, and weekly digest — how Cipherwake notifies you of meaningful change. (Paste a Slack incoming-webhook URL in the webhook field if you want Slack delivery.)
Integrations
GitHub Action, CLI, API, webhooks, and approved-vendor enforcement.
Account + security
Plan, billing, security, and data preferences.
🎉
Welcome to Cipherwake
Activating your subscription…
What just unlocked:
Welcome
Cipherwake watches your domain's cryptographic trust surface — daily.
Cert rotations, new third-party scripts, posture drift, HNDL exposure — we run the checks every 24 hours and email you only when something meaningful changes. Free includes 1 monitored domain; the CLI and GitHub Action run unauthenticated.
Step 1 of 3
What domain do you want to monitor?
Yours, a vendor's, a partner's — any HTTPS hostname. We'll baseline it now and check daily.
Alerts and the weekly digest go to this address instead of your login email. No verification needed — your account login email stays the same. Change it any time from Profile → Alert delivery email.
Add Cipherwake to GitHub Actions to compare preview deploys against production. Catches new third-party scripts, header regressions, CORS changes, public-surface drift, and DBR score changes — before merge.
Today: baseline captured · trend begins after the next daily scan.
—today
Watching your domain. Most teams also monitor related hosts like api, app, and login. Monitor 5 with Founder Pro →
No domain monitored yet
Pick one HTTPS hostname to monitor — yours, a vendor's, a partner's. Cipherwake will baseline it now and check daily, emailing you only when something meaningful changes.
Setup status
Which Cipherwake surfaces are wired up for your account. None of these are required — they each cover different workflows.
Quotas & usage
What your tier is consuming this month. Resets on the 1st.
Domain of record
Your account's primary monitored domain. Claiming is optional — monitoring fires either way. It unlocks future owner-only controls (rebuttal text on public reports, faster takedown rights).
Primaryyour monitored domainPublic · monitoring active
Monitored sincetoday
No primary domain selected
Add a watched domain from Portfolio to anchor this account.
Subscription
Current tier
Included on your plan
Status
Next renewal
Stripe sub
Update card · cancel subscription · download invoices · pause — all self-serve. No email-the-founder cancellation flow. Charges appear on your statement as CIPHERWAKE (descriptor may include CIPHERWAKE LABS or similar). Billing disputes: the feedback form.
Before you cancel Founder Pro — what you'll lose:
Watched-domain cap drops (Founder Pro 5 → Free 1). Domains over the Free cap are kept in your account but stop monitoring + alerting until you re-subscribe or remove them.
Team seats are removed (Founder Pro included; Free 0). Member rows are retained but their access is suspended on Free.
API-key quota tightens (Founder Pro 5,000/mo → Free 100/repo/mo via OIDC).
Scan history retention shortens (Founder Pro 365 days → Free 30 days). Older entries roll off naturally as the retention window contracts.
Cross-tenant key map, CSV export, webhook alerts, custom CI fail-on thresholds, and persistent approved-vendor allowlist all stop being available on Free. Email alerts still fire on Free.
Cancellation takes effect at the end of the current billing period (no partial-month refunds — see /refund). To permanently delete your account + all data, use the Delete account flow in the Privacy section below — that's a separate action governed by GDPR Article 17.
API access
Free CI uses GitHub OIDC metering — GitHub Actions do not need a signed API key. Use this key for CLI / API calls where required.
Rotation displays the new key once — copy it immediately.
Quota by tier:
Free 100/mo per repo (OIDC) ·
Founder Pro 5,000/mo.
Launch pricing locked while subscription active.
— / —
Domains monitored
—
on your current plan
Scan cadence
Daily
re-scan within 24h
Alerts
Email
on meaningful change
Ownership
Public
unclaimed · monitoring active
Loading…
You're at your monitored-domain limit.
Free monitors 1 domain. Founder Pro ($19.99/mo launch pricing, locked while subscription active) covers 5 with 365-day history.
Send trust diffs to your endpoint with HMAC-SHA256 signing. Available on Founder Pro — paste a URL on the Alerts tab after upgrading.
Approved vendor scripts Founder Pro
Mark intentional third-party scripts (Stripe.js, Google Analytics, etc.) as approved. Vendor change alerts only fire on unapproved drift — filters the noise from benign vendor updates.
Free tier: you can dismiss individual vendor change findings via the dashboard, but persistent allowlists are a Founder Pro feature. Upgrade to Founder Pro ($19.99/mo) →
Loading…
Add approved vendor
Team members Founder Pro
Invite teammates by email. Each accepts via magic link and gets shared read or admin access to this account's portfolio + alerts. Tier caps: Growth 5 additional members · Scale 50. Only owners + admins can manage members; members are read-only.
Loading…
Scans recorded
—
across watched domains
DBR changes
0
in selected window
Cert / key
0
alerts in selected window
Script changes
0
alerts in selected window
Alerts emitted
0
across all event types
Trend view
Timeline
Chronological events grouped by date. Each row shows before → after values for DBR, cert, key, scripts, headers, or alerts.
Baseline analysis
Baseline captured for your monitored domain. Trend and change-density insights populate after future scans.
Baseline · today
your monitored domain
DBR baseline established · daily monitoring active.
Key exchange is typically the largest DBR driver until hybrid PQC key agreement is shipped.
Scan cadence
Daily monitoring activity for the last 90 days. Each cell = one day. Hover for details.
No dataScan completedScan + diff detectedMissed window
Finding categories
Categorized counts from the live scan. Lets you see at a glance whether risk is concentrated in TLS, email security, headers, or third-party scripts.
Certificate & CT activity
Observed certificate history from the public TLS handshake + Certificate Transparency logs. Real history even before private monitoring accumulates.
What would improve this score?
Prioritized technical fixes ordered by DBR impact + ease of implementation. Cipherwake doesn't push tickets — these are starting points for a posture review.
Loading prioritized fixes…
DBR trend
Decryption Blast Radius score over time for your monitored domains. Free shows 30 days; Starter 90; Growth/Scale 365.
Current avg—
30-day delta—
Domains—
✓
Awaiting score history. Trend appears here after at least 7 daily scans.
Change anatomy
Which DBR components moved most. Helps answer "why did the score change?"
No component-level changes detected in your private history.
Portfolio risk position
Where you sit vs the public-scan corpus + the biggest fix you can ship.
Your worst DBR——
vs corpus——
Last 7 days——
Biggest fix——
Percentile = your worst-domain DBR vs the latest score of every distinct monitored domain (last 30d). Biggest fix ≠ biggest DBR driver: the Drivers panel below identifies where your risk sits (e.g. key exchange); the Biggest fix card identifies where you can act first given effort (e.g. a DNS TXT record). Root-cert and PQC-server-stack findings are excluded from Biggest fix because they're vendor-dependent. Methodology →
Integrations
Cipherwake inside your release + monitoring workflow. CI gating, vendor enforcement, and portfolio export.
Your Cipherwake workflow
Paste this into .github/workflows/cipherwake.yml. No API key, no repo secret — Free tier uses GitHub OIDC for per-repo metering (100 calls/repo/mo).
For each of your watched domains, the SPKIs (public-key fingerprints) it serves + which other domains share that same key. CDN multi-tenancy is filtered out (Cloudflare/Fastly/etc. shared certs are tagged, not flagged).
See whether your TLS public key appears on other domains in the corpus. Why this matters →
Maps every SPKI (public-key fingerprint) your watched domains serve and surfaces other domains that share the same key. CDN multi-tenancy (Cloudflare / Fastly / Akamai) is tagged separately from unexpected key reuse — most overlaps are expected; the unexpected ones can indicate misconfigured wildcard certs or private-key reuse you weren't aware of.
Portfolio CSV export Founder Pro
Download your portfolio's operational data (score, grade, posture, alert counts) as CSV. Refresh-on-demand.
Portfolio CSV export Founder Pro · locked
🔒
Download your portfolio as CSV — Founder Pro
One CSV per refresh with every watched domain's current score, grade, posture, alert counts, and TLS/cert metadata. Refresh-on-demand. Ideal for monthly board reporting, internal dashboards, or pulling into Snowflake / BigQuery.
Unlocks with Founder Pro ($19.99/mo) — 5 monitored domains, 6-hour cadence, team seats, CSV export, 5,000 API calls/mo, webhooks.
Your account identity. Display name shows up in welcome emails + (future) team invites.
Email—
A verification email goes to the NEW address. The change isn't final until you click the link.
Display name
Security
Two-factor authentication + active session management. Recommended for accounts with paid subscriptions or admin access.
2FA (TOTP)Not configured
Scan this QR with Authy / Google Authenticator / 1Password / Bitwarden, then enter the 6-digit code below to verify.
Or enter this secret manually: —
Active sessions
Recent activityLoading…
Last 50 sensitive actions on this account (deletions, exports, team changes, API-key rotations, identity unlinks). Older entries roll off per the data retention schedule on /privacy.
Connected accountsLoading…
Transfer account ownership
Only the current account owner can transfer ownership. The new owner must have an active Cipherwake account (free or paid). We review every request and verify proof of corporate authority before completing the transfer; this isn't an automated flow.
New owner email
Justification
Proof method
Need to transfer ownership? Use the feedback form with proof of corporate authority and we'll work with you.
Preferences
UI theme + alert delivery timezone. Defaults follow your system settings.
Theme
Timezone
Global notification channels
Master switches for delivery channels. Per-domain alert settings only fire on enabled channels — turning off Email here mutes ALL email alerts even if a domain is configured to send them.
Email alerts
Webhook alerts
Webhook alerts
Monthly digest email
An end-of-month summary of your watched-domain posture changes, top regressions, and sector benchmarks. Separate from the weekly digest (which fires every Monday). Off by default.
Monthly digest
Privacy & data rights
Export your data anytime (GDPR Art. 15) or delete your account permanently (Art. 17).
Export your data
Includes account profile, watched domains, scan history (last 1,000), alerts (last 90 days), API-key metadata, and subscription history. Stripe customer ID excluded — request directly from Stripe.
Permanent. Cancels any active subscription immediately (not at period end). All watched domains, scan history, alerts, and API keys are deleted. Cannot be undone — signing up again with the same email creates a fresh account.
⚠ This permanently deletes your account.
All watched domains, scan history, alerts, API keys: deleted
Active Stripe subscription: canceled immediately (not at period_end)
Cannot be undone. Signing up again with the same email creates a fresh account.
Type DELETE to confirm:
Operator override
Visible only to allowlisted operator emails. dogfood = true bypasses tier entitlement checks so you can test paid features end-to-end without an active subscription.