Cipherwake will never crawl behind your login.

The single most common feature request we deflect is "can you log in and check the admin panel?" The answer is no — by design, not by limitation. Here's the full rationale, what we do instead, and which tool to use if you genuinely need behind-auth monitoring.

1. The credential problem inverts our trust model

To crawl your authenticated surface, Cipherwake needs one of:

• A session cookie we keep refreshing
• An OAuth refresh token + the ability to mint access tokens
• An API key with admin scope
• Admin username + password

Whatever the form, we'd be holding the keys to every paying customer's admin panel. The pitch we sell is "we watch your public trust surface and tell you when it drifts" — meaning we look at what the outside world sees. The moment we store credentials, we ARE part of the attack surface. A breach of Cipherwake hands attackers admin access to every customer at once. That's the same liability shape as a password manager — and a password manager's entire business model is dedicated to managing that risk. We'd be carrying it as a side effect of a deploy-gating product.

The security-conscious engineer who would pay $19.99/mo for Cipherwake is exactly the person who will refuse to hand us their admin cookie. Wrong-buyer rejection.

2. Login flows break the crawler constantly

What an authenticated-crawler would need to handle per customer:

• Email + password (rotating, hash variations, password manager auto-fill, "show password" buttons, hidden CSRF inputs)
• Google OAuth (refresh-token flow, consent screens, "select account" intercepts, scope changes)
• GitHub OAuth (device codes, scope changes, IP-based restrictions)
• SAML / SSO (per-IdP redirects, signed assertions, time-bound tokens, IdP-initiated vs SP-initiated flows)
• Magic links (one-time, time-bound, email-delivered)
• MFA (TOTP, SMS, WebAuthn, push notifications, recovery codes)
• CSRF tokens (rotate per session, embedded in HTML, embedded in headers)
• Session timeouts (varies wildly — 15 min, 8 hours, 30 days)
• Cookie domain / path rules
• Rate limits on login endpoints
• Bot detection that classifies our crawler as a bot

Every one of these is a per-customer integration nightmare. The crawler breaks on Wednesday because a customer rotated their OAuth consent screen, or enabled MFA, or shortened their session timeout. The on-call burden (us) eats the support cost. Our error rate destroys the "is it actually monitoring" trust that justifies the bill.

Pingdom and DataDog Synthetic handle this in dedicated teams with secret vaults. We're not. Building it badly is worse than not building it.

3. The signal-to-noise problem

Admin UIs are where active product development happens. Adding a column to a table, renaming a button, reorganizing a menu, A/B testing a new layout — these aren't security regressions, they're routine product work. A visual trust-diff against a constantly-changing admin surface generates noise, not signal. The customer churns because the gate cries wolf on every product update.

The valuable events behind auth — "an admin export endpoint was added that shouldn't exist," "a new admin action allows mass data deletion without confirmation" — need real semantic understanding, not visual diffing. That's a different product (closer to Data Security Posture Management) than what we sell.

4. The catastrophic events are catchable from outside

The high-severity event that customers actually fear is "did /admin become public on this deploy?" That's a status-code check from the outside. You don't need to log in to detect it — you need to probe the route without credentials and assert it's still gated.

That's exactly what route assertions do, with zero credential risk:

• If /api/admin/users/delete-all exists and is gated, the assertion catches it staying gated.
• If a deploy breaks the middleware and the route returns 200 to an unauthenticated probe, the assertion blocks the deploy.
• The customer declares the routes they care about in .cipherwake.json. Cipherwake never sees behind the auth boundary — it only verifies the boundary is still there.

We never needed to be inside.

5. Compliance + legal exposure we're not equipped to carry

The moment we store admin credentials, the world changes:

• SOC 2 scope explodes. Every customer's secrets are now in our compliance perimeter. We'd need controls, audits, and continuous monitoring of the credential store itself.
• GDPR / CCPA exposure. Customer data we can access on their behalf becomes data WE process. Subject access requests get complicated.
• Subpoena risk. "Cipherwake, give us the admin cookies for customer X" is a thing that could happen. We'd need legal policy for it.
• Cyber-insurance premiums increase. Insurers price the credential-leak scenario into our policy.
• Customer due diligence gets longer. Every prospective customer wants to know how we store their admin credentials, who has access, what the rotation policy is, etc. The sales cycle stretches.

Route assertions have ZERO of this. Just HTTP probes against routes the customer has told us about.

6. What's actually the right tool for behind-auth monitoring

If you genuinely need synthetic checks behind auth — actually logging in and verifying authenticated pages render correctly — these are the right tools:

• Pingdom Synthetic / DataDog Synthetic / Checkly — purpose-built, hold credentials professionally, integrate with secret managers, handle the OAuth/MFA matrix as a core competency. Use these.
• Custom Playwright synthetics in your own CI — secrets from your own vault, never leave your infrastructure, run on your schedule. For teams that want full control of the credential boundary.
• Sentry / Honeycomb / Datadog APM — observability on the inside of your app. If you want to know "did this admin action break in production?", instrument the action and watch the metrics.

If a customer asks us "can you also monitor my admin panel content?", we route them to these tools honestly. Recommending the right tool when it's not ours is part of the brand.

7. What this means for our roadmap

Authenticated-surface monitoring is on the permanent "will not build" list. Not "maybe later" — never.

What we WILL keep investing in instead:

• More expressive route assertions. Richer expected-state semantics: header-value assertions, redirect-target assertions, response-body-NOT-contains assertions for known-leak strings.
• Better auto-detection. Sitemap.xml parsing, Next.js / Rails / Django convention inference, framework-specific defaults.
• CSP violation reporting (separate roadmap item). A report-to endpoint that aggregates real-user browser-side blocked attempts. Continuous signal from production traffic without credentials.
• Threat feed. When a new supply-chain attack, browser security change, or deprecated TLS suite lands, proactively alert affected customers with the fix.

Every one of these stays on the right side of the credential boundary.

8. Lineage of this decision

This decision was made explicitly on 2026-06-05 when a customer dogfooded Cipherwake against an admin-heavy app for ~10 deploys and observed that Cipherwake stayed silent (correctly — the public surface didn't drift). The natural next ask was "what if you logged in?" The response, on review, was "no — that's wrong for the entire category." Route assertions shipped instead.

If we're ever tempted to revisit this, three things must change: (a) a way to hold credentials that doesn't centralize them on Cipherwake's infrastructure (e.g. customer-supplied per-scan tokens that expire in minutes); (b) a credential-handling team and audit posture we don't currently have; (c) evidence that route assertions + the other roadmap items aren't enough. None of those are likely.