BLACKGLASS by Obsidian Dynamics⌘K

Fleet dashboard

Production hosts · drift, integrity and readiness — prioritize attention items first.

Capture baseline

No high-risk drift in the latest sweep — continue monitoring notable hosts below.

Hosts checked

Telemetry coverage this window

High-risk drift

Needs operator review

Ready hosts

Baseline aligned posture

Evidence bundles

Stub bundles in Evidence (API catalog)

Telemetry coverage & freshness

Collectors

1 / 1online

Fleet heartbeat

2 May 2026, 17:26 UTC

Stale slices

No overdue telemetry slices.

Fleet overview

Healthy

Baseline captured — run a scan to detect drift

Notable items

No open drift in the latest window.

Drift volume (index)

No historical drift index yet — run scans on separate days to build a trend.

High-risk drift

Attention required

Open findings are grouped by integrity class — triage high-severity items first.

Top classes (new findings)

SSH posture (2)
Identity drift (1)
Network exposure (1)

Recommended actions

Action plan

Review baseline diff for host-03
Triage the drift queue for new signals
Export an evidence bundle for auditors if needed

Host spotlight

host-167-172-224-47 · blackglass-lab-01 · Ubuntu 24.04

AlignedOpen host

Readiness score from the latest scan — higher is closer to baseline alignment.

Fleet readiness score100%

Security overview — how BLACKGLASS works and protects your dataExpand

Integrity first, monitoring second

BLACKGLASS is not a SIEM, a vulnerability scanner, or a log aggregator. It is a configuration-integrity product. Its job is to answer one question: is this host still in the configuration we approved, and if not, what changed, when, and why does it matter? Every feature — baselines, drift detection, risk classification, evidence export — exists to answer that question reliably and with an auditable record.

What BLACKGLASS does for security

Baseline creation

A baseline is a point-in-time snapshot of a host's security-relevant configuration: listening ports, local users and group memberships, sudo rules, enabled systemd units, SSH daemon policy, firewall rules, installed packages, and kernel parameters. Without an explicit baseline, drift is undetectable — you cannot tell whether a new port or user is authorized or a sign of compromise. Baselines are also compliance evidence: proof that a system was in an acceptable state at a specific time.

Drift detection

At each scan, BLACKGLASS re-collects the same surface areas and diffs against the active baseline. Every changed, added, or removed item surfaces as a finding. Configuration drift is a well-documented attack vector — attackers abuse CI pipelines, provisioning scripts, and emergency access to make changes that are never reviewed or reverted. BLACKGLASS makes that drift visible and attributable.

Drift category	Example signal
Network exposure	New port 8080/tcp listening on 0.0.0.0 — not in baseline
Identity drift	New user deploy2 added to sudo group
Persistence	New systemd service enabled at boot — not in baseline
SSH weakening	PermitRootLogin changed from no to yes
Firewall regression	DROP policy on INPUT chain replaced with ACCEPT
Package drift	openssh-server downgraded from 9.3 to 8.9

Risk classification

Raw findings are classified into categories that map to standard security risk taxonomy: network exposure, identity drift, persistence, policy mismatch, and package / supply-chain changes. Classification tells a responder whether a finding is a potential lateral-movement vector, a compliance gap, or a sign of attacker activity — so teams can triage rather than guess.

Evidence and reporting

Host baseline report — structured record of what the host looked like at baseline time, suitable for a change record or audit questionnaire
Drift report — timestamped diff between baseline and current state, with risk classification and recommended response
Fleet posture summary — across all enrolled hosts: unacknowledged drift by category and severity, with trending
Evidence bundles (Pro / Enterprise) — exportable packages containing baseline, findings, acknowledgements, and operator notes for SOC 2, post-incident review, or CAB submission
Audit timeline — chronological view of what changed on each host across all scans

How BLACKGLASS protects your data

Encryption and transport

All UI and API traffic is served over HTTPS / TLS 1.3. There are no HTTP endpoints. Drift results, baselines, evidence bundles, and audit logs are encrypted at rest (AES-256). Encryption is always on — not an option.

Access control

Three built-in roles: Viewer (read-only), Operator (scan + acknowledge), and Admin (full access). API tokens (Pro+) are scoped to a role at issuance. Enterprise adds SSO / SAML / OIDC with MFA enforced at your identity provider.

Data minimisation and retention

BLACKGLASS collects only what is needed to compute drift — not file contents, not environment variables, not secrets. Retention is configurable per plan (30 days free, 180 days Pro, custom on Enterprise). Data is hard-deleted after the window closes — not hidden, removed.

Secrets and credential handling

SSH credentials are never stored. They are fetched just-in-time from a pluggable SecretProvider (Doppler, Infisical, Vault, or env vars for dev), held in memory only for the scan connection lifetime, and never written to disk or logs. The browser never sees raw credentials.

Audit logging

Every security-relevant action is recorded: authentication, scan execution, baseline changes, drift acknowledgement, evidence export, and user management. Logs are append-only at the application layer, encrypted at rest, and kept separate from raw operational output. No host configuration data is written to application logs.

Platform hardening

Production runs on DigitalOcean App Platform with network segmentation and SSH-key management access. All secrets are managed via Doppler — none are committed to source control. Dependencies are pinned and reviewed on a regular vulnerability cadence. Tenant data is scoped by workspace at the application layer.

Fleet dashboard

Production hosts · drift, integrity and readiness — prioritize attention items first.

Capture baseline

No high-risk drift in the latest sweep — continue monitoring notable hosts below.

Hosts checked

Telemetry coverage this window

High-risk drift

Needs operator review

Ready hosts

Baseline aligned posture

Evidence bundles

Stub bundles in Evidence (API catalog)

Telemetry coverage & freshness

Collectors

1 / 1online

Fleet heartbeat

2 May 2026, 17:26 UTC

Stale slices

No overdue telemetry slices.

Fleet overview

Healthy

Baseline captured — run a scan to detect drift

Notable items

No open drift in the latest window.

Drift volume (index)

No historical drift index yet — run scans on separate days to build a trend.

High-risk drift

Attention required

Open findings are grouped by integrity class — triage high-severity items first.

Top classes (new findings)

SSH posture (2)
Identity drift (1)
Network exposure (1)

Recommended actions

Action plan

Review baseline diff for host-03
Triage the drift queue for new signals
Export an evidence bundle for auditors if needed

Host spotlight

host-167-172-224-47 · blackglass-lab-01 · Ubuntu 24.04

AlignedOpen host

Readiness score from the latest scan — higher is closer to baseline alignment.

Fleet readiness score100%

Security overview — how BLACKGLASS works and protects your dataExpand

Integrity first, monitoring second

What BLACKGLASS does for security

Baseline creation

Drift detection

Drift category	Example signal
Network exposure	New port 8080/tcp listening on 0.0.0.0 — not in baseline
Identity drift	New user deploy2 added to sudo group
Persistence	New systemd service enabled at boot — not in baseline
SSH weakening	PermitRootLogin changed from no to yes
Firewall regression	DROP policy on INPUT chain replaced with ACCEPT
Package drift	openssh-server downgraded from 9.3 to 8.9

Risk classification

Evidence and reporting

Host baseline report — structured record of what the host looked like at baseline time, suitable for a change record or audit questionnaire
Drift report — timestamped diff between baseline and current state, with risk classification and recommended response
Fleet posture summary — across all enrolled hosts: unacknowledged drift by category and severity, with trending
Evidence bundles (Pro / Enterprise) — exportable packages containing baseline, findings, acknowledgements, and operator notes for SOC 2, post-incident review, or CAB submission
Audit timeline — chronological view of what changed on each host across all scans

How BLACKGLASS protects your data

Encryption and transport

Access control

Data minimisation and retention

Secrets and credential handling

Audit logging

Platform hardening