Passive TLS discovery via Zeek. Health scoring across 24 rules. Interactive PKI analytics. Venafi integration. All from a single docker-compose up.
$ curl -fsSL https://raw.githubusercontent.com/net4n6-dev/cipherflag/main/scripts/install.sh | sh
Interactive PKI hierarchy — explore your entire CA landscape
CipherFlag watches your network passively, finding certificates on every port — including the ones nobody remembered to scan.
Zeek monitors a SPAN port or network tap and extracts every TLS certificate from live traffic — no agents, no active probing, no disruption.
24 security rules covering expiration, key strength, signature algorithms, chain trust, CT compliance, wildcard use, and crypto agility. Grades from A+ to F.
Interactive force-directed graph of your entire CA hierarchy. Click any node for blast radius analysis — see every cert a compromised CA has signed.
Push discovered certificates to Venafi Cloud or TPP automatically. Background scheduler with exponential backoff and dead-letter tracking.
Five analytics views — chain flow, ownership treemap, crypto posture, expiry forecast, source lineage — plus four drillable report types.
Drag and drop .pcap files for offline analysis. Upload a capture, Zeek processes it, and certificates appear in your inventory within seconds.
Every certificate is scored from 0 to 100 and assigned a letter grade. Findings include severity, category, point deduction, and remediation guidance.
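To make the rule-based scoring and grading described above concrete, here is an added example (not CipherFlag's own code) that deducts points per failed rule from 100 and maps the result to a letter grade, using record fields modelled on Zeek's x509.log; the rule weights, the 30-day expiry threshold and the grade bands are assumptions, not the project's real values.

```python
# Added example, not CipherFlag's own code: a minimal certificate health scorer that
# deducts points per failed rule from 100 and maps the result to a letter grade, using
# fields modelled on Zeek's x509.log. Weights, thresholds and grade bands are assumptions.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock keeps the output deterministic
SOON = NOW + timedelta(days=30)

# (rule id, severity, category, point deduction, predicate, remediation guidance)
RULES = [
    ("expired", "critical", "expiration", 50,
     lambda c: c["not_valid_after"] < NOW, "Renew immediately; clients will reject this certificate."),
    ("expires-soon", "high", "expiration", 20,
     lambda c: NOW <= c["not_valid_after"] < SOON, "Renew before the validity window closes."),
    ("weak-rsa-key", "high", "key strength", 25,
     lambda c: c["key_type"] == "rsa" and c["key_length"] < 2048, "Reissue with RSA-2048+ or EC P-256."),
    ("weak-signature", "high", "signature algorithm", 25,
     lambda c: c["sig_alg"].lower().startswith(("sha1", "md5")), "Reissue signed with SHA-256 or stronger."),
    ("wildcard", "low", "wildcard use", 5,
     lambda c: any(n.startswith("*.") for n in c["san_dns"]), "Prefer per-host names to limit blast radius."),
]
GRADE_BANDS = [(95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")]

def grade(score):
    return next((letter for floor, letter in GRADE_BANDS if score >= floor), "F")

def score_certificate(cert):
    findings = [
        {"rule": rid, "severity": sev, "category": cat, "deduction": pts, "remediation": fix}
        for rid, sev, cat, pts, check, fix in RULES if check(cert)
    ]
    score = max(0, 100 - sum(f["deduction"] for f in findings))
    return {"score": score, "grade": grade(score), "findings": findings}

# Constructed sample records shaped like Zeek x509.log entries, not real captures.
SAMPLES = {
    "good": {"not_valid_after": NOW + timedelta(days=200), "key_type": "rsa", "key_length": 2048,
             "sig_alg": "sha256WithRSAEncryption", "san_dns": ["app.example.test"]},
    "legacy": {"not_valid_after": NOW + timedelta(days=10), "key_type": "rsa", "key_length": 1024,
               "sig_alg": "sha1WithRSAEncryption", "san_dns": ["*.example.test"]},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        result = score_certificate(cert)
        print(f"{name}: {result['score']}/100 grade {result['grade']}, {len(result['findings'])} finding(s)")
```

Each finding carries the severity, category, point deduction and remediation text the page lists, so the same structure can feed an inventory view or a ticket.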
Three containers, zero runtime dependencies beyond Docker. Ships as multi-arch images (amd64 + arm64).
Three commands. Five minutes. Full certificate visibility.