Free · Read-Only · No Data Leaves Your Network

Know Your DevOps Blast Radius
Before Someone Else Does

Scan your entire GitHub or Azure DevOps organisation in minutes. Uncover data loss exposure, AI agent risks, compliance gaps, and permission holes — all in a single, shareable report.

Works with GitHub & Azure DevOps Read-only access — zero write permissions PowerShell & macOS desktop app 14 compliance frameworks

Enter your work email to get the free tool — takes under 60 seconds to set up.

You're all set!

Your download should start automatically. If not, click below.

↓ Download Risk Assessment Tool
14
Compliance Frameworks
6
Risk Domains Scanned
13
AI Agents Detected
9.5
Max Blast Radius Score

Your Source Code Is Your Most Valuable Asset. Most Orgs Have No Idea What's Protecting It.

Git repositories hold years of institutional knowledge, infrastructure-as-code, CI/CD pipelines, API contracts, and secrets. Yet most organisations treat GitHub like a commodity tool with no recovery plan.

A single force-push, a disgruntled insider, a ransomware event, or even accidental deletion can wipe out assets that took years to build — and can't be recovered from local clones.

  • Force-push overwrites the default branch — all history gone
  • Service account deletes a repo — and its entire wiki and PRs
  • AI coding agent silently modifies IaC files across 50 repos
  • Ransomware encrypts your entire GitHub organisation
  • Auditor demands point-in-time recovery of production config from 18 months ago
  • Key engineer leaves and revokes their personal deploy keys
Sample Blast Radius Report
9.5/10
CRITICAL
Repository history depth 8.2 years
2FA enforcement Not required
Repos with no branch protection 34 repos
Outside collaborators 12 users
AI agent commit share 23%
IaC files at risk 847 files
Offsite backup None detected

Six Risk Domains. One Comprehensive Report.

Every check runs with a read-only token. Nothing is written to your organisation. Results are rated LOW / MEDIUM / HIGH / CRITICAL.

🎯

Blast Radius Analysis

Quantifies exactly what you'd lose if your org vanished today — years of commit history, contributor knowledge, IaC, API contracts, and build definitions that can never be recovered from a local clone.

history depth commit volume contributors IaC files API contracts monorepo detection org storage
🤖

AI Agent Exposure

Detects every AI coding agent writing to your codebase — by config files, bot account patterns, commit velocity spikes, and AI co-author commit trailers. Identifies which agents are active and in how many repos.

bot accounts commit velocity co-author detection AI config files agent identification
🔐

Access & Permissions

Audits your entire permission surface: org admin counts, outside collaborators, 2FA enforcement, branch protection rules, required reviews, admin bypass settings, and writable deploy keys or service connections.

org admins 2FA enforcement branch protection required reviews deploy keys outside collabs
📋

Compliance Readiness

Maps your current configuration against 14 regulatory frameworks and produces a gap analysis table with specific control references and remediation guidance. Perfect for board-level reporting or audit prep.

ISO 27001 SOC 2 NIST 800-53 FedRAMP DORA NIS2 +8 more
🔗

Supply Chain Surface

Maps your full dependency ecosystem — counting every package manifest and CI/CD pipeline definition across all repos. Shows exactly how broad the blast radius is if any pipeline or dependency is compromised.

npm Python Go Maven GitHub Actions Jenkinsfile Azure Pipelines
⚠️

Recovery Scenarios

Tests your organisation against 7 real-world failure modes — from force-pushes to ransomware — and rates your current ability to recover. Shows exactly what's unrecoverable without an independent backup.

force-push repo deletion IaC corruption pipeline wipe ransomware point-in-time recovery

AI Is Writing Your Code. Do You Know How Much?

GitHub Copilot, Cursor, Claude, Devin, and a dozen other AI agents are committing code to production repos right now. Most organisations have no visibility into which agents are active, what they're changing, or what happens if those changes need to be rolled back.

Our scanner detects AI agent activity through three independent signals — config file presence, bot account commit history, and co-author commit trailers — and identifies exactly which agents are operating in which repos.

Bot commit share > 20% CRITICAL
Bot commit share 5–20% HIGH
Commit velocity > 200/day CRITICAL
Commit velocity 50–200/day HIGH
AI config files detected MEDIUM

AI Agents We Detect

GitHub Copilot
Cursor
Claude
Devin
Codeium
Windsurf
Tabnine
Aider
Continue
Augment
Cody
Gemini
ChatGPT

What We Look For

Config files
CLAUDE.md, .cursorrules, .github/copilot-instructions.md, AGENTS.md, devin.md, .augment/, .aider/ and more
Bot accounts
Contributors matching AI agent login patterns across all repos
Co-author trailers
Co-authored-by trailers in commit messages across the last 100 commits per repo

14 Frameworks. One Gap Analysis Report.

The report maps your current GitHub configuration against every major regulatory framework that touches source code integrity and availability — with specific control references and the exact gap your organisation has today.

ISO 27001/27002
Annex A 8.13
Backup copies of information, software & systems
SOC 2 Availability
CC9.1
Recovery of source code, pipelines & IaC
NIST SP 800-53
CP-9
System-level and user-level backups
NIST SSDF
PO.3 / PS.1
Source code integrity & availability
FedRAMP
CP-9 (inherited)
Repos & IaC in recoverable system boundary
CMMC / 800-171
3.8.9
Protect backup CUI at storage locations
EO 14028
Supply Chain
CI/CD must be secured & recoverable
CIS Controls v8
Control 11
Automated backups for enterprise assets
SOX
IT General Controls
Tamper-evident financial software source integrity
PCI-DSS
Req 10
Audit logs for all access to cardholder systems
DORA
Article 12
Backup policies & restoration procedures
NIS2
Article 21
Backup management for essential entities
Essential Eight
ASD
Regular backups of business-critical data
UK NCSC CAF
D.1
Recovery of essential functions & source config

Your Permission Surface Is Probably Larger Than You Think.

Every excess admin, ungoverned outside collaborator, missing 2FA requirement, or unprotected branch is a vector for insider threat, account takeover, or accidental data loss.

👑

Org Admin Count

More than 2 org owners is rated MEDIUM; more than 5 is HIGH; more than 10 is CRITICAL. Most orgs have far too many.

👥

Outside Collaborators

External users with direct repo access who are outside your SSO and 2FA policies. Even one is MEDIUM risk.

🔒

2FA Enforcement

Not enforced org-wide? That's an instant CRITICAL. One compromised account without 2FA can wipe your org.

🌿

Branch Protection

Repos with no branch protection rules on their default branch are flagged CRITICAL. Required reviewers, force-push prevention, and admin bypass settings all checked.

🔑

Deploy Keys

Writable deploy keys on repos allow pushes that bypass your entire PR and review workflow. Each one is audited and rated.

🔌

Service Connections

Azure DevOps writable service connections (AzureRM, Kubernetes, Docker, AWS, GCP) are enumerated and risk-rated.

Up and Running in Under Five Minutes

No agents to install. No elevated access required. A single read-only token is all you need.

1

Download the Free Tool

Available as a PowerShell script (Windows) or a macOS desktop app. No dependencies, no install scripts.

2

Create a Read-Only Token

Generate a GitHub fine-grained or classic PAT with read-only org & repo access. Azure DevOps supports the same pattern.

3

Run and Get Your Report

The tool scans every repo in parallel and produces a self-contained HTML + PDF report with your full risk profile.

Get Your Free Risk Assessment Tool

Free, read-only, and runs entirely on your machine. No data leaves your network.

You're all set!

Your download should start automatically. If not, click below.

↓ Download Risk Assessment Tool