Where we are. Where we're going.
AscendCore is in private beta. 13 production runbooks, tamper-evident audit chain, multi-tenant credential isolation. Here's what's live today, what ships next, and where the platform is headed by 2027.
- SOC-2 Type II certification: full audit report available to enterprise prospects
- ServiceNow ITSM: bi-directional incident sync and change management automation
- CrowdStrike Falcon: real-time endpoint isolation and device compliance enforcement
- AWS IAM: scoped role grants, policy management, and access key lifecycle
- Customer-managed encryption keys (BYOK): bring-your-own-KMS for application-level data
- Single-tenant deployment option: dedicated infrastructure for full physical isolation
SOC-2 Type II report + ISO 27001 alignment: satisfies enterprise procurement requirements
ServiceNow: auto-create incidents, sync resolution status, attach full audit trail
CrowdStrike: device isolation on confirmed threat, compliance gating before access grants
AWS IAM: scoped role assignment, policy attachment, and access key rotation runbooks
Customer-managed encryption keys (BYOK): bring-your-own-KMS for app-level data encryption
Single-tenant deployment option: dedicated Netlify site or BYOC for customers requiring full isolation
99.9% uptime SLA with dedicated support tier for enterprise accounts
- BYO-LLM routing: Bedrock and Azure OpenAI for customers requiring inference inside their own cloud
- AI Workflow Builder: low-code canvas for building runbooks without YAML
- SIEM export: Splunk HEC and Microsoft Sentinel real-time streaming
- Pre-execution system-state snapshots: one-click rollback for reversible runbook actions
- SOC-2 Type I report: Vanta/Drata 90-day audit window completes
BYO-LLM routing: pluggable inference for customers requiring data residency in their own AWS / Azure account
Drag-and-drop workflow canvas with 40+ pre-built action blocks, no YAML required
AI next-step suggestions in canvas based on existing runbook library and ticket history
Real-time SIEM export to Splunk HEC and Microsoft Sentinel
Configurable audit log retention (90d → 7yr) to meet compliance requirements
Pre-execution system-state snapshots: capture-and-rollback engine for reversible actions
PagerDuty alert routing: auto-acknowledge low-severity, escalate high-severity
Google Workspace connector: Gmail, Drive, and Meet provisioning
- Independent penetration test: third-party assessment, reports under NDA
- Per-tenant customer-employee SSO: each customer's IdP signs in their own users (admin SSO already live)
- Multi-tenancy Phase 3: per-tenant Teams JWT audience enforcement (enterprise BYOB)
- Customer-managed billing portal: Stripe checkout sessions + customer-portal links + plan upgrade flows
- Documentation portal: self-serve runbook authoring guides and API reference
- Live status page: connector-level health indicators at status.ascendcore.ai
- Human-in-the-Loop 2.0: configurable per-step approval gates per runbook
Independent pen test: commissioned after multi-tenancy + Postgres land; reports available under NDA
Per-tenant customer SSO: each customer's IdP authenticates their own employees against AscendCore (distinct from the admin SSO already live since May 2026)
Multi-tenancy Phase 3: per-tenant Teams JWT audience validation, an enterprise BYOB requirement
Customer billing portal: Stripe-hosted checkout sessions + customer-portal links for plan changes; built on the live Stripe billing foundation shipped May 2026
Public docs site: runbook DSL reference, integration setup guides, API reference
Live status page with connector-level health indicators and incident history
HITL 2.0: per-step approval gates with Slack DM and email, not just per-runbook
Configurable HITL thresholds: auto-approve low-risk, require approval for privileged actions
Runbook YAML editor: inline schema validation and autocomplete
Analytics dashboard live: real deflection rate, resolution time, and labor cost savings
- SOC-2 Type I: Vanta enrollment kicks off the 90-day evidence-collection clock
- First design-partner LOI signed: #1 unlock for investor conversations
- Strategic runbook #2: design-partner-requested runbook (locked in after first LOI conversation)
SOC-2 Type I evidence collection begins via Vanta: control mapping, asset inventory, risk register
Strategic runbook #2: customer-driven build from the first design-partner conversation
Hardening polish on existing 13 runbooks: edge cases, customer-team customization paths
Datadog / PagerDuty alert webhook: auto-ack low severity, escalation cards for critical
- All 13 production runbooks LIVE: VPN Access Grant, Software Decommission, and Confluence Space Provisioning wired live, completing the runbook library
- OIDC SSO for admin login: Microsoft Entra and Okta supported (env-var configured)
- MFA enforcement via mandatory SSO: admin access brokered through customer IdP, which enforces MFA + conditional access
- Stripe billing infrastructure live: customer + subscription mirror in Postgres, webhook receiver with signature verification, plan-tier enforcement primitives
- Graduated API rate limits: free 60/min · pro 600/min · enterprise 6000/min (paid tiers receive higher limits automatically)
RB-004 VPN Access Grant: Slack + Teams approval flow → Entra security group add → optional Intune device sync (per-device, isolated failures); 19 unit tests
RB-010 Software Decommission: Slack + Teams approval flow → M365 license revoke + seat-pool delta + Intune device-discovery audit trail; 23 unit tests
RB-012 Confluence Space Provisioning: Slack + Teams approval flow → propose-time key-collision detection → Atlassian Confluence Cloud REST API v2 create; 25 unit tests
OIDC SSO admin login (Microsoft Entra + Okta): NextAuth v5 provider integration, email-allowlist gating, env-var-configured per deployment, fully additive to existing credentials path
Mandatory-SSO toggle (ADMIN_REQUIRE_SSO): when enabled, password login is server-side disabled and the login UI hides the credentials form. IdP becomes the sole admin sign-in path, matching the procurement-grade pattern used by enterprise SaaS for MFA delegation
Stripe billing foundation: customer + subscription tables in Postgres, webhook receiver at /api/webhooks/stripe with signature verification, plan-tier resolution from price IDs, enforcement primitives (requirePlan() + getEffectiveRateLimit())
Plan-tier enforcement: graduated API rate limits per tier (free 60/min, pro 600/min, enterprise 6000/min); admin-set per-key overrides honored verbatim; backward-compat invariant tested (free-tier behavior IDENTICAL to before)
Microsoft Intune integration foundation: shared Graph token module + Intune client (device configurations, managed devices, mobile apps, sync trigger); reuses existing Entra app registration with extra Graph permissions
Atlassian Confluence Cloud client: env-var fallback to JIRA_* for shared-Atlassian-tenant deployments, v2 API for space lookup + create
All 13 runbook detail pages under /runbooks now show 'live' status (was 10 live + 3 templates at the start of Phase 2)
Drizzle migration 0004 applied to production Neon: stripe_customers + stripe_subscriptions tables (caught up missed migration 0003 for webhook_subscriptions in same operation)
672 unit tests passing (was 493 at start of Phase 2; +179 across the 8 sessions)
Every Phase 2 change is purely additive or fully backward-compatible, with zero regressions in existing functionality
- 13 production runbooks across Slack, Teams, and dashboard: identity, access, lifecycle, and group management
- Tamper-evident SHA-256 audit chain LIVE end-to-end: Postgres attached, every approve/deny appended to a verifiable hash chain
- Multi-tenancy Phase 1+2: per-org credential isolation and namespaced data wired through every handler
- Public /runbooks library: all 13 runbooks documented with YAML previews, prerequisites, and supported systems
- /dashboard/audit page: live chain reads with cryptographic hash markers, demo-aware for prospect demos
- Doppler ↔ Netlify production secrets: single source of truth, full rotation completed
Group membership runbook (RB-013): Entra security group add/remove with idempotent execution and full HITL parity in Slack and Teams
New employee provisioning enhanced: optional group assignments at propose time, deferred when user not yet in Entra
Public /runbooks library: 13 documented runbooks with SEO-optimized detail pages and YAML previews
SHA-256 hash-chain audit library: canonical JSON serialization, chain verification, CSV export, 98 unit tests
Audit chain handler wiring: every Slack interactive + Teams invoke approve/deny path calls logRunbookOutcome() with graceful no-op when DB unavailable
Neon Postgres attached: tamper-evident audit chain live in production (US East 2), single-column hash markers viewable in /dashboard/audit
/dashboard/audit live chain reader: paginated load-more, hash-prefix column for verification, demo-aware (fictitious Acme rows for prospect demos)
Multi-tenancy Phase 1+2: org-scoped credential vaults via Zod-validated schema, secret-ref resolution (env: / doppler:), resolvers wired into Slack/Teams/Okta/Entra handlers
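A worked illustration of the org-scoped vault and secret-reference resolution described in the item above, added here and not the project's own code: a vault stores only references of the form `env:NAME` or `doppler:NAME`, references are validated on write (hand-written checks stand in for the Zod schema), and every lookup is keyed by the calling org so a reference can never resolve into another tenant's secrets. The `<ORG>__<NAME>` environment-variable convention, the in-memory Doppler stand-in and the two sample tenants are assumptions of this example.

```javascript
// A vault row holds a reference, never secret material; a leaked row reveals nothing by itself.
const SECRET_REF = /^(env|doppler):([A-Z][A-Z0-9_]*)$/;
const ORG_ID = /^[a-z0-9][a-z0-9-]{0,63}$/;

// Validate a tenant's vault before it is persisted (stand-in for the Zod schema; assumption).
function validateVault(orgId, vault) {
  if (!ORG_ID.test(String(orgId))) throw new TypeError(`invalid orgId ${JSON.stringify(orgId)}`);
  const clean = {};
  for (const [connector, fields] of Object.entries(vault)) {
    clean[connector] = {};
    for (const [field, ref] of Object.entries(fields)) {
      if (typeof ref !== "string" || !SECRET_REF.test(ref)) {
        throw new TypeError(`${orgId}/${connector}.${field}: value is not a secret reference`);
      }
      clean[connector][field] = ref;
    }
  }
  return clean;
}

// Providers are namespaced by org: the env convention <ORG>__<NAME> is constructed
// for this example so that even shared-process env lookups stay tenant-scoped.
function envKey(orgId, name) {
  return `${orgId.toUpperCase().replace(/-/g, "_")}__${name}`;
}

function makeResolver(vaults, providers) {
  return function resolveSecret(orgId, connector, field) {
    const vault = vaults[orgId];
    if (!vault) throw new Error(`org ${orgId} has no credential vault`); // never fall through to another org
    const ref = vault[connector] && vault[connector][field];
    if (!ref) throw new Error(`org ${orgId} has no ${connector}.${field} credential`);
    const [, scheme, name] = SECRET_REF.exec(ref);
    const value = providers[scheme](orgId, name);
    if (value === undefined) throw new Error(`${ref} did not resolve for org ${orgId}`);
    return value;
  };
}

// Constructed sample data: one tenant on env: refs, one on doppler: refs.
const FAKE_ENV = { ACME__OKTA_API_TOKEN: "env-acme-okta" };
const FAKE_DOPPLER = { globex: { ENTRA_CLIENT_SECRET: "dop-globex-entra" } };
const PROVIDERS = {
  env: (orgId, name) => FAKE_ENV[envKey(orgId, name)],
  doppler: (orgId, name) => (FAKE_DOPPLER[orgId] || {})[name],
};
const VAULTS = {
  acme: validateVault("acme", { okta: { apiToken: "env:OKTA_API_TOKEN" } }),
  globex: validateVault("globex", { entra: { clientSecret: "doppler:ENTRA_CLIENT_SECRET" } }),
};
const resolveSecret = makeResolver(VAULTS, PROVIDERS);

// A vault write containing a literal token (constructed value) must be refused.
function rejectsPlaintext() {
  try {
    validateVault("acme", { okta: { apiToken: "00ABCDEF-literal-token-value" } });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Resolution happens inside the handler that needs the credential, at call time; the plaintext never lands in the vault table or in the audit chain.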
Dual-mode dashboard security: real owner data vs public demo data on identical URLs, 4-layer enforcement (auth, middleware, client header, API guard)
Trust Center / /security page: implementation-accurate Live / In Progress / Roadmap split with sub-processor list and CISO FAQ
Idle-timeout (5 min, server-enforced) + closed-tab session termination, for SOC-2 CC6.1 alignment
Read-side RBAC isolation: demo / non-owner sessions never see real production telemetry
Per-IP rate limiting + idempotent action handling: no double-execution under retry, no abuse via public endpoints
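The two enforcement primitives named above, tier-based rate limits with admin overrides (the Phase 2 "graduated API rate limits" item) and per-IP limiting with idempotent action handling (this item), as one added example that is not the project's code. It shows the limit resolution keeping the free tier at 60/min when no plan is recorded, a fixed-window counter keyed per IP or API key, and an idempotency store that lets a retried approval return the first outcome without re-running the side effect. Function and class names, the window size and the sample clock are constructed for this example.

```javascript
const TIER_LIMITS = { free: 60, pro: 600, enterprise: 6000 }; // requests per minute, as on the page

// An admin-set per-key override wins verbatim; otherwise the plan tier decides.
// A missing or unknown plan falls back to free, so keys that predate billing
// keep exactly the limit they had before. Non-positive overrides are ignored (assumption).
function effectiveLimit(plan, override) {
  if (Number.isInteger(override) && override > 0) return override;
  return TIER_LIMITS[plan] ?? TIER_LIMITS.free;
}

// Fixed-window counter, keyed by "ip:<addr>" or "key:<id>". Windows are aligned to
// the clock so a burst straddling a boundary gets at most 2x the limit (known trade-off).
class FixedWindowLimiter {
  constructor(windowMs = 60_000) {
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  hit(key, limit, now = Date.now()) {
    const windowStart = now - (now % this.windowMs);
    const bucket = this.buckets.get(key);
    if (!bucket || bucket.windowStart !== windowStart) {
      this.buckets.set(key, { windowStart, count: 1 });
      return { allowed: true, remaining: limit - 1 };
    }
    if (bucket.count >= limit) return { allowed: false, remaining: 0 };
    bucket.count += 1;
    return { allowed: true, remaining: limit - bucket.count };
  }
}

// Idempotent actions: the same idempotency key always yields the first result,
// and the side effect runs once even if the client retries after a timeout.
class IdempotencyStore {
  constructor() {
    this.results = new Map();
  }
  run(key, action) {
    if (this.results.has(key)) return { replayed: true, result: this.results.get(key) };
    const result = action();
    this.results.set(key, result);
    return { replayed: false, result };
  }
}

function demo() {
  const limiter = new FixedWindowLimiter();
  const t0 = 1_000_000; // constructed clock, milliseconds
  const limit = effectiveLimit("free", undefined); // 60

  // 65 requests from one address inside a single window: 60 pass, 5 are refused.
  let denied = 0;
  for (let i = 0; i < 65; i++) {
    if (!limiter.hit("ip:203.0.113.7", limit, t0 + i).allowed) denied += 1;
  }
  // A different key is counted separately and is unaffected.
  const otherKey = limiter.hit("ip:198.51.100.9", limit, t0 + 10).allowed;
  // The next window starts fresh.
  const afterWindow = limiter.hit("ip:203.0.113.7", limit, t0 + 60_000).allowed;

  // Approval delivered twice (Slack retry): the group add executes once.
  const idem = new IdempotencyStore();
  let executions = 0;
  const addToGroup = () => { executions += 1; return "group-added"; };
  const first = idem.run("approve:RB-013:req-42", addToGroup);
  const retry = idem.run("approve:RB-013:req-42", addToGroup);

  return { denied, otherKey, afterWindow, executions, firstResult: first.result, retryReplayed: retry.replayed };
}
```

Keying the idempotency store by a request id that the chat platform attaches to the approval click, rather than by user or runbook alone, is what makes a retry harmless while still allowing two genuinely separate approvals.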
AscendCore, Inc. C-Corp filed (Stripe Atlas, May 2026): forward-looking entity references in /privacy and /dpa now have entity backing
Datadog ↔ AscendCore integration live in production: webhook receiver + monitor mute API (us5 region)
Vitest infrastructure: 305 unit tests across hash-chain, multi-tenancy, classifier, runbooks, audit, format helpers, parser edge cases
Entra findUser() mail/proxyAddresses fallback: resolves users by email alias when the UPN differs (B2B Member accounts, +addressing). Discovered in our own smoke testing.
Slack/Teams group-name parser strips surrounding quotes: `/group-add user@x.com "My Group"` now works as users naturally type it
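An added tokenizer for the slash-command argument format described in the item above (example code, not the project's parser): whitespace separates arguments, a double-quoted argument may contain spaces, the surrounding quotes are stripped, and an unterminated quote is an error rather than a silently truncated group name. Accepting curly quotes, which some chat clients substitute automatically, is an assumption of this example, as are the function names and the email check.

```javascript
// Straight quotes plus the curly variants chat clients auto-insert (assumption).
const QUOTES = new Set(['"', "\u201C", "\u201D"]);

function tokenize(text) {
  const tokens = [];
  let current = "";
  let inQuote = false;   // currently inside a quoted argument
  let quoted = false;    // current token was quoted, so "" is a valid empty argument
  for (const ch of text) {
    if (QUOTES.has(ch)) {
      inQuote = !inQuote;
      quoted = true;
      continue;
    }
    if (!inQuote && /\s/.test(ch)) {
      if (current !== "" || quoted) tokens.push(current);
      current = "";
      quoted = false;
      continue;
    }
    current += ch;
  }
  if (inQuote) throw new SyntaxError("unterminated quote in command arguments");
  if (current !== "" || quoted) tokens.push(current);
  return tokens;
}

// Deliberately loose shape check: the directory lookup is the real validator.
const EMAIL = /^[^\s@"]+@[^\s@"]+\.[^\s@"]+$/;

// /group-add <user email> <group name>: the group name may be quoted or unquoted;
// unquoted trailing words are joined so "Sales Ops" still works without quotes.
function parseGroupAdd(args) {
  const [user, ...rest] = tokenize(args);
  if (!user || !EMAIL.test(user)) throw new SyntaxError("first argument must be a user email");
  const group = rest.join(" ").trim();
  if (!group) throw new SyntaxError("group name is required");
  return { user: user.toLowerCase(), group };
}
```

Failing loudly on an unterminated quote matters in a HITL flow: the approver sees the exact group name the runbook will act on, not a guessed prefix of it.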
- Four automations live end-to-end: MFA reset, password reset, account unlock, and account offboarding
- Microsoft Teams bot: full HITL parity with Slack, Adaptive Card approve/deny flows
- Microsoft Entra ID connector: account unlock via Graph API, resolves in under 90 seconds
- Admin dashboard: live approval queue, activity feed, and source tracking across Slack and Teams
MFA reset (Okta): intent classified via Claude Haiku, HITL-gated, factor cleared and re-enrollment sent on approval
Password reset (Okta): admin approve/deny from Slack, Teams, or dashboard, with an Okta temp password set on approval
Account unlock (Entra ID): Graph API enableAccount call, resolves in under 90 seconds end-to-end
Account offboarding (Okta): user deactivation + group removal, HITL-gated with full audit trail
Microsoft Teams bot: registered in Azure (Bot Framework), JWT-verified, Adaptive Card HITL with approve/deny
All four automations available from Slack slash commands and Teams bot chat, with an identical approval flow in both
Source tracking: every request tagged as 'slack' or 'teams' through the full pipeline, visible in dashboard and audit log
Admin dashboard: live approval queue with confidence scoring, completed history, 5-scenario interactive walkthrough
Guided onboarding wizards: step-by-step credential setup for Okta, Entra ID, M365, Teams, Jira, and Duo Security
Lead capture and demo access flow: prospects get dashboard access in under 5 minutes
Claude Haiku classifier: 94%+ accuracy on identity requests; skips intent detection for plain email inputs
Teams Adaptive Card submit routing: fixed Action.Submit to route through handleInvoke, not handleMessage
Serverless function lifecycle extended via next/server after() to keep async Slack and Teams work alive post-response
