The Hounds NAVI AGENT COMMAND CENTER · HITL

Writes (tags & ACR) need NAVI_MCP_ALLOW_WRITES=1 on your navi-mcp server. With it on, every agent + the contract apply live from here. The standalone repo (NAVI_ALLOW_WRITES=1) and chat also work. Any Export button hands a plan off as a runnable navi script.

🐾 On the Scent

The unknown-unknowns hiding in navi.db β€” press Run to pick up the trail, then click any tile to dig in.

Press β–Ά Run to query navi.db and surface the unknown-unknowns. Nothing runs until you ask β€” built for very large environments.

Certificate failures — 12-month timeline

Certs expiring per forward month. Click a month to drill into the assets failing then and the cert plugins on them.

Press ▶ Run above to build the certificate heatmaps.

Certificate issues × affected assets

Every plugin with “Certificate” in its name, ranked by distinct assets affected (live vulns query). Click a row to drill into the affected assets.

Press ▶ Run above to load…

🐕 Release the Hounds

The pack — every agent, what it does, and the lore behind its name. Execute runs it live against navi.db. Ask below to find the right Hound fast.

“I trust you” runs every tagging agent and auto-applies all proposed tags live (gated writes) — Cert (failures + cert issues by plugin), IoT, MITRE, EOL, AI, Custom apps, Identity, and Scan-eval credential failures. ACR is never run. Ownership Assignment & Software need your input, so they're skipped.

log ready…

🏷 Tagging log

Tag writes run in the background so the agent pages never block. This log shows what's queued, running, and finished this session.

# | Status | Category | Value | Selector | Detail | Queued | Duration | Result
No tag jobs yet. Apply a tag from any agent and it appears here.

Covenant Hound

📜 AI Contract

Capture your policy once; the contract tags, sets ACR, waits, and re-runs on a loop — planning first, executing only when armed. With no per-agent policy it tags the risk-weighted top-N of everything.

…

Schedule & defaults

Per-agent policy

Blank policy → risk-weighted top-N. e.g. IoT → "tag all IoT but not Dell or Intel — those are laptops"; Custom apps → "only /opt apps and jenkins matter".

ACR changes

✨ Describe ACR changes in plain English

The AI maps your instruction to ACR changes across the live tag list (navi explore info tags); preview them, then add them as contract rules below. No writes happen here β€” the contract applies them on its loop when armed. Falls back to a deterministic rule parser if on-device inference is unavailable.

Garmr Hound

🗑️ Tag removal

When armed, the contract removes these tags first, forces a pause, runs navi update, then re-runs the tagging workflow. Add tags from the Tag removal page, or type them below.

Plan preview

Click Plan to preview what the contract would tag.

Loop log

No cycles yet.

Heimdall Hound

⚛️ Post-Quantum Cipher Analysis

Heimdall watches the quantum horizon. Tenable's Post-Quantum Cipher Analysis plugins show where your estate still leans on quantum-vulnerable crypto (RSA / ECC). Tags the assets these plugins fired on as Post-Quantum : Cipher Analysis via navi --plugin. Gated · Tagging log.

Certificate crypto analysis — live from the certs table

Classifies every certificate by quantum risk — RSA / ECC / DSA are broken by Shor's algorithm, and key length won't save them — then ranks harvest-now-decrypt-later exposure: long-lived certs on high-value assets whose protected data must stay secret past the arrival of quantum computers. Gated tagging + ACR.

🔀 Transport crypto & agility — TLS / SSH key exchange + library readiness

Looks past certificates at the crypto negotiated on the wire — TLS supported groups, SSH key exchange, weak MAC/protocol — and how ready each host's crypto libraries are to adopt PQC (OpenSSH ≥ 9 ships hybrid sntrup761x25519; OpenSSL ≥ 3.2 adds PQ providers). Gated tagging.

🎯 Crown-jewel crypto correlation + migration roadmap

Fuses cert risk (#1/#2), transport risk (#3) and crypto-agility (#4) with asset ACR and CISA-KEV into one prioritized PQC migration backlog. Runs the cert + transport analyses first if you haven't.

🗓️ CNSA 2.0 / NIST PQC migration timeline — reference

NSA's Commercial National Security Algorithm Suite 2.0 milestones — use to frame remediation deadlines. Verify against the latest CNSA 2.0 guidance for your sector.

By | Milestone
2024 | NIST finalizes PQC standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
2025 | CNSA 2.0: begin adoption; software & firmware signing should move to PQC (LMS/XMSS or ML-DSA).
2027 | PQC support expected in new acquisitions; hybrid ML-KEM broadly enabled in browsers & servers.
2030 | CNSA 2.0: PQC becomes the default for most National Security Systems; RSA/ECC deprecated for new systems.
2033 | CNSA 2.0: exclusive use of PQC across NSS; classical RSA/ECC key-establishment & signatures disallowed.

Laelaps Hound

🛡️ CISA KEV Tagging

Tags Known Exploited Vulnerabilities off Tenable's CISA-KNOWN-EXPLOITED cross-reference. Tag every KEV asset as CISA KEV : Vulnerable, or by catalog date as CISA KEV : <Mon> - <DD> - <YYYY>. Gated · tracked in the Tagging log.

Hunt CISA KEV — ask in plain English

Hunt CISA KEV β€” ask in plain English

Turn a question into a read-only SQL over navi.db / tags — e.g. "assets with a CISA KEV and ACR over 7", "KEV added in 2025 by hostname", "which assets already carry a CISA KEV tag". Review the SQL, then run it.

Sirius Hound

🛰️ Agent Group Tagging

Tags every asset in a Tenable agent group with Agent Group : <name> — runs navi enrich tag --c "Agent Group" --v "<name>" --group "<name>" per group, on the background queue (Tagging log). Three ways below. Writes are gated.

Garmr Hound

🗑️ Tag Removal

Garmr lists every tag in the tenant. Pick the ones to strip — each removal runs navi enrich tag … -remove and shows in the Tagging log as a remove job. Send your picks to the AI Contract and it removes them first, pauses 30 min, runs navi update, then re-runs the tagging workflow.

0 selected

🧠 Advanced search cross-table NLβ†’SQL

Ask anything across the whole of navi.db and the model writes the joins for you. e.g. "assets in the Production tag with the highest EPSS score" Β· "critical vulns with EPSS over 0.5 on cloud assets" Β· "hosts running OpenSSL that also have an expiring certificate". Two-step: it drafts the SQL with joins, you review/refine, then execute (read-only).

πŸ”— Schema & join map

The tables present in your navi.db and how they join. The advanced search uses these keys automatically.

Certificates failing in the next 12 months

Live from certs table · window · tag Cert failure : <Mon>-<dd>-<yyyy>

Agent reasoning

The agent reasons over the failing certs with this prompt to triage & explain. Edit to change how it thinks.

Expiry | Tag value | IP | Host | Common name | Days | Status
Run the agent to load…

IoT & application cache

Apps & IoT/appliance devices fingerprinted from cert fields (plugin 10863), for the IoT squad.

Type | Vendor | Product | IP | Host | Cert CN | Sig / key | Tag
Run the agent to load…

Fenrir Hound

🕸️ Attack Path Analysis

Fenrir chains exploitability × identity × reachability into likely attack paths: an attacker's foothold (exploitable or weak-auth asset) → lateral movement (same-subnet reachability + credential pivots) → crown-jewel target (high-ACR asset). Reachability is inferred from subnet adjacency + credential signals, not observed traffic. Gated tagging.

IoT Discovery Squad

Four agents live on navi.db: Discovery → Expansion → Cross-Reference → QA. Two human gates: IoT tag approval, and new-detection approval (learning loop persisted in this view).

Gate 1 — discovered IoT devices

Agent 1 tags each IoT : <name> (ephemeral, remove=True). Approve to queue gated writes.

IoT name | Vendor | Assets | Confidence | Status
Run the squad to load…

Gate 2 — proposed new detections

Agent 3 asks: promote these auto-discovered plugins to the default detection registry? Approve = persist & reuse; Reject = remembered, never re-proposed.

IoT name | Plugin | Assets | Prevalence | Decision
Run the squad to load…

Cross-reference candidates

Other assets sharing the expanded plugin signatures — possible IoT Agent 1 missed. Inspect the matching plugin output to judge false positives, then tag the asset IoT:<name> (gated) or mark it a false positive.

IoT name | IP | Host | Evidence | Decision
Run the squad to load…

QA & detection registry

Run the squad to load…

ACR calibration

Adjust Asset Criticality Rating for all assets carrying a tag. Set an absolute 1–10, or nudge +N / −N (asset at 9, −1 → 8; asset at 3, −1 → 2). A business justification is required.

Bulk ACR β€” natural language

Describe what you want in plain English. The AI maps it to ACR changes across the live tag list; you preview every change before anything is written. (Uses on-device inference; falls back to a deterministic rule parser if unavailable.)

All tags

Live from navi explore info tags (not the tags table).

Category | Value | Value UUID
Load tags to populate…

Custom App Name Agent

Finds software the inventory misses by mining vuln routes and filesystem paths (live), then comparing to the software table. Candidates below aren't in the package inventory.

Source | Candidate | Evidence | Example
Run discovery to load…

🚫 Ignore list

False positives β€” web pages and noise that show up as β€œapps”. Ignored terms are hidden from discovery on every run and stored locally. Match is by candidate name/keyword or substring.

Tag a custom app β€” natural language

Describe the app in plain English (e.g. Tag my custom app navi). The agent finds the name + searches both vuln_route (app name) and vuln_paths (path), shows what it matched, and tags Custom App : <name> only after you confirm — paths via --query, routes via --route_id.

MITRE ATT&CK tagging

Follows the navi tag-by-cve recipe: fetches the live ATT&CK→CVE mapping, then tags each CVE in navi.db with its impact/technique via navi_enrich_tag(cve=…). Writes are gated.

Planned MITRE tags

Each row = one Mitre : <impact/technique> applied to every asset whose findings cite that CVE. Approve, then apply.

CVE | Tag value | Status
Build the plan to load…

High-risk assets (ACR > 7) with ATT&CK-mapped CVEs

These are the crown-jewel assets behind the “MITRE techniques on assets (ACR > 7)” insight — click to drill in.

Host | IP | ACR | Mapped CVEs
Build the plan to load…

EOL / Unsupported software tagging

Finds Unsupported and End-of-Life software from lifecycle text in plugin names and tags affected assets via navi tag --name. Expands automatically as new EOL plugins appear.

📊 Dashboard builder

Describe a view in plain English, then pick a data source: navi.db (on-device inference writes one read-only SELECT over the local snapshot) or Tenable One (live counts via the Tenable MCP). Renders as KPI tiles, a bar chart, or a table. For anything we didn't ship a page for. Read-only — nothing is written.

Data source: Querying the local navi.db snapshot.

🗂 Custom Dashboard

Your promoted components on their own page. ↻ Refresh data re-runs each navi.db query so the board reflects the current snapshot.

🧠 AI inventory

Discovers AI/ML by content — the Tenable AI plugin family plus the software & cpes inventories and plugin output — and classifies each asset by role (GPU/Training · Model Serving · Vector DB/RAG · Notebook · MLOps · LLM client). Anything found outside the sanctioned set is shadow AI. Every row has a Why — inspect the exact plugin output/software behind the detection and dismiss false positives. Tag by role via navi tag --query (gated).

AI assets

Assets running AI/ML software. Click a host to drill in, or ↗ to open it in Tenable One. Use Tag to label them (rename the value first if you like).

or tag by role below · editable on apply
Host | IP | Role | AI software | Platform
Press ▶ Run to load…

🆔 Identity inventory

Discovers identities by content, not a memorized plugin list — sweeps plugin names and raw output, then the high-value enumerators (passwd 95928, SMB users 10860, non-expiring 83303, host SID 10859, SNMP 41028). Classifies Human / Service-NHI / Machine, flags the risky ones (non-expiring, privileged, guest, default-secret), and headlines the coverage gap — hosts scanned without credentials. Tagged via navi tag --query; gated writes.

Identities

Each identity maps to the asset(s) it was enumerated on. Tag labels those assets; ↗ opens the asset in Tenable One.

Identity | Class | Flags | Hosts | Assets | Plugins | Platform
Press ▶ Run to load…

📈 Scan evaluations

Reproduces navi scan evaluate — average scan time per asset by scanner, policy, and scan (plugin 19506) — plus credential-failure coverage (plugin 104410). Tag problem areas via navi (gated, rename on apply).

🏷 Tags — Tenable ⇄ navi.db

Every tag in the Tenable platform (via Tenable MCP) and in navi.db's tags table, side by side. The delta shows what's in one but not the other — i.e. what hasn't synced.

🔎 Assets

Search navi.db assets by hostname, IP, OS or network. Click a host to open its full detail.

Host | IP | OS | ACR | Platform
Search to load… (blank = first 200)

🔎 Vulnerabilities

Search findings by plugin name, plugin ID, CVE, or severity. Grouped by plugin — click to see affected assets.

Plugin | Name | Severity | VPR | CVSS 3 | Assets
Search to load…

🔎 Plugins

Every distinct plugin in navi.db — search by ID, name, or family. Click to see affected assets + outputs.

Plugin ID | Name | Family | Assets
Search to load…

🔎 Routes

Application routes from navi.db (vuln_route) — search by app name or type.

App / route | Type | Total vulns | Plugins
Search to load…

🔎 Paths

Filesystem paths discovered on assets (vuln_paths) — search by path text. Click a host to drill in.

Path | Plugin | Host | IP
Search to load…

Asset detail

Vulnerabilities & plugins

Click a plugin to see every asset it affects.

Plugin | Name | Output | Last found

Certificates

Common name | Organization | Expiry | Signature | Key

Plugin detail

Affected assets

Click an asset to see all of its findings and certificates.

Host | IP | Scan output | Last found

Atlas Hound

🧭 Ownership Assignment

Pull users & groups (navi primary Β· Tenable MCP backup), then describe in plain English who owns which routes & paths. Each mapping tags every asset on the matched route/path with Owner : <group/user> (gated).

βš– Tenable MCP vs navi MCP

Two tools, one platform. What each surface is for, where they overlap, the limits that force a handoff β€” plus a live check of navi.db freshness and whether both point at the same account. If they disagree, refresh navi.db first β€” a stale snapshot is far likelier than two accounts.

Capability & routing matrix

Where each job naturally lives. ✅ first-class · ☑ possible · — not supported.

Job | navi MCP | Tenable MCP | Recommended

Limits & handoffs that matter

Mimir Hound

📦 Software analyzer

Mines the software table to find version sprawl — the same product running at many versions across the estate — plus the most-deployed software, standardized vs fragmented apps, and rare single-install software. Tag any product or version (gated).

✨ Ask the software inventory (NL→SQL)

Plain-English question → one read-only SELECT over the software table, joined to assets / vulns — note software.asset_uuid is a list string, matched with LIKE, not equality. e.g. "openssl versions on assets with ACR over 8" · "products on hosts that have a critical CVE" · "most common software on cloud assets".
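
The join note above, as an added example that is not part of the tool's own code: an equality join on a list-string column silently returns nothing, while the LIKE join finds the hosts. The table layout, column names other than software.asset_uuid, and all rows are constructed assumptions for illustration; PRAGMA query_only stands in for the read-only guarantee.

```python
import sqlite3

def build_sample_db():
    """In-memory stand-in for navi.db; schema and rows are constructed for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE assets (uuid TEXT PRIMARY KEY, hostname TEXT, acr INTEGER);
        CREATE TABLE software (software_string TEXT, asset_uuid TEXT);
    """)
    db.executemany("INSERT INTO assets VALUES (?, ?, ?)", [
        ("11111111-aaaa-4aaa-8aaa-000000000001", "pay-db-01", 9),
        ("22222222-bbbb-4bbb-8bbb-000000000002", "web-02", 5),
        ("33333333-cccc-4ccc-8ccc-000000000003", "hr-app-03", 10),
    ])
    # asset_uuid holds a stringified list of asset UUIDs, not a single key.
    db.executemany("INSERT INTO software VALUES (?, ?)", [
        ("openssl-1.1.1k", "['11111111-aaaa-4aaa-8aaa-000000000001', "
                           "'22222222-bbbb-4bbb-8bbb-000000000002']"),
        ("openssl-3.0.13", "['33333333-cccc-4ccc-8ccc-000000000003']"),
        ("nginx-1.24.0", "['22222222-bbbb-4bbb-8bbb-000000000002']"),
    ])
    db.commit()
    db.execute("PRAGMA query_only = ON")  # later writes on this connection fail
    return db

# Wrong: compares the whole list string to one UUID, so no row ever matches.
EQUALITY_JOIN = """
    SELECT a.hostname, s.software_string
    FROM software s JOIN assets a ON s.asset_uuid = a.uuid
    WHERE s.software_string LIKE ? AND a.acr > ?
    ORDER BY a.hostname"""

# Right: substring match of the asset UUID inside the list string.
LIKE_JOIN = """
    SELECT a.hostname, s.software_string
    FROM software s JOIN assets a ON s.asset_uuid LIKE '%' || a.uuid || '%'
    WHERE s.software_string LIKE ? AND a.acr > ?
    ORDER BY a.hostname"""

def software_on_critical_assets(db, join_sql, product, min_acr):
    """Run one parameterised SELECT; product is matched as a prefix."""
    return db.execute(join_sql, (product + "%", min_acr)).fetchall()

if __name__ == "__main__":
    conn = build_sample_db()
    print("equality:", software_on_critical_assets(conn, EQUALITY_JOIN, "openssl", 8))
    print("like:    ", software_on_critical_assets(conn, LIKE_JOIN, "openssl", 8))
```

The empty result from the equality join raises no error, which is why a drafted query should be checked for this join before its output is trusted as "no exposure".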

Tag detail

Assets in this tag

From navi.db tags → assets. Click a host to open its full detail.

Host | IP | OS | ACR | Platform