SE Validator finds the credentials sprawled across your repos, cloud accounts, and developer machines, then continuously checks them against public exposure and provider revocation without ever taking custody of the secret itself.
Validates secrets for the providers listed at docs.sevalidator.com/providers.
The first question any security buyer asks a credential-monitoring vendor is: "so I'm giving you all my secrets?" The answer is no. SE Validator is built so your raw credentials never leave your network.
The open-source agent runs inside your infrastructure. It computes a salted HMAC fingerprint of each secret locally, and only the fingerprints are sent to our API. A fingerprint is a one-way keyed hash, not an encryption of the secret, so we cannot recover or replay the credential from it.
To check whether a credential still works, the agent calls the provider's own validation endpoint (e.g., AWS STS GetCallerIdentity, the call behind aws sts get-caller-identity) from inside your network. The result is a yes/no boolean, never the credential itself.
The agent's source is on GitHub. Wire format is documented; you can run it through a proxy and verify exactly what crosses the boundary.
On the Enterprise tier the entire stack (agent, validation service, and exposure-monitoring database) runs in your VPC. No data crosses your perimeter at all.
Verify yourself: read the threat model · audit the agent
Four jobs, one platform. Each can be turned on independently.
Continuously scans your repos, CI logs, container images, cloud config, and developer laptops for credentials. 90+ provider patterns, custom-pattern support.
Checks each credential against the issuing provider to confirm it's live, what scopes it has, and when it expires. Caught a stale token? It tells you which service still uses it.
Compares your credential fingerprints against public GitHub, paste sites, npm/PyPI packages, and our leaked-credential corpus. Hash-only, so your secret is never queried in plaintext.
Triggers rotation through your existing secrets manager (Vault, AWS Secrets Manager, Doppler, 1Password) when a credential ages out, leaks, or fails validation. Zero-touch for supported providers.
Audit-ready evidence packages mapped to SOC 2 CC6.1, ISO 27001 A.9.4, PCI-DSS 8.2.1, and HIPAA §164.312(a). Export to PDF or push to Drata / Vanta / Secureframe.
Block PRs that introduce new secrets via the GitHub / GitLab app. Wire findings into your SIEM via webhook or our REST API. Full API reference.
Three commands. No agents to babysit, no inbound network rules.
Single binary. Run as a daemon, a Kubernetes DaemonSet, or a one-shot CI step. Static builds for Linux, macOS, and Windows will be available on GitHub Releases.
Pass a repo URL, a directory, an AWS account, or a Vault path. The agent walks the target, fingerprints credentials locally, and streams findings to your dashboard.
Slack, PagerDuty, Jira, GitHub Issues, or a generic webhook. Choose what severity triggers what action. Define an auto-rotation policy if you want zero-touch.
Priced by tracked credentials, not by seat or by scan. Annual billing available.
Solo developers and small open-source projects.
Growing engineering teams. The most popular tier.
Regulated workloads & compliance programs.
Air-gapped, self-hosted, large estates.
Free for accredited security researchers and OSS maintainers. Apply here.
The full trust center, including current pen-test summaries, sub-processors, vulnerability disclosure policy, and DPA, lives at trust.sevalidator.com.
Audited annually by an independent CPA firm. Report available under NDA via the Trust Center.
Performed annually by an independent firm. Executive summary published; full report under NDA.
AES-256 for all stored data. TLS 1.3 for every network connection. Per-tenant key isolation, with customer-managed keys (BYOK) on the Enterprise tier.
A live list of every sub-processor we use, what data they touch, and their certifications. US, EU, and customer-region deployments.
Uptime over the trailing 90 days, every incident we've had, and what we did about it: status.sevalidator.com
Standard Contractual Clauses, EU sub-processor option, signed DPA available before contract.
No. The agent runs inside your network and computes an HMAC-SHA256 fingerprint locally using a per-tenant salt. Only the fingerprint, the provider type, and a few non-sensitive metadata fields are sent to our service over mTLS. We have no way to recover the original secret. Even under subpoena, all we could hand over is fingerprints.
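As an added example (not the project's agent code), this is what the locally computed, per-tenant HMAC-SHA256 fingerprinting and hash-only exposure comparison described above look like end-to-end; the salt value, detector patterns and leaked-fingerprint corpus are constructed, and it assumes the exposure corpus is fingerprinted under the same tenant salt, since otherwise a hash-only comparison cannot match.

```python
import hashlib
import hmac
import json
import re

# Constructed per-tenant salt (hypothetical value, not from the page). It is the HMAC
# key: without it, someone holding only fingerprints cannot guess-and-check secrets.
TENANT_SALT = bytes.fromhex("8f1c2a0d4e6b7c9a1234567890abcdef0123456789abcdef0123456789abcdef")


def fingerprint(secret: str, tenant_salt: bytes = TENANT_SALT) -> str:
    """HMAC-SHA256 of the secret keyed with the tenant salt, hex-encoded."""
    return hmac.new(tenant_salt, secret.encode("utf-8"), hashlib.sha256).hexdigest()


# Illustrative detector patterns (assumed; the product's own patterns are not on the page).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (provider_type, raw_secret) pairs found in text; raw values never leave here."""
    return [(p, m.group(0)) for p, pat in PATTERNS.items() for m in pat.finditer(text)]


def build_report(text: str, source: str) -> list[dict]:
    """The only thing that crosses the boundary: fingerprint, provider type, metadata."""
    return [
        {"fingerprint": fingerprint(s), "provider": p, "source": source, "length": len(s)}
        for p, s in find_secrets(text)
    ]


def leaks_plaintext(report: list[dict], text: str) -> bool:
    """Check a proxy reviewer would make: does the wire payload contain any raw secret?"""
    wire = json.dumps(report)
    return any(s in wire for _, s in find_secrets(text))


# Constructed exposure corpus, pre-fingerprinted under the same tenant salt (assumption).
# "AKIAIOSFODNN7EXAMPLE" is AWS's documented example key, not a live credential.
LEAKED_FINGERPRINTS = {fingerprint("AKIAIOSFODNN7EXAMPLE")}


def exposed(report: list[dict]) -> list[dict]:
    """Hash-only comparison: match fingerprints, never plaintext."""
    return [f for f in report if f["fingerprint"] in LEAKED_FINGERPRINTS]


# Constructed sample input: a config fragment with one publicly known example key.
SAMPLE_CONFIG = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nGITHUB_TOKEN=ghp_" + "a" * 36 + "\n"
```

The same secret fingerprinted under a different tenant salt yields an unrelated value, which is what keeps one tenant's fingerprints useless for guessing against another's.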
An attacker who compromised our service would obtain (a) fingerprints they cannot reverse, (b) provider types, (c) the names and emails of customer admins. They would not obtain credentials. We publish our breach-response playbook at trust.sevalidator.com/incident-response.
Yes, on the Enterprise tier. Helm chart and Terraform module for AWS, GCP, and Azure. Air-gapped installs supported. We publish offline update bundles signed with our release key.
Those products focus on finding secrets in code. SE Validator does that too, but its primary job is validating and continuously verifying credentials end-to-end, including provider-side liveness checks, scope inspection, and auto-rotation. We're complementary to scanners and integrate with them via webhook.
Secrets Engineering. The discipline of treating credentials and tokens as first-class infrastructure (versioned, monitored, owned, rotated) rather than configuration afterthoughts.
SE Validator does business out of San Francisco, CA. Cap table summary, registered agent, and company background are available on request.
Yes. It's Apache-2.0 licensed at github.com/sevalidator/agent. Build it yourself, audit the wire format, run it through a proxy and verify exactly what crosses the boundary.
Install the agent against one repo. Get a free credential inventory and exposure report in under ten minutes. No credit card.
Start free trial