Configuration security monitoring · 8 providers

Know what changed.
Know what is exposed.

Your code has Git history. Your production settings do not. ConfigTrace gives production-critical settings a timeline and surfaces risky current states across cloud and SaaS tools like GitHub, AWS, Cloudflare, Stripe, Firebase, Supabase, Vercel, and Shopify.

Connect provider → Baseline snapshot → Detect drift → Alert team → Review & remediate

Metadata-only monitoring. No customer data, source code, secret values, payment details, or database rows.

Watch ConfigTrace in 70 seconds

See how ConfigTrace tracks configuration drift and surfaces risky current states across production settings.

Track what changed. See what is exposed.

Production-critical settings need both a history of changes and a view of risky current states. ConfigTrace gives you both, from the same connected providers.

Mode 01

Drift Detection

Track production-critical setting changes across cloud and SaaS tools. See what changed, when it changed, and why it matters.

  • Stripe webhook URL changed
  • GitHub branch protection changed
  • Cloudflare DNS / WAF changed
  • Firebase / Supabase rules changed
Mode 02

Security Exposure

Find risky current states from provider configuration metadata before they become operational or security review problems.

  • AWS database port open to the internet
  • Firebase public write rule
  • GitHub webhook using HTTP
  • Cloudflare weak SSL mode
  • Shopify webhook not using HTTPS

ConfigTrace evaluates provider configuration metadata. It does not inspect payloads, secrets, or customer data, and it does not claim breach detection or formal compliance certification.

In 3 minutes, you get:
01
A baseline snapshot
Capture your current configuration across AWS, Firebase, Supabase, Stripe, GitHub, Cloudflare, Vercel, or Shopify as your known-good starting point.
02
Scheduled drift detection
ConfigTrace re-syncs connected providers on a schedule and diffs field-by-field against the previous state. Sync Now is always available on demand.
03
A risk-classified timeline
Every change is labelled low, medium, high, or critical based on blast radius — not just whether something moved. Triage at a glance, not after the incident.
04
Alerts, review, and remediation
Slack, email, webhook, and browser push alerts. A Needs Review queue, change rooms, fix plan previews, and admin-gated GitHub draft PRs.
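
The four steps above (baseline, scheduled re-sync, field-by-field diff, risk label) as one runnable model. This is an added example, not ConfigTrace's own code; the snapshots are constructed sample data, the `Change` record and the rule table in `classify` are assumptions about how a blast-radius classifier could be expressed, and the tiers it emits are the ones the page lists later under "Not all changes are equal".

```python
"""Baseline snapshot, field-level diff, and blast-radius risk labels.

Added example, not ConfigTrace's own code: a minimal model of the sync loop the
page describes (baseline -> scheduled re-sync -> field-by-field diff -> risk label).
The snapshots are constructed sample data and the rule table is an assumption
about how a blast-radius classifier could be expressed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Any

LEVELS = ["low", "medium", "high", "critical"]   # severity order, worst last


@dataclass(frozen=True)
class Change:
    provider: str
    resource: str   # e.g. "SecurityGroup sg-prod-web"
    field: str      # dotted path inside the resource, e.g. "ingress.22/tcp.ip_ranges"
    old: Any        # None when the field did not exist in the baseline
    new: Any        # None when the field was removed
    risk: str = "low"


def _flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts into {"a.b.c": leaf} so diffs are per field, not per resource."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    flat: dict[str, Any] = {}
    for key, value in obj.items():
        flat.update(_flatten(value, f"{prefix}{key}."))
    return flat


def diff_snapshots(provider: str, baseline: dict, current: dict) -> list[Change]:
    """Field-by-field diff of two {resource: config} snapshots for one provider."""
    changes = []
    for resource in sorted(set(baseline) | set(current)):
        before = _flatten(baseline.get(resource, {}))
        after = _flatten(current.get(resource, {}))
        for field in sorted(set(before) | set(after)):
            if before.get(field) != after.get(field):
                changes.append(Change(provider, resource, field, before.get(field), after.get(field)))
    return changes


def _public(cidrs: Any) -> bool:
    return isinstance(cidrs, list) and "0.0.0.0/0" in cidrs


def classify(c: Change) -> str:
    """Label by blast radius: what the new state exposes, not merely that a value moved."""
    if c.provider == "aws" and c.field.endswith("ip_ranges") and _public(c.new) and not _public(c.old):
        return "critical"   # every instance attached to the group becomes reachable from anywhere
    if c.provider == "stripe" and c.field == "url":
        return "high"       # payment events start routing elsewhere
    if c.provider == "github" and c.field == "required_reviewers" and (c.new or 0) < (c.old or 0):
        return "high"       # a release control was weakened
    if c.provider == "cloudflare" and c.resource.startswith("CNAME ") and c.old is None:
        return "medium"     # new routing surface
    return "low"            # narrowing, ownership-proof TXT records, other non-sensitive edits


def run_sync(baseline: dict[str, dict], current: dict[str, dict]) -> list[Change]:
    """One scheduled sync: diff every connected provider, label each change, worst first."""
    labelled = [
        replace(ch, risk=classify(ch))
        for provider in sorted(baseline.keys() | current.keys())
        for ch in diff_snapshots(provider, baseline.get(provider, {}), current.get(provider, {}))
    ]
    return sorted(labelled, key=lambda ch: (-LEVELS.index(ch.risk), ch.provider, ch.resource, ch.field))


def timeline_line(c: Change) -> str:
    """Render a change the way the page's timeline shows it (minus old value, plus new value)."""
    return f"[{c.risk.upper()}] {c.provider} {c.resource} \u2212 {c.field}: {c.old!r} + {c.field}: {c.new!r}"


# Constructed sample snapshots (not real accounts): the baseline and the next sync.
BASELINE = {
    "aws": {"SecurityGroup sg-prod-web": {"ingress": {
        "22/tcp": {"ip_ranges": ["10.0.0.0/8"]}, "443/tcp": {"ip_ranges": ["0.0.0.0/0"]}}}},
    "stripe": {"WebhookEndpoint we_prod": {"url": "https://api.example.com/stripe", "status": "enabled"}},
    "github": {"Environment production": {"required_reviewers": 2}},
    "cloudflare": {"A example.com": {"content": "203.0.113.10", "proxied": True}},
}
CURRENT = {
    "aws": {"SecurityGroup sg-prod-web": {"ingress": {
        "22/tcp": {"ip_ranges": ["0.0.0.0/0"]}, "443/tcp": {"ip_ranges": ["0.0.0.0/0"]}}}},
    "stripe": {"WebhookEndpoint we_prod": {"url": "https://api.example.net/stripe", "status": "enabled"}},
    "github": {"Environment production": {"required_reviewers": 0}},
    "cloudflare": {
        "A example.com": {"content": "203.0.113.10", "proxied": True},
        "CNAME shop.example.com": {"content": "shops.example-host.net"},
        "TXT _acme-challenge.example.com": {"content": "constructed-verification-token"},
    },
}

if __name__ == "__main__":
    for change in run_sync(BASELINE, CURRENT):
        print(timeline_line(change))
```

The point worth noticing is in `classify`: the same field (`ip_ranges`) moving from `10.0.0.0/8` to `0.0.0.0/0` is critical, while the reverse move is low, because the label follows what the new state exposes rather than the fact that a value changed. Unchanged fields (the 443/tcp rule, the existing A record) never produce a change at all, which is what keeps the timeline readable.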
Your code has Git history. Your settings do not.

Production does not only break because code changes. It breaks because someone changed a setting outside Git — in a cloud console, a vendor dashboard, a CLI, or a misconfigured Terraform run. Code reviews don't see it. CI/CD doesn't catch it. Logs only show the symptom.


ConfigTrace gives those changes a timeline, a risk engine, a review workflow, and a remediation path — the same discipline Git gives source code.

  • AWS security group opened to the internet. An inbound rule widened in the console. No ticket, no review, no trail.
  • Stripe webhook URL silently changed. Payment events start routing elsewhere. Reconciliation breaks days later.
  • GitHub branch protection weakened. Required reviewers removed on the production environment. Direct pushes go undetected.
  • Supabase RLS policy disabled. A row-level security policy is dropped. Data exposure found during audit.
  • Cloudflare WAF rule removed. A bot-fight or rate-limit rule gets disabled. Attack surface widens with no signal.
  • Firebase Firestore rules loosened. A rule change makes a collection publicly readable. Discovered days later.
  • Vercel production branch changed. A project's production source branch silently flips. Deployments stop matching main.
  • Shopify checkout webhook dropped. An order-notification endpoint stops delivering. Order pipelines go quietly stale.

Detect. Explain. Alert. Review. Remediate. Prove trust.

ConfigTrace is a closed loop across the lifecycle of a risky configuration change — from the moment it happens, to the moment it's reviewed, fixed, and explained back to your team and customers.

01 · DETECT
Detect drift
  • 8 provider integrations
  • Scheduled background sync
  • Baseline snapshots per provider
  • Field-level diff vs. last known state
  • Resources inventory across providers
02 · EXPLAIN
Explain impact
  • Risk classification (low → critical)
  • Blast radius view
  • Change correlation & risk clusters
  • Controlled Ask ConfigTrace assistant
  • Plain-English "why this matters"
03 · ALERT
Alert the team
  • Email digests of high & critical drift
  • Slack App with interactive buttons
  • Generic webhooks for any system
  • Browser / PWA push notifications
  • Routing per workspace and severity
04 · REVIEW
Review safely
  • Needs Review queue
  • Acknowledge, snooze, or escalate
  • Incident-style change rooms
  • Notes & activity log per change
  • Expected change windows for noise control
05 · REMEDIATE
Remediate with review
  • Plain-English remediation guidance
  • Fix plan preview
  • Dry-run remediation preview
  • Terraform fix suggestion preview (IaC mapping)
  • Admin-gated, review-first GitHub draft PRs
06 · PROVE TRUST
Prove trust
  • Provider Trust Center per workspace
  • Security packet export
  • Weekly security digest
  • Drift Control Score
  • Policy engine & approval workflows

From "something changed" to exactly what.

Without a security timeline, a production incident starts with a question nobody can answer. With one, the answer is already there.

Before · Without ConfigTrace

"Prod is degraded. Did code ship? Did DNS change? Did someone touch Cloudflare or Stripe? Was a webhook moved? Who has access? When did it happen?"

Incident open · root cause unknown · multiple consoles to check
After · With ConfigTrace
May 27, 2026 · 09:42 UTC — Sync #184
AWS SecurityGroup sg-prod-web · ingress 22/tcp Critical
− ip_ranges: ["10.0.0.0/8"] + ip_ranges: ["0.0.0.0/0"]
SSH widened to the public internet. Detected, classified, routed to Slack and email, queued for review.

8 providers. The settings that actually break production.

Every sync is diffed field-by-field against the last known state — so you see exactly what changed, not just that something did. ConfigTrace reads configuration metadata only.

AWS · Live
Connect with an IAM user or role scoped to read-only access. ConfigTrace monitors the security configuration that controls who can reach your infrastructure.
Monitors
  • EC2 security group inbound / outbound rules
  • IAM policy documents and attached policies
  • Route 53 DNS record sets
  • S3 bucket policies and public access settings
Firebase · Live
Connect a Firebase project with a service account. ConfigTrace tracks the security rules and project settings that control who can read and write your data.
Monitors
  • Firestore security rules
  • Firebase Storage rules
  • Realtime Database rules
  • Project settings and OAuth providers
Supabase · Live
Connect with your Supabase management API key. ConfigTrace tracks the policies that control database access and authentication behavior.
Monitors
  • Row-level security (RLS) policies per table
  • Auth configuration and JWT settings
  • API settings and CORS configuration
  • Project access and database settings
Stripe · Live
Connect with a restricted API key. ConfigTrace monitors the webhook endpoints and product settings your payment flow depends on.
Monitors
  • Webhook endpoint URLs, status, and events
  • Product and price configuration
  • API key metadata (presence, not values)
  • Account and branding settings
GitHub · Live
Connect a repository with a personal access token or GitHub App. ConfigTrace monitors settings that are invisible to Git — not code, but the rules that govern your repo.
Monitors
  • Branch protection rules and required checks
  • Environment protection rules and reviewers
  • Webhooks, secret names, and variables
  • Deploy keys and Actions permissions
Cloudflare · Live
Connect a zone with a scoped API token. ConfigTrace monitors every DNS record and WAF rule — any reroute, deletion, or weakened rule is detected and risk-classified.
Monitors
  • A, AAAA, CNAME, MX, TXT, NS records
  • TTL and Cloudflare proxy status per record
  • WAF rules and firewall settings
  • SRV, CAA, and other record types
Vercel · Live
Connect with a Vercel API token. ConfigTrace monitors the project settings and deployment configuration your production builds depend on.
Monitors
  • Environment variable names and targets
  • Deploy hooks and production branch
  • Project settings and framework config
  • Custom domains and deployment protection
Shopify · Live
Connect with a Shopify API access token. ConfigTrace monitors the webhook configuration and shop settings your order and payment flows depend on.
Monitors
  • Webhook endpoints and subscribed topics
  • Checkout and shop settings
  • Payment gateway configuration metadata
Public demo · no signup

Try the public demo risk timeline.

A synthetic timeline showing risky drift across AWS, Firebase, Supabase, Stripe, GitHub, Cloudflare, Vercel, and Shopify — exactly as it appears inside ConfigTrace. Field-level diffs, risk classification, and a clear next step.

8 providers · synthetic data · no account required

Get the change in the room where decisions happen.

ConfigTrace routes risky drift to the channels your team already uses — Slack, email, webhooks, and browser push — with the context needed to triage and review. Buttons trigger review actions, not provider mutations.

#infra-alerts
ConfigTrace APP · 09:43 UTC · Sync #184
⚠ Critical · AWS · SecurityGroup sg-prod-web
resource: ingress 22/tcp
− ip_ranges: ["10.0.0.0/8"] + ip_ranges: ["0.0.0.0/0"]
blast radius: every EC2 instance attached to this group
Open change · Acknowledge · Snooze 24h · View remediation

Slack buttons drive review actions inside ConfigTrace — open change, acknowledge, snooze, view remediation. They do not mutate provider resources or apply infrastructure changes.

Slack App
Install the ConfigTrace Slack App. High and critical drift posts with field-level context and interactive buttons for Open Change, Acknowledge, Snooze 24h, and View Remediation.
Email digests
A per-sync digest of high and critical changes lands in the inbox of every workspace member — with links to the timeline and Needs Review queue.
Webhooks
Subscribe a generic webhook to receive signed JSON payloads for every detected change. Forward into your own runbooks, ticketing systems, or SIEM.
Browser / PWA push
Opt-in browser push notifications via the ConfigTrace PWA — for on-call engineers who want a fast desktop signal alongside Slack and email.
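The webhook channel above delivers signed JSON payloads, and the receiving side (a runbook, ticketing bridge or SIEM forwarder) should verify that signature before acting on anything in the body. The following is an added example, not ConfigTrace's code: the page does not document the signing scheme, so this assumes a Stripe-style HMAC-SHA256 over "<timestamp>.<raw body>" carried in a hypothetical `X-ConfigTrace-Signature` header formatted `t=<unix seconds>,v1=<hex digest>`; the header name, the payload layout and the shared secret are constructed placeholders.

```python
"""Verifying a signed drift webhook before forwarding it into a runbook, ticket or SIEM.

Added example, not ConfigTrace's code. The page says webhook deliveries are signed JSON
payloads but does not document the scheme, so this assumes a Stripe-style HMAC-SHA256
over "<timestamp>.<raw body>" carried in a hypothetical X-ConfigTrace-Signature header
formatted "t=<unix seconds>,v1=<hex digest>". Header name, payload layout and secret are
constructed placeholders, not a documented API.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300          # how old a delivery may be before it is treated as a replay
PAGE_AT = {"high", "critical"}   # severities that should reach an on-call channel


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Producer side (what a sender would do); included only so the example is self-contained."""
    digest = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify(secret: bytes, header: str, body: bytes, now: int | None = None) -> bool:
    """Constant-time check of the signature over the *raw* bytes, plus a freshness check."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        timestamp, given = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False                                   # malformed header: never fall through
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False                                   # stale: a replayed or long-delayed delivery
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)        # no early-exit string comparison


def handle_delivery(secret: bytes, header: str, body: bytes, now: int | None = None) -> dict | None:
    """Return a normalised event for downstream systems, or None to drop the delivery.

    The body is parsed only after verification, so forged or malformed bodies never reach json.loads.
    """
    if not verify(secret, header, body, now):
        return None
    event = json.loads(body)
    change = event["change"]
    return {
        "title": f"[{change['risk'].upper()}] {change['provider']} {change['resource']} {change['field']}",
        "diff": f"- {change['old']!r}\n+ {change['new']!r}",
        "page": change["risk"] in PAGE_AT,
        "sync": event["sync_id"],
    }


# Constructed sample delivery mirroring the change shown on the page.
SECRET = b"constructed-shared-secret"
BODY = json.dumps({
    "sync_id": 184,
    "detected_at": "2026-05-27T09:42:00Z",
    "change": {"provider": "aws", "resource": "SecurityGroup sg-prod-web", "field": "ingress 22/tcp ip_ranges",
               "old": ["10.0.0.0/8"], "new": ["0.0.0.0/0"], "risk": "critical"},
}, separators=(",", ":")).encode()
SENT_AT = 1_779_874_920   # constructed unix timestamp for the delivery

if __name__ == "__main__":
    header = sign(SECRET, SENT_AT, BODY)
    print(handle_delivery(SECRET, header, BODY, now=SENT_AT))
```

Two details matter in practice: the MAC is computed over the raw request bytes (re-serialising parsed JSON would change whitespace and key order and break verification), and the timestamp is bound into the signed string so a captured delivery cannot be replayed after the tolerance window.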

From risky drift to reviewed fix.

Every risky change comes with a remediation path — guidance, a fix plan, a dry-run preview, and where Terraform mappings exist, a draft GitHub pull request. Every mutation is review-first and admin-gated.

01
Suggested remediation

Each high or critical change ships with plain-English guidance on how to bring it back to a safe state — written for the on-call engineer, not just the cloud expert.

02
Fix plan preview

A structured plan of the exact steps that would restore the previous configuration — shown before anything runs, so a reviewer can sanity-check the intent.

03
Dry-run remediation preview

A read-only preview of what the fix would change, formatted as a diff against the current live state — no API mutations, no writes against provider resources.

04
Terraform fix suggestion preview

Where ConfigTrace can map a drifted resource to your IaC repo, you'll see the proposed HCL diff inline — surfaced as a suggestion, not an applied change.

05
Guarded GitHub draft PR

An admin can open a GitHub draft PR with the fix proposal as a patch file — explicit confirmation required, admin-gated, low-confidence mappings blocked, review-first by design.

PREVIEW aws/security_groups.tf · suggested fix
 resource "aws_security_group_rule" "ssh" {
   type = "ingress"
   from_port = 22
   to_port = 22
   protocol = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["10.0.0.0/8"]
 }
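Review bot: the line `  cidr_blocks = ["0.0.0.0/0"]` is missing its `-` marker, so the preview reads as unchanged context sitting beside the added `+  cidr_blocks = ["10.0.0.0/8"]`, and the resulting resource block would declare `cidr_blocks` twice. Mark the old value as removed (`-  cidr_blocks = ["0.0.0.0/0"]`) so the hunk shows a one-for-one replacement restoring the baseline CIDR.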
ConfigTrace never runs Terraform and never mutates provider resources. Draft PRs are opened only when an admin explicitly confirms, the IaC mapping is high-confidence, and the change is review-first by design.
Open GitHub draft PR · admin-gated · review-first requires explicit confirmation

Turn noisy drift into governed review.

Drift detection alone isn't a workflow. ConfigTrace adds the structure around it — policies, windows, scoring, digests, and change rooms — so security work doesn't drown in alert fatigue.

Policy engine

Define rules for what counts as risky in your workspace — by provider, resource type, or field. Treat the same change differently in staging versus production.

Expected change windows

Mark planned maintenance windows so expected drift during a deploy or migration is suppressed from the alert path while still being recorded in the timeline.

Drift Control Score

A single workspace-level score that tracks how much risky drift goes unreviewed and how fast critical changes get triaged. A signal you can show leadership and customers.

Weekly security digest

A per-workspace weekly summary of drift, reviewed changes, outstanding critical items, and Drift Control Score trend — for the whole team and for security stakeholders.

Incident-style change rooms

For high-impact drift, ConfigTrace opens a change room — a dedicated page with the diff, blast radius, remediation path, notes, and full activity log for the whole team.

Needs Review queue

High and critical changes land in a single Needs Review queue with acknowledge, snooze, and escalate actions — and an audit trail of who reviewed what, when.
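The governance layer described in this section, as an added example that is not ConfigTrace's code: a policy engine that treats the same change differently in staging and production, and expected change windows that keep planned drift out of the alert path while still recording it. The policy and window layouts, field names and sample change are constructed assumptions, not ConfigTrace's schema.

```python
"""Policy overrides and expected change windows on top of a raw risk label.

Added example, not ConfigTrace's code. It models the governance layer the page
describes: a policy engine that treats the same change differently per environment,
and expected change windows that keep planned drift out of the alert path while still
recording it in the timeline. Policies, windows and the sample change are constructed;
the field names are assumptions, not ConfigTrace's schema.
"""
from __future__ import annotations

from datetime import datetime, timezone

LEVELS = ["low", "medium", "high", "critical"]
ALERT_THRESHOLD = "high"   # high and critical reach the alert path and the Needs Review queue


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


# Policy rules: first match wins; a None value matches anything; "field" matches a suffix.
POLICIES = [
    {"provider": "aws", "resource_type": "SecurityGroup", "field": "ip_ranges", "env": "staging", "risk": "medium"},
    {"provider": "aws", "resource_type": "SecurityGroup", "field": "ip_ranges", "env": "production", "risk": "critical"},
    {"provider": "cloudflare", "resource_type": None, "field": "content", "env": "staging", "risk": "low"},
]

# Expected change windows: drift inside one is recorded but kept off the alert path.
WINDOWS = [
    {"name": "network migration", "env": "production",
     "start": "2026-05-27T08:00:00+00:00", "end": "2026-05-27T09:00:00+00:00"},
]


def _matches(rule: dict, change: dict) -> bool:
    exact = all(rule[k] is None or rule[k] == change[k] for k in ("provider", "resource_type", "env"))
    return exact and (rule["field"] is None or change["field"].endswith(rule["field"]))


def effective_risk(change: dict, policies: list[dict] = POLICIES) -> str:
    """Workspace policy may raise or lower the classifier's label; otherwise keep it."""
    for rule in policies:
        if _matches(rule, change):
            return rule["risk"]
    return change["risk"]


def expected_window(change: dict, windows: list[dict] = WINDOWS) -> str | None:
    """Name of the declared window covering this change in this environment, or None."""
    seen = _utc(change["detected_at"])
    for w in windows:
        if w["env"] == change["env"] and _utc(w["start"]) <= seen <= _utc(w["end"]):
            return w["name"]
    return None


def route(change: dict, policies: list[dict] = POLICIES, windows: list[dict] = WINDOWS) -> dict:
    """Decide where a change goes. Every outcome is recorded; only some reach the alert path."""
    risk = effective_risk(change, policies)
    window = expected_window(change, windows)
    if window is not None:
        decision, reason = "timeline-only", f"inside expected change window '{window}'"
    elif LEVELS.index(risk) >= LEVELS.index(ALERT_THRESHOLD):
        decision, reason = "alert", "at or above alert threshold"
    else:
        decision, reason = "timeline-only", "below alert threshold"
    return {"risk": risk, "recorded": True, "decision": decision, "reason": reason}


# Constructed sample change: the security group widening shown on the page.
SG_CHANGE = {
    "provider": "aws", "resource_type": "SecurityGroup", "resource": "sg-prod-web",
    "field": "ingress.22/tcp.ip_ranges", "old": ["10.0.0.0/8"], "new": ["0.0.0.0/0"],
    "risk": "critical", "env": "production", "detected_at": "2026-05-27T09:42:00+00:00",
}

if __name__ == "__main__":
    print(route(SG_CHANGE))
    print(route({**SG_CHANGE, "env": "staging"}))
    print(route({**SG_CHANGE, "detected_at": "2026-05-27T08:30:00+00:00"}))
```

Note that a window is scoped to one environment and only changes the routing decision, never the recorded risk: the 08:30 change inside the migration window is still stored as critical, so it is still visible in the timeline and in the weekly digest once the window closes.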

Not all changes are equal.

ConfigTrace weighs each detected change by its potential blast radius so your team can triage at a glance — not after the incident is already in progress.

Low
Domain verification TXT added
Vercel preview variable added
Stripe product description updated
Hardening, ownership proof, or non-sensitive addition. No routing or security impact expected.
Medium
New subdomain CNAME created
IAM policy attached to role
Firebase auth provider enabled
Expanded access surface or altered routing. Worth a closer look before it causes issues.
High
Stripe webhook endpoint changed
Supabase RLS policy modified
GitHub environment protection weakened
Production traffic, data access, or release controls may be affected. Needs prompt review.
Critical
AWS security group opened to 0.0.0.0/0
Firestore rules allow all reads
Root DNS record deleted
Infrastructure may be exposed, data potentially public, or the site may be offline. Act immediately.

Built for security review.

ConfigTrace is designed to support security review — both internal and with your customers. Configuration metadata in. No customer data, secret values, source code, payment details, or database rows out.

ConfigTrace never reads
  • Customer data of any kind
  • Secret values (only their names / presence)
  • Source code or commit contents
  • Payment details, charges, or transactions
  • Database rows or query results
  • Order contents or checkout payloads
  • Logs, traces, or runtime telemetry
  • File contents in object storage
Encrypted credentials

Provider credentials are encrypted before storage and never shown again after creation. Read-only or least-privilege scopes are recommended for every integration.

Revoke anytime

Disconnect a provider from inside ConfigTrace in one click, or rotate / revoke the credential from the provider side. ConfigTrace stops reading immediately.

Provider Trust Center

A per-workspace Trust Center page lists every connected provider, the exact scopes used, what ConfigTrace reads, and what it never reads — built to show to a reviewer.

Security packet export

Export a security packet describing data access boundaries, encryption posture, and audit history. Use it for internal review or customer trust conversations.

Workspace audit log

Every team action — invites, role changes, integrations, acknowledgements, draft PR creation — is recorded with actor, timestamp, and target.

What ConfigTrace is — and isn't.

Production drift sits in a gap between existing tools. ConfigTrace fills that gap — without trying to replace the systems your team already uses.

vs. Cloud provider logs
CloudTrail, Cloudflare Audit Logs, GitHub audit logs — each shows events within one provider, in vendor-specific schemas, with no cross-tool view.
ConfigTrace unifies drift across AWS, Firebase, Supabase, Stripe, GitHub, Cloudflare, Vercel, and Shopify in one risk-classified timeline.
vs. Git
Git tracks the code in your repository. It has no idea who flipped a Stripe webhook, removed an RLS policy, or opened an AWS security group in a console.
ConfigTrace tracks the risky settings that live outside Git, with the same review discipline pull requests give to code.
vs. Uptime & APM monitoring
Uptime checks and APM tools tell you something is broken or slow. They don't tell you what changed in your configuration that caused it.
ConfigTrace explains why production may have broken — which setting moved, when, which actor-level events surround it, and what the blast radius looks like.
vs. CSPM tools
Cloud security posture management focuses on cloud infrastructure posture. It typically doesn't cover SaaS tools like Stripe, GitHub, Vercel, or Shopify.
ConfigTrace covers configuration drift across cloud and SaaS, in the workflow surfaces engineers actually use — Slack, email, PR drafts.

The moment ConfigTrace pays for itself.

It is not when everything is working. It is when production breaks and your team needs the answer to one question: what changed?

Without ConfigTrace

Three consoles. Three engineers. Zero answers.

On-call digs through AWS, Cloudflare, Stripe, GitHub, Vercel, and Slack — trying to reconstruct whether it was a security group, a DNS reroute, a deleted webhook, or a weakened Firestore rule. The clock keeps running.

With ConfigTrace

A timestamped record. Already in Slack.

The exact change — record, old value, new value, risk label — arrives in Slack and email within minutes of the next sync.

The result

Less guessing. Cleaner reviews.

Faster root cause. A clear record for the next incident review. A trail your customers and security reviewers can see.

  • Root cause in seconds, not hours
  • Clear answer for the incident timeline
  • History for the next time it happens

Why I'm building ConfigTrace.

A note from the founder.

Builder's note

"I'm building ConfigTrace because production systems now depend on dozens of dashboards, not just code. GitHub tells you what changed in the repo. It does not tell you who changed a DNS record, webhook URL, branch protection rule, OAuth callback, RLS policy, or cloud permission.

Your code has Git history. Your production settings do not. ConfigTrace is my attempt to give those settings the same discipline code gets from Git — a security timeline with diffs, risk classification, a review workflow, and a remediation path that stays review-first."

Rohan Shah
UMass Amherst Computer Science student and founder of ConfigTrace

Give your production settings a security timeline.

View the public demo to see ConfigTrace in action with synthetic data across all 8 providers, or connect your first provider and capture a baseline before the next risky change happens.

8 providers · metadata-only monitoring · admin-gated remediation