Audit Command Centre
Demo engagement · select client above
Sovereign Readiness
68/100
↑ from 42 at intake
Tracks Complete
7/19
5 in progress · 7 pending
Critical Findings
14
3 require immediate action
Logs Collected
2.4M
1,247 flows/sec live
Audit Activity Log
Track 13 · AI Audit Critical
Today · 14:32
Track 02 · DNS complete Done
Today · 11:05
Midpoint check-in call
Yesterday · 15:00
Track 01 · Firewall complete Done
Day 6 · 09:18
Collection node live
Day 2 · 10:45
Top Critical Findings
Critical · Track 13 · AI Exposure
OpenAI API key exposed in GitHub · 2.3 GB/day to US AI providers · No DPA · Training exposure
Critical · Track 14 · WhatsApp for all client comms
Personal accounts · No DPA with Meta · GDPR Art. 28 violation · 42 unmanaged devices
Critical · Track 15 · Backup keys held by AWS
30 TB in S3 us-east-1 · AWS KMS key control · Never restore-tested · US CLOUD Act
High · Track 02 · Google DNS — full query exposure
8.8.8.8 used by 94% of devices · All DNS history visible to Google · Needs Nexus DNS
High · Track 02 · 34% shadow IT via DNS
627 undocumented domains · 12 unapproved AI services · No data processing agreements
Track Completion — All 19
7 Complete
5 In Progress
1 Critical
6 Pending
Outbound Traffic by Jurisdiction
| Jurisdiction | Share of outbound traffic |
|---|---|
| 🇺🇸 United States (AWS, Google) | 72% |
| 🇮🇪 Ireland (Azure eu-west-1) | 14% |
| 🇩🇪 Germany (Hetzner) | 4% |
| 🇳🇱 Netherlands | 3% |
| Other (12 countries) | 7% |
SaaS Sovereignty Risk Index
| Service | Risk index |
|---|---|
| OpenAI / ChatGPT | 98% |
| M365 Copilot | 94% |
| WhatsApp | 91% |
| AWS S3 Backup | 78% |
| Nexus Core-IQ | 0% |
Engagements
All active and completed audit engagements
Collection Infrastructure
Live network collection nodes, SPAN ports, and log ingestion pipelines
Flows / Second
1,247
↑ from 920 baseline
Logs Today
847K
5.2M since Day 1
Unique Ext. IPs
2,847
+84 new in last hour
Node Uptime
99.8%
7d 14h 22m
Active Collection Nodes
SPAN Port Setup Guide
## Cisco Meraki MX — SPAN Port Configuration
1. Log in to dashboard.meraki.com
2. Navigate: Security & SD-WAN → Switch → Switch Settings
3. Under "Mirror" create a new session:
   - Source: All LAN ports (or select specific VLANs)
   - Destination: Port 8 (dedicated capture port)
   - Direction: Both (ingress + egress)
4. Save configuration
5. Connect the bayata collection node NIC to Port 8
   ✓ bayata-collector auto-detects the mirror session and begins capture
6. Validate: check the node UI for an incoming flow count > 0
Estimated time to complete: ~30 minutes
Syslog Forwarding Configuration
FortiGate syslog forwarding to the collection node:

```
# FortiGate CLI — send all logs to the collection node over UDP/514
config log syslogd setting
    set status enable
    # 10.1.1.100 = collection node IP
    set server 10.1.1.100
    set port 514
    set mode udp
    set facility local7
    set format default
end
```
Windows Server DNS query logging (DNS diagnostic log):

```powershell
# Enable DNS diagnostic logging of queries and the packets sent/received,
# written to a local file that the syslog forwarder then picks up
Set-DnsServerDiagnostics `
    -Queries $true `
    -ReceivePackets $true `
    -SendPackets $true `
    -EnableLoggingToFile $true `
    -LogFilePath "C:\dns-debug.log" `
    -MaxMBFileSize 500
```

✓ Log file → syslog forwarder → collection node
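Once the firewall forwards syslog and the node is listening, the first thing an analyst wants is proof that traffic records are arriving and a quick read of what they contain. The script below is an added illustration, not part of the bayata toolset: it parses FortiGate-style key=value log lines (the field names `type`, `srcip`, `dstip`, `dstport`, `proto`, `action`, `dstcountry` are an assumption about the firewall's traffic log layout), implements the "flow count > 0" validation step, and summarises flows by destination country and accepted connections to plaintext TCP ports, which is how findings like the 3% plaintext HTTP figure are derived. The sample lines are constructed.

```python
"""Summarise FortiGate-style key=value traffic logs received over syslog.

Added illustration for the syslog forwarding step; not bayata's own code.
Field names follow the FortiGate traffic log layout (assumption).
"""
import re
import socket
from collections import Counter
from typing import Any, Dict, Iterator, List

# Constructed sample of what a collection node sees on UDP/514.
SAMPLE_SYSLOG: List[str] = [
    '<189>date=2026-05-20 time=14:32:01 devname="fw01" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=10.1.2.15 dstip=104.18.6.192 '
    'dstport=443 proto=6 action="accept" dstcountry="United States" sentbyte=842 rcvdbyte=91022',
    '<189>date=2026-05-20 time=14:32:02 devname="fw01" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=10.1.2.22 dstip=93.184.216.34 '
    'dstport=80 proto=6 action="accept" dstcountry="United States" sentbyte=512 rcvdbyte=4096',
    '<189>date=2026-05-20 time=14:32:02 devname="fw01" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=10.1.2.15 dstip=8.8.8.8 '
    'dstport=53 proto=17 action="accept" dstcountry="United States" sentbyte=64 rcvdbyte=120',
    '<189>date=2026-05-20 time=14:32:03 devname="fw01" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=10.1.2.40 dstip=49.12.0.10 '
    'dstport=443 proto=6 action="accept" dstcountry="Germany" sentbyte=900 rcvdbyte=20480',
    '<189>date=2026-05-20 time=14:32:04 devname="fw01" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=10.1.2.40 dstip=52.16.0.5 '
    'dstport=23 proto=6 action="deny" dstcountry="Ireland" sentbyte=0 rcvdbyte=0',
    '<189>date=2026-05-20 time=14:33:10 devname="fw01" logid="0100032001" '
    'type="event" subtype="system" logdesc="Admin login" '
    'msg="Administrator admin logged in successfully from https(10.1.1.5)"',
]

# key=value pairs: values are double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PRI_RE = re.compile(r"^<\d{1,3}>")  # syslog <PRI> header

# TCP ports whose payload carries no TLS wrapper at all.
PLAINTEXT_TCP_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one syslog line with quotes stripped."""
    body = PRI_RE.sub("", line.strip())
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarise(lines) -> Dict[str, Any]:
    """Aggregate traffic records only: flows per destination country, denies,
    and accepted connections to plaintext TCP ports (the exposure that matters)."""
    traffic = [f for f in map(parse_fortigate_line, lines) if f.get("type") == "traffic"]
    by_country = Counter(f.get("dstcountry", "Unknown") for f in traffic)
    denied = sum(1 for f in traffic if f.get("action") == "deny")
    plaintext = [
        f"{f['srcip']} -> {f['dstip']}:{f['dstport']} ({PLAINTEXT_TCP_PORTS[int(f['dstport'])]})"
        for f in traffic
        if f.get("action") == "accept" and f.get("proto") == "6"
        and int(f.get("dstport", "0")) in PLAINTEXT_TCP_PORTS
    ]
    return {
        "flows": len(traffic),
        "by_country": dict(by_country),
        "denied": denied,
        "plaintext_accepted": plaintext,
    }


def collection_ok(summary: Dict[str, Any]) -> bool:
    """The guide's validation step: at least one traffic record must have arrived."""
    return int(summary["flows"]) > 0


def listen_udp(port: int = 514, max_lines: int = 100, bind: str = "0.0.0.0") -> Iterator[str]:
    """Yield raw syslog lines from the firewall (binding port 514 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        for _ in range(max_lines):
            data, _addr = sock.recvfrom(65535)
            yield data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Swap SAMPLE_SYSLOG for listen_udp() on a real collection node.
    result = summarise(SAMPLE_SYSLOG)
    print("collection OK" if collection_ok(result) else "no traffic records seen")
    for country, n in sorted(result["by_country"].items(), key=lambda kv: -kv[1]):
        print(f"  {country:15s} {n} flows")
    print("  denied:", result["denied"])
    print("  plaintext accepted:", result["plaintext_accepted"])
```

Event records (`type="event"`) are parsed but excluded from the flow count, so an admin login alone does not satisfy the validation step; only forwarded traffic records do. Denied connections to plaintext ports are counted as denies, not as exposure, since no payload crossed the perimeter.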
Audit Setup Wizard
Connect collection infrastructure step-by-step · Analyst workflow
Live Log Stream
Real-time network flow analysis · Filter by category · ● Streaming
Flows / Sec
1,247
AI Uploads
48
In last 60 seconds
Large Transfers
7
> 1MB in last 60s
TLS Events
314
All 19 Assessment Tracks
Click any track to open its analysis tools
Track 01 · Firewall & Traffic Analyser
5.2M log lines · 7d 14h collection · Perimeter flow classification
Complete
Unique Ext. IPs
3,847
Foreign Countries
14
Denied/day
2,140
Avg Flows/sec
920
Top External Destinations (7d)
| Destination | Provider | Country | Flows/day | Volume | Risk |
|---|---|---|---|---|---|
| api.openai.com | OpenAI/Azure | 🇺🇸 USA | 12,480 | 2.3 GB | Critical |
| smtp.gmail.com | Google | 🇺🇸 USA | 8,200 | 1.1 GB | Critical |
| *.sharepoint.com | Microsoft 365 | 🇮🇪 Ireland | 74,000 | 890 MB | Moderate |
| telemetry.microsoft.com | Microsoft | 🇺🇸 USA | 5,440 | 44 MB | Moderate |
| api.whatsapp.com | Meta | 🇺🇸 USA | 2,940 | 28 MB | Critical |
| nexus.bayata.nl | Hetzner | 🇩🇪 Germany | 1,200 | 88 MB | Sovereign |
Protocol Distribution
| Protocol | Share |
|---|---|
| HTTPS (443) | 78% |
| DNS (53/853) | 9% |
| SMTP/SMTPS | 5% |
| HTTP (80) — Plaintext | 3% |
| NTP (123) | 2% |
⚠ 3% unencrypted HTTP detected. 14 endpoints using plaintext including one SMTP relay.
IP Lookup & Sovereignty Classifier
$ bayata-geoip --classify [enter IP above]
Track 02 · DNS Telemetry Inspector
1,847 unique domains · 38K queries/hr · 34% shadow IT discovered
Complete
Unique Domains
1,847
Shadow IT
627
34% of all domains
AI Services
12
Detected via DNS
Resolver Risk
High
94% → 8.8.8.8
Top Domains by Query Volume
| Domain | Category | Risk | Queries |
|---|---|---|---|
| *.sharepoint.com | File Storage | Risk | 74,200/day |
| api.openai.com | AI — OpenAI | Critical | 12,480/day |
| smtp.gmail.com | Email/Google | Risk | 8,200/day |
| api.whatsapp.com | Messaging | Critical | 2,940/day |
| notebooklm.google.com | AI — Google | Critical | 1,820/day |
| deepseek.com | AI — Chinese | Critical | 140/day |
| nexus.bayata.nl | Sovereign | ✓ OK | 1,100/day |
Shadow IT Breakdown
| Category | Count | Examples |
|---|---|---|
| AI Tools (Unapproved) | 12 services | ChatGPT, Perplexity, DeepSeek, Grammarly, Cursor, NotebookLM |
| Personal Cloud Storage | 8 services | Personal iCloud Drive, Google Drive, personal Dropbox |
| Unapproved SaaS | 34 services | Notion, Canva, Loom, Calendly, Typeform, Figma... |
| Personal/Social Use | 573 domains | Twitter/X, Instagram, YouTube, streaming from work devices |
DNS Resolver & Sovereignty Classifier
$ bayata-dns --classify --sovereignty [domain]
Mail audit (SPF / DMARC)
Live SPF/DMARC via nexus-mail-audit
Track 03 · TLS & Traffic Audit
Passive SPAN capture · Certificate inspection · Application fingerprinting
Active
TLS Version Distribution
| Protocol version | Share |
|---|---|
| TLS 1.3 (current) | 62% |
| TLS 1.2 | 31% |
| TLS 1.1 (legacy ⚠) | 4% |
| HTTP (plaintext ⛔) | 3% |
⛔ 14 legacy TLS 1.1 connections · 3% plaintext HTTP including authentication. Remediation required before Nexus deployment.
HTTPS Destination Breakdown (via SNI)
| Destination | Share of HTTPS |
|---|---|
| Microsoft (M365, Azure) | 38% |
| Google (Workspace, AI APIs) | 24% |
| AWS infrastructure | 14% |
| AI providers (OpenAI, Anthropic) | 8% |
| Sovereign (Hetzner Germany) | 4% |
| Other / unclassified | 12% |
TLS Certificate Scanner
$ bayata-tlscheck --full [domain]:443
BPF Packet Filter
$ tcpdump -i span0 -n [filter]
Track 13 · AI Exposure Scanner
12 AI services · OpenAI API key exposed · 2.3 GB/day to foreign AI providers · No DPA
Critical Findings
🚨 Immediate action required: OpenAI API key found in GitHub repository (commit a1b2c3d). Active for 84 days. 2.3 GB of organisational data uploaded to OpenAI US servers without DPA. Client notified 14:32 today.
AI Services Found
12
3 with API data access
Data Uploaded/day
2.3 GB
To foreign AI providers
API Keys Found
4
2 without expiry
M365 Copilot
On
Full tenant data access
AI Services Detected
| Service | Traffic/day | DPA | Training Opt-out | Risk |
|---|---|---|---|---|
| OpenAI API | 12,480 / 2.3 GB | None | Partial | Critical |
| M365 Copilot | 8,400 / tenant-wide | MS DPA | No | Critical |
| Google Gemini | 3,200 / all Drive | Google DPA | Partial | High |
| GitHub Copilot | 2,100 / all code | None | No | High |
| Grammarly | 1,840 / all typed text | None | No | High |
| DeepSeek (🇨🇳 Chinese) | 140 / docs | CN Law | N/A | Critical |
| Nexus Core-IQ | 880 / local only | N/A | Sovereign | None |
API Key Scanner
```
$ bayata-scan --keys --deep github.com/bayata-lab/internal-tools
⚠ Scanning 847 files across 12 repositories...
CRITICAL: sk-proj-**** in /backend/config.py:34 (OpenAI)
  Provider: OpenAI · Active: Yes · Created: 84 days ago
  Permissions: Full API access · Expiry: None · Data: 2.3 GB
  Also found in: /deploy/.env:8, /tests/fixtures.py:12
⚠ AWS_ACCESS_KEY_ID in /terraform/main.tf:45
✓ Nexus Core-IQ key — local, no exposure
2 critical · 1 warning · 1 ok · Scan complete
```
Nexus Core-IQ Migration Planner
Current foreign AI tools → Nexus Core-IQ replacements:
OpenAI ChatGPT / API
2.3 GB/day · No DPA · Training risk
GitHub Copilot
All source code to Microsoft
Grammarly AI
All typed text captured
Core-IQ deployment requirements:
Model: Qwen 2.5 14B · ✓ Supported
Server RAM: 16 GB min · ✓ Available
Hetzner AX102 provisioned · ✓ Done
Staff training: 2h session · Scheduled
Track 14 · Mobile & BYOD Assessment
42 devices discovered · 0% MDM coverage · WhatsApp for all client comms
Active
MDM Coverage
0%
0/42 devices managed
WhatsApp Usage
100%
All client comms via WA
Personal Cloud Sync
28
Devices → iCloud/GDrive
Mobile AI Apps
7
ChatGPT mobile, Claude
Mobile Device Inventory (from network traffic)
| Device | OS | User (est.) | MDM | Cloud Sync | Risk |
|---|---|---|---|---|---|
| iPhone 15 Pro | iOS 17.4 | CEO | None | iCloud Drive | High |
| Samsung Galaxy S24 | Android 14 | Finance Dir. | None | Google Drive | High |
| iPhone 14 | iOS 17.2 | HR Manager | None | iCloud Drive | High |
| +39 more devices | Mixed | Various | None | Mixed | High |
MDM Deployment Recommendation
🚨 Zero MDM coverage. Any departing staff member retains permanent access to all corporate email, documents, and contacts on their personal device.
Microsoft Intune (included in M365) · Fast Deploy
On-premise MDM on Nexus Vault · Sovereign
JumpCloud MDM · Alternative
Calls POST /api/v1/tools/pulse/analyse-devices for the selected engagement.
Track 15 · Backup & DR Sovereignty
AWS S3 backup · Provider-held encryption keys · Never restore-tested
Pending
Key Control
AWS KMS
Provider holds all keys
Restore Test
Never
No documented test
Backup Frequency
Daily
RPO: 24 hours
Backup Destination Sovereignty
AWS S3 (us-east-1) · Non-Sovereign
30 TB · Daily snapshots · AWS KMS encryption · US CLOUD Act jurisdiction · AWS can decrypt under legal compulsion
Google Vault (email archive) · Non-Sovereign
All email archived within Google infrastructure · Google-held keys
Nexus Vault (Hetzner FSN1) · Target: Sovereign
Deployment in progress · Org-held keys · WORM immutable · RTO <4h · RPO <1h
Restore Test Scheduler
🚨 No restore test ever performed. Backups may be corrupt or incomplete — cannot be confirmed without testing.
Nexus Vault Migration Progress
Hetzner AX102 provisioned · ✓ Done
Nexus Vault installed · ✓ Done
Org-held encryption keys generated · In Progress
Initial data migration from AWS S3 · Pending
POST /api/v1/tools/vault-inspector/check-backup
Track 17 · Certificate & Key Scanner
2 expired certs · 4 expiring <30d · 7 API keys without expiry
Pending
Expired Certs
2
Expiring <30d
4
Keys No Expiry
7
Wildcard Certs
3
Certificate Inventory
| Domain | CA | Expiry | Type | Status |
|---|---|---|---|---|
| *.audit.bayata.nl | Let's Encrypt | 2024-12-15 | Wildcard | Expired |
| api.audit.bayata.nl | DigiCert (US) | 2026-06-01 | SAN | 15d left |
| mail.audit.bayata.nl | Let's Encrypt | 2026-07-14 | Single | Valid |
| vpn.audit.bayata.nl | Self-signed | 2025-03-01 | Single | Expired |
| nexus.audit.bayata.nl | Let's Encrypt | 2026-08-20 | Single | Valid |
Live Certificate Scanner
$ bayata-tlscheck --full --ca-check [domain]:443
Checks: validity, CA jurisdiction, cipher strength, HSTS, CT logs.
Track 12 · Compliance & Regulatory Mapper
GDPR · Kenya DPA 2019 · Ethiopia PDPP 1321/2024 · Cameroon Law 2024/017 · EU Horizon grant conditions
Active
Applicable Frameworks
GDPR (EU/EEA) · 3 Active Violations
Processing EU resident personal data (funders, partners)
Kenya Data Protection Act 2019 · 2 Non-Compliant
Primary jurisdiction for beneficiary data processing
Ethiopia PDPP No. 1321/2024 · Assessing
Partner organisations in Addis Ababa
Cameroon Law No. 2024/017 · Assessing
Field operations and partner data in Cameroon
EU Horizon Funder Requirements · Review Needed
Data management plan conditions attached to grant funding
AI-Powered Compliance Gap Mapper
$ bayata-comply --map --frameworks gdpr,kenya-dpa,ethiopia-pdp,cameroon-2024
Compliance Gap Table
| Finding | Framework | Article | Classification | Resolution |
|---|---|---|---|---|
| OpenAI API — no DPA with processor | GDPR | Art. 28 | Active Violation | Stop use or execute DPA · Migrate to Core-IQ |
| WhatsApp client comms — no Meta DPA | GDPR / Kenya DPA | Art. 28 / Sec. 30 | Active Violation | Deploy Nexus Communications |
| Beneficiary data in Google US servers | Kenya DPA 2019 | Sec. 47 | Likely Non-Compliant | Migrate to sovereign file storage |
| No Article 30 Data Processing Register | GDPR | Art. 30 | Likely Non-Compliant | bayata produces as Deliverable 4 |
| Backup in AWS us-east-1 | Kenya DPA 2019 | Localisation | Compliance Risk | Migrate to Nexus Vault (Hetzner EU) |
| Field staff records in US SaaS | Cameroon Law 2024/017 | Ch. IV (transfers) | Assessing | Document transfer safeguards or repatriate processing |
Sovereign Readiness Score
Live weighted score across all 19 tracks
68
/ 100
Aware
31–55 Aware · 56–79 Transitioning · 80+ Sovereign
7 critical findings suppress score. Resolving AI + mobile tracks = +18 pts minimum.
Score by Track (Weighted)
Pre vs. Post-Nexus Projection
68
Current
Aware
+ Core-IQ (Track 13) · +18 pts
+ Nexus Comms (Track 14) · +8 pts
+ Nexus Vault (Track 15) · +7 pts
+ Nexus DNS (Track 02) · +5 pts
+ Other Nexus components · +10 pts
90
Post-Nexus
Sovereign
Certification Readiness
🥉 Tier 1: Sovereignty Aware · Not Ready
Requires score ≥55 and all critical gaps resolved. 2 critical gaps blocking.
🥈 Tier 2: Sovereignty Confirmed · Not Ready
Requires score ≥80. Post-Nexus projection: 90. Timeline: 16 weeks.
🏆 Tier 3: Sovereignty by Choice · Not Ready
Requires score ≥90 + HSM + DR tested. Achievable in 18–20 weeks.
Report Builder
Assemble, draft, and generate all 8 audit deliverables
Deliverable Status
| # | Deliverable | Status | Est. Pages |
|---|---|---|---|
| D1 | Full Technical Audit Report | In Progress | ~80p |
| D2 | Tool Replacement Matrix | In Progress | ~8p |
| D3 | Sovereign Readiness Score Report | Ready | ~6p |
| D4 | Data Processing Register | Pending | ~12p |
| D5 | 16-Week Implementation Roadmap | Pending | ~10p |
| D6 | Executive Summary | Pending | ~3p |
| D7 | Compliance Gap Report | In Progress | ~14p |
| D8 | Credential Deletion Certificate | Auto-generate | ~1p |
AI Report Drafter
Ready to draft any audit report section. I have full context of the Aurora Foundation findings. Which deliverable would you like to start with?
Credential Vault
AES-256-GCM encrypted storage · Auto-deleted on report delivery
⚠ All credentials are encrypted at rest (AES-256-GCM) in an isolated vault. Permanently deleted and a deletion certificate issued upon final report delivery.
Active Credentials

| Credential | Account | Secret | Status |
|---|---|---|---|
| 🛡️ Fortinet FortiGate Admin | admin@fw01.demo | •••••••••• | Active |
| 📧 Microsoft 365 Global Admin | audit-ro@audit.bayata.nl | •••••••••• | Active |
| ☁️ AWS Console (Read-Only IAM) | bayata-audit-ro | Access Key | Active |
| 🔑 Internal AD DNS Admin | svc-audit@ad.demo | •••••••••• | Active |
| 👤 MDM Console | Not yet provided | — | Pending |
Secure Submission Link
Expires 26 May 2026 · One-time use · TLS 1.3 · AES-256-GCM vault
AI Analyst ● Nexus Core-IQ · Hetzner DE · Zero external transmission
Sovereign AI analyst · engagement context loaded
Chat — Audit Analyst Mode
I'm Nexus Core-IQ running on your sovereign Hetzner server in Germany. I have the full Aurora Foundation audit context loaded. Ask me to analyse any finding, draft report sections, classify domains, map regulatory exposure, or generate client communications. Nothing you submit leaves bayata's infrastructure.
Quick Prompts
Core-IQ Status
Model · Qwen 2.5 14B
Location · Hetzner AX102 · FSN1
External API calls · Zero
Context loaded · Demo audit data
Status · Online
Communications Centre
Audit communications, status updates, client notifications, and email templates
Compose
Sent
Kick-off call confirmation
12 May · Delivered · Read
First-day traffic summary
13 May · Delivered · Read
Midpoint check-in briefing
19 May · Delivered · Read
URGENT: API key exposure
Today 14:32 · Delivered
Upcoming
Day 15 collection close · 27 May
Draft report for review · 4 Jun
Closing call invitation · 6 Jun