HOW IT WORKS

How PathWise reasons about a broken connection.

It walks the access path, grounds every claim in evidence you can check, and stops at a proposed solution for you to perform. It never changes anything on your systems.

Every connection crosses eight layers.

A layer is a stage every enterprise access crosses, whatever vendors you run. PathWise does not walk them in a fixed order. It picks the entry point from the error and follows the evidence.

Device
checksendpoint health and config, a valid IP, subnet, gateway, and a compliant posture.
goes wronga bad IP, the wrong subnet or gateway, a missing or non-compliant agent.
Local network
checksthe first hop out, the LAN, Wi-Fi, the local gateway, and the VPN tunnel.
goes wronga dropped tunnel, a bad local gateway, Wi-Fi that works in one spot and not another.
User
checksauthentication, who this is and whether they proved it, across AD, Kerberos, SSO, certificates, and MFA.
goes wronga failed SSO assertion, an expired Kerberos ticket, MFA not satisfied.
Rights
checksauthorization, across network policy and resource permission.
goes wronga firewall rule that never matched, a missing database grant, a share or NTFS permission.
Resolution
checksturning a name into an address, cache first, then the hosts file, then DNS.
goes wronga stale record, split-horizon returning the wrong view, a TTL that has not propagated.
Routing
checksreachability and transport, whether a packet can reach the target and the port is open.
goes wrongno route to the target, a closed port, nothing listening.
Session and trust
checksthe secure session, the TLS handshake, cipher, certificate chain, name match, and clock.
goes wrongan expired certificate, a name mismatch, a clock skew that breaks validation.
Destination
checksthe target service itself, that it is listening and healthy.
goes wrongthe service is down, or a backend dependency it needs is down.

It follows the evidence, not a script.

Start from the error
The error class sets the entry layer. A name that will not resolve starts at resolution, a refused login starts at user. No wasted checks.
Gather evidence, read-only
It reads the evidence it needs: data you export through modules, plus its own live read-only network probes. Every check is read-only. It looks, it never changes.
Ground every claim
Each finding carries its evidence, a confidence, and an honest note on what it could not verify. Nothing is asserted bare.
Stop at a proposed solution
It writes the finding and a proposed solution for you to perform, with cited evidence and a confidence level, then stops. A person decides and acts.

The answer is evidence you can check.

PathWise does not hand you a guess. Every answer is a structured record: the claim, the evidence behind it, a confidence, and what it could not verify. You can audit the reasoning before you trust it.

Claimwhat the engine concluded.

Evidencethe data behind the claim, named and quoted.

Groundingwhich layer and source the evidence came from.

Confidencehow sure it is, stated plainly.

Not verifiedwhat it could not confirm, said out loud.

Source trusthow much weight that source deserves.

pathwise · access-path trace

pathwise > trace "user cannot reach payroll-app"

access path device · local-net · user · rights · resolution · routing · session · destination

✓ device healthy ip 10.4.12.88/22, gateway reachable

✓ local network healthy LAN up, VPN tunnel established

✓ user authenticated SSO assertion valid, MFA satisfied

✗ rights blocked Check Point rule "permit-payroll" never matched

Identity Awareness has no IP to user mapping for 10.4.12.88

─ resolution skipped entry point set by error class

─ routing skipped

─ session skipped

─ destination skipped

finding the user is not mapped to their IP, so the identity-based permit rule never matches

evidence checkpoint.logs: drop on cleanup rule (confidence: high)

identity-awareness: no mapping for 10.4.12.88 (confidence: high)

not verified whether the user authenticated to the identity collector today

proposed solution (for you to perform):

re-run Identity Awareness mapping for the user, or have them re-auth to the collector

⚠ PathWise is read-only. It will not do this for you.

Built to paste into the ticket.

The answer renders as a structured report written for your ticketing system, Jira, ServiceNow, or Zendesk: the summary, the path checked, the finding, the evidence with its confidence, what was not verified, and the next step. The internal review details stay separate, so what you paste reads like a professional ticket update, not a debug dump.

Three guarantees, enforced in code.

PathWise is built so the worst case is a wrong answer shown to a person, never a wrong action taken by a machine.

How read-only is enforced, for the skeptic ›

Read-only enforcement

Read-only is enforced in the engine, not left to the model. Every module connection is marked read-only, and an untrusted-input wrapper contains prompt injection. A weak or hijacked model degrades the quality of the answer. It still cannot mutate anything, escape read-only, or auto-execute.

Evidence-grounded reasoning

Every claim ships with its grounding, a confidence, and an explicit note on what was not verified. The engine does not invent data, and it tells you where it is unsure.

A person always decides

PathWise stops at a proposed solution for a person to read and perform. Asking a question is not an action, so this holds even when you ask it to dig deeper. It never acts on its own.

Your vendors plug in as modules.

The eight layers are universal. Your specific tools, your firewall, your DNS, your identity provider, plug in as modules that read a layer. A module is a small folder of plain files describing one vendor or one layer. The DNS module reads resolution. The Check Point module reads rights.

Every module connection is read-only by contract. The engine handles the safety, so a module author cannot make it unsafe. The standard is free and open, and you can write your own.

See the modules ›Read the standard ›

Find the broken layer, with the proof.

Get PathWise$349 one-timeRead the docs ›

Who is it for?

Anyone with the right permissions stands it up. After that, anyone working an access ticket, help desk, IT ops, or developers, gets the same evidence-backed answer.

What exactly do I get?

The engine skeleton as a Docker image, the DNS and Check Point modules, and the command-line tool. A browser UI is planned. You supply your own model backend.

Does it change anything in my network?

No. It is read-only and advisory. It runs read-only checks, including its own live network probes, and proposes a solution you perform. It makes no changes.

What model does it run on?

You bring your own. Today it runs against the Anthropic API with your key. An OpenAI-compatible backend, and local or in-tenant placements, are planned. The model is a quality dial you set.

Is my data sent anywhere?

No Silo7 telemetry or phone-home. Your model does the reasoning, so today, in the Anthropic mode, your investigation data goes to your AI provider over your own key. Local and in-tenant placements that keep data in your boundary are planned. Probes send only the host or IP being checked.

What is a module?

A small folder of plain files describing one vendor or one layer. The standard is free and open, and you can write your own.

How is it licensed?

A one-time usage license. One organization, no modifications, no resale, as-is, copyright retained.