FIELD DOSSIER // MSSP OPERATOR PLATFORM

Omniscient
one operator. the whole fleet.

Many toolkits, one underlying data stream — idempotent, reversible, and what-if-able. Discovery, hardening, deception, and live adversarial validation, run and re-run from a single console.
Response Tiers
T0–T5configurable ladder
Deception Zones
5outer → crown jewels
Heartbeat
RSA-2048signed dead-man
Key Model
2-KEYauthority ÷ encryption
[ 01 // THE PROBLEM ]

Months Versus Seconds

The average intrusion sits undetected for months. Most managed security is a dashboard nobody watches and a hardening pass that happens once, then goes stale the day after it's written.

For an MSSP, that gap is the whole business risk. You put your name on a client's security posture, then find out about the breach the same week the client does — from a ransom note, not your own tooling. The tools that were supposed to catch it were busy generating alerts no one had time to read.

The industry's answer has been more: more sensors, more alerts, more dashboards, more analysts to triage the noise. That doesn't close the gap; it just moves the fatigue around. Every added tool is another vendor, another console, another integration seam for something to slip through.

The insight this platform is built on

Security isn't about stopping everything — nothing stops everything. It's about making sure that the moment an attacker does get in, they hit a tripwire immediately, and the response that follows is automatic, contained, and recorded. Detection measured in seconds, not months.

[ 02 // ARCHITECTURE ]

One Platform, One Data Stream

Omniscient is not five tools bolted together. It's many toolkits — recon, hardening, deception, access, red team — running as views and verbs over one governed data stream. That single design decision is what makes everything else safe to operate at scale.

Because it's one stream underneath, a mine trip, a heartbeat silence, and a network-drift event all land in the same feed, on the same incident thread. Nothing is stranded in a separate console. And that stream has three properties that, together, are the reason a single operator can run an entire fleet without fear:

Property 01
Idempotent
Run the same operation twice and land in the same state — no duplicates, no drift from repetition. Every door, rule, and decoy is named, so the system always knows what it did. You are never afraid to re-run.
Property 02
Reversible
Every action ships with its inverse in the same pass. Apply pairs with rollback, open with close. No one-way doors. Nothing you do to a client's production box is a commitment you can't walk back.
Property 03
What-If-Able
A pre-flight plan shows the exact consequence before you commit. Sentinel simulates before it arms. The box itself is the preview — so you operate confidently without a separate lab to rehearse in.

The Governance Model

Policy inherits down three levels, each mapping to something an operator already thinks in: National is the network — topology, segments, switches. Federal is the machine — system-wide hardening applied to every account unless overridden. State is the user — role-based policy, because a General Manager's workstation is not a line cook's.

When the engine finds a live account with no role mapping yet, it doesn't pretend the account isn't there — it's surfaced as ungoverned, with a one-click path to promote it into the model. Nothing stays invisible by accident.

Omniscient fleet map
FIG.01The fleet map — every managed machine, switch, and segment in one topology, with live counts for machines, users, admins, drift, and sync state. The National view: the whole estate on one surface.
[ 04 // RECON ]

See What's Actually There

Every engagement starts with what's actually on the wire — not what a client's documentation claims. Discovery flags drift: anything present that isn't in the governed model.

A fast parallel sweep maps the subnet; a deeper pass probes services. Whatever it finds that you didn't put there is surfaced as drift, with real MAC and vendor data — often the single most valuable thing you can show a new client: the devices on their own network that nobody told them about.

Discovery and drift map
FIG.12A live subnet sweep: managed endpoints resolve clean, everything undocumented is flagged as drift — each rogue device carrying its real MAC address and vendor fingerprint.
A credibility beat worth noticing

Run recon inside a NAT boundary and the platform detects it, explains the mechanism, and tells the operator how to get a true reading — instead of handing back a falsely clean scan. A tool that tells you when it can't see something is worth more than one that always shows green.

NAT-aware recon
FIG.21Recon correctly identifying a NAT boundary and explaining why the scan is limited — the tool refuses to fake a result it can't stand behind.
[ 05 // ACCESS ]

Get In Safely

Every managed box's resting state is hardened and closed. Remote access is the exception — and everything the platform opens is named, visible, and reversible. There is no "allow any."

The engine refuses wildcard and LocalSubnet firewall rules outright. Every door is locked to a specific office source, every route is scoped and auditable, and every port forward tears back down to exactly the state it started in.

Gateway access door
FIG.13Standing up a gateway access door — source-locked, NLA-required, torn down with the same one click it took to open.
[ 06 // HARDEN ]

Provision, Review, Fire

Nothing executes against a live box without a review step first — the plain-language summary, the exact commands, and an explicit confirmation. What-if-able, by construction.

Role-based presets carry sensible starter security for every position, with per-role web allowlists and application control layered on automatically. Admin accounts are structurally exempt from the lockdowns applied to everyone else — by design, not oversight. Every run is atomic and logged, so you can prove exactly what changed.

Pre-flight review
FIG.08The pre-flight review — every pending change shown, in plain language and as raw commands, before a single one fires. Cancel or Fire; nothing happens by surprise.
Live execution log
FIG.09Real execution output after firing: a per-item pass/fail tally — not a spinner that says "done." Auditable evidence of exactly what landed.
[ 07 // KEYS ]

Trusted With The Keys

Credential security rests on one deliberate decision: the key that proves you're the operator is never the key that decrypts credentials. One shared secret would be a single point of total compromise — so there isn't one.
Design note — two keys, split on purpose

The Operator Key gates authority actions — break-glass, overlay unlock, mine re-arm. PBKDF2-HMAC-SHA256 at 600,000 iterations, verifier-only, DPAPI-wrapped. The Vault Key decrypts the credential vault only, via a separate derivation, AES-256-GCM with CBC+HMAC. Cracking one gets you nothing toward the other.

Passphrases are never stored and cannot be recovered if lost — by design. No hash hard-coded in source, no bare fast hash, no plaintext fallback anywhere; each of those failure modes is explicitly forbidden in the platform's own engineering standard.

Secrets pane
FIG.22The Secrets pane — the two-key architecture in one view. Set-state and metadata only; no secret material is ever read into the display.
[ 08 // OPERATE ]

One Analyst, Magnified

This is the section a reseller should read twice. Omniscient is built so that one operator covers a fleet that used to need a team — and that multiplier is where your margin comes from.

Acting as a specific user is a single elevation, not a UAC prompt on every click — one authorization covers the whole visit, logged as one session. Live policy state is read straight off the box and compared against the model; divergence surfaces as drift. Nothing forces the operator to hunt box-by-box: the whole fleet's alarms and messages land in one triage feed.

Run in user context
FIG.16Running actions in a specific user's context — shell, browser, files, installs — all under that account's real token, hive, and effective policy, inside one authorized session.
[ 09 // SENTINEL ] — THE DIFFERENTIATOR

It Fights Back. Safely.

Hardening keeps an attacker out. Deception is what happens when one gets in anyway — and it changes the economics of attacking your clients.

Think about an intruder's cost. Today, once they're inside, their only real cost is time. They move laterally and explore at leisure, because nothing punishes movement. Omniscient inverts that. Every step an attacker takes through a protected environment raises their odds of triggering an automated, recorded containment event. You aren't just detecting them — you're making the environment too expensive to navigate.

Mechanism — absence as the alarm

Every endpoint writes a signed, sequenced heartbeat on a fixed interval. The clever part isn't the beat — it's what its absence means. An intruder can kill the agent, but they cannot forge the next beat; there is no signing key on the box to steal. Silence isn't a gap in coverage. Silence is the alarm — the one signal an attacker can't fake their way around.

The Containment Ladder

Touch a decoy and a response fires automatically. But it isn't one blunt action — it's a ladder, and where the decoy sat decides how hard the system hits back.

T0LogChain-of-custody entry. Always, no exceptions.
T1AlarmWarning-level alert the instant the decoy is touched.
T2EscalateCritical alarm, flagged for off-box escalation.
T3RevokeEvery live just-in-time access grant on the box is pulled immediately.
T4IsolateCloses the exposure the platform itself opened — never the operator's console, never the account.
T5DisableIsolates and disables the implicated account — but never the operator's own, and never the last admin.

Notice what the ladder doesn't do. It never destroys data. It never counter-attacks. Its most aggressive rung refuses to lock out the last way back in. That restraint is deliberate: this runs unattended on a client's production box, so its worst-case action has to be one you'd still be comfortable with at 3 a.m. Containment, not vengeance.

For the buyer who asks "can we tune it?"

Yes. The ladder ships pre-configured for safety, but every rung is configurable to match each client's risk appetite. A cautious client can cap the response low; a high-security client can arm the full ladder. Same platform, tuned per engagement.

Psychological Containment

When a loud mine trips, the response isn't only technical. The intruder's own session is taken over and told, in the most unambiguous terms the screen can manage, that they've been caught and the response has already started. You break the attacker's momentum by showing them, mid-move, that they're inside a trap that's already closing.

Live scenario — 17:49, unattended

A decoy credential file in the crown-jewels zone is modified. No analyst is watching. The engine acts on its own: the incident is logged with a tracked ID, the acting account and process captured, grants revoked, the session contained, the alarm written to the feed. By the time an operator next opens the console, the intrusion is already contained and fully documented — no 3 a.m. phone call required.

Breach detected takeover
FIG.27The moment of detection, as the intruder's own session sees it — a full-screen takeover carrying a tracked incident ID while the containment ladder fires underneath. Momentum broken.
Mine board five zones
FIG.24The mine board — five zones, five default response tiers. A decoy in perimeter bait raises an alarm; one in crown jewels triggers isolation and account disable. Blast radius scales with intrusion depth.
[ 10 // ADVERSARY ]

What It Takes To Beat It

An honest look at the attacker's problem — because a claim of "unhackable" is what amateurs sell, and the buyers you want will see through it instantly.

Against a fully-hardened, Sentinel-armed environment, a remote attacker doesn't get to fight the cryptography — they get pushed off it entirely:

So the attacker is forced off the math and onto the two most expensive problems in security: defeating a disciplined operator, and moving through a monitored environment without tripping anything. That's not impossible — nothing is — but it is slow, loud, and expensive, which is the entire point. You have changed the economics.

[ 11 // PROGRAM ]

Not A Snapshot. A Program.

A hardening report is a snapshot — stale the day after it's written. A deception layer is only as credible as the offense actually thrown at it. So validation isn't a one-time event; it's a continuous purple-team loop.

Omniscient ships with its own red-team capability, wired to the same engine as everything else, and enrollment is structured as a continuation program rather than a project with an end date. Under signed rules of engagement and explicit written authorization — enforced in the platform, not just promised in a contract — the exact hardening deployed is tested against, and every finding feeds the next pass.

Red team validation
FIG.17The red-team module — adversarial validation run under explicit authorization against the platform's own hardening. Offensive capability with rules-of-engagement built into the tool itself.

For a reseller, the continuation program is what turns a one-time sale into recurring revenue: the client's posture doesn't get set once and left to drift — it gets tested, tuned, and re-tested on a standing cadence, under your name, for the life of the contract.

[ 12 // SCALE ]

Add A Client, Not A Rebuild

The economics that make Omniscient worth reselling come from one architectural fact: because every capability is driven by the same data model, growth is additive, not structural.

Adding a machine is adding a profile. Adding a client is adding a set of profiles — not re-architecting anything. Role templates fold down to every user automatically, presets carry the hardening baseline, and the same engine drives one endpoint or a thousand. The operator's console doesn't change as the fleet grows; only the count on the fleet map does.

Grows by
Profiles
A new machine or client is data added to the model, not new code. Onboarding is configuration, not construction.
Folds via
Templates
Role and preset templates cascade to every user and machine they touch. Change one, it ripples correctly to all — idempotently.
Runs on
One Engine
The same engine drives one box or the whole estate. Your operators learn one tool and apply it to every client you take on.
[ 13 // ENGAGE ]

Two Ways To Put Omniscient To Work

// FOR MSSPs
License & Resell

Run Omniscient as the operator platform behind your own practice. One analyst covers a fleet that used to need a team; onboarding a client is configuration, not construction; and the continuation program turns one-time hardening into recurring revenue — under your brand, on your terms.

Licensing terms, operator training, and the boundaries of a client-facing view are scoped with you directly.

// FOR BUSINESSES
Enroll For Full Care

Have your fleet run through Omniscient by Barr Cyber directly — discovery, hardening, deception, and continuous purple-team validation, under one contract. The same discipline applied to the platform's own environment, applied to yours.

Scope is set to your environment and risk appetite. Nothing offensive ever runs without written authorization on file.

Start The Conversation

Whether you're evaluating Omniscient to resell or to be protected by it, the first step is a direct conversation about your environment — not a sales funnel.

Get In Touch →
WARREN BARR · 713-882-0902 · warren@barr-cyber.com
[ APX // GALLERY ]

Full Platform Gallery

Every screen referenced in this dossier, plus supporting views not called out individually. Click any to view full size.