Enrichment & Verification Quality

Every alert is verified live and enriched with context. 20 verifiers confirm secrets are active before alerting. BPE tokenization achieves 98.6% recall. Context-aware scoring reduces false positives by 40% compared to entropy-only approaches.

Alert Fatigue Kills Secret Scanning Programs

Entropy-only scanners flood teams with false positives. Teams learn to ignore alerts, and the one real credential leak gets buried. Verification and enrichment transform noisy detections into actionable, prioritized incidents.

70.4%: Recall with entropy-only
98.6%: Recall with BPE tokenization
40%: Fewer false positives
20: Live verifiers

How Verification Works

Every detected secret goes through a multi-stage enrichment pipeline before an alert is raised.

# Enrichment pipeline
1. DETECT — BPE tokenizer + 497 patterns identify candidate secret
2. CLASSIFY — Identify provider, secret type, and format
3. VERIFY — Live verifier tests if secret is active (safe, read-only API call)
4. ENRICH — Resolve permissions, blast radius, age, and owner
5. SCORE — Context-aware severity: active + admin scope + internet-facing = critical
6. ALERT — Prioritized alert with full context for immediate triage
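
Why an entropy threshold alone is noisy and what a format-and-context check adds, as an added example (not from this page and not Netallion's implementation; it does not implement BPE tokenization or live verification). The 3.5-bit threshold, the hint words, the list of look-alike formats and all function names are assumptions; the sample lines are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample lines. The AWS value is the placeholder key ID from AWS docs.
SAMPLE = [
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "commit da39a3ee5e6b4b0d3255bfef95601890afd80709 merged",
    "request_id: 123e4567-e89b-12d3-a456-426614174000",
    "api_token = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
]

TOKEN = re.compile(r"[A-Za-z0-9/+-]{20,}")      # candidate strings
KEY = re.compile(r"(\w+)\s*[:=]\s*$")           # name directly left of a value
SECRET_WORDS = ("secret", "token", "passw", "api_key", "access_key")  # assumed hints
BENIGN = [                                      # assumed list of look-alike formats
    re.compile(r"[0-9a-f]{40}"),                                   # git SHA-1
    re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"),      # UUID
]
PROVIDER = {"aws_access_key_id": re.compile(r"(AKIA|ASIA)[A-Z0-9]{16}")}

def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def entropy_only(lines, threshold=3.5):
    """Flag every long token whose entropy exceeds the (assumed) threshold."""
    return [m.group() for ln in lines for m in TOKEN.finditer(ln)
            if entropy(m.group()) > threshold]

def context_aware(lines, threshold=3.5):
    """Classify by format first, then use the key name to settle look-alikes."""
    findings = []
    for ln in lines:
        for m in TOKEN.finditer(ln):
            tok = m.group()
            key = KEY.search(ln[:m.start()])
            named = bool(key) and any(w in key.group(1).lower() for w in SECRET_WORDS)
            kind = next((k for k, rx in PROVIDER.items() if rx.fullmatch(tok)), None)
            if kind is None:
                benign = any(rx.fullmatch(tok) for rx in BENIGN)
                if (benign and not named) or entropy(tok) <= threshold:
                    continue   # look-alike without a secret-like name, or low entropy
                kind = "generic_secret"
            findings.append((tok, kind))
    return findings

if __name__ == "__main__":
    print("entropy-only :", entropy_only(SAMPLE))
    print("context-aware:", context_aware(SAMPLE))
```

On the constructed sample, the entropy-only pass flags all four strings, while the context-aware pass drops the commit hash and the request UUID and keeps the 40-hex value only because it is assigned to a name containing "token".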

20 Live Verifiers Across 9 Providers

| Provider | Verification Methods | Verifiers |
|---|---|---|
| AWS | STS GetCallerIdentity, IAM ListAccessKeys | 3 |
| Azure | Graph API token validation, Key Vault access test | 4 |
| GCP | OAuth2 tokeninfo, Service Account key validation | 2 |
| GitHub | PAT scope check, App installation verify, OAuth validate | 3 |
| GitLab | Personal token verify, Group token validate | 2 |
| Slack | auth.test API, Bot token scope check | 2 |
| Stripe | Balance retrieve (live key test) | 1 |
| SendGrid / Twilio | API key permission check, Account SID validate | 2 |
| Database | Connection string test (PostgreSQL, MySQL, MongoDB) | 1 |

Enrichment Context

Provider Identification

Automatically identify which service issued the credential — AWS, Azure, GitHub, Stripe, and 40+ more. No manual tagging required.

Permission Scope

Resolve the exact permissions granted by the credential. For AWS: IAM policies. For GitHub: token scopes. For Azure: RBAC role assignments.

Blast Radius

Map every service, repository, database, and API the credential can access. Quantify exposure in terms of data records, not just permission labels.

Age Estimation

Determine when the credential was created and when it was last rotated. Flag credentials older than policy thresholds.

Quality That Eliminates Alert Fatigue

Capability | Netallion AI Assurance | GitGuardian | GitHub Secret Scanning
BPE tokenization
Live verification (20 providers)
Permission scope resolution
Blast radius mapping
Age estimation
Context-aware severity scoring
98.6% recall
40% fewer false positives

Every Alert Verified. Every Secret Enriched.

Stop drowning in false positives. Start your 14-day Business trial and see the difference verification makes.