finding · 0x4a2fCOST AVOIDANCE
Stranded Asset · VMware cluster vmx-prod-04
Zero running workloads for 94 days. License + power + facilities still billing.
annualized$412,000/yr
Phase 1 — CMDB + HAM — Live
Autonomous AI agents for
ServiceNow CMDB, SecOps & GRC.
A ServiceNow-native scoped app that deploys autonomous agents across your configuration, security, and compliance data. Every finding carries a defensible dollar value. No bolt-ons. No raw data leaves your instance.
Built onServiceNow Washington DC+·Scoped app
x_cortex_ai·Flow Designer · IRE API·Anthropic Claude (optional)$2.1M
Avg. value identified / pilot
Across Phase 1 financial crawler patterns
10k+
CIs scanned per agent run
Paginated, batched, scoped-app safe
0.91
Avg. finding confidence
Every finding carries a score 0.0–1.0
0
Writes to global CMDB tables
All remediation is human-approval or IRE-routed
Three layers · one product
One base class. Three domains.
Every Cortex agent extends CortexBaseAgent and moves through the same lifecycle — observe, analyze, propose, act. Cross-layer correlation is built into the framework, not a bolt-on.
Phase 1Live
CMDB + HAM
Health, data quality, and financial crawl across configuration items and hardware assets.
- →HealthMonitor — staleness, orphans, data gaps
- →DuplicateDetector — IRE-routed de-duplication
- →FinancialCrawler — refresh, stranded, contracts
- →IntegrationAuditor — source freshness & drift
Phase 2Weeks 9–16
SecOps
Vulnerability response and security incidents, quantified by business impact — not CVSS alone.
- →Cortex Priority Score
- →Exposure × asset criticality weighting
- →CMDB → VR correlation engine
- →Remediation routing workflows
Phase 3Weeks 17–24
GRC
Control-to-CI mapping, continuous evidence, always-on audit readiness.
- →Control → asset mapping
- →Continuous evidence crawler
- →Policy drift detection
- →Audit-ready dashboards
The thesis
Every finding comes with a dollar sign.
The CMDB isn't a data hygiene problem. It's a balance sheet problem. Stale records hide stranded leases. Duplicate CIs double-count licenses. Uncorrelated vulnerabilities sit on business-critical services no one has mapped.
Cortex agents don't just flag. They quantify. Every finding carries financial_impact and a confidence_score — defensible to a CFO.
- Financial types
- Cost avoidance · Cost recovery · Risk exposure · Compliance risk
- Every run audited
- records_scanned · findings_created · value_identified
finding · 0x7e11COST RECOVERY
Deferred Hardware Refresh · 1,240 endpoints
Past refresh window. Active maintenance contracts on out-of-warranty hardware.
recoverable$1,180,000
finding · 0xc08dCOST AVOIDANCE
Contract Renewal Optimization · 17 vendors
Auto-renew inside 90-day notice window. Consolidation across 3 master agreements.
annualized$555,300/yr
The loop
Observe. Analyze. Propose. Act.
The same four-step lifecycle governs every agent in every layer. It makes agents composable, auditable, and safe to run at scale.
- 01
Observe
Paginated GlideRecord reads across global CMDB, HAM, SAM, VR, SIR, GRC. Max 10,000 per query, batched at 1,000.
- 02
Analyze
Native heuristics first. Optional Anthropic Claude API for fuzzy reasoning — anonymized, aggregated, ≤10 calls per run.
- 03
Propose
Every finding gets severity, confidence, and financial_impact with a defensible derivation trail.
- 04
Act
Human-approval tasks or IRE API routing. Cortex never writes directly to global CMDB tables.
Guardrails
Built inside the scope boundary.
x_cortex_ai is a scoped app that reads global tables and writes only to its own. No shortcuts. No detours.
01
Read-only on global tables
Cortex never writes to cmdb_ci*, alm_*, sn_vul_*, sn_si_*, or sn_grc_* directly. All writes land in x_cortex_ai_* scoped tables.
02
Paginated queries, batched jobs
Max 10k per query, batch size 1k. Jobs over 50k CIs use GlideWorker async or Flow Designer batching.
03
Anonymized Claude payloads
Never raw serials, usernames, IPs, or hostnames. Aggregated and anonymized. ≤10 outbound calls per agent run.
04
Full audit trail
Every run logs to sys_audit and x_cortex_ai_audit_log. Every finding ties to an agent run and a derivation.
Learn the model
Not a brochure.
A playable CMDB.
The CMDB Factory Simulator teaches the CMDB/CSDM relational model as a video game. Customers run the factory, break the data, and watch agents heal it in real time.
education / 01Live
CMDB
Factory Simulator
CMDB Factory Simulator
Interactive teardown of the configuration model. Play through a broken factory and see how CIs, relationships, and CSDM layers actually behave.
education / 02
SecOps Simulator
Phase 2 · coming soon
education / 03
GRC Evidence Walk
Phase 3 · coming soon
education / 04
Financial Crawler Lab
Phase 2 · coming soon
Stop cataloging. Start collecting.
Phase 1 is in pilot now. Limited seats. Bring a ServiceNow instance, leave with a quantified balance sheet.