Linux CLI
Scan
Baseline Set
Preflight
Compare
Doctor
Repair Plan — v0.2
Watch — Pro
JSON Contract
Browser Scan
Roadmap
Build Sequence and Milestones
AuditWalk is being built toward a full-stack endpoint integrity platform, shaped by a simple but increasingly urgent premise: modern system security can no longer be framed only as prevention, detection, or cleanup. We believe the coming era will be defined by agentic tooling, autonomous workflows, machine-assisted decision systems, and stronger expectations around provenance, accountability, and verifiable trust.
At the same time, blockchain infrastructure is expanding what many people expect from security records and auditability. These shifts have pushed us to rethink the security model itself. Rather than treating trust as something implied by a scan, a dashboard, or an automated process, AuditWalk is built around the idea that trust must be explicit, deliberate, and reviewable.
That thesis is reflected in our focus on the last trusted state. As outlined in the AuditWalk white paper, we separate observation from trust, and trust from action. A system can be scanned, measured, and described in precise detail, but that alone does not make it trustworthy. Trust begins only when an operator deliberately accepts a known-good reference point.
From there, every later comparison, interpretation, and response can be grounded in something concrete. This is the foundation of the platform: a deterministic security model that asks not only what changed, but what changed relative to the last state the operator explicitly trusted. That distinction is central to how we think about integrity.
The long-term platform direction is designed around that foundation. AuditWalk is intended to grow into a broader cybersecurity tool covering filesystem evidence capture, explicit trust management, drift detection, agentic analysis, repair planning, and eventually blockchain-attested audit trails. In that model, deterministic local evidence remains primary, while cryptographic or blockchain-backed attestations can serve as additional layers of continuity, verification, and accountability.
We do not see these systems as replacements for disciplined endpoint analysis. We see them as complementary structures that become more meaningful when the underlying evidence model is already stable, bounded, and explainable.
The implementation sequence is therefore deliberate. The CLI ships first because it forces precision. It allows us to stabilize the core engine, the findings schema, the trust model, and the output contracts before introducing GUI complexity, platform packaging, or broader automation layers.
That order matters. If the core contracts are loose, then every downstream interface becomes harder to reason about, harder to verify, and easier to misinterpret. By locking the command behavior, state model, and output structure early, we create a system that can later support graphical clients, guided workflows, agentic tooling, and cross-platform distribution without losing coherence.
This same sequencing informs our platform roadmap across Linux, macOS, Windows, and mobile surfaces. We are not building outward from a marketing shell inward toward an uncertain engine. We are building outward from a deterministic core.
The goal is a system that can scale in capability without becoming vague in meaning: a platform where evidence remains factual, trust remains explicit, drift remains measurable, and higher-level analysis remains anchored to the last trusted state. That is the milestone logic behind AuditWalk.
Last updated March 3, 2026. This roadmap tracks implementation order, not marketing order. For site UI/UX reviews, see the Site QA Roadmap.
Product Scope
What AuditWalk includes today, and what is in development
AuditWalk is currently available as a Linux CLI built around the core integrity workflow: scan, baseline, compare, and interpret. Repair planning is on the near-term path and remains version-gated. That CLI foundation is the current product surface — available now, and the reference point for how the rest of the system is being built.
The desktop GUI shown in the concept views is not available yet. It is part of the short-term development path, not part of the current release surface. The same is true of the dock tool, mobile companion, and other expanded interaction layers. These are planned extensions of the same trust model and workflow contracts already established in the CLI, but they should be understood as in development.
Near-term development is focused on expanding the platform without changing its underlying model — desktop GUI, additional monitoring surfaces, and cross-platform CLI. As those surfaces arrive, they will inherit the same baseline-first trust model, finding structure, and output logic that define the CLI today.
Available now
Linux CLI
In active development
Desktop GUI — Dock tool — Mobile companion — macOS CLI — Windows CLI — Browser integrity layer
Longer-term direction
Blockchain attestation — Agentic analysis — Automated triage — Multi-host coordination
Dashboard — concept view. Not yet available.
Baseline management — concept view. Not yet available.
Milestones
Delivery Plan
macOS CLI
macOS Persistence Surfaces
LaunchAgent Detection
Apple Notarization
Parity Output Contract
Browser Scan — macOS
Windows CLI
Windows Persistence Detection
Registry Surface Coverage
Startup Enumeration
Noise Reduction
Parity Output Contract
Cross-Platform GUI
Desktop App — macOS, Windows, Linux
Visual Drift Review
Dock Tool
Mobile Companion
Same Schema as CLI
Platform Expansion
Blockchain Attestation
Agentic Analysis
Automated Triage
Signed Baselines
SIEM Integration
Enterprise Ticketing
Threat Intelligence Layer
Extended Automation
Multi-Host Coordination
Blockchain attestation gives every baseline and audit trail a tamper-evident, independently verifiable record. Agentic analysis closes the loop from evidence collection through automated triage and response suggestion — with operator sign-off still required at every trust boundary. This phase is where AuditWalk evolves from a disciplined integrity tool into a full-stack cybersecurity platform.
Phase 4 — In Development
Planned Interaction Surfaces
The cross-platform GUI and its companion surfaces are in development as Phase 4 of the build sequence. These extend the CLI's trust model into new interaction contexts without changing its underlying contracts.
Desktop application
A full-window GUI for the complete audit workflow — no terminal required. Navigate every stage from a left-panel sidebar, review findings with severity classification, manage baselines, run Preflight, and export structured reports. Targets macOS, Windows, and Linux. Runs entirely locally — no cloud sync, no telemetry.
Watch daemon + dock tool
Two components, one monitoring layer. The watch daemon schedules and executes background scans on a configurable cadence. The dock tool is its visible face — a persistent status indicator in the system tray reflecting current scan state at a glance. Amber while scanning. Green when clear. Red when findings require attention.
Mobile companion
Monitor scan progress, current findings, and baseline status from a phone while a scan runs on the desktop. Connects over local Wi-Fi with a QR-paired session — no account, no remote access, no cloud intermediary. Available to GUI users on iPhone and Android. The desktop remains the sole execution surface.
Desktop application — concept views
These are design placeholder concepts. The final GUI will reflect the same finding schema, trust model, and workflow contracts defined by the Linux CLI.