Control plane for infrastructure change

Infrastructure changes
are inevitable.
Outages are optional.

Plan, approve, execute, and roll back infrastructure changes across cloud, network, identity, Kubernetes, endpoints, and security systems — from one control plane.

Nexplane is the control plane for infrastructure change.

80+change types
11integration domains
100%rollback coverage
Change Request · CR-4291
# Patch critical Linux hosts across fleet
change_type:  patch_os
targets:      tag:criticality=high  # 34 hosts
prechecks:    disk_space, service_health
postchecks:   reachability, service_health
rollback:     restore_snapshot

► Lifecycle:  Discover → Plan → Approve → Execute
► Blast radius: 34 hosts · 0 dependent services at risk
► Approved by: platform-lead@acme.com
✓ 34/34 hosts patched · services healthy
✓ Rollback snapshot retained · audit trail written

Works across your infrastructure

AWS GCP Azure Kubernetes Active Directory HashiCorp Vault Linux Windows Server Palo Alto Datadog
The Problem

Every infrastructure team has tools.
Nobody owns the change.

Terraform provisions. ServiceNow tickets. Datadog monitors. Backstage catalogs. Each tool owns a fragment. No system owns end-to-end infrastructure change execution — the gaps live between them.

🏗

Provisioning tools

Terraform, Pulumi, and CDK manage infrastructure state — but not operational changes, security remediations, or credential rotations.

🎫

Ticketing systems

ServiceNow and Jira track intent. They don't execute changes, verify results, or maintain rollback state. The gap between ticket and action is manual.

📊

Observability platforms

Datadog and Prometheus tell you when something broke. They don't tell you which change caused it or how to undo it safely.

The result: tribal knowledge, manual execution, no rollback plan, and an audit trail that lives in Slack.

How It Works

One workflow for every
infrastructure change.

Nexplane turns scattered infrastructure work into controlled, auditable, reversible change workflows.

01
Discover
Map what exists across cloud, network, identity, and endpoints
02
Understand
Graph dependencies, owners, and relationships before acting
03
Plan
Simulate blast radius, generate prechecks and rollback strategy
04
Approve
Risk-scored, human-gated approval before any change executes
05
Execute
Parallel execution across your fleet with live progress tracking
06
Observe
Postchecks confirm services are healthy after every change
07
Rollback
One-click undo returns infrastructure to last-known-good state
08
Document
Immutable audit trail with approvals, diffs, and rollback history
The Platform

Four questions.
One answer.

🗺
What do I have?
Infrastructure graph
A live, connected map of every asset, dependency, owner, and relationship across your entire infrastructure.
asset-graph
💡
What should I change?
Recommendations engine
Continuous scanning surfaces prioritized, actionable recommendations — stale rules, expiring certs, exposed credentials, missing owners.
recommendations
🎯
What will happen if I change it?
Impact simulation
Simulate blast radius, map dependency chains, and run prechecks before a single change executes in production.
impact-simulation
Can I safely undo it?
Rollback center
Every change ships with a typed rollback plan, last-known-good snapshot, and one-click undo. Verified against live infrastructure before it ships.
rollback-center
Use Cases

The changes you already know you should make.

Not the exotic stuff — the ordinary, high-stakes operations every team puts off because there's no safe way to do them. Here's each one, reviewable and reversible.

Everyday, high-stakes operations

Offboard a departing employee

Access has to disappear from everywhere — AD, SSH, cloud IAM, SSO, VPN — and "everywhere" is a list nobody has in full.

one reviewed change that revokes across every system, verifies nothing was missed, and can restore access if the wrong person got caught in it.

In design — talk to us

Rotate a credential without breaking everything that uses it

You can't safely rotate a shared secret until you know every service that reads it — and that list doesn't exist. Miss one and it fails silently, days later.

find every consumer, update them together, verify connectivity, and roll the whole thing back if anything can't reach the new secret.

Available

Patch production without holding your breath

The patch is easy. The fear is the reboot on the box nobody fully understands, with no tested way back if it doesn't come up.

capture the exact state first, patch with pre- and post-checks, and restore the prior state if a host doesn't come back.

Available

Tighten (or emergency-block) a firewall rule

The over-broad rule everyone knows is wrong — or an incident where you need to block something now. You can't prove what depends on it, and there's no clean undo.

a reviewed change with a real rollback — and for emergencies, a block that auto-expires so a temporary rule doesn't become permanent.

Available

Scope down an over-permissioned role

The role with far more access than it uses, that nobody will touch — because you can't see what it actually uses, and tightening it wrong breaks a job at month-end.

change it through a reviewed, reversible request, so a wrong guess is a quick undo instead of a 2am reconstruction.

Available

Rotate an expiring certificate

The cert expiring in three weeks that fourteen services quietly depend on. Rotate it wrong and you take those services down.

rotate with the dependents mapped, verify the chain end to end, and roll back if validation fails.

In design — talk to us
Modernization — the changes you don't get to schedule

You don't touch these for years — you expect them to keep working — and then an end-of-life date, a CVE, or a vendor forces your hand. The problem was never willingness. It's that there's no safe way back if it goes wrong.

Upgrade an end-of-life OS

The distro hits end of life — no more security patches — so you're forced to move, on the box nobody wants to reboot, running an app whose engineers are long gone.

capture the exact machine state, upgrade reversibly, verify the app comes back, and restore the prior state in minutes if it doesn't.

In design — talk to us

Containerize a legacy application

The 8-year-old app on dying hardware. Containerizing it is never just a Dockerfile — it's the dependencies, secrets, and state nobody documented, and you find out what you missed in production.

capture what the app actually needs, move it as a reviewed change, and keep the old one intact so you can fall back until the new one is proven.

In design — talk to us

Modernize the system nobody will touch

The brittle, load-bearing thing everyone routes around — until a dependency goes EOL, a CVE lands, or an auditor asks, and it's suddenly mandatory, on a deadline.

make the change reversible so you can actually start — snapshot, change, verify, roll back — instead of leaving it because touching it feels worse than ignoring it.

In design — talk to us
Infrastructure Memory

Ask why anything exists.

Every enterprise has forgotten why infrastructure exists. Nexplane remembers the approvals, owners, dependencies, timelines, and rollback plans behind every change.

Infrastructure Memory
$ Why is port 8443 open on prod-gateway-01?
Approved by J. Terrill · CR-1847 · 2024-03-12 · "Required for internal metrics pipeline to Datadog agent"
$ Who approved the firewall rule allowing 10.2.0.0/16?
Approved by K. Chen · CR-2203 · 2023-11-04 · Rollback available · Last verified 2024-01-18
$ Which applications depend on cert wildcard.acme.internal?
14 services · expires in 23 days · recommendation: rotate · owner: platform-team
$ Can prod-worker-07 be deleted?
⚠ 3 dependent services · last deployment 6 days ago · no rollback snapshot · requires approval
$ What changed in the us-east-1 VPC yesterday?
4 changes · 2 approved CRs · 1 auto-remediation · 1 rollback executed · full timeline available
Impact Simulation

Know what breaks
before it breaks.

Most tools tell you what happened. Nexplane tells you what will happen — before you execute. Simulate blast radius, map dependency chains, and validate rollback strategy before any change touches production.

Impact Simulation · CR-4418
change: remove firewall rule fw-0a4b · allow 0.0.0.0/0:443
12 assets affected
4 services at risk · api-gateway, auth-svc, cdn-origin, metrics-proxy
prechecks: 3 passing · 0 failing
rollback available · estimated 45s
approval required · risk: medium
confidence score: 91% · based on 14 similar CRs
Blast radius
Know exactly which assets, services, and users are affected before you act.
Dependency chains
Graph-aware simulation follows dependencies across cloud, network, and application layers.
Prechecks + postchecks
Automated validation before and after every change confirms systems are healthy.
Confidence scores
Risk scoring based on asset criticality, blast radius, and historical change patterns.
Infrastructure Graph

Inventory is flat.
Infrastructure is connected.

Relationships are what make changes safe or dangerous. Nexplane maps the connections between every asset so you understand dependencies before you act.

Nexplane
control plane
Compute
EC2 instances VMs Containers Serverless
Identity
IAM roles Users Service accounts Groups
Network
Firewall rules Security groups DNS records Routes
Secrets & Certs
API keys Certificates SSH keys DB credentials
Platform
K8s clusters Load balancers Storage Queues
Workflow
Tickets Source repos Monitoring alerts Owners
Recommendations

Dependabot
for infrastructure.

Continuous scanning surfaces prioritized, actionable recommendations. One click creates a change request — with prechecks, rollback plan, and approval gate already attached.

Critical
Patch critical Linux hosts
34 hosts · CVE-2024-3094 · kernel patch available
Create change request →
High
Rotate expiring certificates
wildcard.acme.internal · expires in 23 days · 14 dependents
Create change request →
High
Reduce IAM exposure
12 roles with AdministratorAccess · 6 unused for 90+ days
Create change request →
Medium
Remove stale firewall rules
8 rules · last matched traffic >180 days ago
Create change request →
Medium
Add missing owners
47 assets without an assigned owner · blocking rollback coverage
Assign owners →
Medium
Improve rollback coverage
19 change types missing rollback verification · live smoke tests pending
View coverage report →
Low
Archive inactive users
23 user accounts · no login in 120+ days · 3 with active permissions
Create change request →
Rollback Center

Infrastructure should
be reversible.

Every change should have a rollback plan, validation checks, last-known-good state, and audit trail. Most platforms claim rollback capability. Nexplane verifies it — every change type ships with a live smoke test that executes the change, triggers the rollback, and confirms the system returned to its prior state. Against real infrastructure, not mocks.

🔒
Lock IAM user
Restore previous policies
🔑
Rotate SSH key
Restore prior authorized_keys
🛡
Apply seccomp profile
Remove profile, restore baseline
🔐
Rotate DB credentials
Restore previous credentials
🡳
Update firewall rule
Delete rule, restore prior state
Modify security group
Restore previous security group
Kernel / OS upgrade
Restore pre-upgrade AMI snapshot
📚
Shared library upgrade (glibc, OpenSSL)
Restore prior packages + restart services

No other platform covers this ground

Nexplane Terraform Ansible ServiceNow AWS SSM
End-to-end change workflow ✗ (infra only) partial tickets only
Typed rollback per operation ✗ (destroy/re-apply) ✗ (write your own)
Impact simulation
Infrastructure memory state file only tickets only
Live rollback verification
MCP server for AI agents
MCP Server

Built for humans
and AI agents.

Everything available in the UI is accessible through Nexplane's MCP server. Claude, ChatGPT, Cursor, Codex, Windsurf, and internal agents can reason about and act on infrastructure — without direct cloud access.

How it works
💬
Agent proposes a change
"Rotate expiring certificates on prod cluster"
🔍
Nexplane validates via MCP
14 certs · blast radius · prechecks · rollback plan generated
Human approval gate
Risk: medium · Approved by: platform-lead
Controlled execution + rollback ready
14/14 rotated · services verified · audit trail written

The agent never touches infrastructure directly. It proposes. The control plane validates, approves, executes, verifies — and can always undo.

Ask Nexplane anything
MCP Server · nexplane
agent What systems depend on the payroll service?
8 upstream dependencies · 3 shared DB connections · 2 certificate chains
agent What will break if I rotate wildcard.acme.internal?
14 services affected · downtime risk: low · rollback: 45s · approval required
agent Generate a safe change plan to patch critical Linux hosts.
CR-4291 created · 34 hosts · prechecks configured · rollback: restore_snapshot
agent Which assets lack rollback coverage?
19 change types · 47 assets · coverage report available
Works with
Claude ChatGPT Cursor Codex Windsurf Internal agents
Integrations

Everything connects.

Organized by workflow domain — not a logo wall.

Cloud
AWS GCP Azure Oracle Cloud
Identity
Active Directory Okta Entra ID Keycloak
Network
Palo Alto Cisco pfSense iptables
Containers
Kubernetes Docker ECS Helm
Endpoints
Linux Windows Server macOS
Secrets
HashiCorp Vault AWS Secrets Manager Azure Key Vault
Certificates
Let's Encrypt DigiCert Internal PKI
Monitoring
Datadog Prometheus CloudWatch PagerDuty
Source Control
GitHub GitLab Bitbucket
Ticketing
Jira ServiceNow Linear
Compliance
CIS Controls SOC 2 FedRAMP ISO 27001
Get Started

Change infrastructure
with confidence.

We'll walk you through the platform against a real or demo environment. No pressure, no contract.

  • ✓ Live walkthrough against real or demo infrastructure
  • ✓ Direct access to the founding team
  • ✓ Shape the roadmap — tell us what's missing
  • ✓ Preferred pricing at GA