OW
OpenWatch
platform · the control plane

The fleet eye, heartbeat, and control plane for Kensa.

Continuous visibility into every transactional change across your Linux fleet. Proactive drift detection. Audit-ready evidence, automatically. For humans, compliance teams, and the AI agents that will operate production alongside them.

app.openwatch.dev
OpenWatch host management dashboard

Three identities, one system

The Eye, the Heartbeat, and the Control Plane.

01

The Eye

Comprehensive view

Every change Kensa has ever made, on every host and across every fleet, stays visible and queryable. Nothing is lost. The transaction log is the primary interface.

Continuous · auditable · exportable to OSCAL

02

The Heartbeat

Proactive awareness

OpenWatch scans on a schedule whether a human is watching or not, with cadence that adapts to host health. It detects drift from baseline and raises an alert, so you catch it before an assessment, not during one.

Drift detection · liveness · adaptive scheduling

◆ AI-READY03

The Control Plane

Where the fleet is operated

Describe a change across your fleet, preview exactly what will be captured, applied, and rolled back, approve, and OpenWatch orchestrates it. Humans approve; agents operate; OpenWatch mediates and records intent.

The surface AI agents talk to, not Kensa directly

Capabilities

What OpenWatch does

Continuous compliance posture

Adaptive scheduling keeps the dashboard live, with scan cadence that adapts to host health.

Temporal compliance queries

"What was our STIG posture on February 1st?" Answered from the transaction log, no re-scan needed.

Compliance drift detection

When a passing rule starts failing, OpenWatch raises an alert automatically and tracks it to resolution.

Governance & exceptions

Request, approve, reject, time-limit, revoke: structured workflows with a full audit trail. No more spreadsheets.

Audit-ready evidence

Every check captures the exact command, output, expected vs. actual. Export as CSV, JSON, PDF, or signed OSCAL.

Multi-framework, single scan

One scan maps to STIG, CIS, and NIST 800-53 simultaneously. Same evidence, many assessors.

Architecture

One engine underneath. No exceptions.

Every transaction runs through the Kensa primitive. There is no parallel scanning path. The transaction log in PostgreSQL is the single source of truth that humans, auditors, and agents all read from.

┌─────────────────────────────────────────────────────────┐
│  You · Your team · (future) AI agents                   │
└────────────────────────────┬────────────────────────────┘
                             │  Control Plane API
┌────────────────────────────▼────────────────────────────┐
│  OpenWatch · dashboard + API                            │
│  Transactions · Posture · Drift · Exceptions            │
│  Evidence · OSCAL export · RBAC · Audit                 │
├─────────────────────────────────────────────────────────┤
│  Kensa engine · scheduled workers                       │
│  scan · validate · rollback · drift · heartbeat         │
├─────────────────────────────────────────────────────────┤
│  Transaction log · single source of truth               │
└────────────────────────────┬────────────────────────────┘
                             │  SSH · port 22 · agentless
┌────────────────────────────▼────────────────────────────┐
│  Your Linux fleet · RHEL 8/9 · Rocky · AlmaLinux        │
└─────────────────────────────────────────────────────────┘

Security

Built for regulated environments.

Agentless by design, with an audit trail for control-plane actions: who approved what, and when.

Encryption at rest
AES-256-GCM
Authentication
RS256 JWT · Argon2id password hashing
Multi-factor auth
TOTP with backup codes
FIPS 140-2/3
Supported in FIPS mode
Authorization
Role-based access control
Audit logging
All auth, authz, and compliance events
Transport
TLS 1.2+
Target security
Agentless: SSH only, nothing installed

API-first · agent-ready

The Control Plane is the surface automation talks to.

Frontends and agents consume the same OpenAPI contract, with RBAC, idempotency, and audit built in. An automation client that wants to change production doesn't get a shell. It files a remediation request for one rule on one host, which enters the governance lifecycle with the projected compliance lift attached. A human signs off (separation of duties: the approver can't be the requester); execution runs through Kensa's Capture/Apply/Validate/Commit; the result flows back into the audit log.

Authorization enforced. Intent recorded. Evidence captured. Audit trail by construction.

control-plane-api
# An automation client requests a fix through the Control Plane,
# not by SSH-ing into the host directly. This call does not touch the host.

POST /api/v1/remediation/requests
Authorization: Bearer owk_<api-token>          # role-scoped service-account token
Content-Type: application/json
{
  "host_id":     "app-7-prod-uuid",
  "rule_id":     "ssh-disable-root-login",
  "scan_run_id": "scan-uuid"                   # optional provenance
}

→ 201 Created
  {
    "id":           "a1f3...-7f3a",
    "host_id":      "app-7-prod-uuid",
    "rule_id":      "ssh-disable-root-login",
    "status":       "pending_approval",
    "requested_by": "operator-uuid",
    "transactional": true,
    "reboot_required": false,
    "projected_lift": { "cis": "…", "stig": "…", "nist": null },
    "requested_at": "2026-05-06T14:22:10Z"
  }

# A different human approves (separation of duties enforced):
POST /api/v1/remediation/requests/{rid}:approve   →  status: approved

# Then execution is queued; Kensa applies the fix and journals each step:
POST /api/v1/remediation/requests/{rid}:execute   →  202 Accepted
# poll GET /api/v1/remediation/requests/{rid} for executed | failed
Kn
The engine underneath

Want the CLI instead of the platform?

Kensa is the compliance engine OpenWatch runs on: full CIS, STIG, and NIST 800-53 rule coverage, typed remediation mechanisms, automatic rollback, all over SSH. If you want a single binary for scripts and pipelines, start there.

Explore Kensa →

FAQ

OpenWatch FAQ

What is OpenWatch?

OpenWatch is a compliance operating system for Linux fleets. It provides continuous posture, drift detection, temporal queries, governance workflows, audit-ready evidence, and an API-first control plane.

How does OpenWatch relate to Kensa?

OpenWatch is the control plane; every change it orchestrates runs through the Kensa transaction primitive (capture, apply, validate, commit or rollback). Kensa is the engine, and OpenWatch is the fleet-wide dashboard and API on top of it.

Is OpenWatch agent-based?

OpenWatch drives changes through Kensa over SSH, so there is no separate persistent agent required on the managed hosts.

What evidence does OpenWatch produce?

Structured, machine-readable evidence for every check, including OSCAL output, so results can be handed to auditors directly.

See everything. Continuously.