
Credential health

Health scoring flags weak, reused and old secrets; breach monitoring checks them against Have I Been Pwned; exposure detection watches brokered terminal output for leaked secrets in real time.

Updated Jun 23, 2026

A vault full of secrets is only as safe as the secrets in it. VaultTerm continuously assesses the health of what you store, watches for known breaches, and — on brokered sessions — catches secrets leaking into terminal output as it happens. All of it is audited.

Health scoring

The health scanner evaluates stored secrets and flags the ones that put you at risk:

  • Weak secrets that are too short or low-entropy to stand up to guessing.
  • Reused secrets that appear on more than one record.
  • Old secrets that have not been rotated in a long time.

Flagged secrets feed straight into the guided rotation workflow described in Sharing and rotation, so a finding turns into a fix.

Breach monitoring

Beyond scoring, VaultTerm checks stored passwords against the Have I Been Pwned breach database to see whether a password has appeared in a known breach corpus.

  • When a stored password matches a known breach, VaultTerm raises a CREDENTIAL_BREACH_DETECTED event.
  • The event lands in the audit trail, so the finding is on the record and can drive alerting or rotation.

Exposure detection

The most distinctive health check applies to brokered terminal sessions. VaultTerm watches the SSH broker’s terminal output in real time for secrets that leak into the stream — for example a credential echoed to the console.

When a secret is detected in brokered output, VaultTerm:

  • raises a CREDENTIAL_EXPOSURE_DETECTED event,
  • auto-redacts the exposed secret from the session recording so the plaintext is not preserved there, and
  • records the detection in the audit trail.
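
The redaction step above has one failure mode worth seeing in code: a secret split across two reads of the terminal stream, which a per-chunk match misses. The sketch below is an added example, not VaultTerm's implementation; `StreamRedactor`, the mask text, the record id and the sample secret are assumptions, and only the event name comes from this page.

```python
# Added example, not VaultTerm code. StreamRedactor, MASK and the sample
# record id / secret are assumptions constructed for illustration.
EVENT = "CREDENTIAL_EXPOSURE_DETECTED"  # event name from the page
MASK = b"[REDACTED]"


class StreamRedactor:
    """Mask known secrets in chunked terminal output before it is recorded."""

    def __init__(self, secrets):
        # secrets: {record_id: secret_bytes}. Longest first, so a secret that
        # contains a shorter one is masked as a whole.
        self.secrets = sorted(secrets.items(), key=lambda kv: -len(kv[1]))
        # A secret split across chunks leaves at most len-1 bytes pending.
        self.hold = max((len(s) for s in secrets.values()), default=1) - 1
        self.buf = b""
        self.events = []

    def feed(self, chunk):
        """Take one chunk of output, return bytes safe to record."""
        self.buf += chunk
        for record_id, secret in self.secrets:
            hits = self.buf.count(secret)
            if hits:
                self.buf = self.buf.replace(secret, MASK)
                self.events += [(EVENT, record_id)] * hits
        # Hold back the tail: it may be the first part of a split secret.
        cut = max(len(self.buf) - self.hold, 0)
        out, self.buf = self.buf[:cut], self.buf[cut:]
        return out

    def close(self):
        """Flush the held tail when the session ends."""
        out, self.buf = self.buf, b""
        return out


def demo():
    # Constructed session: the secret is echoed and split across two reads.
    r = StreamRedactor({"rec-db-01": b"S3cr3t-Example-Value"})
    chunks = [b"$ echo $DB_PASS\r\nS3cr3t-Ex", b"ample-Value\r\n$ "]
    recording = b"".join(r.feed(c) for c in chunks) + r.close()
    return recording, r.events


if __name__ == "__main__":
    print(demo())
```

The held-back tail delays the recording by at most the length of the longest secret minus one byte, which is the cost of never writing a partial secret to disk.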

Entitlement

Exposure detection is a PRO+ capability, gated by the exposure_detection entitlement. Health scoring and breach monitoring remain available to flag problems even where exposure detection is not enabled.
