Every feature. Every domain.

Live discovery across AWS, Azure, GCP, and OCI. Compute, networking, storage, IAM, managed services, and serverless resources are normalized into a unified inventory schema with consistent metadata.

Clusters, namespaces, deployments, services, ConfigMaps, and workload metadata — including OpenShift and RKE2 environments — mapped into the cross-cloud resource graph.

Relational and managed database service discovery across cloud providers. Captures engine type, version, tier, connectivity configuration, and ownership metadata.

Infrastructure ↔ Platform ↔ Database dependency mapping. Understand the full blast radius of a change before executing — services, downstream consumers, and shared dependencies are surfaced automatically.

Context-aware automation scoping using live inventory state. Catalog items can target resources by tag, owner, environment, region, or dependency relationship — not just by hard-coded identifiers.

Policy-based configuration validation comparing live resource state against approved Stack definitions. Drift events trigger alerts and can initiate automated or catalog-driven remediation workflows.

Pattern recognition across execution history, telemetry, and inventory state to generate operational insights. Diagnostic agents surface probable causes and recommended actions without requiring manual log triage.

Behavioral anomaly detection across automation runs. Agents learn normal execution patterns per catalog item, environment, and team — surfacing deviations that indicate misconfiguration, drift, or security anomalies.

Inventory and execution search via natural language interface. Engineers can query resource state, execution history, and dependency relationships without constructing structured queries or writing scripts.

AI agents translate natural language intent into catalog execution — selecting the correct template, inferring parameters from inventory context, and validating scope before surfacing a structured execution plan for approval.

Pre-execution risk assessment combining inventory dependency data, policy evaluation results, and historical execution outcomes to produce a per-run risk score and blast-radius estimate.

AI-driven RCA correlation across logs, telemetry, and execution lineage. Agents generate ranked hypothesis chains with supporting evidence. Predictive operations capabilities identify emerging failure patterns before incidents occur.

Multi-step, stateful agent workflows with conditional branching, tool use, and human-in-the-loop approval gates. Agents can chain across domains — inventory lookup → risk scoring → catalog execution — in a single governed workflow.

30 Model Context Protocol servers providing agents with structured access to inventory, execution history, policy state, ITSM records, and observability data — without direct database or API access.

Cache-Augmented Generation (CAG) layer providing agents with grounded knowledge from runbooks, Stack definitions, policy documents, and execution history — reducing hallucination and improving contextual accuracy.

OpenAI and IBM watsonx model backends with model routing based on task type — conversational interfaces, structured data extraction, code generation, and risk scoring use purpose-optimized models.

ServiceNow Requested Items (RITMs) trigger governed catalog execution. Approval status, SLA timers, and fulfillment state are tracked in both Cortex and ServiceNow simultaneously.

Full change lifecycle alignment from CHG creation through execution and closure. Change records are automatically updated with execution evidence, run logs, and approval records.

Live CMDB Configuration Item (CI) data is injected into execution context. Automations are CI-aware — target scoping, impact assessment, and approval routing all use real-time CMDB state.

Execution results, output artifacts, and run summaries are written back to the originating ServiceNow record — closing the loop between request, execution, and fulfillment confirmation.

Automation-to-backlog linkage — catalog executions can automatically create or update Jira issues, providing sprint-level visibility into infrastructure and platform operations work.

End-to-end DevOps visibility linking Jira epics and stories to specific catalog runs, Terraform plan outputs, Ansible job IDs, and deployment events — from sprint planning to production change.

Automated documentation updates triggered by service provisioning events. Stack deployments, configuration changes, and inventory updates can be reflected in Confluence spaces without manual authoring.

Standalone, independently deployable diagnostics engine with its own API surface. Decoupled from the execution engine to ensure diagnostic workflows remain available during platform incidents.

Playbook-driven validation workflows delivering health checks, configuration audits, connectivity tests, and compliance scans as self-service catalog items with full execution history.

Diagnostics are delivered as parameterized catalog items — any team can run pre-approved diagnostic playbooks against their target resources without needing direct access to the underlying tooling.

Observability events from Datadog, Splunk, or Elastic can trigger catalog-delivered remediation workflows automatically — closing the loop from alert to action within the governed execution framework.

Telemetry pipeline integrations for real-time monitoring, execution metadata streaming, SLO burn tracking, and deploy event correlation. Each backend is independently configurable per environment.

Short-lived execution tokens issued per run with automatic expiry. Credentials are generated at execution time, scoped to the specific target resources, and revoked upon run completion.

Native integration with HashiCorp Vault, Akeyless, AWS KMS, Azure Key Vault, and GCP KMS. Secrets are retrieved at execution time from the authoritative source — never stored in the platform.

Secrets are injected into execution contexts at runtime — never embedded in catalog templates, Terraform variables, or Ansible inventories. Eliminates entire classes of credential exposure risk.

Detection of long-lived, expiring, or stale credentials across integrated systems. Drift events surface in the inventory layer and can trigger automated rotation workflows via the Service Catalog.

Deployed entirely within the customer's infrastructure and network boundary. Full control over data residency, upgrade cadence, and network isolation. Supports air-gapped environments.

Cortex-managed deployment with SLA-backed availability. Customers connect existing toolchains via secure outbound connectors — no inbound firewall changes required.

Control plane hosted by Cortex with execution agents deployed customer-side. Supports scenarios requiring data plane isolation while reducing customer operational overhead for platform management.