For security architects, GRC analysts, and ServiceNow platform owners

The security-truth oracle for ServiceNow.

Independent audit of the platform-layer risks AI agents and human workflows depend on — framed as cross-domain attack chains, with the detection script behind every finding.

Empty ACLs, scoped-app cross-scope grants, AI agent role-mask gaps, audit forensic blind spots. Mapped to NIS2, DORA, and ISO 27001 at the article level.

Detection engine is open source — github.com/nowisor/instance-scan-pack · Apache-2.0

100+ Attack Scenarios
14 Security Domains
Open Source Detection Engine
NIS2 · DORA · CRA · EU AI Act · ISO 27001 · GDPR
The Risk

Gaps That Standard Reviews Miss

Configuration Blind Spots

Misconfigured ACLs, exposed endpoints, and sys_properties that create exploitation paths invisible to standard reviews.

Missing Compliance Evidence

NIS2, DORA, and EU AI Act require instance-specific technical evidence — not generic policy documents.

Unreviewed Integrations

Every integration, MID Server, and OAuth token is a potential lateral movement path.

Why This Exists

Built by a ServiceNow Security Practitioner

After ten years as Principal Security Advisor in ServiceNow's Office of the CISO, I saw every enterprise hit the same blind spots. Nowisor makes that expertise accessible on demand.

Rachid Harrando — Founder
Former Principal Security Advisor, ServiceNow Office of the CISO (10 years) · Co-founder, Black Hat Arsenal · 100+ enterprise instances advised
Author of Securing ServiceNow: A CISO's Field Guide (Leanpub, 2026) →

Real Attack Scenarios
Grounded in real table structures, GlideRecord queries, and confirmed exploitation paths.

Production-Ready Scripts
Exact table names, field names, and API patterns — verified against real instances.
From the Author

Securing ServiceNow: A CISO's Field Guide

248 pages. Platform hardening, API defense, and EU regulatory readiness — written by the founder of Nowisor.

Read on Leanpub →
Buy on Amazon →
How It Works

Three Steps

1. Ask Your Question

Describe your concern in plain language — ACL gaps, integration risks, compliance requirements, attack paths.

2. Get Expert Analysis

Receive attack chains, detection scripts, and compliance mappings specific to your ServiceNow configuration.

3. Fix and Evidence

Deploy scripts, close gaps, and generate auditor-ready compliance evidence.

4. Escalate to a Specialist (when needed)

Bring in a senior practitioner. Your full session context transfers automatically.

What You Get

What Every Query Delivers

Verified against live ServiceNow

Every property name, table reference, and detection script is verified against a real Zurich-release ServiceNow instance — not generated from training data. If a configuration claim cannot be proven on a live PDI, vSME does not ship it.

Independent verification, attack-chain framing

Instance Security Center, AI Control Tower, ISPM, and AISPM score the same configurations against ServiceNow’s own checklists. vSME audits them independently and frames them as cross-domain attack chains — empty ACLs combined with scoped-app cross-scope grants and AI agent role-mask gaps, not isolated checklist items.

Attacker-relevant analysis

Findings are framed as attack paths an adversary would actually exploit, not as generic policy violations. Cross-scope privilege records, AI agent role-mask gaps, fabricated property recommendations from older guides — vSME surfaces what matters to an attacker.

Mapped to NIS2, DORA, ISO 27001, NIST CSF

Every finding maps to specific framework articles — NIS2 Article 21 sub-points, DORA Article 9, ISO 27001 Annex A controls, NIST CSF functions. Coverage scope is declared honestly: comprehensive where it is, partial where it is, never overclaimed.

Detection scripts you can run yourself

Every finding includes the exact ServiceNow Background Script that produced it. Copy, paste, run on your own instance — no black box, no vendor dependency. The methodology is the deliverable as much as the findings.

Audit-ready evidence trail

Reports include verified configuration values, framework citations, and verification scripts — auditable artifacts your assessor or regulator can validate independently. Built for the moment a CISO has to defend a finding under questioning.

Exercised risk vs dormant misconfiguration

Findings tell you what is misconfigured; the twin-sensor log-export tells you which misconfigurations are actually being exercised. A sustained brute-force against an unprotected admin endpoint is not the same risk class as a dormant, unaudited table. The Active Risk Report correlates each finding against 7 days of runtime activity (sys_audit, sysevent, syslog_transaction) and marks every verdict EXERCISED, DORMANT, NOISE, or INVESTIGATE — qualified by log-export coverage at every step.
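As an added illustration (not Nowisor's code, which this page does not show), the Python below sketches the correlation the Active Risk Report describes: each static finding names the log table that would record it being exercised, the 7-day export is filtered to matching rows inside the window, and one of the four verdicts is assigned. The findings, the log rows, the NOISE_THRESHOLD cut-off, and the meaning given to each verdict (in particular, INVESTIGATE when the table that would show exploitation was not in the export) are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 7
# Assumed cut-off: fewer matching events than this in the window is reported as NOISE.
NOISE_THRESHOLD = 3

# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def _ev(source, days_ago, **fields):
    """Build one constructed log row from the named export table."""
    row = {"source": source, "ts": NOW - timedelta(days=days_ago)}
    row.update(fields)
    return row


# Constructed log export (not from any real instance).
EVENTS = (
    # 40 failed admin logins over the last two days: a sustained brute-force.
    [_ev("sysevent", 2 - i / 40, name="login.failed", parm1="admin") for i in range(40)]
    # One REST read of a table with an empty read ACL, inside the window...
    + [_ev("syslog_transaction", 1, url="/api/now/table/x_vendor_secrets", user="jsmith")]
    # ...and one 10 days ago, outside the window, which must be ignored.
    + [_ev("syslog_transaction", 10, url="/api/now/table/x_vendor_secrets", user="jsmith")]
    # sys_audit rows are present but the table is marked as not exported (see COVERAGE).
    + [_ev("sys_audit", 3, tablename="sys_scope_privilege", fieldname="operation")]
)

# Which log tables the export actually covered for the window (constructed).
COVERAGE = {"sysevent": True, "syslog_transaction": True, "sys_audit": False}

# Constructed findings. Each names the log table that would record it being exercised
# and a matcher over that table's rows.
FINDINGS = [
    {"id": "F1", "title": "Empty read ACL on x_vendor_secrets", "source": "syslog_transaction",
     "match": lambda e: e.get("url", "").startswith("/api/now/table/x_vendor_secrets")},
    {"id": "F2", "title": "Admin login not rate-limited", "source": "sysevent",
     "match": lambda e: e.get("name") == "login.failed" and e.get("parm1") == "admin"},
    {"id": "F3", "title": "Integration user holds admin role", "source": "syslog_transaction",
     "match": lambda e: e.get("user") == "integration.svc"},
    {"id": "F4", "title": "Cross-scope privilege x_app -> global", "source": "sys_audit",
     "match": lambda e: e.get("tablename") == "sys_scope_privilege"},
]


def classify(finding, events, coverage, now=NOW):
    """Return (verdict, hit_count) for one finding.

    INVESTIGATE: the log table that would show exploitation was not exported,
                 so no runtime verdict can honestly be given.
    DORMANT:     the table was exported and nothing matched inside the window.
    NOISE:       a handful of matches below NOISE_THRESHOLD (assumed cut-off).
    EXERCISED:   sustained matching activity inside the window.
    """
    source = finding["source"]
    if not coverage.get(source, False):
        return "INVESTIGATE", 0
    start = now - timedelta(days=WINDOW_DAYS)
    hits = [e for e in events
            if e["source"] == source and start <= e["ts"] <= now and finding["match"](e)]
    if not hits:
        return "DORMANT", 0
    if len(hits) < NOISE_THRESHOLD:
        return "NOISE", len(hits)
    return "EXERCISED", len(hits)


def active_risk_report(findings=FINDINGS, events=EVENTS, coverage=COVERAGE, now=NOW):
    """Map finding id -> (verdict, hit_count) across the whole export."""
    return {f["id"]: classify(f, events, coverage, now) for f in findings}


if __name__ == "__main__":
    for fid, (verdict, n) in active_risk_report().items():
        title = next(f["title"] for f in FINDINGS if f["id"] == fid)
        print(f"{fid} {verdict:<11} hits={n:<3} {title}")
```

The coverage check comes first on purpose: a finding whose evidence table was never exported must not be reported as DORMANT, because absence of evidence in an export that does not contain that table is not evidence of absence.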

Why nowisor can be trusted

Verification methodology, not promises

nowisor is built by Rachid Harrando — author of Securing ServiceNow, former Principal Security Advisor at ServiceNow's Office of the CISO, co-founder of Black Hat Arsenal. 25 years of practitioner-level findings, encoded into a system that refuses to ship anything it cannot prove against a live ServiceNow instance.

The verification methodology is public: every property reference is checked against a version-pinned ServiceNow schema dump (Zurich Patch 6, 3,585 properties, captured and archived). Every detection script is tested against a live PDI before it ships. Every finding cites its evidence.

The detection engine is open source under Apache-2.0 at github.com/nowisor/instance-scan-pack. Every check the advisor reads from your instance was produced by code you can inspect, fork, or run on your own without depending on nowisor.com at all. The advisor is the value-add; the detection is the floor — and the floor is yours.

Why You Can Trust The Answer

Guardrails, Not Guesswork

Schema-Verified Scripts

Generated code is bound to a release-pinned catalog of 141 ServiceNow table schemas and 95 system properties. Fabricated tables, fields, or API names can't leave the pipeline.

Hallucination Detectors

Every answer passes through nine automated detectors — uncited claims, unknown KB IDs, self-contradictions, prescriptions without diagnosis — before it reaches you.

Cited To The KB

Claims link back to specific knowledge-base articles with IDs validated post-response. If the source isn't there, the citation doesn't ship.

Bound To Your Instance

On Enterprise, your tenant's actual schema is extracted on connect so scripts target your customizations — not a generic template.

Render-Time Redaction

Fabricated property names and unsupported claims are stripped before display — not quietly flagged in a log you'll never read.

Per-Message Scoring

Every response carries a quality signature tracked in the admin console. Regressions are visible; drift is auditable.

What's at Stake

Real Attack Scenarios From Real Instances

  • A SAML misconfiguration chained with a side-door endpoint giving an external attacker admin access
  • Integration credentials stored in plain text, one API call from lateral movement into your directory
  • A prompt injection that escalates through your AI agent to server-side code execution
  • A malicious code package promoted to production because no one reviewed the embedded scripts

For Consulting Teams

Scale Your ServiceNow Security Practice

Deliver Faster

Run a full security assessment in hours, not weeks. Pre-built attack paths and detection scripts across 14 domains.

Consistent Methodology

Every engagement uses the same adversarial framework — repeatable, auditable, defensible.

Compliance-Ready Deliverables

Generate NIS2, DORA, and ISO 27001 evidence mapped to each client's configuration.

Access

Priced per instance. Not per message.

One ServiceNow security assessment by hand is three to five days of senior consultant time. Nowisor delivers it in hours — connect an instance, get attack-chain findings and auditor-ready NIS2/DORA/ISO 27001 evidence. Pay for the instances you audit, not the keystrokes.

Free

Recon

For practitioners and evaluators who want to see a real finding first.

€0

No credit card required

25 queries · 1 instance

  • All 14 security domains
  • 1 attack-path chain
  • Detection scripts — copy & run on your own instance
  • NIS2, DORA, CRA, ISO 27001, GDPR mappings
  • Open-source detection engine (Apache-2.0)
Start Free

Solo

Practitioner

For platform owners and solo security architects hardening one instance.

€149/ month

or €1,490/year — two months free

1 connected instance · unlimited advisor

  • Everything in Recon
  • Unlimited attack-path chains
  • 1 full automated scan / month
  • Instance integration (OAuth, read-only)
  • Interactive report + PDF export
Start 14-Day Trial

Internal teams

Enterprise

For security teams owning a production instance who need continuous, defensible evidence.

Custom

Talk to the founder — 30 min, no pitch

Production instance · SSO · continuous scanning

  • Everything in Consultant
  • Continuous automated 200-point scan
  • Real-time attack-path evaluation
  • Active Risk Report with log-export correlation
  • SSO / SAML, audit log, priority support
  • Tenant schema extraction — scripts target your customizations
Talk to the Founder

The math: a manual ServiceNow security review runs €5,000–7,500 in senior consultant time per instance; enterprise config-review engagements run €15,000–40,000. The Consultant tier covers a full year for less than one billable engagement — and turns every client instance into repeatable margin.

All plans include the open-source detection engine. Annual billing available on every paid tier. Switch or cancel anytime. EU data processing · GDPR compliant.

Know Your Exposure

25 free queries. No credit card.

ASK YOUR FIRST QUESTION