Backed by mandō

Identity resolution at the process level.

Signum maps every UID, GID, group, and security context across your fleet in real time. Zero-trust identity infrastructure — from kernel to dashboard.

4.2M Identities Resolved / Day
0.3ms Mean Lookup Latency
99.999% Uptime SLA
signum — identity graph
$ signum --resolve
uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),44(video),100(users)
$ signum --user --name
alice
$ signum --groups --name
alice sudo video users
$ signum --context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Seven identity primitives. One unified graph.

Every flag from the original spec — hardened, distributed, and observable.

uid

Effective User ID

The -u primitive. Resolves the effective UID of the current process. Handles setuid binaries, privilege escalation contexts, and sudo transitions with zero ambiguity.

gid

Effective Group ID

The -g primitive. Returns the effective group ID for the running process. Critical for file permission resolution, shared resource access, and RBAC enforcement.

grp

Full Group Enumeration

The -G primitive. Enumerates all group IDs associated with the identity — primary, supplementary, and inherited. Complete membership graph in a single call.

→nm

Name Resolution Layer

The -n modifier. Translates numeric IDs into human-readable names. Pairs with -u, -g, and -G for audit-ready identity output across every context.

real

Real ID Introspection

The -r modifier. Returns the real ID instead of the effective ID. Essential for forensic analysis, privilege boundary detection, and identity drift auditing.

ctx

SELinux Security Context

The -Z primitive. Surfaces the SELinux security context of the current process. Mandatory access control visibility — user, role, type, and sensitivity level in one payload.

nul

Null-Delimited Output

The -z primitive. Delimits entries with NUL characters instead of whitespace. Built for pipeline-safe, machine-parseable identity streams at any scale.

From kernel to dashboard in four steps

Deploy enterprise-grade identity resolution without touching your auth stack.

01

Deploy Agent

Install the Signum agent on every node in your fleet. One binary, zero config. Auto-discovers user databases, NSS modules, and LDAP backends.

02

Map Identity Graph

Signum builds a real-time directed graph of every UID → GID → group membership relationship. Effective and real IDs tracked simultaneously.

03

Resolve on Demand

Query any identity primitive — user, group, all groups, names, real vs. effective, security context — via CLI, API, or SDK. Sub-millisecond response.

04

Audit & Enforce

Continuous identity posture monitoring. Detect privilege escalation, group drift, and context violations. Export to your SIEM. Enforce policies in real time.

Why Signum wins

Legacy identity tools weren't built for zero-trust, distributed infrastructure.

| Capability | Signum | Manual id(1) | DIY Scripts | Legacy IAM |
| --- | --- | --- | --- | --- |
| Real-time UID/GID resolution | ✓ | ✓ | ~ | ✗ |
| Full group enumeration | ✓ | ✓ | ~ | ✗ |
| SELinux context awareness | ✓ | ✓ | ✗ | ✗ |
| Distributed fleet coverage | ✓ | ✗ | ~ | ~ |
| Identity drift detection | ✓ | ✗ | ✗ | ~ |
| Audit-ready name resolution | ✓ | ~ | ✗ | ✓ |
| Pipeline-safe NUL output | ✓ | ✓ | ✗ | ✗ |
| Real vs. effective ID tracking | ✓ | ✓ | ✗ | ✗ |

Integrates with everything

Plug into your existing identity and security stack.

LDAP
Active Directory
Okta
AWS IAM
GCP IAM
Azure AD
Kubernetes RBAC
PAM
SELinux
Splunk
Datadog
HashiCorp Vault

Transparent pricing. No identity tax.

Start free. Scale with your fleet.

Community
$0/mo
  • Up to 50 nodes
  • UID / GID resolution
  • CLI access
  • Community support
Sovereign
Custom
  • Air-gapped deployment
  • FedRAMP / IL5 compliant
  • Dedicated identity mesh
  • On-prem control plane
  • 24/7 white-glove support
  • Custom SLA (99.999%+)

Trusted by identity-obsessed teams

"We replaced 14 custom scripts and two internal tools with Signum. One binary, one query, one source of truth for every UID across 3,000 nodes."

Lucia Romero, VP of Platform Engineering, Stratos

"The SELinux context flag alone saved our compliance team 200 hours per audit cycle. Signum makes mandatory access control actually observable."

Ayesha Nazari, CISO, Meridian Defense Systems

"The real vs. effective ID tracking caught a privilege escalation path we'd missed for two years. Signum is now a mandatory deployment across every environment."

Celeste Torres, Director of Security, Helios Cloud

"We pipe Signum's null-delimited output directly into our SIEM. Machine-parseable identity streams at 4M+ events per day, zero parsing errors."

Victor Park, Staff SRE, Lattice Infrastructure

Frequently asked questions

What's the difference between effective and real IDs?

The real ID is the identity of the user who started the process. The effective ID is the identity the process is currently running as — which may differ due to setuid binaries or privilege escalation via sudo. Signum's -r flag lets you introspect the real ID at any time, while the default returns the effective ID. Understanding this distinction is critical for security auditing.
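The distinction can be checked directly from the kernel's own view of a process. The following is an added example, not Signum code: it parses the `Uid:`/`Gid:` rows of Linux `/proc/<pid>/status` (columns: real, effective, saved-set, filesystem) and reports where real and effective IDs differ. The sample status texts and the function names are constructed for illustration.

```python
from typing import NamedTuple


class Ids(NamedTuple):
    real: int
    effective: int
    saved: int
    fs: int


def parse_status(text: str) -> dict:
    """Pull the Uid:/Gid: rows out of /proc/<pid>/status content."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Uid", "Gid"):
            fields = value.split()
            if len(fields) != 4:
                raise ValueError(f"malformed {key} line: {line!r}")
            out[key.lower()] = Ids(*map(int, fields))
    if set(out) != {"uid", "gid"}:
        raise ValueError("status text lacks Uid/Gid lines")
    return out


def id_findings(status: dict) -> list:
    """Report where a process runs as, or can switch to, another identity."""
    findings = []
    for kind in ("uid", "gid"):
        ids = status[kind]
        if ids.real != ids.effective:
            findings.append(f"{kind}: real={ids.real} effective={ids.effective}")
        elif ids.saved != ids.effective:
            # Effective matches real, but the saved-set ID still permits a switch.
            findings.append(f"{kind}: saved={ids.saved} effective={ids.effective}")
    return findings


# Constructed samples (not captured from a real host).
SETUID_PROC = "Name:\tpasswd\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"
DROPPED_PROC = "Name:\thelper\nUid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n"
PLAIN_PROC = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"

if __name__ == "__main__":
    for sample in (SETUID_PROC, DROPPED_PROC, PLAIN_PROC):
        print(id_findings(parse_status(sample)))
```

The second sample shows why the saved-set column matters for auditing: real and effective IDs match, yet the process can still return to UID 0.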

Does Signum replace my existing IAM solution?

No. Signum operates at the process level — it resolves the identity of the running process, not the user's organizational role. Think of it as the identity primitive that sits beneath your IAM stack. It integrates with LDAP, Active Directory, Okta, and PAM to provide ground-truth identity data to your existing toolchain.

How does the SELinux security context flag work?

The -Z flag surfaces the SELinux security context of the current process, formatted as user:role:type:sensitivity. This is mandatory access control metadata that exists independently of the standard Unix permission model. Signum makes it queryable via the same API as every other identity primitive.
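A parsing caveat for consumers of that string, shown as an added example rather than Signum code: the sensitivity field itself contains colons once categories are present, so a plain split on ":" yields the wrong number of fields. The context value is the one shown in the terminal output above; the function names are hypothetical.

```python
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    low: str    # low end of the sensitivity range
    high: str   # high end (equals low when no range is given)


def parse_context(raw: str) -> Context:
    """Split user:role:type[:level], keeping the level field intact."""
    parts = raw.strip().split(":", 3)  # at most 4 fields; level keeps its colons
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {raw!r}")
    level = parts[3] if len(parts) == 4 else ""
    low, _, high = level.partition("-")
    return Context(parts[0], parts[1], parts[2], low, high or low)


def categories(level: str) -> set:
    """Expand the category part of a level: 'c0.c3' is a range, ',' a list."""
    _, _, cats = level.partition(":")
    found = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")
        lo = int(first.lstrip("c"))
        hi = int(last.lstrip("c")) if last else lo
        found.update(range(lo, hi + 1))
    return found


# Context string as shown on this page.
PAGE_CONTEXT = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    ctx = parse_context(PAGE_CONTEXT)
    print(ctx)
    print("naive split fields:", len(PAGE_CONTEXT.split(":")))
    print("categories at high level:", len(categories(ctx.high)))
```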

What does null-delimited output mean?

The -z flag replaces whitespace delimiters with NUL characters (ASCII 0x00). This produces machine-parseable output that's safe for pipelines processing entries with spaces, special characters, or multi-byte encodings. Critical for high-throughput event streams and SIEM ingestion.
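What that safety buys a consumer, as an added example that is not Signum code: a chunked reader for NUL-delimited entries, compared against whitespace splitting of the same membership list. The group name containing a space and both byte strings are constructed samples; the function names are hypothetical.

```python
import io


def iter_nul_entries(stream, chunk_size=4096):
    """Yield entries from a NUL-delimited byte stream, read in chunks."""
    buf = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        # Everything before the last NUL is complete; the tail may be partial.
        *complete, buf = buf.split(b"\0")
        for entry in complete:
            yield entry.decode("utf-8", errors="surrogateescape")
    if buf:  # final entry without a trailing NUL
        yield buf.decode("utf-8", errors="surrogateescape")


def phantom_names(nul_bytes: bytes, text_bytes: bytes) -> list:
    """Names that appear only because whitespace splitting broke an entry."""
    real = set(iter_nul_entries(io.BytesIO(nul_bytes)))
    split = set(text_bytes.decode("utf-8").split())
    return sorted(split - real)


# Constructed samples: the same three groups in each delimiter style.
NUL_SAMPLE = b"alice\0domain users\0sudo\0"
TEXT_SAMPLE = b"alice domain users sudo\n"

if __name__ == "__main__":
    print(list(iter_nul_entries(io.BytesIO(NUL_SAMPLE))))
    print(phantom_names(NUL_SAMPLE, TEXT_SAMPLE))
```

With whitespace splitting, a membership check for a group named "users" would pass here even though the identity is only in "domain users".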

Can I resolve identity for a different user?

Yes. Signum accepts one or more usernames as arguments. Without arguments, it resolves the identity of the current process. With arguments, it resolves identity for each specified user — including their UID, GID, all groups, and optional security context.

Know who's running. Know everything.

Join 847 enterprise teams shipping identity-first infrastructure with Signum.

SOC 2 Type II · ISO 27001 · No credit card required
