Skip to main content
C4CI

C4CI turns your live Azure infrastructure into C4 architecture diagrams — and lets you change it back.

C4CI Platform — Live Azure architecture as C4 diagrams. Connect your subscription, get L1–L4 diagrams in under 2 minutes.
C4CI Group Belgium

Product

  • Features
  • FAQ
  • Pricing
  • Roadmap
  • Security & Compliance

Docs

  • Quickstart
  • Architecture and Metrics
  • Changelog

Company

  • Join waitlist
  • Developer Contract
  • Contact
© 2026 C4CI Group Belgium. All rights reserved.
v0.1.0·Read-only first·No infra mutation without human approval·NIS2 / DORA ready
C4CI
HomeFeaturesPricingDemoSecurityDocs
WaitlistContactSign in
// Security & Compliance

Reader role only.

C4CI turns live Azure into C4 diagrams without asking for Contributor or Owner access. The platform is read-only by default, and the reviewed write path stays behind explicit human approval.

That keeps the first security conversation simple: least privilege for discovery, an immutable audit trail for control-plane changes, and a platform that helps teams prepare NIS2/DORA evidence without broad Azure permissions.

✓ Trust signal

Reader role only — Azure discovery works without Contributor or Owner access.

✓ Trust signal

Read-only first — the write path stays behind reviewed human approval.

✓ Trust signal

Auditable by design — control-plane mutations are recorded in an immutable audit log.

Access Model

Least privilege for the first security review.

C4CI is designed to make the access conversation easy. Discovery runs with Reader access only, and the platform stays read-only by default.

  • ✓Azure discovery uses Reader role only — no Contributor or Owner permissions are required to build diagrams or run scans.
  • ✓Protected product flows run behind identity-backed authentication and tenant-scoped access checks.
  • ✓The write path is separate from discovery. Generated OpenTofu changes still require explicit human review and approval before apply.
Auditability

Security teams need an answer for what changed.

Buyers and auditors ask who approved a change, what changed, and when it happened. C4CI keeps that answer close to the product surface.

  • ✓Control-plane mutations are recorded in an immutable audit log for operational and compliance review.
  • ✓Organisation-scoped data access and audit events support tenant isolation across the platform.
  • ✓Pro and higher tiers add drift detection so teams can compare approved architecture against live Azure state.
Operations

Security posture includes how the platform is run.

The trust story is not only about access control. Platform operations, recovery planning, and deployment guardrails matter too.

  • ✓Production architecture is designed for multi-AZ resilience, backup coverage, and documented recovery objectives.
  • ✓Recovery objectives and operational runbooks are defined for the platform instead of being left as sales-only claims.
  • ✓Image scanning, policy guardrails, and reviewed deployment workflows help reduce avoidable platform risk.
Compliance posture

Supports NIS2 and DORA evidence.

C4CI helps teams keep architecture evidence current: live diagrams replace stale documentation, drift detection shows where live Azure no longer matches the approved model, and higher tiers add exportable compliance reporting.

That supports audit preparation and procurement reviews. It does not replace your wider legal, governance, or operational compliance program.

Buyer proof points

Security reviews usually start with access, auditability, and how the platform behaves under change. Here is the short version.

Buyer questionC4CI answerAvailability
Can we connect safely?Yes. Azure discovery works with Reader role only, so teams do not need to grant Contributor or Owner access to get value from the platform.All tiers
Can we prove what changed?Control-plane mutations are recorded in an immutable audit log, and drift detection highlights where live Azure no longer matches the approved architecture.Audit: platform-level. Drift: Pro+
Can we export evidence?Pro includes PDF and PlantUML exports. Enterprise and PAYG add compliance reporting designed for procurement reviews and audit preparation.Pro+ exports. Enterprise/PAYG reporting
Can the platform change infrastructure by itself?No by default. C4CI is read-only first, and the reviewed write path stays behind explicit human approval before any apply step.Read-only default. Reviewed write path: Enterprise/PAYG

Pro includes drift detection plus PDF and PlantUML exports. Enterprise and PAYG add compliance reporting and the reviewed write path.

Frequently asked questions

Does C4CI need write access to Azure?

No. C4CI discovers infrastructure with Reader role only. That means no Contributor or Owner access is required to generate diagrams or run the read-only discovery flow.

Is C4CI always read-only?

Discovery, diagram generation, and drift analysis are read-only. The write path remains a reviewed workflow: users see the generated OpenTofu changes and must approve them before any apply step.

Which tiers include drift detection and compliance reporting?

Pro and above include drift detection plus standard exports. Enterprise and PAYG add compliance reporting and the reviewed write path for governance-heavy workflows.

Is this a certification or legal guarantee?

No. C4CI helps teams build evidence for security reviews, procurement, and NIS2/DORA readiness. It does not replace your wider legal, governance, or operational compliance program.

Read-only first · Least privilege for Azure discovery · Contact us for security review

No credit card required

Start free.
Scale when ready.

See your Azure architecture in under 2 minutes. Diagram depth and features unlock as you grow.

Free, Pro, Enterprise, PAYG — cancel any time. Sovereign deployment options for regulated industries.

Start free — connect Azure →See pricing →Live demoQuickstart guideJoin waitlistContact