Now watching Cloudflare DNS · more providers incoming

Git for the config that actually breaks prod.

Most outages aren't caused by code — they're caused by a config change nobody saw. A DNS record flipped. A bucket went public. A webhook URL moved. ConfigTrace snapshots your infrastructure, diffs every change, and tells you how dangerous it was.

Connect your first provider → See how it works
configtrace diff · cloudflare-zone · sync #1284
CNAME api.example.comCRITICAL
- content: "prod.vercel.app"
+ content: "staging.vercel.app"
A example.com
- ttl: 3600
+ ttl: 60
→ 2 changes detected · 1 critical · live traffic may be rerouted
The blind spot
outside
GitHub.

The changes that take you down don't show up in a pull request. They happen in dashboards, CLIs, and consoles — with no history, no diff, and no review.

  • ×DNS record changed — silently, by anyone with access
  • ×S3 bucket became public — no alert, no trail
  • ×Firebase rule opened up — wide open overnight
  • ×Stripe webhook URL moved — payments quietly drop
  • ×OAuth callback broke — logins fail in prod
  • ×Cloudflare routing changed — traffic goes elsewhere
The full flow

Snapshot. Diff. Risk-assess. Repeat.

ConfigTrace treats your live infrastructure like a repository — every sync is a commit, every change is reviewable.

01 · CONNECT

Connect infrastructure

Give ConfigTrace a scoped API token and an account, zone, or project ID. Credentials are encrypted at rest and never shown again.

02 · SNAPSHOT

Capture state

ConfigTrace pulls the current configuration — every DNS record, rule, and setting — and freezes it as an immutable snapshot of that moment.

03 · SYNC

Re-sync over time

On a schedule or on demand, it fetches fresh state and lines it up against the last known-good snapshot.

04 · DIFF

Detect exact changes

A field-level diff engine surfaces precisely what moved: this record's content, this TTL, this rule — old value → new value.

05 · CLASSIFY

Score the risk

Each change becomes an event, scored from low to critical based on its blast radius. A TXT comment ≠ a rerouted CNAME.

06 · TIMELINE

See the history

A clear timeline of when, what, old value, new value, and risk — instead of "uhhh, why is prod broken?"

Risk engine

Not all changes are equal.

The intelligence layer. ConfigTrace weighs each change by its potential blast radius so you can triage at a glance.

Low
TXT comment changed
Cosmetic. No traffic or security impact.
Medium
New subdomain added
Expanded attack surface worth a look.
High
CNAME rerouted
Traffic could be flowing somewhere it shouldn't.
Critical
Root A record deleted
The entire site may be offline right now.
Integrations

One source of truth for every provider.

Start with DNS today. Connect the rest of your stack as ConfigTrace grows.

Cloudflare DNS AWS Stripe GitHub Vercel Firebase Supabase Shopify
Get started

Catch the change before the outage.

Connect a provider, take your first snapshot, and never wonder "what changed?" again.

Connect your first provider →