tandemOPS
AI-NATIVE · ENTERPRISE RMM

Operations that think in tandem.

tandemOPS is the Remote Monitoring & Management platform with a built-in AI that sees, decides, and acts. Servers, workstations, VMs, network: from 1 endpoint to 10,000.

12,847 endpoints managed · 99.97% uptime SLA · <30ms telemetry latency · SOC 2 aligned
SRV-PROD-01 · CPU 34%
SRV-PROD-02 · CPU 41%
SRV-DB-04 · RAM 91%
SRV-WEB-07 · OFFLINE → AI investigating · 0.4s
↑ 12,840 ONLINE
! 14 WARNINGS
218 patches pending
Backup OK · 412 GB
01 — TELEMETRY

Monitor every device.

CPU, RAM, disk, network, processes, services, certificates, patches. Real-time telemetry under 30ms latency. Configurable thresholds. Drift detection. CIS hardening baselines.

Linux · Windows · macOS · VM · Network · SNMP discovery
Live fleet heatmap · 12,847 endpoints · STREAMING
12,840 online · 34% CPU avg · 14 warning · 48ms latency
02 — REMOTE HANDS

Hands on, from anywhere.

Full shell, file browser, visual desktop via WebRTC with built-in TURN relay. Multi-display, clipboard sync, session recording. Native Tauri viewer and helper apps for macOS and Windows.

Terminal · File browser · Desktop · WebRTC · TURN relay · Recording
⬣ Remote · SRV-PROD-01.acme REC WebRTC · 18ms · 1080p · audio
Terminal · bash
$ systemctl status nginx
● Active: running
Memory: 124.3M
$ tail -f access.log
10.1.0.4 GET /api 200
10.1.0.7 401 retry
File Browser · /etc/nginx
📁 conf.d/
📁 sites-enabled/
📄 nginx.conf · 4.2KB
📄 mime.types · 1.1KB
✓ uploaded: deploy.sh
htop · live
CPU [▓▓░░] 34%
MEM [▓▓▓░] 62%
NET ↓ 142 KB/s
kbd active · clipboard synced · audit log recording session #f8a3 · 12m elapsed
03 — AUTOMATION

Scripts at scale.

PowerShell, Bash, Python across thousands of endpoints. Maintenance windows, update rings (Pilot → Early → Broad), reusable playbooks, watchdog self-healing for agent processes.

PowerShell · Bash · Python · Maintenance windows · Update rings · Playbooks
deploy.sh healthcheck.ps1 cleanup.py
# tandemOPS playbook · rolling app deploy
for host in $(tandem fleet --tag=prod); do
  # Report success only when the restart command exits 0 on that host
  if tandem run --on="$host" "systemctl restart app"; then
    tandem alert --ok "$host deployed"
  fi
done
# risk: medium · ring: broad
SRV-PROD-01 · executed · 0.42s
SRV-PROD-02 · executed · 0.51s
SRV-PROD-03 · running...
SRV-PROD-04 · pending
WS-DEV-0001 · queued
04 — PATCH MANAGEMENT

Patch what's broken.

OS and application patches. Approval workflows. Deployment rings for safe rollout. CIS hardening checks. Configuration drift detection. Audit baselines for compliance.

OS patches · App patches · CIS hardening · Drift detection · Approval flow
KB5034441 · Windows 11 cumulative
ring: BROAD · 142 of 218 endpoints · ETA 9 min
DEPLOYING
CVE-2026-1138 · openssl-3.2.1
ring: BROAD · 218 of 218 endpoints · done 02:14
COMPLETE
KB5039441 · Server 2022 security
ring: PILOT · 42 of 84 endpoints
PILOT
Chrome 124.0.6367 · macOS
approval queue · 38 endpoints · CIS aligned
APPROVAL
05 — BACKUP & DR

Snapshot. Verify. Recover.

Restic snapshots to S3-compatible storage. Bare-metal recovery for Windows. Hyper-V and SQL Server application-aware. Cloud-to-cloud M365 (Email, OneDrive, SharePoint, Teams). RTO < 1h, RPO < 15min.

Restic · S3 · Bare-metal · Hyper-V · SQL Server · M365 C2C
Snapshot history · ACME workspace · RUNNING
Mon 408G · Tue 410G · Wed 411G · Thu 411G · Fri (now) 412G · Sat · Sun
Creating snapshot · Friday 09:42 · ENCRYPTING · UPLOAD
Restic dedupe 67% · Encryption AES-256 · ETA 3 min
06 — SECURITY

Privileged. Paranoid.

Argon2id, JWT 15min, TOTP MFA, RBAC + PostgreSQL Row-Level Security forced, AES-256-GCM at rest, TLS 1.2+ in transit. Rate limit fail-closed. Audit log on every action. 5 SAST scanners in CI. SOC 2 aligned.

Argon2id · TOTP MFA · RLS forced · AES-256-GCM · Audit log · SOC 2
Identity verified
cornel@cornelcaba.com
Argon2id password · hash verified · 142ms · PASS
TOTP MFA · 6-digit code accepted · PASS
JWT signed · 15min · RS256 · kid:k8a2 · PASS
Row-Level Security · tenant=acme enforced by Postgres · PASS
Rate limit · Redis sliding · fail-closed · PASS
AES-256-GCM payload · encrypted at rest · PASS
Audit log → S3 · actor + scope tracked · LIVE
07 — AI BRAIN

An AI that thinks and acts.

Claude Agent SDK integrated. Tool calling on every device. Risk engine classifies every action: Low auto-executes, Medium notifies, High requires approval, Critical is blocked entirely. The AI cannot bypass the engine.

Agent SDK · Tool calling · Risk engine · BYOK · Audit trail
08 — INTEGRATIONS

Open to everyone.

Built-in MCP server with OAuth 2.1 + PKCE. Connect Claude.ai, ChatGPT, Cursor — any MCP-aware AI agent. EDR integrations (SentinelOne, Huntress) with risk-classified actions. PSA and documentation platforms coming.

MCP server · OAuth 2.1 · Claude · ChatGPT · SentinelOne · Huntress
MCP topology · OAuth 2.1 + PKCE · 6 clients
Claude.ai · ChatGPT · Cursor · SentinelOne · Huntress · M365
REQUEST FEED · LIVE
Claude · list_devices(filter=warn) · 200 · 24ms
S1 EDR · isolate_endpoint(srv-07) · queue · risk:H
Cursor · get_patch_status · 200 · 12ms
Huntress · correlate_incident(IOC) · 200 · 88ms
ChatGPT · run_script(cleanup) · queued
M365 · backup_mailbox · 200 · 412ms
Claude · create_remediation · approved

Click around. It's real.

A live mockup of tandemOPS with demo data — switch tabs, search devices, expand alerts, run remediation. Everything reacts.

tandemops.app/dashboard
CORTEX · ONLINE · 12.8k DEVICES

Good morning, Cornel

Last sync · 13 May 2026 · 09:42 UTC
Online: 12,840 (+12 last 24h) · Critical: 3 (2 auto-resolved) · Warnings: 14 (7 acknowledged) · Patches pending: 218 (in approval queue)

Telemetry · CPU avg · LIVE (chart, 09:28 to 09:42)

Recent alerts

SRV-WEB-07 unreachable · ICMP timeout · 3 min ago
SRV-DB-04 RAM 91% · threshold 85% · 12m ago
SRV-MAIL-02 recovered · AI auto-remediated · 18m

An agent that investigates, decides, and remediates.

Powered by Claude Agent SDK. Every action passes through the risk engine — enforced by the RMM, not the AI. The AI cannot bypass it.

Claude Agent SDK · Risk engine · Audit-logged
C: Why is SRV-WEB-07 offline?
AI: On it.
→ get_device_details(ws-07) ✓ 0.4s
→ get_event_log(1h) ✓ 0.8s
→ ping_check(ws-07) ✓ 1.2s

Kernel panic at 09:38. nginx.service failed-dependency on postgres. Postgres is back. I can restart nginx.

⚠ Risk: HIGH · service restart on prod

Every device. Real time.

Hardware, software, network, security. Custom fields, tags, advanced filtering. Hierarchical configuration policies that cascade with override at any level.

Sees it. Before you.

Health checks with configurable thresholds, drift detection, CIS hardening baselines, network discovery (ARP, ICMP, port, SNMP). Alerts routed by severity, webhook delivery, escalation policies, audit log.

Live alert feed

STREAMING · 12,847 endpoints

Shell into anything. Remote desktop. File browser.

Full shell, file transfer, visual remote control via WebRTC with built-in TURN relay for NAT traversal. Multi-display, clipboard sync. Audit log on every command, recorded sessions.

cornel@SRV-WEB-07 — bash — 80×24
REMOTE RECORDING AUDIT-LOG

One brain. Every datacenter.

tandemOPS orchestrates across multiple regions, sites, organizations. The AI works in tandem with your team — never above, never alone. Cross-tenant intelligence, automated playbooks, proactive remediation.

LOW: auto-execute · MEDIUM: notify · HIGH: approve · CRITICAL: blocked

Snapshot. Verify. Recover.

Restic-based endpoint snapshots to S3-compatible storage. Bare-metal recovery for Windows endpoints. Hyper-V and SQL Server application-aware. Cloud-to-cloud M365 for email, OneDrive, SharePoint, Teams. RTO < 1h, RPO < 15min.

Endpoint snapshots: Restic · dedupe · encrypted · 412 GB · 11min
Bare-metal recovery: Windows endpoints · full disk restore · verified · 02:14
Hyper-V · SQL Server: application-aware · transactional · snapshot ok
M365 cloud-to-cloud: Email · OneDrive · SharePoint · Teams · 12 tenants
Disaster recovery: RTO < 1h · RPO < 15min · 3 sites failover

Privileged. So paranoid.

tandemOPS has root on every device it manages. Every layer is hardened — Argon2id, RLS, AES-256-GCM, audit log, fail-closed rate limit, signed agent binaries. SOC 2 aligned.

AUTH

Argon2id + TOTP MFA

Argon2id passwords, JWT 15-min expiry, TOTP MFA, SHA-256 hashed tokens, email verification on signup.

RBAC + RLS

Row-Level Security

PostgreSQL RLS forced on every tenant table. Even table owners can't bypass. RBAC with scope-based multi-tenancy.

CRYPTO

AES-256-GCM at rest

TLS 1.2+ in transit, HSTS preload, no plaintext secrets stored anywhere.

AGENT

Hardened agent

Bearer token SHA-256 hashed, 0600 config permissions, Ed25519 signed releases, optional Cloudflare mTLS.

RATE LIMIT

Fail-closed

Redis sliding-window on all auth endpoints and agent APIs. Fail-closed if Redis is unavailable.
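
An added example (not tandemOPS code) of what fail-closed means for a sliding-window limiter: when the counter store errors, requests are refused instead of passed. `MemoryStore`, `makeLimiter`, the 503 status and the 3-per-60-seconds limit are assumptions for illustration; the store is a synchronous in-memory stand-in for Redis.

```javascript
// MemoryStore is a constructed, synchronous stand-in for Redis (real clients are async).
class MemoryStore {
  constructor() { this.hits = new Map(); this.down = false; }
  // Record a hit at `now` and return how many hits fall inside the window.
  // Refused attempts are recorded too, so hammering keeps the window full.
  hitAndCount(key, now, windowMs) {
    if (this.down) throw new Error("store unavailable");
    const recent = (this.hits.get(key) || []).filter((t) => t > now - windowMs);
    recent.push(now);
    this.hits.set(key, recent);
    return recent.length;
  }
}

function makeLimiter(store, { limit, windowMs, failClosed = true }) {
  return function check(key, now = Date.now()) {
    try {
      const count = store.hitAndCount(key, now, windowMs);
      return count <= limit
        ? { allowed: true, status: 200, remaining: limit - count }
        : { allowed: false, status: 429, reason: "rate_limited" };
    } catch (err) {
      // Store outage: a fail-open limiter would pass every request,
      // dropping brute-force protection exactly when it cannot count.
      return failClosed
        ? { allowed: false, status: 503, reason: "limiter_unavailable" }
        : { allowed: true, status: 200, reason: "limiter_bypassed" };
    }
  };
}

// Constructed scenario: 3 login attempts per 60 s per client key.
function demo() {
  const store = new MemoryStore();
  const closed = makeLimiter(store, { limit: 3, windowMs: 60000 });
  const open = makeLimiter(store, { limit: 3, windowMs: 60000, failClosed: false });
  const key = "login:10.1.0.7";
  const t0 = 1000000;
  const burst = [0, 1, 2, 3].map((i) => closed(key, t0 + i * 1000).status);
  const afterWindow = closed(key, t0 + 64000).status; // earlier hits have aged out
  store.down = true; // simulate the store becoming unreachable
  return {
    burst, afterWindow,
    outageClosed: closed(key, t0 + 65000).status,
    outageOpen: open(key, t0 + 65000).status,
  };
}
```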

VALIDATION

Zod schemas

Every external input validated: API requests, WebSocket messages, query parameters.

AI SAFETY

Risk engine

Risk-classified action engine. Dangerous operations require human approval. Critical operations blocked entirely.
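
An added example (not tandemOPS code) of a gate that enforces the Low / Medium / High / Critical rule described on this page outside the AI: the agent can only submit tool calls, and the gate decides whether they run. The class `RiskGate`, the tool names, their risk levels and the approver shape are assumptions for illustration.

```javascript
// Constructed classification table; a Map avoids inherited keys such as "constructor".
const RISK = new Map([
  ["get_device_details", "LOW"], ["run_script", "MEDIUM"],
  ["restart_service", "HIGH"], ["wipe_disk", "CRITICAL"],
]);

class RiskGate {
  constructor(execute, notify) {
    this.execute = execute;   // the only path to a device
    this.notify = notify;     // operator notification hook
    this.pending = new Map(); // approval id -> queued HIGH action
    this.audit = [];          // every decision is recorded
    this.nextId = 1;
  }
  log(actor, tool, risk, decision) {
    this.audit.push({ actor, tool, risk, decision });
    return { risk, decision };
  }
  // Every proposed tool call enters here; the agent holds no reference to execute().
  submit(actor, tool, args) {
    const risk = RISK.get(tool) || "CRITICAL"; // unclassified tools are denied
    if (risk === "CRITICAL") return this.log(actor, tool, risk, "blocked");
    if (risk === "HIGH") {
      const id = this.nextId++;
      this.pending.set(id, { actor, tool, args });
      return { id, ...this.log(actor, tool, risk, "pending_approval") };
    }
    if (risk === "MEDIUM") this.notify(`${actor} ran ${tool}`);
    const result = this.execute(tool, args);
    return { result, ...this.log(actor, tool, risk, "executed") };
  }
  // Approval is single-use and must come from a human other than the requester.
  approve(id, approver) {
    const job = this.pending.get(id);
    if (!job) return { decision: "unknown_or_used" };
    if (approver.kind !== "human" || approver.name === job.actor) {
      return this.log(approver.name, job.tool, "HIGH", "approval_rejected");
    }
    this.pending.delete(id);
    const result = this.execute(job.tool, job.args);
    return { result, ...this.log(approver.name, job.tool, "HIGH", "executed") };
  }
}
```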

SUPPLY CHAIN

5 SAST scanners

CodeQL, Gitleaks, npm audit, govulncheck, Trivy CVE scanning in CI.

AUDIT

Structured audit log

Actor tracking, org-scoped retention, S3 archival on every action.

ABUSE

Cross-tenant controls

Platform-admin suspend endpoint, email-verification gate, fail-closed token revocation.

OPS

Disaster recovery

Secret rotation runbooks, RTO < 1h, RPO < 15min, full restore verification.

COMPLIANCE

SOC 2 aligned

Full security whitepaper with SOC 2 mapping. Compliance evidence generation (LanternOps tier).

Open the cortex to everything.

Built-in MCP server with OAuth 2.1 + PKCE. Connect Claude.ai, ChatGPT, Cursor — or any MCP-aware AI agent. EDR integrations with risk-classified actions. PSA & documentation platforms coming.

MCP Server · OAuth 2.1 · CORE
Built-in. Connect any MCP-aware agent.
Claude.ai · ChatGPT · Cursor · READY
Connect AI agents over OAuth 2.1 + PKCE.
SentinelOne EDR · READY
Incident correlation · risk-classified actions.
Huntress EDR · READY
Threat detection · automated response.
PSA · ConnectWise · Autotask · HaloPSA · SOON
Ticketing & billing systems.
IT Glue · Hudu · SOON
Documentation platform integrations.

Per user. No endpoint cap.

3 months free on Starter. Pro for individuals, Business for teams. All plans include the AI Brain, multi-tenant hierarchy, audit log, SOC 2 alignment.

Starter
Try every feature, no commitment
0 for the first 3 months · then €7/mo
1 user · unlimited endpoints
  • Real-time monitoring · CPU, RAM, disk, network
  • Live alert feed · email + webhook delivery
  • Remote terminal (read-only)
  • Patch inventory (manual approval)
  • Community Discord support
  • No AI Brain
  • No automation playbooks
  • No backup & DR
Business
For teams & MSPs managing customers
30 / month
or €300/year · SAVE €60
Team workspace · unlimited users + endpoints
  • Everything in Pro
  • Team management · invite unlimited users
  • Multi-tenant · Partner → Org → Site → Device
  • RBAC · scope-based roles & permissions
  • SSO · SAML & OIDC
  • MCP server · OAuth 2.1 + PKCE for external AI
  • Compliance evidence · SOC 2, ISO 27001, HIPAA
  • Priority email + chat support · 4h SLA
All prices in EUR, VAT excluded. Annual billing saves ~17%. Cancel anytime during the free trial — no charge if you stop before day 91. See pricing FAQ.

Ready to operate in tandem?

14 days free. No credit card required. Cancel anytime.
