Your codebase knows morethan your team does.Facet asks it.

Architecture and product intelligence from code.
Nine ISO 42010 views, business rules, threat models — in days, not months.

See what you get

Discuss your challenge

Architecture Analysis · Product Intelligence · Security Assessment · Migration Planning

Complete baseline
in days, not months

Nine ISO 42010 views
from one analysis

Product intelligence
extracted from code

facet-scan — architecture_overview.md

┌─ ARCHITECTURE_OVERVIEW.md
│
├─ components/
  ├─ AuthService.ts          [critical]  4 dependents
  ├─ PaymentGateway.ts       [critical]  3 dependents
  ├─ UserRepository.ts       [high]      2 dependents
  ├─ NotificationHub.ts      [medium]    1 dependent
  └─ CacheLayer.ts           [medium]    1 dependent
│
├─ data-flows/
  ├─ user-auth-flow          POST /auth → validate → token
  ├─ payment-flow            POST /pay → gateway → ledger
  ├─ notification-flow       event → queue → dispatch
  └─ cache-invalidation      write → purge → rebuild
│
├─ security/
  ├─ SEC-001  SQL injection       AuthService:47      ■ high
  ├─ SEC-002  Missing CSRF        PaymentGateway:12   ■ high
  ├─ SEC-003  Weak hashing        UserRepository:88   ■ medium
  └─ SEC-004  Verbose errors      CacheLayer:33       ■ low
│
├─ business-rules/
  ├─ BIZ-001  "Users must verify email before checkout"
  ├─ BIZ-002  "Refunds capped at 30 days from purchase"
  ├─ BIZ-003  "Rate limit: 100 req/min per API key"
  └─ BIZ-004  "Passwords expire after 90 days"
│
├─ risk-register/
  ├─ RSK-001  Single DB instance      likelihood: high
  ├─ RSK-002  No circuit breakers     likelihood: medium
  ├─ RSK-003  Unversioned API         likelihood: medium
  └─ RSK-004  Manual deployments      likelihood: low
│
└─ dependencies/
  ├─ express        4.18.2   ✓ current
  ├─ pg             8.11.3   ✓ current
  ├─ jsonwebtoken   9.0.0    ⚠ 1 CVE
  ├─ lodash         4.17.21  ⚠ deprecated methods
  └─ moment         2.29.4   ✗ EOL — migrate to dayjs

Component View

Data Flows

Security Controls

Business Rules

Risk Register

Dependencies

Why Facet

Architecture documentation decays the moment it ships

The people who built the system left. Diagrams are three years old. Business rules live in code nobody reads. The codebase is the only source of truth — and nobody reads it systematically.

Discovery burns the budget

Teams spend months mapping systems before transformation begins.

Product knowledge walks out

Use cases, business rules, and requirements exist only in code and in heads of engineers who left.

Security posture stays unknown

Vulnerabilities hide in authentication flows, dependencies, and access control — unreviewed.

Due diligence relies on memory

Assessments reflect what people remember, not what the code contains.

Not a SAST tool. SAST scans for known vulnerability patterns. Facet builds the structural and functional model of your system.

Not observability. Observability instruments running systems. Facet operates on the codebase itself.

Not a doc generator. Generators produce surface-level API docs. Facet produces nine architecture views, product specs, threat models, and migration roadmaps.

Architecture and product intelligence platform. Reads your codebase and replaces the manual engagement — senior architects and business analysts spending months — with AI agents operating on code.

How It Works

Four phases, standalone value at each

Each phase delivers independently — start with one repository and expand.

ExtractDeterministic tools

ScanPer-repo analysis

SynthesizeCross-repo unification

UpdateRe-run on change

Extract

SBOM, CVEs, complexity metrics, secret detection, license scanning. Deterministic tools run first to establish ground truth before AI agents begin.

Scan

Nine ISO 42010 architecture views, product specifications, quality assessment, risk register, and asset inventory — per repository. Three independent AI agents with 2-of-3 consensus.

Synthesize

Unified system model across all repositories. Reconcile naming conflicts, map cross-repo workflows, resolve data ownership, and build system-level traceability.

Update

Code changes trigger re-analysis. Merge a PR, re-run Facet, get updated documentation. Architecture docs stay current with the codebase.

Deterministic First

Dependency scanners, SBOM generators, vulnerability databases, complexity analyzers, secret detectors run before any AI agent. Every finding carries a confidence tag.

Multi-Instance Consensus

Three independent agents analyze the same code. Findings enter output only when two of three agree. Disagreements get flagged for review.

Nine ISO 42010 Views

Functional, component, data, deployment, technology, security, integration, operations, and history — each addressing a distinct stakeholder concern.

Read-Only

Facet reads source code. No modifications, no agents installed, no CI/CD integration required. No production access. No security objections.

What You Get

Every analysis delivers

Product Intelligence7

Product Description
Use Case Inventory
Business Rules Catalog
EARS Requirements
Capability Specifications
Entity Relationship Diagrams
Cross-Domain Traceability

Architecture Documentation4

Architecture Overview
9 ISO 42010 Views
Risk Register
Quality Assessment

Inventories4

Asset Inventory
Software Bill of Materials
Security Control Inventory
Findings Registry

Security & Compliance3

Threat Model
Vulnerability Report
Interface Contracts

Migration & Modernization3

Modernization Roadmap
Migration Plan
Gap Analysis

Manual vs Facet

Manual approach vs Facet

Dimension	Manual Approach	Facet
Timeline	3–6 months	Days
Source of truth	Interviews + old diagrams	Code
Coverage	Selective (what people remember)	Complete (every file, every dependency)
Product intelligence	Workshops with SMEs	Extracted from code
Accuracy over time	Decays immediately	Current on every re-run
Multi-system	Rare (too expensive)	Standard
Security analysis	Separate engagement	Included
Inventories	Manual spreadsheets	Automated with confidence tags
Repeatability	Start over each time	Re-run on demand

When teams use Facet

Planning modernizationCTO

Complete baseline + target architecture + migration roadmap

Product discovery on legacyCPO, product team

Use cases, business rules, requirements extracted from code

M&A due diligenceBoard, PE, acquirer

Evidence-based technical assessment in days

Security auditCISO, compliance

STRIDE threat model, vulnerability inventory, security posture

Tech debt quantificationCTO presenting to board

Risk register, quality metrics, prioritized remediation

New team onboardingEngineering lead

Complete system and product documentation

Java and .NET codebases receive dedicated 10-dimension audits on top of standard analysis. All other languages — COBOL, Python, TypeScript, Go, PHP — receive full architecture analysis with nine ISO 42010 views.

For Your Role

For your specific concerns

CTO

Before you commit to a target architecture, you need a baseline that reflects what you have — not what the last architect thought you had. Facet reads your code and produces complete current-state documentation, gap analysis against your target, and a migration roadmap with capability traceability. Discovery phase: days, not months.

You already have documentation? Documentation decays the day it is written. Your code does not.

CISO

Auditors ask for evidence. Penetration testers find what they find in a week. Facet reads your entire codebase and produces a STRIDE threat model, attack surface map, dependency vulnerability inventory, and security control assessment — derived from code, not interviews.

You have a SAST tool? SAST finds known vulnerability patterns. It does not produce a threat model or a security architecture view.

CPO

Your product runs on a codebase nobody fully understands. Use cases, business rules, and domain logic are locked in implementation — not written down anywhere a product team can read. Facet extracts product specifications from code.

You think the engineers know? They know their module. Nobody holds the full product model.

M&A / Due Diligence

Technical risk affects valuation. Technical surprises surface post-close. Facet produces an evidence-based technical assessment in days — covering architecture, security posture, dependency health, technical debt, and integration complexity.

Your technical advisors do this manually. Manual assessments sample the codebase. Facet reads every file.

Compliance / GRC

Auditors require architecture documentation. Engineering teams resist producing it. Facet derives ISO 42010-compliant architecture views, asset inventories, data flow documentation, and interface contracts directly from your codebase — without consuming engineering time.

Re-run before each audit cycle. The output reflects the current system.

Discuss your architecture challenge

Brownfield? Start here. Start with one repository. See what Facet produces. Each phase delivers standalone value.

Email us

Book a call

Or email us directly at hello@end.game