NSG Analysis

Source: 10.0.1.5   Destination: 10.0.3.12   Port: 5432   Protocol: TCP

ALLOWED by rule #1040 on nsg-frontend · Priority 100 · Action: Allow

PRIORITY  ACTION  SOURCE          DESTINATION     PORT  STATUS
100       Allow   10.0.1.0/24     10.0.3.0/24     5432  MATCH
200       Allow   VirtualNetwork  VirtualNetwork  Any   Not matched
300       Deny    Internet        Any             Any   Shadowed
4096      Deny    Any             Any             Any   Default rule

Rules evaluated in priority order. First match wins. NSG: nsg-frontend
Rule Explainability

Stop guessing which rule is doing what

Firewall rule sets grow over years, added by engineers who have since left, with no documentation on what they do. Nobody removes rules because nobody knows if something still depends on them. Siriqo evaluates applicable rules in correct priority order and shows you exactly which one matched — for any source, destination, port, and protocol.

  • Platform-correct priority evaluation across all providers
  • Full rule attribution — not just allowed or blocked
  • Audit-ready export of the complete evaluation chain
  • Safe rule decommissioning — verify before you remove

The problem organisations face

Firewall rule sets are among the most complex and least understood artefacts in enterprise IT. They grow incrementally over years, with no single person understanding the full picture.

Nobody knows what half the rules do

Rules added years ago by engineers who have since left carry no documentation. Nobody removes them because nobody knows if something still depends on them. The rule set accumulates entropy.

Priority ordering is non-obvious

NSGs, Azure Firewall, AWS security groups, and on-premises firewalls all have different priority models. Predicting which rule wins when multiple rules could match requires detailed knowledge of each platform.

Audit evidence requires traceable rule attribution

"We have a rule blocking that traffic" isn't enough for a compliance audit. Auditors want to see the specific rule, its configuration, and evidence that it would actually match the relevant traffic.

Decommissioning rules is high-risk without visibility

Removing seemingly redundant rules carries risk when you can't verify they're truly unused. Teams leave rules in place "just in case" — and the rule set keeps growing.

What you get

  • Precise rule attribution

    Know exactly which rule matched, not just whether traffic is allowed or blocked — with direct links to the rule in your cloud console.

  • Priority chain visualisation

    See candidate rules in evaluation order — which rules were considered before the match, and which would have applied if the match hadn't fired.

  • Audit-ready exports

    Export the rule evaluation report as evidence for compliance audits, change management records, or security assessments.

  • Safe rule decommissioning

    Verify whether a rule is the active match for any traffic before removing it — so you can clean up rule sets with confidence rather than anxiety.
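As an added illustration (not Siriqo's code), the first-match-wins walk over the nsg-frontend rule set shown at the top of this page, together with the "is this rule the active match for any traffic" check described under safe rule decommissioning. The VirtualNetwork address space and the treatment of the Internet tag as "anything outside that space" are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the space behind the VirtualNetwork tag; "Internet" is simplified to "outside it".
VNET = ipaddress.ip_network("10.0.0.0/16")

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str        # "Allow" or "Deny"
    source: str        # CIDR, "VirtualNetwork", "Internet" or "Any"
    destination: str
    port: str          # "Any" or a single port
    protocol: str = "Any"

# The nsg-frontend rule set shown at the top of the page.
NSG_FRONTEND = [
    Rule(100, "Allow", "10.0.1.0/24", "10.0.3.0/24", "5432", "TCP"),
    Rule(200, "Allow", "VirtualNetwork", "VirtualNetwork", "Any"),
    Rule(300, "Deny", "Internet", "Any", "Any"),
    Rule(4096, "Deny", "Any", "Any", "Any"),  # default rule
]

def _addr_ok(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec in ("VirtualNetwork", "Internet"):
        return (ip in VNET) == (spec == "VirtualNetwork")
    return spec == "Any" or ip in ipaddress.ip_network(spec)

def evaluate(rules, src, dst, port, proto="TCP"):
    # Priority order, first match wins; the trace covers only rules actually evaluated.
    trace = []
    for rule in sorted(rules, key=lambda r: r.priority):
        hit = (_addr_ok(rule.source, src) and _addr_ok(rule.destination, dst)
               and rule.port in ("Any", str(port)) and rule.protocol in ("Any", proto))
        trace.append((rule.priority, "MATCH" if hit else "Not matched"))
        if hit:
            return rule, trace
    return None, trace  # unreachable while a catch-all default rule exists

def removal_impact(rules, priority, flows):
    # Decommissioning check: verdict and attribution per flow before/after removing one rule.
    remaining = [r for r in rules if r.priority != priority]
    out = {}
    for flow in flows:
        before, _ = evaluate(rules, *flow)
        after, _ = evaluate(remaining, *flow)
        out[flow] = (before.action, before.priority, after.action, after.priority)
    return out
```

For the page's flow, removing rule 100 leaves the action at Allow but shifts attribution to rule 200, which is exactly the kind of "seemingly redundant" rule that still matters for audit evidence.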