I've spent years in both federal IT and the private sector. Different budgets, different compliance regimes, different acronyms. Same problem.
Nobody has a good answer for "what's expiring and when?"
The enterprise side
On the federal side, there's no shortage of tooling. CyberArk for privileged accounts. Venafi or AppViewX for certificate lifecycle. SailPoint for identity governance. ServiceNow for tickets. Splunk for logs. Each one solves a slice of the problem, and each one costs six figures.
You've got SSL certs managed in one platform, API keys tracked in another, vendor-issued licenses in a spreadsheet someone started three years ago, and service account passwords that live in someone's head, across different teams. The enterprise tools handle their slice — sometimes beautifully — but the seams between them are where things fall through.
None of them give you a single pane of glass across all of it.
I've watched teams with seven-figure security budgets miss certificate renewals. Not because they lacked tools — but because the cert that expired wasn't in the system that sends alerts. It was in the other system. Or it was in no system at all — just a sticky note on a wiki page that nobody updated after the last rotation. Google, Spotify, and Microsoft have all had outages from expired certificates. The problem scales with you.
I once saw a Splunk license lapse at a federal organization. Splunk — the tool that's supposed to be watching everything else. Nobody tracked the license renewal because it wasn't in any of the security platforms. It was a procurement thing, an admin thing, someone else's thing. The outage was short, but the embarrassment lasted longer. When your monitoring platform goes down because nobody monitored its own expiry date, the irony writes itself.
The tooling exists. The visibility doesn't.
The commercial side
On the private sector side, I lived the problem firsthand. Smaller teams, smaller budgets, and the tracking situation was exactly what you'd expect: a spreadsheet.
Sometimes it was a good spreadsheet. Columns for credential name, service, expiry date, owner, notes. Color coding for urgency. Someone might even set up conditional formatting. All of it worked until it didn't — which was usually when the person who maintained it went on vacation, or changed roles, or left the company.
The failure mode is always the same: silence. A credential expires at 3am on a Saturday and nobody knows until customers start calling. Not because anyone was negligent, but because the system for tracking it was a file that required a human to remember to check it.
Calendar reminders help, but they don't scale. Set a reminder for 5 credentials and you're fine. Set reminders for 50 and you start ignoring them. Set them for 200 across a team and you've just created noise.
The gap
Here's what struck me after seeing both sides: the problem isn't technical sophistication. Federal agencies have incredibly capable security teams. Commercial shops have sharp (and overworked) engineers who know exactly what needs to rotate and when.
The problem is that there's no simple, central answer to a simple question: what credentials do we have, when do they expire, and who's responsible?
Enterprise platforms answer parts of that question for the credential types they manage. But they don't cover everything, and they're overkill if you're a 10-person IT team managing a mix of SSL certs, API keys, vendor licenses, and service account tokens.
Spreadsheets answer the question too — until they go stale. And they always go stale.
So I built something
I started building ExpiryPulse to fill that gap. Not an enterprise platform. Not a secrets manager. Just a dashboard that tracks what you have, when it expires, and who owns it — with email (and Teams) alerts so you don't have to remember to check.
One design decision I made early and never reconsidered: ExpiryPulse doesn't store your actual secrets. No passwords, no API key values, no private keys, no certificate files. It stores metadata — the name of the credential, the service it belongs to, the expiry date, and who's responsible for it. That's it. Coming from a cybersecurity background — I've spent years working with DLP, incident response, and data protection — I know exactly what happens when sensitive data gets concentrated in one place. It becomes a target. I didn't want to be in the business of storing your secrets. That's what vaults and secret managers are for. ExpiryPulse answers a different question: what do you have, when does it expire, and who's on the hook?
The core is simple on purpose. Add a credential — any type, SSL cert, API key, license, token, whatever — set the expiry date, assign an owner (or two), and forget about it. You'll get alerts at 30, 14, 7, and 1 day before expiry. If it expires, you get follow-up reminders so nothing goes quietly into the night.
A few features came directly from the pain I'd experienced:
CSV import. Because if I'm replacing a spreadsheet with 40 credentials in it, I'm not manually entering them one by one. That's a dealbreaker. Drag and drop a CSV file, map the columns, and you're running in five minutes.
SSL certificate scanning. Paste a domain, ExpiryPulse connects via TLS, reads the certificate chain, and auto-populates the credential details. The scan runs nightly to keep expiry dates current automatically.
Teams/Slack webhooks. Email is fine, but half the teams I've worked with live in, Teams or Slack. If a credential is about to expire, the alert should show up where people actually look.
Audit logging. Every change is timestamped with who did what. Not because I love logging, but because when an auditor asks "can you show me evidence of credential rotation?" you need more than "yeah, we do that."
What I learned building it
Sysadmins are skeptical of new tools, and rightfully so. The first reaction I got was "I can do this with a spreadsheet." And honestly? They're right — you can. But a spreadsheet works until the person maintaining it gets pulled into a P1 incident, goes on PTO, or moves to a different team. The spreadsheet doesn't know that nobody's looked at it in three weeks. It doesn't chase you down when something's about to expire. It doesn't escalate to a backup when the primary owner is unreachable. It just sits there, quietly going stale, until something breaks. The difference is that ExpiryPulse doesn't depend on someone remembering to check it — it comes to you. And if you don't respond, it goes to your backup.
SSL chain scanning. I didn't think about certificate chains expiring until I built the scanner. When I dug into how SSL actually works end-to-end, I realized every intermediate cert in the chain has its own expiry date, and they can expire before the leaf! I looked at the tools in this space and most of them don't scan the full chain. They just check the domain cert. That gap has caused real outages — not from the cert you're watching, but from the one you didn't know to watch.
Where it stands
ExpiryPulse is live at expirypulse.dev. The free tier gives you 5 credentials — enough to get your most critical items tracked and see if the workflow fits.
For solo admins who need more room, the Power plan covers up to 30 credentials with all notification thresholds and priority support. For teams that need shared visibility, the Team plan adds multi-seat access, backup assignments, break-glass delegation, and more — so coverage doesn't disappear when someone's on vacation or leaves the company.
I'm using it to track my own keys — Stripe, Resend, Supabase, Azure, etc. If the tool that tracks credentials can't track its own credentials, well, you know the rest.
I'm not pretending this replaces CyberArk or Venafi for organizations that need those platforms. It fills the gap for teams that don't — and for the credentials that fall between the cracks even in organizations that do.
One thing no tool can fix: you have to put the data in. ExpiryPulse, a spreadsheet, CyberArk — none of it matters if nobody takes the time to inventory what exists and enter it into the system. The best tooling in the world is useless if nobody feeds it. That's the unsexy truth about credential management. The hard part isn't the alerts or the dashboards or the chain analysis. The hard part is the discipline of saying "we just provisioned a new API key — let me log it." Everything else builds on that habit.
If you're tracking credentials in a spreadsheet and/or a calendar right now, I built this for you. If you've got a system that works, genuinely, keep using it. The important thing is that something exists between "I'll remember" and nothing.
If you want to try it: expirypulse.dev. Free tier, no credit card. Happy to answer questions in the comments.
Top comments (0)