PathixDataverse Forensics
How it works · Coverage model

What writes to your fields. Where the gaps are.

Pathix scans your D365 environment across thirteen component surfaces and emits an honest dependency graph. Every edge carries a parser source, a confidence level, and the boundary it observes, so you can tell at a glance which edges came from deterministic analysis and which came from a model.

Confidence levels: Declared (structural certainty), Parsed (deterministic, exact target resolved), AI-derived (read from decompiled code, always with attached evidence), and Unresolved (a write seen but not resolved to an exact field). AI never overrides what the deterministic engine proves.

Put plainly: Declared means the platform itself told us, Parsed means we read it straight from the component's own code, AI-derived means a model proposed it and a human should confirm, and Unresolved means we saw a write but could not pin the exact field.

When Pathix sees that a dependency exists but can't resolve the exact field (a dynamic or computed target), it emits the edge and says so, rather than guessing a column.

Book a demoSecurity architecture
The model

One scan, four stages, no record data.

A Pathix scan is a deterministic pipeline. Each stage operates on the output of the last; the metadata-only boundary holds throughout.

01
Ingest registrations
Pathix pulls component registrations directly from Dataverse: plugin steps, modern flows, classic workflows, dataflows, web resources, ribbon XML, security roles, custom controls, canvas apps, saved queries, forms.
02
Parse the bodies
Each component body is parsed in-process: Mono.Cecil for plugin IL, real AST parse for form scripts, structural walks for JSON / XAML / FetchXML / PowerFx / formxml. Customer code is read once, never persisted.
03
Extract dependencies
Static analysis emits column-level writes and reads, plus the structural metadata around them: entity, kind, conditional flag, confidence. AI-derived edges are tagged so reviewers can separate them from deterministic ones.
04
Stitch the graph
Edges land in a relational store keyed by (table, column). Cascade fanout, hierarchy rollup, ribbon binding fan-out, and form-script attribution glue the surfaces together so one-hop questions are direct answers.
SCAN TIME10–30 min · most envs
RE-SCANincremental · skip-unchanged
HISTORYevery scan delta retained · diff via SQL
Architectural boundaries

Three rules we don't break.

The metadata-only guardrails everything downstream rests on. Enforced in code, not just policy.

Pathix does not
Pathix does not store, transmit, or analyze customer record values.
Metadata-only by design. Pathix ingests structural metadata (schema, registrations, definitions) and behavioral configuration (plugin steps, workflow XAML, flow JSON, form scripts). Record values, audit log payloads, embedded literals from execution traces — never.
ROADMAP
Permanent.
Pathix does not
Pathix does not correlate against audit logs to discover observed-runtime writes.
Audit log ingestion is a separate plane with its own data-residency and retention concerns. v1 stays static-analysis-only.
ROADMAP
v2 candidate. Not committed.
Pathix does not
Pathix does not scan customer-owned source repositories (GitHub, Azure DevOps).
Out-of-Dataverse source ingestion is a separate scoping question with its own auth model.
ROADMAP
v2 candidate. Not committed.
The boundary list is enforced in code, not just policy. Read the schema yourself.Your data →
What's covered

Thirteen parser surfaces across three signal classes.

The components Pathix analyzes, grouped by how they participate in the dependency graph. Each group corresponds to a tier of parser engineering.

AUTOMATION
What writes to fields
  • Plugin steps & Custom APIs
  • Cloud flows (Power Automate)
  • Classic workflows · dialogs · actions
  • Dataflows (Gen2)
  • Business rules

Mono.Cecil walks compiled plugin IL for column-level Create / Update / Delete. Flow JSON parsed for the same. Dataflow source-to-destination mappings indexed per column. Classic workflow XAML and business-rule branches surface alongside.

UI & CLIENT CODE
Where users meet data
  • Form scripts (JavaScript)
  • PCF custom controls
  • Canvas apps
  • Ribbon & modern command bar

Real AST parse on every customer-authored JS web resource. PCF manifest bindings traced to forms. PowerFx walked across canvas apps. Modern command bar and legacy ribbon XML both covered.

READ DERIVATION
What the platform computes
  • Saved queries · charts · dashboards
  • Forms (formxml)
  • Formula columns
  • Calculated & rollup columns
  • Security model (roles · teams · hierarchy)

FetchXML, formxml, and PowerFx walked for column-level reads. Security inheritance traced through roles, teams, team-templates, and the manager / position hierarchy chains.

For evaluators

Want the per-surface DOES / DOES NOT matrix?

Pathix coverage is documented in detail in a per-surface technical brief: what each parser handles, where the boundaries are, and the roadmap label for every gap. Available on request to evaluators with a real Pathix conversation in flight.

Email brian@pathix.appBook a demo

See the coverage on your environment.

A Pathix scan runs in your subscription, parses every component above, and shows you the writers and dependents of any field within minutes.

Book a demoSecurity architecture
Pathix

Forensics for Dynamics 365 and the Dataverse.

See it on sample data →
USE CASES
PRODUCT
COMPANY
© 2026 Pathix · self-hosted · metadata-onlyNot affiliated with Microsoft. Dynamics 365, Dataverse, and Power Platform are trademarks of Microsoft Corporation.