> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tolmo.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Tolmo: Cloud Security CLI for Modern Security Teams

> Tolmo is the cloud security platform CLI. Query infrastructure graphs, manage security findings, and proxy requests to services like GitHub, AWS, and more.

Tolmo is a command-line interface for the Tolmo cloud security platform. It gives your team a single tool to query infrastructure graphs, manage security findings, and proxy requests to connected services — all authenticated through your organization's backend. This page explains what Tolmo does, who it's designed for, and how it fits into your security workflow.

## What is Tolmo?

Tolmo is a unified CLI that bridges your terminal to the Tolmo cloud security platform. Instead of juggling separate credentials and dashboards for each service, you work through a single interface backed by server-side credential resolution.

With Tolmo you can write SQL and Cypher queries against your organization's infrastructure data, create and triage security findings, and send proxied requests to integrated services like GitHub, AWS, Linear, Sentry, and Datadog — without ever touching the underlying API credentials yourself. Access is scoped to your organization, and named profiles let you switch between environments without re-authenticating.

Tolmo is built for security engineers, platform teams, and developers who want scriptable, automatable access to their organization's security posture from the command line.

## Key capabilities

<CardGroup cols={2}>
  <Card title="SQL & Cypher Queries" icon="database">
    Run SQL queries against the organization database and Cypher queries against the infrastructure graph. Use temporal fields like `firstSeenAt` and `lastSeenAt` to track resource changes over time.
  </Card>

  <Card title="Security Findings" icon="shield-exclamation">
    Create, update, triage, and delete security findings with full lifecycle management — severity levels, visibility controls, status transitions, and an audit trail of every status change.
  </Card>

  <Card title="Connected Service Proxying" icon="plug">
    Send proxied REST and GraphQL requests to GitHub, AWS, Linear, Sentry, and Datadog through the backend. The platform resolves credentials server-side so they never reach your machine.
  </Card>

  <Card title="Repository Management" icon="code-branch">
    List and clone repositories from your organization's storage. Supports GitHub and GitLab URLs, subdirectory clones, and bulk clone operations.
  </Card>

  <Card title="Threat Models" icon="triangle-exclamation">
    List threat model pipeline runs, download the latest run or a specific scan, and retrieve individual pipeline steps for detailed analysis.
  </Card>

  <Card title="Datadog Monitors" icon="chart-line">
    Create, update, and delete Datadog monitors that the platform manages on behalf of your org. Every monitor is tagged `managed-by:tolmo` and credentials are stored securely in the backend — they never reach your machine.
  </Card>

  <Card title="Agent Skills Integration" icon="robot">
    Install the Tolmo skill into Claude Code and other agent directories with `tolmo skill install`. Configure OTEL telemetry for Claude Code tool calls and assistant messages via `tolmo setup claude-code`.
  </Card>

  <Card title="Organization Management" icon="building">
    List all organizations you have access to and switch your active organization with `tolmo org switch`. Override the active org for any single command using the `--org` flag.
  </Card>
</CardGroup>

## How it works

When you run a Tolmo command, the CLI authenticates your request against the Tolmo backend using a stored profile or environment-variable token. The backend then resolves any third-party credentials — GitHub App tokens, AWS role credentials, Datadog API keys — from its own encrypted store and proxies the request on your behalf. Those credentials never leave the backend, so you never need to configure them locally.

Access is organized around organizations. Each profile is tied to an organization slug, and every query, finding, or proxy call runs in that organization's context. You can override the active organization for a single command with `--org <slug>`, or maintain separate named profiles for different orgs and environments (production, staging, and so on).

Named profiles are stored in `~/.tolmo/` and selected via the `--profile` flag or the `TOLMO_PROFILE` environment variable. In CI/CD pipelines you can skip profiles entirely and authenticate using `TOLMO_API_TOKEN` and `TOLMO_ORG_SLUG` environment variables.

## Next steps

<CardGroup cols={2}>
  <Card title="Install Tolmo" icon="arrow-down-to-bracket" href="/installation">
    Install the CLI via Homebrew, the install script, or a Debian package on macOS or Linux.
  </Card>

  <Card title="Authenticate" icon="key" href="/authentication">
    Log in with the browser-based OAuth flow, set up named profiles, or configure environment variables for CI/CD.
  </Card>
</CardGroup>
