TurboLens AI Intelligence
The TurboLens module provides AI-powered analysis of your enterprise architecture landscape. It uses your configured AI provider to perform vendor analysis, duplicate detection, modernization assessment, and architecture recommendations.
Note
TurboLens requires a commercial AI provider (Anthropic Claude, OpenAI, DeepSeek, or Google Gemini) configured in AI Settings. The module is automatically available when AI is configured.
Credits
TurboLens is based on the open-source ArchLens project by Vinod, released under the MIT License. The analysis logic has been ported from Node.js to Python and integrated natively into Turbo EA.
Dashboard
The TurboLens dashboard provides an at-a-glance overview of your landscape analysis.
| Indicator | Description |
|---|---|
| Total Cards | Number of active cards in your portfolio |
| Avg Quality | Average data quality score across all cards |
| Vendors | Number of analyzed technology vendors |
| Duplicate Clusters | Number of identified duplicate groups |
| Modernizations | Number of modernization opportunities found |
| Annual Cost | Total annual cost across all cards |
The dashboard also shows:
- Cards by type — Breakdown of card counts per card type
- Data quality distribution — Cards grouped into Bronze (<50%), Silver (50–80%), and Gold (>80%) quality tiers
- Top quality issues — Cards with the lowest data quality scores, with direct links to each card
Vendor Analysis
Vendor analysis uses AI to categorize your technology vendors into 45+ industry categories (e.g., CRM, ERP, Cloud Infrastructure, Security).
How to use:
- Navigate to TurboLens > Vendors
- Click Run Analysis
- The AI processes your vendor portfolio in batches, categorizing each vendor with reasoning
- Results show a category breakdown and a detailed vendor table
Each vendor entry includes the category, sub-category, number of associated applications, total annual cost, and the AI's reasoning for the categorization. Toggle between grid and table views using the view switcher.
Vendor Resolution
Vendor resolution builds a canonical vendor hierarchy by resolving aliases and identifying parent-child relationships.
How to use:
- Navigate to TurboLens > Resolution
- Click Resolve Vendors
- The AI identifies vendor aliases (e.g., "MSFT" = "Microsoft"), parent companies, and product groupings
- Results show the resolved hierarchy with confidence scores
The hierarchy organizes vendors into four levels: vendor, product, platform, and module. Each entry shows the number of linked applications and IT components, total cost, and a confidence percentage.
Duplicate Detection
Duplicate detection identifies functional overlaps in your portfolio — cards that serve the same or similar business purpose.
How to use:
- Navigate to TurboLens > Duplicates
- Click Detect Duplicates
- The AI analyzes Application, IT Component, and Interface cards in batches
- Results show clusters of potential duplicates with evidence and recommendations
For each cluster, you can:
- Confirm — Mark the duplicate as confirmed for follow-up
- Investigate — Flag for further investigation
- Dismiss — Dismiss if not a real duplicate
Modernization Assessment
Modernization assessment evaluates cards for upgrade opportunities based on current technology trends.
How to use:
- Navigate to TurboLens > Duplicates (Modernization tab)
- Select a target card type (Application, IT Component, or Interface)
- Click Assess Modernization
- Results show each card with modernization type, recommendation, effort level (low/medium/high), and priority (low/medium/high/critical)
Results are grouped by priority so you can focus on the most impactful modernization opportunities first.
Architecture AI
The Architecture AI is a 5-step guided wizard that generates architecture recommendations based on your existing landscape. It links your business objectives and capabilities to concrete solution proposals, gap analysis, dependency mapping, and a target architecture diagram.
A stepper at the top tracks your progress through the five stages: Requirements, Business Fit, Technical Fit, Solution, and Target Architecture. You can click any previously reached step to navigate back and review earlier phases — all downstream data is preserved and only cleared when you actively re-submit a phase. Your progress is saved automatically in the browser session, so you can navigate away and return without losing your work. You can also save assessments to the database and resume them later (see Save & Resume below). Click New Assessment to start a fresh analysis at any time.
Step 1: Requirements
Enter your business requirement in natural language (e.g., "We need a customer self-service portal"). Then:
- Select Business Objectives — Choose one or more existing Objective cards from the autocomplete dropdown. This grounds the AI's analysis in your strategic goals. At least one objective is required.
- Select Business Capabilities (optional) — Choose existing Business Capability cards or type new capability names. New capabilities appear as blue chips labeled "NEW: name". This helps the AI focus on specific capability areas.
Click Generate Questions to proceed.
Step 2: Business Fit (Phase 1)
The AI generates business clarification questions tailored to your requirement and selected objectives. Questions come in different types:
- Text — Free-form answer fields
- Single choice — Click one option chip to select
- Multi choice — Click multiple option chips; you can also type a custom answer and press Enter
Each question may include context explaining why the AI is asking ("Impact" note). Answer all questions and click Submit to proceed to Phase 2.
Step 3: Technical Fit (Phase 2)
The AI generates technical deep-dive questions based on your Phase 1 answers. These may include NFR (non-functional requirement) categories such as performance, security, or scalability. Answer all questions and click Analyse Capabilities to generate solution options.
Step 4: Solution (Phase 3)
This step has three sub-phases:
3a: Solution Options
The AI generates multiple solution options, each presented as a card with:
| Element | Description |
|---|---|
| Approach | Buy, Build, Extend, or Reuse — color-coded chip |
| Summary | Brief description of the approach |
| Pros & Cons | Key advantages and disadvantages |
| Estimates | Estimated cost, duration, and complexity |
| Impact Preview | New components, modified components, retired components, and new integrations that this option would introduce |
Click Select on the option you want to pursue. If you return to this step after selecting an option, the previously chosen option is visually highlighted with a border and a "Selected" badge so you can easily identify your current choice.
3b: Gap Analysis
After selecting an option, the AI identifies capability gaps in your current landscape. Each gap shows:
- Capability name with urgency level (critical/high/medium)
- Impact description explaining why this gap matters
- Market recommendations — Ranked product recommendations (gold #1, silver #2, bronze #3) with vendor, reasoning, pros/cons, estimated cost, and integration effort
Select the products you want to include by clicking on the recommendation cards (checkboxes appear). Click Analyse Dependencies to proceed.
3c: Dependency Analysis
After selecting products, the AI identifies additional infrastructure, platform, or middleware dependencies required by your selections. Each dependency shows:
- Need with urgency level
- Reason explaining why this dependency is required
- Options — Alternative products to fulfill the dependency, with the same detail as gap recommendations
Select dependencies and click Generate Capability Map to produce the final target architecture.
Step 5: Target Architecture
The final step generates a comprehensive capability mapping:
| Section | Description |
|---|---|
| Summary | High-level narrative of the proposed architecture |
| Capabilities | List of matched Business Capabilities — existing ones (green) and newly proposed ones (blue) |
| Proposed Cards | New cards to be created in your landscape, shown with their card type icons and subtypes |
| Proposed Relations | Connections between proposed cards and existing landscape elements |
| Dependency Diagram | Interactive C4 diagram showing existing nodes alongside proposed nodes (dashed borders with green "NEW" badge). Pan, zoom, and explore the architecture visually |
From this step, you can click Choose Different to go back and select a different solution option, or Start Over to begin a completely new assessment.
AI-Assisted Assessment
This assessment leverages AI to generate recommendations, solution options, and a target architecture. It should be performed by a qualified IT professional (Enterprise Architect, Solution Architect, IT Leader) in collaboration with business stakeholders. The generated output requires professional judgment and may contain inaccuracies. Use the results as a starting point for further discussion and refinement.
Save & Resume
After reviewing the target architecture, you can save or commit your work:
Save Assessment — Persists a full snapshot of the assessment (all answers, selected options, gap analysis, dependencies, and target architecture) to the database. Saved assessments appear in the Assessments tab.
Resume a Saved Assessment — Non-committed assessments can be reopened into the interactive wizard with full state restored:
- From the Assessments tab, click the Resume button on any saved assessment row
- From the read-only Assessment Viewer, click Resume in the header
- The wizard restores to the exact phase and state where you left off, including all AI-generated questions, your answers, selected options, and product selections
- You can continue from where you stopped, choose a different approach, or commit to create an initiative
- Saving again updates the existing assessment (instead of creating a new one)
Full Snapshot
A saved assessment is a complete snapshot of your wizard session. As long as it has not been committed to an initiative, you can resume it, pick a different solution approach, and re-save as many times as needed.
Commit & Create Initiative — Converts the architecture proposal into real cards in your landscape:
- Initiative name defaults to the selected solution option title (editable before creation)
- Start/end dates for the initiative timeline
- Proposed New Cards with toggle switches to include or exclude individual cards, and edit icons to rename cards before creation. This list includes new Business Capabilities identified during the assessment.
- Proposed Relations with toggle switches to include or exclude
- A progress indicator shows creation status (initiative → cards → relations → ADR)
- On success, a link opens the new Initiative card
Architecture Guardrails
The system automatically enforces architectural integrity:
- Every new Application is linked to at least one Business Capability
- Every new Business Capability is linked to the selected Business Objectives
- Cards with no relations (orphans) are automatically removed from the proposal
Architecture Decision Record
A draft ADR is automatically created alongside the initiative with:
- Context from the capability mapping summary
- Decision capturing the selected approach and products
- Alternatives considered from non-selected solution options
Change Approach
Click Choose Different to return to the solution options and select a different approach. All your Phase 1 and Phase 2 answers are preserved — only the downstream data (gap analysis, dependencies, target architecture) is reset. After selecting a new option, the wizard proceeds through gap analysis and dependency analysis again. You can save the updated assessment or commit when ready.
Security & Compliance
The Security & Compliance tab runs an on-demand scan against the live landscape and produces a standards-compliant risk report plus a regulatory gap analysis.
What it scans
- CVEs — every non-archived Application and IT Component is looked up in the NIST National Vulnerability Database using the card's vendor, productName / version attributes. Results are contextualised by an AI pass that rates priority (critical / high / medium / low) and probability (very high / high / medium / low) using the card's business criticality, lifecycle phase, attack vector, exploitability and patch availability.
- Compliance — the same landscape is checked against EU AI Act, GDPR, NIS2, DORA, SOC 2 and ISO/IEC 27001 by the configured LLM. Each regulation has a dedicated checklist; findings are either card-scoped (one specific card is the source of the gap) or landscape-wide (systemic issue).
Running a scan
Only users with security_compliance.manage can trigger scans (admin by default). The Overview tab shows two independent scan cards:
- CVE scan — queries NVD + AI prioritisation. Safe to re-run often; leaves compliance findings untouched.
- Compliance scan — AI gap analysis against the regulations you tick. Replaces compliance findings for the regulations you scoped in this run.
Each scan reports its own phase-aware progress bar (loading cards → querying NVD → AI prioritisation → saving, or loading cards → semantic AI detection → per-regulation check). The two can run concurrently.
Refreshing the page does not interrupt a running scan — the background task keeps going server-side, and the UI automatically reattaches the progress poll on reload.
Risk report structure
- Overview — KPI strip (total findings, critical / high / medium counts, overall compliance score), a 5×5 probability × severity risk matrix, the top five critical findings, and a compact compliance heatmap you can click through to the details. The matrix itself is clickable: click a cell and the CVEs sub-tab opens filtered to that bucket, with a dismissible chip above the table so you can see (and clear) the active filter.
- CVEs — filterable table showing card, CVE ID (linked to the NVD detail page), CVSS base score, severity, priority, probability, patch availability, and status. Each row opens a detail drawer with the description, CVSS vector, attack vector, exploitability / impact scores, references, AI-generated business impact and remediation, and a status action bar (Acknowledge → Mark in progress → Mark mitigated / Accept risk / Reopen).
- Compliance — one tab per regulation with an overall score, and a card-style list of findings showing status, article, category, requirement, gap description, remediation and evidence. A small AI-detected chip highlights cards flagged as AI-bearing by the semantic detector even though they are not tagged as AI subtypes.
- Export CSV — downloads the CVE findings in OWASP/NIST-style column order (Card, Type, CVE, CVSS, Severity, Attack Vector, Probability, Priority, Patch, Published, Last Modified, Status, Vendor, Product, Version, Business Impact, Remediation, Description).
Promote a finding to the Risk Register
Every CVE drawer and every compliance finding card includes a Create risk primary action. Clicking it opens the shared create-risk dialog with the title, description, category, probability, impact, mitigation and affected card prefilled from the finding. You can edit any field before submitting, assign an owner, and pick a target resolution date. On submit, the finding's row flips to Open risk R-000123 so the link stays visible — promotions are idempotent server-side. See Risk Register for the full TOGAF-aligned lifecycle and how owner assignment creates a follow-up Todo + bell notification.
EU AI Act semantic detection
AI features are frequently embedded inside general-purpose applications. The EU AI Act pass therefore does not rely on subtype filtering alone: it asks the LLM to flag every card whose name, description, vendor or related interfaces suggest AI / ML capabilities — LLMs, recommendation engines, computer vision, fraud or credit scoring, chatbots, predictive analytics, anomaly detection. Findings produced from this semantic pass are marked AI-detected so you can distinguish them from cards that were already classified as AI Agent / AI Model.
Progress and resume
Each scan writes phase-aware progress (loading cards → querying NVD → AI prioritisation → saving, or loading cards → semantic AI detection → per-regulation check) into its analysis-run record. The UI renders a live progress bar per scan. Refreshing the page does not interrupt a scan — the background task keeps running server-side, and on mount the Security tab queries /turbolens/security/active-runs and reattaches the poll loop.
NVD API key (optional)
Without a key, NVD allows only 5 requests / 30 seconds, which can make large-landscape scans slow. Request a free key at https://nvd.nist.gov/developers/request-an-api-key and set it via the NVD_API_KEY environment variable to raise the limit to 50 requests / 30 seconds.
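To see what those two limits mean for scan duration, the following added example (not TurboLens code) implements a client-side sliding-window throttle that picks its budget from NVD_API_KEY and simulates the wait for a scan. It assumes one NVD lookup per card and ignores network latency; `SlidingWindowThrottle`, `FakeClock` and `simulated_scan_seconds` are hypothetical names.

```python
import os
import time
from collections import deque

WINDOW_SECONDS = 30.0
LIMIT_NO_KEY = 5     # requests per window without a key (figure from this page)
LIMIT_WITH_KEY = 50  # requests per window with NVD_API_KEY set (from this page)


def nvd_limit(env=os.environ):
    """Pick the request budget depending on whether NVD_API_KEY is set."""
    return LIMIT_WITH_KEY if env.get("NVD_API_KEY", "").strip() else LIMIT_NO_KEY


class SlidingWindowThrottle:
    """Allow at most `limit` requests in any rolling `window` seconds."""

    def __init__(self, limit, window=WINDOW_SECONDS, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # send times of requests still inside the window

    def acquire(self):
        """Block until one more request is allowed; return seconds waited."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()  # forget requests that left the window
        waited = 0.0
        if len(self.sent) >= self.limit:
            waited = self.window - (now - self.sent[0])
            self.sleep(waited)   # wait until the oldest request expires
            self.sent.popleft()
            now = self.clock()
        self.sent.append(now)
        return waited


class FakeClock:
    """Simulated time (assumption for the demo) so the estimate runs offline."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def simulated_scan_seconds(card_count, env):
    """Rate-limit wait for a scan, assuming one NVD lookup per card."""
    fake = FakeClock()
    throttle = SlidingWindowThrottle(nvd_limit(env), clock=fake.now, sleep=fake.sleep)
    for _ in range(card_count):
        throttle.acquire()  # a real client would send its NVD request here
    return fake.t
```

Under these assumptions a 500-card landscape spends 2970 seconds waiting on the limit without a key and 270 seconds with one.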
Status workflow
Each CVE finding progresses through: open → acknowledged → in progress → mitigated (or accepted, when the team has formally accepted the risk). Reopening is always available. Status changes are owned by users with security_compliance.manage. For governance workflows (ownership, residual assessment, acceptance rationale, Todos and notifications) promote the finding to a Risk — the full lifecycle lives in the Risk Register.
Analysis History
All analysis runs are tracked in TurboLens > History, showing:
- Analysis type (vendor analysis, vendor resolution, duplicate detection, modernization, architect, security_compliance)
- Status (running, completed, failed)
- Start and completion timestamps
- Error messages (if any)
Permissions
| Permission | Description |
|---|---|
| turbolens.view | View analysis results (granted to admin, bpm_admin, member) |
| turbolens.manage | Trigger analyses (granted to admin) |
| security_compliance.view | View CVE and compliance findings (granted to admin, bpm_admin, member, viewer) |
| security_compliance.manage | Trigger security scans and update finding status (granted to admin) |