Hardened from the First Apply.

A framework pack is a versioned, immutable collection: control definitions, evidence requirements, assessment workflows, and scoring criteria bundled into a single deployable artifact. CMMC Level 2 ships with 110 practices. NIST 800-53 rev5 Moderate ships with 325 controls. FedRAMP High ships with 421. Each control definition includes the requirement text, supplemental guidance, assessment objectives, and the evidence types that satisfy it. When you add a framework pack to Rampart, the platform performs an immediate gap analysis against your current posture. Every control gets a status: Implemented, Partially Implemented, Planned, Not Implemented, Not Applicable. The assessment begins from reality, not from a blank spreadsheet.

Framework packs are living entities on a publishing lifecycle. Authored, peer-reviewed, schema-validated, version-tagged, published. When DISA updates CMMC assessment guidance or NIST releases a new revision, the Armory publishes a new version. Your existing assessments continue on their pinned version. No forced migration. No surprise changes mid-assessment. When you are ready to upgrade, the platform generates a migration diff: controls added, controls removed, evidence requirements changed. You review the diff, accept the migration, and your assessment updates. Deprecation is explicit and gradual. Packs carry 100 to 300 controls each, and every one maps to the source document paragraph and revision number.

Every IaC module in the Armory is a hardened Terraform component. VPC configurations with segmentation that satisfies SC-7. S3 buckets with encryption-at-rest that satisfies SC-28. IAM policies with least-privilege boundaries that satisfy AC-6. Logging pipelines that satisfy AU-2 and AU-3. Each module carries inline control mappings: comments in the Terraform source that reference the specific control IDs the configuration satisfies. When you deploy a module, Garrison registers the resources and Sentinel begins monitoring immediately. The control mappings flow into Rampart, where evidence links are created automatically. You do not need to manually map infrastructure to controls. The module already declares the relationship.

Modules cost $29 one-time. No subscription required. You purchase once, you own the source forever. Every module is versioned and pinned to a specific provider version range. Updates ship as new versions; you upgrade when you choose to. The full Terraform source is visible before purchase. No black boxes. No obfuscated configurations. You can read every resource, every variable, every output before you buy. Each module includes a software bill of materials with CVE tracking: provider versions, module dependencies, known vulnerabilities at time of publish. When a CVE affects a dependency, the Armory flags the module and publishes a patched version.

A capability pack is a curated bundle designed to solve a specific operational need. Take the "Compliance Logging Stack" pack: it includes CloudTrail configuration with multi-region coverage, CloudWatch log groups with retention policies, S3 audit buckets with object lock and versioning, and IAM immutability policies that prevent log tampering. Four IaC modules, wired together. But the pack includes more than infrastructure. It ships with framework-specific documentation that explains how each component maps to AU-2, AU-3, AU-6, AU-7, AU-8, AU-9, and AU-12. A runbook covers deployment prerequisites, post-deployment validation, and ongoing maintenance. And depending on your tier, the pack may include consulting hours for architecture review or deployment assistance.

Capability packs are included free with all subscription tiers. The modules inside them would cost more individually, but the pack bundles them at no additional cost because the platform benefits when your infrastructure is hardened correctly from the start. Tier-dependent features determine what ships with the pack: Developer tier gets the modules and documentation. Guardian tier adds the runbook and framework mappings. Team tier and above add consulting hour allocations. Each pack targets a specific compliance domain: logging, encryption, network segmentation, identity management, vulnerability scanning infrastructure. Deploy the pack. Your infrastructure satisfies controls. Your evidence chain starts immediately.

Some teams want the secure substrate handled for them. Managed Infrastructure in the Armory covers offerings where Redoubt provisions, operates, and supports the underlying platform on the customer's behalf. The current offering is Managed Account, where Redoubt provisions and owns a dedicated AWS account, lays down a complete hardened baseline covering account structure, networking, IAM, and logging, and runs patching, incident response, and SLA-backed support. Workloads run inside. The baseline stays enforced. Customers focus on applications, not account hardening.

Pricing is utilization-based: a percentage of the deployed AWS resource cost, metered through AWS Marketplace so your invoice draws down any existing EDP commitment. Team, Business, and Enterprise subscribers pay 10%. Additional managed offerings on the roadmap include Shared Managed Cluster, Dedicated Managed Cluster, and Managed Virtual Desktop, each tracked on the Redoubt Roadmap. When they ship, they join the Managed Infrastructure filter in the catalog.

Some problems need humans alongside the tooling. Professional Services in the Armory covers engagements where a Redoubt architect works on your assessment, your environment, or your program directly. Architecture Review is a focused one- to two-week engagement with a principal architect, delivering a written report with migration recommendations and findings, plus three months of Guardian included. Ongoing Advisory is a monthly retainer with 10 to 15 hours of architect time and Team tier included, for teams that want ongoing expert backup.

Every engagement is capacity-capped by design because the architect who works on your environment is the one who writes your report and answers your follow-up questions. No consulting pool, no offshore handoff. All engagements run inside the platform: the architect gets scoped access to your workspace, every action carries their identity and timestamp, and when the engagement ends, access revokes automatically. The work remains in your assessment. The audit trail proves exactly who contributed what.

The Armory serves two audiences simultaneously. Unauthenticated visitors can browse the full catalog: every framework pack, every IaC module, every capability pack, every service offering. They see pricing, control counts, framework coverage, module descriptions, and version history. This is deliberate. We do not gate product information behind a login. If you want to know whether the platform supports CNSSI 1253 overlays for National Security Systems, you can find that answer without creating an account. If you want to compare the CMMC Level 2 framework pack against the NIST 800-171 rev3 pack, the control-by-control mapping is visible. Transparency builds trust faster than gated demos.

Authenticated users see everything unauthenticated users see, plus operational context. Tier-based filters highlight what is available at your subscription level. Deployment status shows which packs are already active in your workspace. Purchase history tracks every module you own. Upgrade paths show what becomes available at the next tier. The catalog becomes both a marketing surface and an operational tool. Browse to discover. Deploy to act. The transition from browsing to deployment is a single action: select the pack, confirm the target system, and the platform provisions it. No procurement workflow. No waiting for license keys. Immediate deployment into your environment.

You select a pack or module from the catalog. The platform presents the Terraform configuration: variables, defaults, resource list, and the controls each resource satisfies. You modify variable values for your environment or accept the defaults. Before deployment, the platform runs the configuration through IaC security validation: static analysis against CIS benchmarks, STIG requirements, and custom policy rules. If the configuration fails validation, you see exactly which checks failed and why. No deployment proceeds until validation passes. This prevents misconfigurations from reaching your infrastructure. The hardening is enforced before a single resource provisions.

On successful validation, the platform creates a Garrison instance for the deployed resources. Every resource is registered in your hardware and software inventory. Sentinel begins monitoring immediately: configuration drift checks run every 6 hours. If a deployed S3 bucket loses its encryption configuration, Sentinel detects the drift, fires an alert, and Rampart re-evaluates the affected controls. The deployment flow is not a one-time action. It is the beginning of continuous monitoring. Deploy once. The platform watches forever. Your controls stay satisfied because the infrastructure stays hardened. Drift is detected, surfaced, and remediated before your next assessment.

Individual IaC modules cost $29 one-time. You purchase the module once and own the Terraform source forever. Updates ship as new versions that you can adopt at your own pace. There is no recurring fee. There is no expiration date. There is no usage cap. One payment. Permanent access. Capability packs are included free with all subscription tiers because hardened infrastructure benefits the entire platform: your controls are satisfied, your evidence chains are automated, and your posture score improves. The platform works better when your infrastructure is forged correctly from the start.

Consulting services are sold separately, scoped to specific engagements, and priced per the catalog listing. No hidden fees. No surprise charges. When you purchase a module or engage a service, the checkout page discloses the full cost, including any infrastructure utilization costs your cloud provider will charge for the resources the module provisions. We tell you what the Terraform will create, what it will cost to run, and what controls it satisfies. You make the decision with complete information. The Armory does not obscure costs to drive adoption. It presents them because informed decisions produce stronger security posture than impulse purchases.