DevSecOps Scanning for Every Repository, Every Container, Every Pipeline.
Outpost DevSecOps Scanning
Run the full Vanguard scanner suite against any code repository, container image, or infrastructure target without registering a system. Fourteen scanners. SAST, DAST, container vulnerability scanning, STIG compliance, secret detection, SBOM generation. Track findings over time. Graduate to full compliance monitoring when you are ready.
The DevSecOps On-Ramp
Security scanning should start before compliance does.
Not every codebase is production-ready. Not every container is registered in your compliance estate. Outpost lets you scan first, evaluate results, remediate, and graduate to Garrison when the work is done. No system definition. No environment setup. No compliance overhead. Just security scanning with the same tools your production systems use.
Every scanner available in Vanguard is available through Outpost: multi-language SAST across nine languages, secret detection with live credential validation, software composition analysis across npm, PyPI, Maven, Go, Cargo, and NuGet, container image scanning against CVE databases and configuration baselines, DAST with 10,000+ vulnerability templates, STIG compliance scanning for OS and application hardening, CIS Benchmark validation across cloud foundations and infrastructure, and API security testing for REST and GraphQL endpoints. Run scans locally from your terminal or through the platform workbench. Same scanners. Same quality. Same finding format.
Outposts are lightweight scan targets registered with Vanguard but not connected to any system or environment. They carry a name, a scan target reference (GitHub repository URL, container image reference, or CI/CD pipeline endpoint), and a full scan history. You get the same scanner quality, the same finding format, and the same remediation guidance as fully registered systems.
Outposts integrate directly into your development pipeline via the redoubt-forge/gate GitHub Action, the redoubt-ci GitLab CI template, or webhook-triggered scans for Jenkins and other platforms. Every commit triggers a scan. Every pull request shows findings inline. Pipeline gates can block merges when critical or high-severity vulnerabilities are detected.
The scan runs in an ephemeral, tenant-isolated container; only the results reach the platform. Your source code never leaves your pipeline environment. Results accumulate on the Outpost, building a continuous security history for every branch, every tag, every release.
Every Outpost maintains a timeline of scan results: date, scanner type, finding count by severity, new findings introduced, findings remediated since the previous scan. The trend is visible at a glance: improving (findings decreasing), stable (findings flat), or degrading (findings increasing). Drill into any scan to see what changed: which CVEs were fixed, which new vulnerabilities appeared, which false positives were marked.
Citadel aggregates Outpost health across your organization: "12 Outposts. 11 improving. 1 stable. 0 degrading." Security culture becomes measurable. Individual developers see their own progress; team leads see the trajectory across all repositories.
Developer tier ($49/mo) includes 10 Outposts. Guardian ($199/mo) includes 10. Team ($499/mo) includes 25. Business ($999/mo) includes 50. Enterprise ($2,499/mo) includes unlimited. Additional Outposts cost $9/mo per add-on. The limit is enforced at creation: attempting to create an 11th at Developer tier shows options to delete an existing Outpost, upgrade tier, or add a license.
This pricing makes security scanning accessible to solo developers, small teams, and startups. No six-figure contracts. No annual commitments required (though annual billing saves 20%). You can run fourteen scanners against your code for less than the cost of a single SaaS tool.
When an Outpost matures and the code or infrastructure is ready for production, you promote it to Garrison. The graduation flow: select the Outpost, map it to a system and environment in Garrison, confirm. Sentinel begins continuous monitoring. ScanFindings that were previously Vanguard-only now become eligible for compliance mapping.
At Guardian tier and above, every finding maps to controls across active frameworks. Evidence collection begins automatically per the Evidence Profile for that system. The resource enters the compliance workflow. Scan history is preserved: "Promoted to Garrison on March 12, 2026. Previous: 24 scans over 2 months. Trend: improving." The continuity matters. Your assessor sees that this codebase was actively scanned and improved before it entered production.
Create Outposts from the Vanguard UI, the CLI (redoubt outpost create --name team-api --repo https://github.com/org/repo --continuous), or the API. Configure scan mode: continuous (scheduled, automatic), on-demand (you trigger manually), or CI/CD-triggered (via webhook or pipeline integration). The dashboard shows all Outposts: name, target, last scan date, current finding count, severity breakdown, and trend indicator.
Export scan reports in SARIF (for IDE integration), JSON (for custom tooling), PDF (for stakeholder review), or CSV (for spreadsheet analysis). Deleting an Outpost removes it from active monitoring but preserves historical scan data in audit logs for compliance continuity.
A developer on the team-api project creates an Outpost for the main repository and one for the container image used in CI/CD. Every morning, the dashboard shows: "team-api-repo: 3 new findings since yesterday. 1 critical (CVE in lodash 4.x). team-api-container: 0 new findings." They click through, see the critical finding, update package.json, commit, and the pipeline re-scans. The finding is gone. The dashboard updates.
Over months, the trend line shows improvement: 45 scans, critical findings from 5 to 0, high from 12 to 3. When the team is ready for production deployment, they graduate the Outpost to Garrison. Personal security discipline becomes organizational compliance posture. The work a developer does at their terminal generates the evidence an assessor needs.
The full platform is under active development.