Frequently Asked Questions.


Answers to common questions about the platform, compliance frameworks, DevSecOps capabilities, AI guidance, and pricing.

Everything you need to know.


What is Redoubt Forge? (Getting Started)

Redoubt Forge is a secure operations platform. It discovers your infrastructure, hardens it through layered defenses, monitors for drift continuously, and collects compliance evidence from running systems. Security posture comes first. Compliance proofs are generated as a byproduct of operating securely. The platform supports CMMC, FedRAMP, NIST 800-53, SOC 2, ISO 27001, HIPAA, PCI-DSS, and more. See the full list at Frameworks and Overlays. Nine integrated capabilities share data, findings, evidence, and context across your entire estate.

Who is Redoubt Forge for? (Getting Started)

Defense contractors pursuing CMMC certification. Federal vendors and cloud service providers seeking FedRAMP authorization. Healthcare organizations managing HIPAA compliance. Financial institutions navigating SOC 2 and PCI-DSS. SaaS companies proving ISO 27001 to enterprise customers. State agencies implementing StateRAMP. AI companies building under NIST AI RMF. Any organization that needs to prove its security posture to assessors, partners, regulators, or customers. We serve every industry that takes compliance seriously enough to build it from actual security.

What size organization is Redoubt Forge designed for? (Getting Started)

The platform scales from individual developers to large enterprises. Five tiers cover everything from solo practitioners building securely from day one to organizations with dedicated security programs and custom framework requirements. Start with scanning and security posture. Add compliance when the requirement arrives. The platform grows with you. See tier details at Pricing.

How is Redoubt Forge different from Drata, Vanta, or other compliance automation platforms? (Getting Started)

Platforms like Drata and Vanta have expanded their framework coverage significantly. Both now support CMMC, FedRAMP, NIST 800-53, and NIST 800-171 alongside SOC 2 and ISO 27001. The framework overlap is real. The difference is what happens beyond framework mapping. Redoubt Forge covers the full compliance lifecycle: build compliant infrastructure through native scanning and hardened Terraform modules, sustain posture through event-driven continuous monitoring, and prove compliance with assessor-ready packages. Three specific gaps remain in commercial platforms. First, no native scanning: they aggregate third-party tools rather than running SAST, DAST, SCA, STIG validation, or CIS Benchmark scanning natively. Second, no overlay composition: DISA STIGs, CIS Benchmarks, DoD Impact Levels, ITAR, and DFARS are not supported. Third, no air-gapped or GovCloud deployment. For detailed comparisons, see Vanta, Drata, Secureframe, Sprinto, and Thoropass for SOC 2 platforms; PreVeil, Huntress, and Telos Xacta for defense and CMMC; or the full comparisons index.

Do I need technical expertise to use Redoubt Forge? (Getting Started)

No. Artificer, the platform's AI guidance layer, asks targeted questions and adapts based on what Sentinel discovers about your environment. You do not need to be a framework expert to start. The platform guides scoping, assessment, and evidence collection through conversational workflows. Technical depth is available for teams that want it: raw scan data, CLI integration, API access, and IaC modules. But the entry point is designed for compliance officers, security managers, and business owners who need results without reading 800 pages of NIST documentation first.

What is a secure operations platform? (Getting Started)

A secure operations platform is a control plane that discovers your infrastructure, hardens it through defense-in-depth, monitors for drift continuously, and collects compliance evidence from running systems. Unlike traditional GRC tools that start with checklists, a secure operations platform starts with actual security posture. Compliance proofs are a byproduct of doing security correctly. Sentinel runs continuous discovery and monitoring. Garrison tracks your connected estate. Rampart maps observed posture to framework controls. The result is infrastructure as evidence: your running systems generate the proof, not your compliance team.

Redoubt Forge supports CMMC, NIST 800-53, FedRAMP, SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF 2.0, CIS Controls v8, NIST 800-207 Zero Trust, NIST AI RMF, and more. See the full list at Frameworks and Overlays. Enterprise tier supports custom frameworks.

How is Redoubt Forge different from traditional GRC tools? (Getting Started)

GRC tools start with checklists and work backward to evidence. Redoubt Forge starts with your actual security posture: hardened infrastructure, enforced controls, continuous monitoring. Compliance proofs are generated from observed state, not assembled from templates. Your assessor gets an immutable chain of evidence from your running systems, not a binder of narratives. The platform also bridges DevSecOps and compliance; scan results from Vanguard automatically map to framework controls in Rampart. No traditional GRC tool does this.

Where GRC platforms require manual evidence uploads and periodic collection cycles, Sentinel maintains continuous evidence streams with live connections to source-of-truth systems. Where GRC platforms treat compliance as a documentation exercise, Redoubt Forge treats it as a security engineering discipline. The platform monitors your entire estate through Garrison, detects drift the moment it happens, and re-evaluates affected framework controls automatically. Evidence decay is eliminated because evidence is never a static file. It is a live, immutable record from running infrastructure.

What is posture-first compliance? (Getting Started)

Posture-first compliance inverts the traditional model. Instead of starting with a checklist and working backward to security, you start with actual defenses: hardened infrastructure, enforced controls, continuous monitoring. The platform observes your security posture, maps it to framework requirements, and generates compliance proofs from what your systems actually do. Your assessor gets immutable evidence from running systems, not narratives from spreadsheets. This approach means compliance is always current because it reflects your actual security state, not a point-in-time snapshot.

How do I know which compliance framework I need? (Getting Started)

The framework you need depends on who you sell to and what data you handle. Defense contractors working with Controlled Unclassified Information need CMMC Level 2. Cloud service providers selling to federal agencies need FedRAMP. Healthcare organizations handling protected health information need HIPAA. SaaS companies with enterprise customers typically need SOC 2 or ISO 27001. Financial institutions face PCI-DSS requirements. Many organizations need multiple frameworks simultaneously.

Artificer helps determine your requirements through a guided scoping conversation. It asks about your customers, contracts, data types, and regulatory environment, then recommends the applicable frameworks and overlays. You can also browse the full framework catalog to understand what each standard requires before committing to an assessment.

What does compliance look like for a small defense contractor just starting out? (Getting Started)

A small defense contractor typically starts with CMMC Level 1 (17 practices for Federal Contract Information) and works toward CMMC Level 2 (110 practices for Controlled Unclassified Information) as contract requirements demand it. The first step is understanding your data flows: what CUI you handle, where it lives, and who has access. From there, you define your system boundary and begin implementing controls.

Redoubt Forge makes this practical for small teams. Start with Vanguard scanning to establish a security baseline. Connect your AWS accounts and Sentinel discovers your infrastructure. Artificer guides you through scoping, helps identify which practices apply to your environment, and drafts the narratives your assessor will need. You do not need a dedicated compliance team to begin. The platform structures the work so that a small team can make steady progress toward certification. See tier details at Pricing.

How quickly can we be operational? (Getting Started)

Cloud environments can be connected and scanning within hours. Connect your AWS accounts and Sentinel begins discovery immediately. Vanguard runs initial scans against your repositories, containers, and infrastructure configurations. Within the first day, you have an inventory of your estate in Garrison and a security baseline from scan results. Framework assessments start producing results as soon as you activate a framework pack in Rampart. Artificer guides the scoping process so your team does not stall on where to begin. Organizations migrating from spreadsheets or existing GRC tools can import prior documentation and evidence to preserve their compliance timeline. No multi-week implementation project required.

When does the platform launch? (Getting Started)

Redoubt Forge is in active development. All tiers show "Coming soon" until general availability. Early access is available now. Request early access to join the waitlist, receive launch pricing, and participate in pre-release builds. Forward-looking items and target phases live on the Redoubt Roadmap.

Can I request early access? (Getting Started)

Yes. Early access is available now. Request access at [email protected] to join the waitlist, receive launch pricing, and participate in pre-release builds. Early access includes direct access to the founding team for onboarding and feedback.

What compliance frameworks does Redoubt Forge support? (Compliance)

Redoubt Forge supports a comprehensive set of frameworks and overlays. Frameworks include NIST 800-53 rev5 (Low/Moderate/High baselines), CMMC Level 1/2/3, FedRAMP (Low/Moderate/High/LI-SaaS), SOC 2 Type I/II, ISO 27001:2022, PCI-DSS v4.0, HIPAA Security Rule, NIST CSF 2.0, CIS Controls v8, NIST 800-207 Zero Trust, CISA Zero Trust Maturity Model, NIST AI RMF, NIST IR 8596, RMF/FISMA, NIST 800-171 rev2/rev3, CNSSI 1253, and StateRAMP/TX-RAMP.

Overlays include DISA STIGs for 15+ platforms, DISA SRGs, CIS Benchmarks, DoD Impact Levels IL2 through IL6, CNSSI 1253 overlays, ITAR, DFARS, and sector-specific overlays for healthcare, financial services, education, and critical infrastructure. Enterprise tier supports custom frameworks with AI-suggested mappings that require human confirmation before activation.

How do frameworks and overlays differ? (Compliance)

Frameworks are independent control structures. Each framework defines its own set of controls, assessment criteria, and certification requirements. NIST 800-53 rev5 defines a catalog of security and privacy controls. CMMC defines maturity levels for the defense industrial base. FedRAMP defines baseline selections for cloud service providers. SOC 2 defines trust service criteria for service organizations. Each stands alone with its own assessment methodology and certification authority.

Overlays modify or extend a base framework. DISA STIGs add platform-specific implementation guidance on top of NIST 800-53 controls. CIS Benchmarks define hardening configurations for specific operating systems, cloud platforms, and databases. DoD Impact Levels (IL2 through IL6) specify additional controls based on data sensitivity. ITAR and DFARS add regulatory requirements on top of existing frameworks. In Rampart, you select a base framework and then layer applicable overlays. The platform resolves the combined control set and tracks each requirement distinctly. See the regulatory compliance guide for detailed overlay application patterns.

What is the derivation chain, and how does it reduce compliance overhead? (Compliance)

The derivation chain is the structural relationship between compliance frameworks. CMMC Level 2 IS NIST 800-171 rev2. NIST 800-171 derives from the NIST 800-53 Moderate baseline. FedRAMP baselines are specific control selections from the same NIST 800-53 catalog. SOC 2 Trust Service Criteria map to 800-53 control families through published cross-walks. ISO 27001:2022 Annex A controls have NIST-published mappings through the NIST Cybersecurity Framework. These relationships are deterministic and auditable. Work done for one framework simultaneously satisfies controls in every framework that traces back to the same NIST lineage.

Rampart maintains the cross-reference engine that resolves these derivation chains through five strategies: native control mapping, NIST 800-53 derivation chain tracing, NIST CSF 2.0 bridging, published cross-walks from authoritative sources, and AI-suggested mappings that require human confirmation. As you satisfy controls in one framework, Rampart computes your readiness percentage for every other framework in the catalog. The marginal effort to add each subsequent framework decreases because control overlap compounds through the derivation chain. One security posture. Every framework computed.

Can I add custom frameworks? (Compliance)

Yes. The Enterprise tier supports custom frameworks with full control definition, assessment criteria, and evidence requirements. Organizations can define frameworks that reflect internal security policies, sector-specific regulations, or customer-mandated requirements that do not map to a published standard. Custom frameworks participate in the same derivation chain as built-in frameworks: Rampart suggests mappings between custom controls and existing NIST 800-53 controls, enabling cross-framework leverage from day one.

Custom overlays are also supported at the Enterprise tier. Organizations can define ADD, MODIFY, and REMOVE operations against any base framework to reflect organizational policy requirements. A custom overlay might add controls for internal data handling procedures, modify evidence collection frequencies for specific control families, or remove controls that are not applicable based on the organization's operating environment. Custom frameworks and overlays integrate with Sentinel monitoring, Vanguard scan mapping, and Artificer guidance the same way built-in frameworks do.

How does Redoubt Forge handle regulatory compliance like ITAR and DFARS? (Compliance)

Regulatory requirements like ITAR (International Traffic in Arms Regulations) and DFARS (Defense Federal Acquisition Regulation Supplement) are implemented as overlays in Redoubt Forge. DFARS 252.204-7012 requires contractors handling Controlled Unclassified Information to implement NIST 800-171 and report compliance through the Supplier Performance Risk System. ITAR imposes additional access restrictions on technical data related to defense articles. Both layer additional requirements on top of existing framework controls.

In Rampart, you activate regulatory overlays alongside your base framework assessment. The platform resolves the combined control set: CMMC Level 2 plus DFARS plus ITAR produces the full set of controls your organization must satisfy for a specific contract. Sentinel monitors compliance with overlay-specific requirements, such as ITAR access restrictions and DFARS incident reporting obligations. See the regulatory compliance guide for detailed implementation patterns across defense, healthcare, financial, and other regulated sectors.
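As an added illustration of the overlay model described in the three answers above (frameworks versus overlays, custom ADD/MODIFY/REMOVE operations, and CMMC Level 2 plus DFARS plus ITAR resolving to one control set), the following is example code, not the platform's own implementation or data. The practice ids, overlay contents and attribute values are constructed samples, and the data model (a control dictionary with a "sources" trail) is an assumption made for the example.

```python
"""Overlay composition: ADD / MODIFY / REMOVE operations over a base framework (constructed sample)."""
import copy

# Constructed base framework: a few CMMC Level 2 practice ids with sample attributes.
BASE_CMMC_L2 = {
    "AC.L2-3.1.1": {"title": "Limit system access to authorized users", "evidence_every_days": 90},
    "AC.L2-3.1.3": {"title": "Control the flow of CUI", "evidence_every_days": 90},
    "IR.L2-3.6.2": {"title": "Track, document and report incidents", "evidence_every_days": 90},
    "MA.L2-3.7.5": {"title": "MFA for nonlocal maintenance sessions", "evidence_every_days": 90},
}

# Constructed overlays. Attribute values are illustrative, not a statement of the regulations.
DFARS_OVERLAY = [
    {"op": "MODIFY", "id": "IR.L2-3.6.2",
     "changes": {"report_within_hours": 72, "report_to": "DIBNet"}},
    {"op": "ADD", "id": "DFARS-7012-SPRS",
     "control": {"title": "Submit NIST 800-171 score to SPRS", "evidence_every_days": 365}},
]
ITAR_OVERLAY = [
    {"op": "ADD", "id": "ITAR-TECH-DATA",
     "control": {"title": "Restrict technical data to authorized persons", "evidence_every_days": 30}},
    {"op": "MODIFY", "id": "AC.L2-3.1.3", "changes": {"evidence_every_days": 30}},
]
SCOPE_OVERLAY = [
    {"op": "REMOVE", "id": "MA.L2-3.7.5", "reason": "no nonlocal maintenance in this enclave"},
]


def apply_overlays(base, overlays):
    """Resolve base + ordered overlays into one control set.

    Returns (resolved, removed). Every resolved control records which overlays
    touched it ("sources"), so each requirement stays traceable to its origin.
    Conflicts (ADD of an existing id, MODIFY/REMOVE of a missing or already
    removed id) raise instead of silently producing an ambiguous control set.
    """
    resolved = {cid: dict(copy.deepcopy(ctrl), sources=["base"]) for cid, ctrl in base.items()}
    removed = {}
    for name, ops in overlays:
        for op in ops:
            cid, kind = op["id"], op["op"]
            if kind == "ADD":
                if cid in resolved or cid in removed:
                    raise ValueError(f"{name}: ADD of existing control {cid}")
                resolved[cid] = dict(copy.deepcopy(op["control"]), sources=[name])
            elif kind == "MODIFY":
                if cid not in resolved:
                    raise KeyError(f"{name}: MODIFY of unknown or removed control {cid}")
                resolved[cid].update(copy.deepcopy(op["changes"]))
                resolved[cid]["sources"].append(name)
            elif kind == "REMOVE":
                if cid not in resolved:
                    raise KeyError(f"{name}: REMOVE of unknown or removed control {cid}")
                removed[cid] = {"by": name, "reason": op.get("reason", "")}
                del resolved[cid]
            else:
                raise ValueError(f"{name}: unsupported operation {kind!r}")
    return resolved, removed


def evidence_schedule(resolved):
    """Per-control evidence collection frequency after overlay resolution."""
    return {cid: ctrl["evidence_every_days"] for cid, ctrl in resolved.items()}


if __name__ == "__main__":
    resolved, removed = apply_overlays(
        BASE_CMMC_L2, [("DFARS", DFARS_OVERLAY), ("ITAR", ITAR_OVERLAY), ("scope", SCOPE_OVERLAY)])
    for cid, ctrl in resolved.items():
        print(cid, ctrl["sources"], ctrl["evidence_every_days"])
    print("removed:", removed)
```

Overlay order matters: a MODIFY that arrives after the control it targets was REMOVEd is rejected rather than resurrected, which is the check an assessor would expect when tracing a requirement back to its overlay.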

Does Redoubt Forge support multi-framework assessments? (Compliance)

Yes. The platform computes compliance posture across all active frameworks simultaneously from one source of truth. A single control implementation can satisfy requirements in CMMC, NIST 800-53, FedRAMP, and SOC 2 at the same time. The derivation chain traces every requirement back to its source, so organizations operating under multiple frameworks eliminate duplicate work. Change one control, and every framework that references it updates automatically. Evidence collected for one assessment is reused across all frameworks where the same control applies.

What overlays are available? (Compliance)

Overlays modify or extend a base framework for specific environments, sectors, or regulatory requirements. Available overlays include DISA STIGs (RHEL, Ubuntu, Windows, Kubernetes, PostgreSQL, and more), CIS Benchmarks (OS, cloud, container, database, web server), DoD Impact Levels (IL2 through IL6), CNSSI 1253 (classified systems), privacy overlays (NIST 800-53B, NIST 800-122 PII), AI governance (NIST AI 600-1), and sector-specific overlays for healthcare, financial services, education, and critical infrastructure. Enterprise tier supports custom organizational overlays. See the full list at Overlays.

What is the difference between CMMC Level 2 and NIST 800-171? (Compliance)

CMMC Level 2 and NIST 800-171 rev2 share the same 110 security practices. The difference is the assessment model. NIST 800-171 relies on self-assessment with a SPRS score submitted to the DoD. CMMC Level 2 requires a third-party assessment by a certified C3PAO for contracts involving prioritized acquisitions. Both protect Controlled Unclassified Information (CUI). Organizations that have implemented NIST 800-171 are already implementing the CMMC Level 2 practices; the remaining step is the formal C3PAO assessment and any gaps the assessor identifies.

Rampart treats CMMC Level 2 and NIST 800-171 as related through the derivation chain, so work on one automatically computes progress toward the other. Artificer can compute your SPRS score from current control status and identify which practices need attention before scheduling a C3PAO assessment. The platform tracks both self-assessment readiness and third-party assessment readiness in parallel.

Does Redoubt Forge cover healthcare compliance beyond HIPAA? (Compliance)

Yes. HIPAA Security Rule is one framework, but healthcare organizations often face additional requirements. The platform supports healthcare sector overlays that add HIPAA technical safeguards on top of base frameworks like NIST 800-53. Privacy overlays including NIST 800-53B Privacy Baseline and NIST 800-122 PII protections address the data privacy dimensions of healthcare compliance. Organizations handling both clinical and research data can layer multiple overlays to cover their full regulatory landscape.

Healthcare organizations selling to government agencies may also need FedRAMP or StateRAMP authorization. The derivation chain means HIPAA controls that overlap with NIST 800-53 satisfy requirements in both frameworks simultaneously. Rampart resolves the combined control set across all active frameworks and overlays, so healthcare organizations with complex regulatory environments manage a single security posture instead of maintaining separate compliance programs.

Can our assessor or auditor access Redoubt Forge directly? (Compliance)

Yes. Alliance provides read-only access for external assessors, auditors, and C3PAOs. Your assessor logs in and sees your control status, evidence chains, system boundary documentation, and compliance posture across every active framework. They can verify evidence integrity, review control narratives, and trace findings back to source systems without requesting screenshots or file exports. The access is scoped: assessors see only what you grant them, and all assessor activity is logged in the audit trail.

This changes the assessment workflow fundamentally. Instead of assembling a binder and scheduling evidence walkthrough sessions, your assessor reviews live data at their own pace. Evidence carries cryptographic integrity hashes so the assessor can verify it has not been modified after collection. Rampart presents the compliance package in a structured format that maps directly to framework requirements, reducing the back-and-forth that slows traditional assessments.

How does Redoubt Forge handle framework updates when standards change? (Compliance)

When a framework publishes a new revision, Redoubt Forge releases an updated framework pack through the Armory. The updated pack includes revised control definitions, new assessment criteria, and updated mappings to other frameworks. Your existing assessment data is preserved. Rampart runs a gap analysis between your current posture and the new revision, showing exactly which controls changed, which new requirements appeared, and which existing evidence still satisfies the updated criteria.

This matters because framework transitions are disruptive without tooling. When NIST 800-171 rev3 introduced new requirements and restructured control families, organizations using spreadsheets had to rebuild their documentation from scratch. In Redoubt Forge, Artificer maps your existing control implementations to the new revision's structure and identifies the delta. You address only the net-new requirements instead of re-documenting everything.

Can I start with one framework and add more later? (Compliance)

Yes. Most organizations start with a single framework requirement and expand as contracts, customers, or regulations demand additional certifications. Redoubt Forge is built for this progression. Start with CMMC for your defense contracts. Later, add SOC 2 when an enterprise customer asks for it. Add FedRAMP when a federal agency requires authorization. Each new framework activates instantly and Rampart computes your current readiness based on work already completed.

The derivation chain means subsequent frameworks require less marginal effort. If you have already satisfied NIST 800-53 Moderate controls for CMMC, a significant portion of FedRAMP Moderate and SOC 2 requirements are already met. The platform shows your starting position for each new framework before you begin the assessment, so you know the actual scope of remaining work.

What evidence does Redoubt Forge provide to assessors? (Compliance)

Evidence falls into several categories: configuration evidence from connected infrastructure, scan results from Vanguard, inventory records from Garrison, monitoring logs from Sentinel, and control narratives authored or reviewed through Artificer. Each piece of evidence carries a SHA-256 integrity hash, timestamp, source system identifier, and provenance metadata. Your assessor can verify that evidence has not been modified after collection.

Rampart organizes evidence by framework control, so your assessor reviews evidence in the structure they expect: grouped by control family, mapped to specific requirements, with clear status indicators. Continuous evidence shows that a control has been satisfied consistently over time, not just at the moment of collection. This is the difference between a point-in-time snapshot and a continuous compliance record.

How much of my CMMC work also satisfies FedRAMP or SOC 2? (Compliance)

Substantial overlap exists because these frameworks share common ancestry. CMMC Level 2 implements 110 NIST 800-171 practices, which derive from the NIST 800-53 Moderate baseline. FedRAMP Moderate selects from the same NIST 800-53 catalog. SOC 2 Trust Service Criteria map to NIST 800-53 control families through published cross-walks. The exact percentage depends on your specific implementation, but organizations with mature CMMC programs often find 60-80% of FedRAMP Moderate and 50-70% of SOC 2 requirements already addressed.

Rampart computes these percentages precisely based on your actual control status. When you activate a new framework, the platform shows your starting readiness score before you begin the assessment. This lets you scope the remaining work accurately and prioritize the controls that close the most gaps across multiple frameworks simultaneously.
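As an added example (not the platform's own code or cross-walk data), the readiness computation that the derivation chain answer and the answer above describe: satisfied requirements in one framework are traced down to the NIST 800-53 controls they derive from, and a second framework's readiness is the share of its requirements whose 800-53 ancestors are all covered. The framework ids, requirement ids and mappings below are constructed samples, far smaller than real cross-walks, and the all-ancestors rule is an assumption chosen so that partially covered requirements are not counted as met.

```python
"""Cross-framework readiness via a NIST 800-53 derivation chain (constructed sample data)."""
from collections import Counter

# Constructed sample: each framework's requirement id -> NIST 800-53 control(s) it
# derives from. Real cross-walks are larger; the ids here are only for illustration.
FRAMEWORK_MAPPINGS = {
    "NIST-800-171": {
        "3.1.1": ["AC-2", "AC-3"],
        "3.1.2": ["AC-3"],
        "3.3.1": ["AU-2"],
        "3.13.11": ["SC-13"],
    },
    "FedRAMP-Moderate": {
        "AC-2": ["AC-2"], "AC-3": ["AC-3"], "AU-2": ["AU-2"],
        "SC-13": ["SC-13"], "CP-9": ["CP-9"],
    },
    "SOC2": {
        "CC6.1": ["AC-2", "AC-3"],
        "CC7.2": ["AU-2"],
        "A1.2": ["CP-9"],
    },
}
# CMMC Level 2 shares the NIST 800-171 rev2 practice set, so it reuses that mapping.
FRAMEWORK_MAPPINGS["CMMC-L2"] = FRAMEWORK_MAPPINGS["NIST-800-171"]


def satisfied_800_53(framework, satisfied_reqs):
    """Trace satisfied requirements in `framework` down to the 800-53 controls they cover."""
    mapping = FRAMEWORK_MAPPINGS[framework]
    controls = set()
    for req in satisfied_reqs:
        controls.update(mapping[req])  # KeyError on an unknown requirement id
    return controls


def readiness(target, satisfied_controls):
    """Readiness % for `target`: a requirement counts only if ALL of its 800-53
    ancestors are satisfied; partially covered requirements stay in the gap list."""
    mapping = FRAMEWORK_MAPPINGS[target]
    met = {req for req, ancestors in mapping.items() if set(ancestors) <= satisfied_controls}
    pct = round(100 * len(met) / len(mapping), 1)
    return pct, sorted(set(mapping) - met)


def readiness_for_all(source, satisfied_reqs):
    """Starting readiness for every other framework, computed from work done in `source`."""
    controls = satisfied_800_53(source, satisfied_reqs)
    return {fw: readiness(fw, controls) for fw in FRAMEWORK_MAPPINGS if fw != source}


def gap_closing_priority(satisfied_controls):
    """Rank unmet 800-53 controls by how many requirements they unblock across all
    frameworks, so the next control implemented closes the most gaps at once."""
    counts = Counter()
    for mapping in FRAMEWORK_MAPPINGS.values():
        for ancestors in mapping.values():
            for ctrl in ancestors:
                if ctrl not in satisfied_controls:
                    counts[ctrl] += 1
    return counts.most_common()


if __name__ == "__main__":
    done = {"3.1.1", "3.1.2", "3.3.1"}  # practices satisfied for CMMC Level 2 (constructed)
    covered = satisfied_800_53("CMMC-L2", done)
    for fw, (pct, gaps) in readiness_for_all("CMMC-L2", done).items():
        print(f"{fw:17} {pct:5.1f}%  gaps: {gaps}")
    print("implement next:", gap_closing_priority(covered))
```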

Can I migrate an existing compliance program into Redoubt Forge? (Compliance)

Yes. Organizations with existing compliance programs can import current documentation, control narratives, evidence, and assessment results. Artificer maps imported artifacts to the platform's control structure and identifies where existing documentation satisfies framework requirements. Imported evidence is marked with its original collection date and source, preserving the compliance timeline. You do not start from zero.

The migration process also establishes a baseline for continuous monitoring. Once Sentinel connects to your infrastructure, it begins collecting live evidence alongside your imported historical records. Rampart shows where imported evidence is still current and where live evidence has superseded manual documentation. Over time, the platform replaces manual evidence with automated collection, reducing the compliance maintenance burden while preserving the historical record your assessor may need.

Does Redoubt Forge support FedRAMP Rev 5 (20x) and OSCAL? (Compliance)

Yes. Redoubt Forge supports the FedRAMP Rev 5 program update (the 20x modernization), including updated baselines derived from NIST 800-53 rev5 and the shift toward OSCAL (Open Security Controls Assessment Language) for machine-readable compliance documentation. OSCAL enables automated validation of System Security Plans, assessment results, and Plans of Action and Milestones. The platform generates OSCAL-formatted artifacts that FedRAMP's automated review tools can process directly.

Rampart exports compliance packages in OSCAL format, covering the SSP, SAR, SAP, and POA&M document types. This is a significant advantage over manual documentation workflows where teams produce Word documents and spreadsheets that require manual review. OSCAL export means your authorization package is machine-validated before submission, reducing review cycles and rejection risk. Artificer assists with the narrative portions that OSCAL still requires in human-readable form.

Do you offer a BAA for HIPAA-covered entities? (Compliance)

Yes. A Business Associate Agreement (BAA) is available for organizations that handle Protected Health Information (PHI) and require HIPAA compliance. The BAA covers the platform's role as a business associate when processing compliance data that includes or references PHI. It addresses permitted uses, disclosure restrictions, breach notification obligations, and subcontractor requirements. Contact [email protected] to request the BAA before onboarding. The BAA is available at all subscription tiers that include Rampart compliance capabilities.

How does Redoubt Forge automate compliance evidence collection? (Technical)

Sentinel, the automated monitoring capability, maintains continuous evidence streams with live connections to source-of-truth systems. Hash comparison detects the moment state changes. Evidence expiration warnings fire before gaps appear. Your assessor sees continuous verification confirming a control has been satisfied every day for the past 90 days, with the verification log to prove it. Evidence is not a file that decays. It is a live, immutable record from your running infrastructure.

Rampart stores every compliance event as an immutable record with a SHA-256 integrity hash, OpenTelemetry trace ID, user ID, session ID, and timestamp. The assessor can verify that evidence has not been modified after collection. This is cryptographic proof, not a trust assertion. Vanguard scan results feed the compliance engine continuously, with new findings automatically mapped to affected framework controls. Garrison tracks the complete infrastructure estate, ensuring the authorization boundary in your documentation matches the running environment.

Can Redoubt Forge work in air-gapped environments? (Technical)

Yes. Air-gapped environments participate through export and import workflows. Scan results and inventory data come in; remediation guidance and compliance artifacts go out. Garrison tracks air-gapped systems alongside cloud, hybrid, and on-premise infrastructure in a single connected estate. This supports defense contractors with air-gapped networks, healthcare organizations with isolated systems, manufacturing environments, and any network where direct connectivity is not possible.

Vanguard scan results from disconnected environments are imported and mapped to framework controls in Rampart the same way connected scan results are processed. DoD Impact Level requirements, CNSSI 1253 overlays for classified systems, and DISA STIG configurations all function within the air-gapped workflow. The platform generates remediation guidance and hardened Armory modules that can be transferred into the disconnected environment through approved data transfer mechanisms.

What is desired-state convergence for compliance? (Technical)

Desired-state convergence means the platform continuously observes current state, compares it to desired state, acts within policy, records what happened, escalates what requires judgment, and learns from decisions. Users declare what their systems should be: "This system should be CMMC Level 2 compliant on AWS with three environments." The platform continuously converges reality toward that declaration. It handles the 90% that is mechanical. Humans handle the 10% that requires judgment: intent, risk acceptance, policy choices, exceptions, review, and governance.

Sentinel detects drift and evaluates the compliance impact. Rampart re-evaluates affected frameworks automatically. Citadel surfaces the action queue with prioritized remediation tasks. For certain infrastructure drift scenarios, Sentinel can auto-remediate after approval: if a storage bucket loses its encryption configuration, Sentinel detects the drift and restores the compliant state within your defined change windows. The convergence loop operates continuously, not on a quarterly review cycle.

How does drift detection affect compliance? (Technical)

When infrastructure drifts from its desired state, compliance status can change instantly. A configuration change, a new resource, a modified policy: any of these can invalidate controls that were previously satisfied. Sentinel detects drift across your entire estate the moment it happens and evaluates the impact on your controls in real time. Rampart re-evaluates affected frameworks automatically. Posture degradation alerts trigger before small changes become real findings. Nothing decays silently.

This is the core difference between continuous compliance and periodic assessment. Traditional approaches collect evidence on a schedule; between collections, evidence decays and drift accumulates undetected. Garrison maintains a live inventory of every resource in your estate. When a new resource appears outside the declared authorization boundary, or an existing resource changes configuration, Sentinel fires an event and Rampart recalculates affected control scores across every active framework: CMMC, FedRAMP, NIST 800-53, SOC 2, and any others in your compliance portfolio.
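As an added example covering both the evidence-collection answer (immutable records with a SHA-256 integrity hash, timestamp and source identifier) and the drift answer above (hash comparison detecting state changes and re-evaluating affected controls), the following is illustrative code, not the platform's implementation. The resource-to-control mapping, the snapshots and the collector name are constructed, the hash-chain layout is an assumption, and the OpenTelemetry trace, user and session ids the page lists are omitted for brevity.

```python
"""Hash-chained evidence records and drift detection by state-hash comparison (constructed sample)."""
import hashlib
import json

# Constructed: which framework controls each monitored resource provides evidence for.
RESOURCE_CONTROLS = {
    "s3://cui-evidence-bucket": ["SC-28", "SC-13"],
    "iam:role/assessor-readonly": ["AC-2", "AC-6"],
}
GENESIS = "0" * 64


def canonical(obj):
    """Stable JSON bytes so equal states always hash equally, whatever the key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_record(resource, observed, source_system, collected_at, prev_hash):
    """One immutable evidence record: the observed state, its own state hash, the
    controls it supports, provenance fields, and a link to the previous record."""
    body = {
        "resource": resource,
        "controls": RESOURCE_CONTROLS[resource],
        "observed": observed,
        "state_hash": sha256(canonical(observed)),
        "source_system": source_system,
        "collected_at": collected_at,
        "prev_hash": prev_hash,
    }
    return {**body, "hash": sha256(canonical(body))}


def build_chain(snapshots, source_system, collected_at):
    """Append one record per snapshot, each linked to the hash of the one before."""
    chain, prev = [], GENESIS
    for resource, observed in snapshots:
        rec = make_record(resource, observed, source_system, collected_at, prev)
        chain.append(rec)
        prev = rec["hash"]
    return chain


def verify_chain(chain):
    """Return (ok, index, reason). Editing a record breaks its own hash; re-hashing
    an edited record instead breaks the prev_hash link of the record after it."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev:
            return False, i, "chain break"
        if sha256(canonical(body)) != rec["hash"]:
            return False, i, "hash mismatch"
        prev = rec["hash"]
    return True, len(chain), "ok"


def detect_drift(chain, resource, current_observed):
    """Compare a fresh observation's hash with the last recorded state_hash for the
    resource; on drift, return the controls that must be re-evaluated."""
    last = next((r for r in reversed(chain) if r["resource"] == resource), None)
    if last is None:
        return True, RESOURCE_CONTROLS.get(resource, [])  # never seen: treat as new
    drifted = sha256(canonical(current_observed)) != last["state_hash"]
    return drifted, last["controls"] if drifted else []


# Constructed sample snapshots, as a collector might observe them.
SNAPSHOTS = [
    ("s3://cui-evidence-bucket", {"encryption": "aws:kms", "public_access_block": True, "versioning": True}),
    ("iam:role/assessor-readonly", {"policies": ["ReadOnlyAccess"], "mfa_required": True}),
]

if __name__ == "__main__":
    chain = build_chain(SNAPSHOTS, "collector-01", "2025-01-01T00:00:00Z")
    print(verify_chain(chain))
    print(detect_drift(chain, "s3://cui-evidence-bucket",
                       {"encryption": "none", "public_access_block": True, "versioning": True}))
```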

What DevSecOps scanners are supported? (Technical)

Vanguard is the DevSecOps workbench. It supports multi-language SAST (static application security testing), secret scanning, linting, dependency analysis, container scanning, DAST (dynamic application security testing), STIG raw results, code quality analysis, coverage tracking, fuzzing, and API security testing. Scan targets that are not connected to a system live in Outpost and graduate to Garrison when promoted to a connected system.

The critical differentiator is the bridge between scan results and compliance controls. Vanguard findings automatically map to framework controls in Rampart. A vulnerability discovered in application code maps to flaw remediation controls. A secret found in a repository maps to credential management controls. A container image with a known CVE maps to system integrity controls. This mapping works across every active framework: CMMC, NIST 800-53, FedRAMP, SOC 2, and any others in your compliance portfolio. Sentinel schedules scans and tracks trends over time, ensuring continuous evidence from your development pipeline.

+ How does AI guidance work in Redoubt Forge? Technical

Redoubt Forge uses AI-guided compliance to accelerate assessment, remediation, and documentation. Artificer guides system scoping by asking targeted questions based on what Sentinel has already discovered about your environment. It drafts practice narratives, suggests control mappings, computes SPRS scores, and identifies which remediations deliver the greatest compliance improvement per unit of effort. AI handles the mechanical work. Humans handle the judgment: risk acceptance, policy choices, exceptions, and governance decisions.

AI-suggested framework mappings require human confirmation before activation. AI-drafted narratives are presented for review, not automatically published. AI-recommended remediations enter the action queue in Citadel as proposed tasks, not automated changes. The platform is designed so that AI accelerates the 90% of compliance work that is mechanical while preserving human authority over the 10% that requires judgment. Every AI-generated artifact carries provenance metadata identifying it as AI-assisted, ensuring full transparency for assessors and auditors reviewing your compliance package in Rampart.

+ Does Redoubt Forge support AWS GovCloud? Technical

Yes. Redoubt Forge supports deployment in AWS GovCloud (US-West and US-East) for organizations requiring ITAR, FedRAMP High, and DoD Impact Level 4/5 compliance. The platform also supports AWS Commercial regions, hybrid deployments spanning both, and on-premises environments. Managed infrastructure is available through the Armory for organizations that need Redoubt to operate the underlying AWS accounts. GovCloud deployments use the same platform capabilities with additional controls for defense contractors, federal vendors, and regulated organizations requiring FedRAMP, CMMC, or ITAR compliance.

+ What deployment models are available? Technical

Three deployment models are supported. SaaS: the platform runs in Redoubt-managed infrastructure with tenant isolation, encryption at rest (AES-256) and in transit (TLS 1.3+), and no customer infrastructure to maintain. Hybrid: the platform connects to your existing AWS accounts (Commercial or GovCloud) and Sentinel monitors your infrastructure remotely. On-premises: for air-gapped or restricted environments, the platform deploys inside your enclave with no external connectivity required. All models support the same nine capabilities and framework coverage. For managed deployments, Redoubt handles the infrastructure so your team focuses on compliance.

+ How does continuous monitoring work in Redoubt Forge? Technical

Continuous monitoring operates through Sentinel, which maintains persistent connections to your infrastructure and source-of-truth systems. Sentinel ingests AWS security service data (CloudTrail, Config, Security Hub, GuardDuty), runs scheduled Vanguard scans, and performs configuration checks against your declared desired state. When state changes, Sentinel evaluates whether the change affects compliance controls and fires events that Rampart processes in real time.

Monitoring frequency varies by evidence type. Infrastructure configuration checks run continuously through AWS Config rules. Vulnerability scans run on configurable schedules. Evidence expiration is tracked per control, with warnings before gaps appear. Citadel surfaces monitoring alerts in the action queue, prioritized by compliance impact. The result is a posture that your assessor can verify has been maintained continuously, not just at the moment of the assessment.

+ What compliance workflows can be automated? Technical

Evidence collection, control scoring, drift detection, scan scheduling, evidence expiration tracking, and compliance reporting are fully automated. Sentinel handles the collection and monitoring layer. Rampart handles scoring, mapping, and document generation. Vanguard scans run on schedules or trigger from CI/CD pipeline events. POA&M tracking updates automatically as controls change status. Cross-framework readiness percentages recalculate whenever underlying controls change.

Workflows that require human judgment are surfaced but not automated: risk acceptance decisions, policy exception approvals, control narrative review, and governance sign-offs. Artificer drafts narratives and suggests remediation priorities, but humans approve before anything publishes. The automation boundary is deliberate. The platform handles the mechanical 90% so your team focuses on the decisions that require expertise and organizational context.

+ How does Redoubt Forge integrate with CI/CD pipelines? Technical

Vanguard integrates with CI/CD pipelines through Sentinel pipeline gates. Scans trigger on code push, pull request, or deployment events. Results feed directly into the compliance engine. Failed gates block deployment when controls are violated. The platform supports integration through CLI, API, and native pipeline actions. Scan results from your pipeline map to framework controls automatically. A vulnerability found in CI does not just create a ticket; it updates your compliance posture in real time. See Vanguard for supported scanner types.

+ What cloud providers and platforms does Redoubt Forge support? Technical

The platform currently connects to AWS (Commercial and GovCloud regions) through APIs, native service connectors, and agent-based collection. Sentinel collects data across cloud services, identity providers, network configurations, storage, compute, databases, and security tools within your environment. Vanguard scans source code, dependencies, containers, infrastructure configurations, and runtime environments. DISA STIGs and CIS Benchmarks provide hardening assessments across operating systems, containers, databases, web servers, and cloud foundations. Azure and GCP connectivity is on the Roadmap. See Capabilities for the full scope of what the platform monitors and scans.

+ What are the subscription tiers? Pricing

Five tiers are available, scaling from individual developers through large enterprise organizations. Each tier adds capabilities, seats, and system limits. All tiers include DevSecOps scanning, scheduled monitoring, and infrastructure deployment. Higher tiers add the full compliance engine, team collaboration, trust networks, custom frameworks, and dedicated support. See full tier details and pricing at Pricing.

+ Is there a free tier or trial? Pricing

There is no free tier. All tiers require a subscription. Early access pricing is available for organizations that join before general availability. Request early access at [email protected] for details on launch pricing and pre-release participation.

+ What is included in each tier? Pricing

Every tier includes Vanguard scanning, Sentinel scheduling, and Garrison deployment. Higher tiers add Rampart (compliance engine with all frameworks), expanded monitoring and discovery, team collaboration, Alliance trust networks, API access, custom frameworks, and dedicated support. Each tier builds on the previous. See the full comparison at Pricing.

+ Are there annual discounts? Pricing

Yes. All tiers offer a 20% discount on annual billing. Annual plans are paid upfront for the full year. See current pricing at Pricing.

+ How long is my tenant data kept, and what happens on cancellation? Pricing

Your evidence, assessments, control narratives, audit trails, and configurations are retained for the full length of your active subscription with no time limit while the subscription stays active. While active, data remains in hot storage, immediately queryable, and fully restorable through the platform.

On cancellation, your tenant data enters a 90-day frozen grace period in cold storage. During this window you can request a data export through support or reinstate the subscription to restore everything exactly as it was: evidence, assessments, scores, configurations, and narratives. Transient data classes (scan results, Sentinel-collected evidence, Discovery inventory) are purged 30 days after cancellation as part of the reduced-state cleanup.

After the 90-day grace period with no reinstatement, data moves to long-term archive only if a formal legal or regulatory hold requires it. Otherwise it proceeds through the nine-step verified deletion process per the deletion schedule in your contract. Legal holds extend retention indefinitely until the hold is released. The deletion process is irreversible once executed. See the pricing page for commercial questions about subscription lifecycle and reinstatement.

+ What add-ons are available? Pricing

Add-ons extend tier limits without upgrading. Additional seats, systems, and Outposts are available as monthly add-ons. IaC modules are available as one-time purchases without a subscription. Professional services include architecture reviews and ongoing advisory engagements. See all options and pricing at Armory.

+ How does onboarding work? Pricing

Onboarding starts with connecting your infrastructure. For cloud environments, connect your AWS accounts and Sentinel begins discovery within minutes. For on-premises or hybrid environments, deploy collection agents to your network. The platform inventories your resources, runs initial scans, and establishes a security baseline. Artificer then guides you through framework selection, system scoping, and evidence mapping. No multi-week implementation projects. No professional services required to start, though advisory and managed services are available through the Armory.

+ What support is available? Pricing

All tiers include platform documentation, knowledge base access, and community support. Enterprise tier includes dedicated support with SLA commitments. Professional services including architecture reviews, ongoing advisory, and managed infrastructure are available through the Armory. Early access participants get direct access to the founding team.

+ What are the contract terms? Pricing

Subscriptions are available on monthly or annual billing. Annual billing includes a 20% discount and is paid upfront for the full year. Monthly billing has no long-term commitment. You can upgrade tiers at any time. Downgrades take effect at the next billing cycle. See Pricing for current rates.

+ Is Redoubt Forge available on AWS Marketplace? Pricing

AWS Marketplace availability is on the Roadmap. Organizations that require marketplace purchasing for procurement compliance can contact [email protected] for alternative procurement arrangements in the interim.

+ What payment methods are accepted? Pricing

Credit card and invoiced billing are available. Enterprise and Business tiers support purchase orders with Net 30 terms. Contact [email protected] for invoiced billing arrangements or custom procurement requirements.

+ What happens if we exceed our tier limits? Pricing

The platform notifies you when you approach seat, system, or Outpost limits. If you exceed limits, you can add capacity through add-ons without changing tiers, or upgrade to a higher tier for expanded limits. No service interruption occurs while you decide. See add-on options at Armory.

+ How do AI credits work? Pricing

Each tier includes a monthly allocation of AI credits for Artificer operations: narrative generation, gap analysis, remediation recommendations, and guided workflows. Credits refresh monthly. Usage beyond the included allocation is available as overage at a per-credit rate. Credit consumption varies by task complexity. See tier-specific credit allocations at Pricing.

+ What is infrastructure utilization, and how is it billed? Pricing

Organizations using managed AWS accounts pay a utilization fee on the underlying AWS infrastructure that Redoubt operates on their behalf. This covers the cost of compute, storage, networking, and AWS service usage within the managed boundary. The utilization rate varies by tier. Organizations connecting their own AWS accounts do not pay utilization fees; they pay AWS directly. See Armory for managed infrastructure details.

+ Can I adjust my account limits without upgrading tiers? Pricing

Yes. Seats, systems, and Outpost limits can be increased through add-ons without changing tiers. Add-ons are billed monthly and can be added or removed at any time. This allows organizations to scale specific dimensions (more seats for a growing team, more systems for a new contract) without paying for capabilities they do not need. See all adjustable limits at Armory.

+ Are there additional costs beyond the subscription? Pricing

The subscription covers the platform, all framework packs, and the included AI credit allocation. Optional costs include: add-on seats, systems, and Outposts beyond tier limits; AI credit overage beyond the monthly allocation; managed AWS infrastructure utilization (only if Redoubt operates your AWS accounts); IaC modules (one-time purchases); and professional services (architecture reviews, ongoing advisory). All optional costs are published transparently at Pricing and Armory. No hidden fees.

+ How does Redoubt Forge pricing compare to other compliance platforms? Pricing

Unlike platforms that charge per framework, per assessment, or per evidence artifact, Redoubt Forge includes all supported frameworks at the Guardian tier and above. No per-framework fees. No per-scan charges. No evidence storage surcharges. The platform covers the full compliance spectrum in one subscription. The pricing model scales with your team size and system count, not with the number of frameworks or assessments you run. See tier details at Pricing.

+ Is there a discount for nonprofits, education, or government? Pricing

Contact [email protected] for special pricing programs. Government, education, and nonprofit organizations may qualify for adjusted rates depending on size and mission alignment.

+ Can I change tiers mid-contract? Pricing

Yes. Upgrades take effect immediately. You gain access to the higher tier's capabilities, seat limits, and system limits right away. The billing difference is prorated for the remainder of your current cycle. Downgrades take effect at the next billing cycle. No penalty for changing tiers in either direction.

+ What is the total cost of ownership? Pricing

Total cost depends on your tier, add-ons, and whether you use managed infrastructure. The subscription covers the platform, all framework packs, and AI credits. Organizations connecting their own AWS accounts pay no infrastructure utilization fees to Redoubt. The primary cost drivers beyond the subscription are additional seats and systems as your team grows. There are no per-framework fees, per-scan charges, or evidence storage surcharges. Professional services are optional. See Pricing for rates and Armory for add-on details.

+ How does Redoubt Forge protect customer data? Security

The platform collects compliance data only. Your operational workloads, databases, and business data stay in your environment. Compliance data (evidence artifacts, scan results, control assessments, posture scores) is encrypted at rest using AES-256 and in transit using TLS 1.3+. Tenant compliance data is isolated at the infrastructure level. No data is shared between tenants, used for model training, or accessible to other customers. Access to production systems requires multi-factor authentication and role-based access controls. All access is logged and auditable. See our security policy for vulnerability reporting.

+ Where is customer data stored? Security

Compliance data is stored in AWS. Commercial tenants use US-based AWS Commercial regions. GovCloud tenants use AWS GovCloud (US) regions. Your operational data stays in your own environment; the platform only stores the compliance artifacts it collects. Data residency for compliance data can be restricted to specific regions based on your requirements. No compliance data leaves the selected region without explicit configuration. See our security policy for details.

+ Is Redoubt Forge SOC 2 certified? Security

Redoubt Forge is pursuing SOC 2 Type II certification. As a compliance platform, we hold ourselves to the same standards we help our customers achieve. Status updates on our own compliance certifications are published on the Roadmap.

+ How do I report a security vulnerability? Security

Report vulnerabilities to [email protected]. Include a description of the issue, steps to reproduce, and potential impact. We acknowledge receipt within 48 hours, triage within 5 business days, and coordinate disclosure after remediation. Good-faith research is authorized and protected under our security policy. Researchers who responsibly disclose verified vulnerabilities are recognized on our acknowledgments page.

+ What is your data processing agreement? Security

A Data Processing Agreement (DPA) is available for organizations that require one under GDPR, CCPA, or other privacy regulations. The DPA covers data handling, processing purposes, sub-processors, breach notification, and data subject rights. Contact [email protected] to request the DPA before signing.

+ Does Redoubt Forge undergo third-party security testing? Security

Yes. The platform undergoes regular third-party penetration testing and vulnerability assessments. Results are available to customers under NDA upon request. Additionally, the platform's own security posture is assessed using the same frameworks and capabilities it provides to customers. Status updates on certifications and audit timelines are published on the Roadmap.

+ What is your incident response and breach notification process? Security

Redoubt Forge maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident analysis. In the event of a confirmed security incident affecting customer compliance data, affected customers are notified within 72 hours. Notification includes the nature of the incident, data affected, containment actions taken, and recommended customer actions. Incident response details are covered in the Data Processing Agreement and can be reviewed before signing. Contact [email protected] to request the full incident response summary. See our security policy for the full responsible disclosure program.

+ Who at Redoubt has access to my compliance data? Security

Access to customer compliance data is restricted to authorized personnel on a need-to-know basis. All production access requires multi-factor authentication, role-based access controls, and is logged with full audit trails. Background checks are conducted for all employees with production system access. No customer compliance data is accessible to sales, marketing, or other non-operational teams. Access logs are available for customer review upon request. See our security policy for details on our security practices.

+ Does Redoubt Forge carry cyber liability insurance? Security

Yes. Redoubt Forge maintains cyber liability insurance covering data breach response, business interruption, and third-party liability. Coverage details and certificates of insurance are available to customers upon request during the procurement process. Contact [email protected] for insurance documentation.

+ How are encryption keys managed? Security

Encryption keys are managed through AWS Key Management Service (KMS). Keys are rotated automatically on an annual basis. Each tenant's compliance data is encrypted with dedicated keys. Redoubt does not store or have access to customer-managed encryption keys used within your own AWS accounts. For managed infrastructure deployments, key management follows AWS KMS best practices with automatic rotation and audit logging.

+ What third-party services does Redoubt Forge use? Security

The platform runs on AWS infrastructure (Commercial and GovCloud). AI capabilities use Anthropic's Claude models for Artificer guidance. No customer compliance data is sent to AI models for training. A full list of subprocessors is included in the Data Processing Agreement. Contact [email protected] to request the subprocessor list before signing.

+ Can I export my compliance data? Security

Yes. All compliance data (evidence artifacts, control assessments, posture scores, documents, policies, and audit trails) can be exported in standard formats. Data export is available at any time during an active subscription and during the post-cancellation grace period. You own your compliance data. The platform does not restrict export or charge fees for data retrieval.

+ Is Redoubt Forge FedRAMP authorized? Security

Redoubt Forge is not yet FedRAMP authorized as a cloud service provider. The platform helps organizations achieve their own FedRAMP authorization by managing controls, evidence, and assessment workflows. Pursuing FedRAMP authorization for the platform itself is on the Roadmap. Organizations requiring a FedRAMP-authorized vendor can deploy in their own AWS GovCloud accounts with Redoubt connecting via APIs, keeping the authorization boundary under their control.

Something is being forged.

The full platform is under active development. Reach out to learn more or get early access.