Self-hosted · Air-gap ready · Zero trust

Compliance that runs
on your infrastructure

Automated assessments, risk quantification, and incident response for SOC 2, ISO 27001, and CMMC. Deploy with Docker in minutes.

Start 30-Day Free Trial Read the Docs
SOC 2 Type II 61 controls
ISO/IEC 27001:2022 93 controls
CMMC Level 2 110 controls
NIST CSF 2.0 83 controls
HIPAA Security Rule 25 controls
PCI DSS v4.0.1 63 controls
GDPR 30 controls
Sovereign GRC Dashboard

Everything you need for continuous compliance

A modular platform covering the full GRC lifecycle.

Automated Assessments

AI-powered control evaluation with Steampipe cloud queries. Assess SOC 2, ISO 27001, CMMC, NIST CSF 2.0, HIPAA, PCI DSS 4.0.1, and GDPR from one platform. Connect your own LLM key (NVIDIA, Workers AI, or vLLM); cloud queries use the optional Steampipe sidecar.

Incident Response

NIST 800-61 compliant workflow with SLA tracking, automated OPA playbooks, and regulatory breach notification.

Risk Quantification

FAIR methodology with Monte Carlo simulation. KRI monitoring with configurable thresholds and trend analysis.

📄

Policy Management

Administrative policy lifecycle with review tracking, approval workflows, and OPA Rego policy linking. Automated OPA evaluation uses the optional policy-engine sidecar.

👥

Vendor Risk (A2A)

Agent-to-Agent attestation protocol for automated vendor compliance data exchange. SOC 2 and ISO 27001 report ingestion.

📁

Evidence Repository

Versioned, hash-verified evidence with WORM object lock for audit-defensible immutability. Connect your own S3-compatible object storage (Cloudflare R2, AWS S3, or the bundled MinIO).

🔗

Ticketing & Integrations

Two-way ticket sync keeps a single comment thread in step with your tracker. Connect Jira, ServiceNow, or any tracker via the HMAC webhook provider.

🔒

Tamper-Evident Audit Log

SHA-256 hash chain with cryptographic integrity verification. Every action recorded and verifiable.

Simple, transparent pricing

Self-hosted on your infrastructure. No data leaves your network.
See how we compare to Vanta, Drata, AuditBoard & more →

Trial

Free · 30 days
Full platform for a month. No credit card.
  • Up to 5 users
  • All 7 frameworks
  • AI-powered assessments
  • Risk quantification (FAIR)
  • Incident response workflows
  • PDF, XLSX, HTML reports
Start Trial

Starter

$499/mo
Self-serve for teams running their first audit.
  • Up to 25 users
  • All 7 frameworks
  • Steampipe cloud queries
  • Policy management
  • Tamper-evident audit log
  • Email support
Start Free Trial

Business

$60k/yr
For companies with an active vendor program.
  • Up to 500 employees
  • Everything in Starter
  • A2A vendor attestation protocol
  • Continuous scheduling + KRIs
  • SSO (Okta, Entra, Google)
  • Standard SLA + chat support
Contact Sales

Sovereign

$150k+/yr
Self-hosted & air-gapped for regulated buyers.
  • Unlimited users
  • Self-host in your VPC or SCIF
  • Local vLLM — no cloud LLM dependency
  • FedRAMP Ready / IL5 / GovCloud path
  • BCM / disaster recovery
  • Dedicated CSM + custom SLA
Contact Sales

Get your free 30-day trial key

Enter your email to receive a license key. No credit card required. Deploy on your own infrastructure in minutes.

Deploy in minutes

Docker Compose stack with PostgreSQL, Redis, backend, frontend, and optional MinIO. OPA and Steampipe are available in the full source deployment. The installer brings up the core stack; flagship features (AI, evidence storage, ticketing) are enabled by connecting your own keys and integrations afterward.

# One-line install — pulls pre-built images, generates secrets,
# starts the stack, and runs database migrations automatically.
curl -sSL https://get.defendflow.xyz | bash

# Works on Linux, macOS (Docker Desktop), and any OCI host.
# No source code download required — images ship from ghcr.io.
Step 1

Install

One command downloads the compose file and env template, checks prerequisites, generates secrets, and pulls prebuilt images to start the stack.

Step 2

Activate

Paste your trial or purchased license key in Settings.

Step 3

Connect

Add your LLM key, object storage, and ticketing. The in-app Setup readiness checklist shows what is ready and what still needs a key.

Step 4

Assess

Create your first assessment and connect cloud providers.