Product — Policy-as-Code
Controls you can execute, not just document
Six policy types turn compliance requirements into machine-readable rules. They evaluate continuously against your ledger — and can block violations before they enter.
Six policy types
One language for every control
Balance thresholds. Approval flows. SLAs. Access restrictions. Segregation of duties. Evidence freshness. Six primitives that compose into any compliance requirement.
Balance
Set min, max, or exact thresholds on any account. "Zero open critical findings." "At least 1 annual penetration test." Violations fire the moment a balance drifts out of bounds.
max: 0 shadow IT apps
Flow
Require items to pass through intermediate steps before reaching a destination. Every app must go through security review before approval — tracked per item, not in aggregate.
discovered → review → approved
Temporal
Enforce time limits on how long items can stay in a state. Discovered vulnerabilities must be triaged within 30 days. FIFO tracking catches the oldest item first.
max 30 days in triage
Role
Restrict who can post to sensitive accounts. Only CISOs can accept risks. Only reviewers can approve vendors. Transactions without an identified actor are always violations.
only: reviewer, ciso
Separation
Enforce segregation of duties — the person who proposes cannot be the person who approves. Per-item correlation means Alice can approve Bob's change while Bob approves Alice's.
proposer ≠ approver per item
Freshness
Evidence expires. Require periodic proof that controls are active. Quarterly vulnerability scans, annual penetration tests, monthly backup verification. Retracted evidence doesn't count.
scan every 90 days
How it works
From definition to enforcement
Policies aren't just documentation. They're executable rules that produce auditable results.
Policies are the controls
When an auditor asks "show me control A.8.1", you point to the policy definition and its check result. No separate mapping document. The policy IS the control.
Waivers with expiry
Accept a policy violation with a reason and a deadline. Waivers expire automatically — no forgotten risk acceptances lingering in a spreadsheet.
Write-time enforcement
Policies can reject transactions before they enter the ledger. A change that would violate segregation of duties is blocked at the gate, not flagged after the fact.
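As an added illustration (not the product's own code or policy language), the Role and Separation primitives above can be modelled as small checks that run at write time, so a violating transaction is rejected before it is appended to the ledger. The item/account/actor transaction shape, the policy factories and the `post` gate are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class Txn:
    item: str              # the tracked thing, e.g. a change ticket or a risk (constructed)
    account: str           # account/state the item is posted to, e.g. "change:approved"
    actor: Optional[str]   # who posted it; None means no identified actor

@dataclass
class Ledger:
    txns: list = field(default_factory=list)

Violation = Optional[str]
Policy = Callable[[Txn, Ledger], Violation]

def role_policy(account: str, only: set) -> Policy:
    """Role: only the listed actors may post to `account`; anonymous posts always violate."""
    def check(txn: Txn, _ledger: Ledger) -> Violation:
        if txn.account != account:
            return None
        if txn.actor is None:
            return f"{account}: no identified actor"
        if txn.actor not in only:
            return f"{account}: {txn.actor} is not one of {sorted(only)}"
        return None
    return check

def separation_policy(propose: str, approve: str) -> Policy:
    """Separation: correlated per item, so Alice may approve Bob's item and vice versa."""
    def check(txn: Txn, ledger: Ledger) -> Violation:
        if txn.account != approve:
            return None
        proposers = {t.actor for t in ledger.txns
                     if t.item == txn.item and t.account == propose}
        if txn.actor in proposers:
            return f"{txn.item}: {txn.actor} both proposed and approved"
        return None
    return check

def post(ledger: Ledger, txn: Txn, policies: list) -> tuple:
    """Write-time enforcement: a violating transaction never enters the ledger."""
    for policy in policies:
        violation = policy(txn, ledger)
        if violation:
            return False, violation
    ledger.txns.append(txn)
    return True, None
```

Because every check sees only transactions already accepted, a rejected post leaves no trace in the ledger and later evaluations never have to reason about it.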
Continuous evaluation
Policies run against the full ledger on every scan. Drift is caught the moment it happens — not during the next quarterly review.
For MSPs
One policy engine, every client
Define policy templates once, apply them across your portfolio. Customize thresholds per client without rebuilding the logic.
Policy templates per framework
Start with pre-built policy sets for ISO 27001, NIS2, SOC 2, DORA, and CIS Benchmarks. Customize per client as needed.
Client-specific overrides
Same base policies, different thresholds per client. One client requires 7-day remediation SLAs. Another accepts 30. Both are enforced automatically.
Compliance status at a glance
Each policy produces a pass/fail/waived result. Roll up across clients for a portfolio-wide compliance dashboard.
Stop documenting controls. Start enforcing them.
See how policies evaluate against real scan data. Start with a free domain scan and watch the policies run.