Unstructured Data Normalization
commits, PR comments, logs, tickets, chats → structured evidence.
Turns raw PR comments, CI logs, and Jira threads into audit-ready evidence.
Turn Unstructured Chaos Into Compliance Confidence Join 300+ DevSecOps teams already simplifying audits
Built with input from leading fintech, SaaS, and AI companies
Why now
- GRC tools check structured settings, but auditors still demand unstructured evidence.
- Most teams waste weeks screenshotting Jira, Slack, PRs, and CI logs.
- Underwriters lack objective, evidence-backed risk scoring.
How it works
-
1. Ingest
Connect GitHub/GitLab, CI logs, Jira, Confluence, Slack, HRIS.
-
2. Normalize & Map
AI automatically maps unstructured signals to SOC2/ISO/PCI controls with citations.
-
3. Score & Report
0–100 risk score, deltas over time, one-page audit report, and Jira-ready remediation.
Key features
AI Control Mapping
SOC2 CC6–CC9, ISO Annex A, PCI, HIPAA with explainable rationale.
Explainable control mapping with citations to the original artifacts.
Risk Score & Deltas
quantify posture; show what improves the score.
Quantified risk with clear deltas and 'what-to-fix' guidance.
Audit-Ready Output
one-pager for auditors/insurers with evidence links.
Privacy-by-Design
read-only scopes, redaction, no-exfil mode, BYOK.
Two product paths
CLI for Engineers
brew install sdek → scan Git/Jira/CI, get terminal summary + local HTML/PDF report.
SaaS for Teams
persistent connectors, dashboards, history, benchmarks, API/export to GRC.
Who it’s for
Startups preparing SOC2
Auditors needing real evidence
Insurers seeking objective SDLC risk
CTOs/DevSecOps
What early adopters are saying
"Finally, SOC2 prep that doesn't mean endless screenshots. Cut our audit prep from 3 weeks to 4 days."
"The AI mapping is surprisingly accurate. It found evidence in Slack threads I'd completely forgotten about."
"Risk score dropped 23 points after fixing the Jira tickets it flagged. Our insurer actually noticed."
What's new
Updated October 2025SOC2 CC7 Support & Enhanced Logging
- Full SOC2 CC7 (System Operations) control mapping
- PagerDuty incident correlation for availability evidence
- Enhanced CloudWatch/DataDog log parsing
Jira Evidence Mapping & Smart Citations
- Automatic Jira ticket → control mapping with confidence scores
- Deep-link citations to original comments and attachments
- Support for Jira custom fields in evidence extraction
GitHub Integration & PR Analysis
- GitHub/GitLab PR review extraction with approval chains
- Commit signature verification for change management evidence
- Branch protection policy compliance checks
Evidence preview
SOC2
ISO 27001
PCI DSS
HIPAA
Integrations
- GitHub
- GitLab
- Jira
- Confluence
- Slack
- Okta
- AWS
- GCP
- Azure
Pricing
Free CLI
local scans & report.
Team (SaaS)
dashboards, history, PDF exports, API.
Enterprise
SSO/SAML, BYOK, on-prem agent.
FAQ
Do you store code?
No. We default to metadata + redacted artifacts; no-exfil mode available.
How do you map to SOC2?
AI + rules; each finding cites evidence and control IDs (e.g., CC7.2).
Will this replace my GRC tool?
No—we complement Vanta/Drata by supplying unstructured evidence.
Is there an API?
Yes—export JSON, PDF, and webhooks.
What about insurers?
We provide a quantified risk score and one-page underwriting report.
Ready to turn chaos into confidence?
We collect your email only to share product updates and beta access. You can unsubscribe anytime. For security, we default to read-only scopes, redact sensitive data, and offer a no-exfil mode.
Join hundreds of engineers simplifying SOC2 audits Already 500+ teams on the waitlist
No credit card required
Early access pricing locked
Priority support included
Sample Report
Pull Request Review Evidence
Finding Summary
Pull request #4321 demonstrates proper change management controls with documented approvals from authorized reviewers before deployment to production.
PR Number:
#4321
Approvals:
2/2 required
Date:
2025-09-28 14:32 UTC
Status:
✓ Passed
How It Was Recognized
Our AI engine analyzed your GitHub repository and identified this pull request through the following signals:
- API Integration: Connected to GitHub API and scanned pull request metadata
- Approval Detection: Identified 2 required approvals from authorized maintainers (@tech-lead, @senior-engineer)
- Change Tracking: Detected 247 lines changed across 8 files with proper code review comments
- Control Mapping: AI mapped this workflow to SOC2 CC8.1 (Change Management) requirements
Evidence Source
{
"pr_number": 4321,
"title": "Add authentication middleware",
"approvals": [
{"user": "tech-lead", "date": "2025-09-28T13:45:00Z"},
{"user": "senior-engineer", "date": "2025-09-28T14:12:00Z"}
],
"required_approvals": 2,
"branch_protection": true,
"status": "merged"
}Compliance Mapping
SOC2 CC8.1 - Change Management
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Control Satisfied
Recommendations
Current Status: Compliant
Your change management process meets SOC2 requirements. To maintain compliance:
- Continue requiring at least 2 approvals for production changes
- Ensure branch protection rules remain enabled
- Document approval authority matrix in your security policy
- Review and update the list of authorized approvers quarterly
Threat Modeling Documentation
Finding Summary
Jira tickets show evidence of threat modeling activities, but the frequency and documentation completeness require improvement to fully satisfy ISO 27001 A.12.6 requirements.
Tickets Found:
21 threat modeling tickets
Last Activity:
47 days ago
Coverage:
68% of new features
Status:
⚠ Partial
How It Was Recognized
Our AI engine analyzed your Jira workspace and identified threat modeling activities:
- Jira Integration: Scanned tickets with labels "threat-model", "security-review", "risk-assessment"
- Pattern Recognition: Identified security-focused ticket templates and attachments
- Gap Analysis: Compared threat modeling coverage against new feature deployments
- Timestamp Analysis: Detected 47-day gap since last documented threat modeling session
Evidence Source
{
"total_tickets": 21,
"labels": ["threat-model", "security-review"],
"date_range": {
"first": "2024-11-15",
"last": "2025-08-16"
},
"avg_frequency_days": 52,
"features_with_threat_model": 68,
"total_features": 100
}Compliance Mapping
ISO 27001 A.12.6 - Technical Vulnerability Management
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, and appropriate measures shall be taken to address the associated risk.
Partially Satisfied - Needs Improvement
Recommendations
Action Required: Improve Process
To achieve full compliance, implement the following improvements:
- Increase Frequency: Conduct threat modeling for 100% of new features with external interfaces
- Regular Cadence: Schedule quarterly threat modeling reviews (currently at 52-day average)
- Documentation Standards: Use a standardized template (STRIDE, PASTA, or similar framework)
- Validation: Require security team sign-off on all threat models before deployment
- Automation: Set up Jira automation to create threat modeling tickets for new epics
Next Steps:
- Create a threat modeling policy document
- Schedule training session for development teams
- Update Jira workflow to require threat model completion
CI/CD Security Scanning
Finding Summary
CI/CD pipelines demonstrate comprehensive security scanning with SAST tools, high code coverage, and automated vulnerability detection meeting PCI DSS 6.5 requirements.
Pipelines Analyzed:
57 runs
SAST Coverage:
100% of builds
Code Coverage:
86%
Status:
✓ Passed
How It Was Recognized
Our AI engine analyzed your CI/CD pipeline configuration and execution logs:
- Pipeline Integration: Connected to GitHub Actions/CircleCI and analyzed workflow YAML files
- Security Tool Detection: Identified SAST tools (SonarQube, Snyk, Semgrep) in pipeline stages
- Coverage Analysis: Extracted test coverage reports showing 86% code coverage
- Failure Prevention: Confirmed pipelines block merge on security vulnerabilities (HIGH/CRITICAL)
Evidence Source - CI Configuration
name: Security Scan
on: [pull_request]
jobs:
sast:
runs-on: ubuntu-latest
steps:
- name: Run SAST
run: semgrep --config=auto
- name: Run Snyk
run: snyk test --severity-threshold=high
- name: Code Coverage
run: pytest --cov --cov-report=xmlCompliance Mapping
PCI DSS 6.5 - Secure Development Practices
Address common coding vulnerabilities in software development processes including training developers in secure coding techniques and developing applications based on secure coding guidelines.
Control Satisfied
SOC2 CC6.6 - Logical Access
The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Control Satisfied
Recommendations
Current Status: Excellent
Your secure SDLC practices exceed baseline requirements. To further enhance security:
- DAST Integration: Add dynamic application security testing (DAST) to staging deployments
- Dependency Scanning: Expand to include container image scanning with Trivy or Clair
- Policy as Code: Implement Open Policy Agent (OPA) for deployment policy enforcement
- SCA Enhancement: Add software composition analysis (SCA) for license compliance
- Increase Coverage: Target 90%+ code coverage for mission-critical modules
Incident Response Documentation
Finding Summary
Slack incident channel demonstrates proper incident response procedures including postmortem documentation, root cause analysis, and remediation tracking.
Incident ID:
INC-2025-0847
Response Time:
14 minutes
Postmortem:
Completed
Status:
✓ Passed
How It Was Recognized
Our AI engine analyzed your Slack workspace incident response channels:
- Slack Integration: Monitored #incidents and #security-alerts channels with read-only access
- Timeline Extraction: Parsed incident declaration, response, and resolution timestamps
- Postmortem Detection: Identified structured postmortem document with RCA and action items
- Follow-up Tracking: Verified completion of 5 remediation tasks in linked Jira tickets
Evidence Timeline
2025-09-15 09:23 UTC - Alert triggered: API error rate spike
2025-09-15 09:37 UTC - Incident declared (Severity: P2)
2025-09-15 09:41 UTC - On-call engineer engaged
2025-09-15 10:15 UTC - Root cause identified
2025-09-15 10:52 UTC - Incident resolved
2025-09-15 16:30 UTC - Postmortem published
2025-09-18 14:00 UTC - All action items completedCompliance Mapping
HIPAA §164.308(a)(6) - Security Incident Procedures
Implement policies and procedures to address security incidents, including response and reporting.
Control Satisfied
SOC2 CC9.2 - Incident Response
The entity responds to identified security incidents by executing a defined incident response program.
Control Satisfied
Recommendations
Current Status: Compliant
Your incident response process demonstrates maturity. To further strengthen your program:
- Automation: Integrate PagerDuty or Opsgenie for automated escalation
- Playbooks: Develop runbooks for top 5 incident types in your wiki/Confluence
- Training: Conduct quarterly tabletop exercises with cross-functional teams
- Metrics: Track MTTR (Mean Time To Resolution) and aim for <15min for P1 incidents
- External Communication: Create a status page (status.io) for customer transparency
Best Practice: Your 14-minute response time is excellent. Document this as your baseline SLA.
Live Activity