Security Hardened

Compliance Without the Guesswork

Three major frameworks mapped. Every control implemented. Evidence ready for your auditor.

  • SOC 2 Type II
  • ISO 27001
  • NIST 800-53

  • Verification Latency: <1ms (vs typical token introspection round-trips)
  • Badge TTL: 5 min (stolen credentials expire before they're useful)
  • External Calls at Runtime: Zero (enforcement works even when the network doesn't)
  • No Shared Secrets: Ed25519 (asymmetric crypto: nothing to leak, rotate, or distribute)
Hardened Through Internal Red-Team Evaluation

We conducted rigorous internal security evaluations simulating enterprise SecOps and DevOps review processes — covering the policy engine, audit pipeline, authentication boundaries, and cryptographic controls.

The result: a security-hardened product with CI-blocking vulnerability scanning, zero known vulnerabilities, and SHA-256 supply chain verification across every distribution channel.

Most AI agent platforms have never stress-tested their own security posture. We did — and shipped every fix.

What we hardened:

  • Authentication & SSO: OIDC integration, API key permissioning, enterprise auth pathways
  • Audit Event Pipeline: Guaranteed delivery for security events, backpressure controls, overflow recovery
  • Policy Engine Governance: Maker-checker approval workflows, resolution auditing, hierarchical policy resolution
  • Break-Glass Emergency Access: Scoped tokens, JTI replay protection, mandatory reason fields, separate signing keys
  • Supply Chain Integrity: SHA-256 binary checksums on all SDK downloads, tampered binary detection
  • Data Path Hardening: Decision cache invalidation, client-side encrypted draft storage, self-signed badge rejection

Compliance Framework Mappings

Detailed control-by-control mappings for the three frameworks enterprise GRC teams ask about most.

CC6 — Logical and Physical Access Controls

  • CC6.1 User Identity & Authentication: Trust Badge system (Ed25519 JWS), trust levels (DV/OV/EV), Key Ownership Proof
  • CC6.2 Authentication Mechanisms: API key auth, OIDC/SSO (Enterprise), Clerk (Cloud), multi-factor support
  • CC6.3 Authorization Controls: RBAC roles, per-endpoint permission middleware, API key scoping
  • CC6.6 System Boundary Protection: Gateway reverse proxy with badge enforcement, SSRF protection, policy engine
  • CC6.7 Data Classification & Protection: Policy YAML versioning, content hashing, client-side encrypted draft storage (AES-GCM)
  • CC6.8 Prevention of Unauthorized Changes: Maker-checker policy approval, proposal versioning, content hash integrity

CC7 — System Operations

  • CC7.1 Detection of Unauthorized Changes: Audit event pipeline, policy version tracking, resolution audit trail
  • CC7.2 Monitoring for Anomalies: Async event ingestion, break-glass usage alerts, Prometheus metrics
  • CC7.3 Evaluation of Security Events: Structured event types with severity classification (security/operational)
  • CC7.4 Incident Response: Break-glass override with replay protection, key rotation, incident runbook

CC8 — Change Management

  • CC8.1 Changes Are Authorized: Maker-checker workflow: proposal → approval → activation, role-gated
  • CC8.2 Infrastructure & Software Changes Controlled: Git-based deployment, CI/CD with automated testing, release order enforcement
  • CC8.3 Changes Tested Before Deployment: Unit tests, integration tests (PostgreSQL), E2E security tests

What Sets CapiscIO Apart

Architectural decisions that matter for enterprise security teams

Hierarchical Policy Resolution

Org → group → agent policy inheritance with per-scope overrides. Matches how regulated organizations actually manage security controls.

Gradual Enforcement Rollout

Observe → Guard → Strict enforcement modes. Start with telemetry-only, promote to enforcement when ready. No big-bang deployment.

Cryptographically Sound Foundation

Ed25519 JWS badges with proper expiry, key ownership proof, and revocation. No shared secrets. No weak algorithms.

Designed for how regulated organizations actually manage security controls

Evidence Ready for Your Auditor

Every control maps to a specific feature with documented evidence locations

Architecture Documentation

  • Threat model and security boundaries
  • Cryptographic controls specification
  • Data flow diagrams (agent ↔ guard ↔ registry)
  • Deployment topology options

Compliance Artifacts

  • SOC 2 / ISO 27001 / NIST control mappings
  • Vendor security questionnaire responses
  • Incident response runbook
  • Gap analysis with mitigation timelines

Audit Trail APIs

  • Event query endpoint with filtering
  • Policy resolution audit history
  • Structured JSON event query API with filtering
  • Configurable retention policies per plan tier

Security Testing

  • E2E security test suite (SQL injection, XSS, IDOR)
  • Cross-org isolation tests
  • Auth boundary enforcement tests
  • CI pipeline with automated security checks

Need the full security pack for procurement?

We provide framework mappings, architecture docs, and control evidence in formats your GRC team can work with directly.