Frequently Asked Questions

Redoubt Forge FAQ

Answers to common questions about Redoubt Forge: what a secure operations platform is, how it differs from traditional compliance tools, which frameworks and overlays are supported, how evidence automation works, what the derivation chain is, and how DevSecOps scanning maps to compliance controls.

Security posture generates compliance proofs. Not the other way around.

Redoubt Forge is a secure operations platform. It starts with actual defenses, not checklists. The questions below cover how the platform works, which frameworks and overlays it supports, how evidence collection stays current, and how capabilities like Rampart, Vanguard, Sentinel, and Garrison work together to forge compliance proofs from running infrastructure.

01
Secure Operations
What is a secure operations platform?

A secure operations platform is a control plane that discovers your infrastructure, hardens it through defense-in-depth, monitors for drift continuously, and collects compliance evidence from running systems. Unlike traditional GRC tools that start with checklists, a secure operations platform starts with actual security posture. Compliance proofs are a byproduct of doing security correctly. Sentinel runs continuous discovery and monitoring. Garrison tracks your connected estate. Rampart maps observed posture to framework controls. The result is infrastructure as evidence: your running systems generate the proof, not your compliance team.

Redoubt Forge supports CMMC, NIST 800-53, FedRAMP, SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF 2.0, CIS Controls v8, NIST 800-207 Zero Trust, NIST AI RMF, and 20+ additional frameworks with 50+ overlays. Enterprise tier supports custom frameworks.

02
GRC Comparison
How is Redoubt Forge different from traditional GRC tools?

GRC tools start with checklists and work backward to evidence. Redoubt Forge starts with your actual security posture: hardened infrastructure, enforced controls, continuous monitoring. Compliance proofs are generated from observed state, not assembled from templates. Your assessor gets an immutable chain of evidence from your running systems, not a binder of narratives. The platform also bridges DevSecOps and compliance; scan results from Vanguard automatically map to framework controls in Rampart. No traditional GRC tool does this.

Where GRC platforms require manual evidence uploads and periodic collection cycles, Sentinel maintains continuous evidence streams with live connections to source-of-truth systems. Where GRC platforms treat compliance as a documentation exercise, Redoubt Forge treats it as a security engineering discipline. The platform monitors your entire estate through Garrison, detects drift the moment it happens, and re-evaluates affected framework controls automatically. Evidence decay is eliminated because evidence is never a static file. It is a live, immutable record from running infrastructure.

03
Frameworks
What compliance frameworks does Redoubt Forge support?

Redoubt Forge supports 20+ frameworks and 50+ overlays. Frameworks include NIST 800-53 rev5 (Low/Moderate/High baselines), CMMC Level 1/2/3, FedRAMP (Low/Moderate/High/LI-SaaS), SOC 2 Type I/II, ISO 27001:2022, PCI-DSS v4.0, HIPAA Security Rule, NIST CSF 2.0, CIS Controls v8, NIST 800-207 Zero Trust, CISA Zero Trust Maturity Model, NIST AI RMF, NIST IR 8596, RMF/FISMA, NIST 800-171 rev2/rev3, CNSSI 1253, and StateRAMP/TX-RAMP.

Overlays include DISA STIGs for 15+ platforms, DISA SRGs, CIS Benchmarks, DoD Impact Levels IL2 through IL6, CNSSI 1253 overlays, ITAR, DFARS, and sector-specific overlays for healthcare, financial services, education, and critical infrastructure. Enterprise tier supports custom frameworks with AI-suggested mappings that require human confirmation before activation.

04
Evidence
How does Redoubt Forge automate compliance evidence collection?

Sentinel, the automated monitoring capability, maintains continuous evidence streams with live connections to source-of-truth systems. Each observation of a control's state is hashed and compared with the last recorded hash, so a change is flagged at the next observation rather than at the next audit. Evidence expiration warnings fire before gaps appear. Your assessor sees continuous verification confirming that a control has been satisfied every day for the past 90 days, with the verification log to prove it. Evidence is not a file that decays. It is a live, immutable record from your running infrastructure.

Rampart stores every compliance event as an immutable record carrying a SHA-256 integrity hash, an OpenTelemetry trace ID, the user ID, the session ID, and a timestamp. An assessor recomputes the hash over the stored record and compares it with the recorded value, so modification after collection is detectable by anyone holding the record rather than merely asserted by the platform. Vanguard scan results feed the compliance engine continuously, with new findings automatically mapped to the affected framework controls. Garrison tracks the complete infrastructure estate, so the authorization boundary in your documentation matches the running environment.
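The mechanism behind both answers above (hash-comparison drift detection and per-record integrity hashes) in working form, as an added example written for this page and not Rampart's or Sentinel's code. The record fields follow the list above; the canonical-JSON encoding, the chaining of each record to its predecessor's hash, the control ID SC-28 and the sample bucket states are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any


def canonical(obj: Any) -> bytes:
    """Canonical JSON so equal states always hash identically (assumed encoding)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENESIS = "0" * 64  # previous-hash value for the first record in a chain


@dataclass
class EvidenceRecord:
    control_id: str
    observed_state: dict
    trace_id: str
    user_id: str
    session_id: str
    timestamp: str
    prev_hash: str
    record_hash: str = ""

    def body(self) -> dict:
        """Everything covered by the integrity hash (all fields except the hash itself)."""
        fields = asdict(self)
        fields.pop("record_hash")
        return fields


def append_record(chain: list, control_id: str, observed_state: dict,
                  trace_id: str, user_id: str, session_id: str, timestamp: str) -> EvidenceRecord:
    """Append a record whose hash covers its own content plus the previous record's hash."""
    prev_hash = chain[-1].record_hash if chain else GENESIS
    rec = EvidenceRecord(control_id, observed_state, trace_id, user_id, session_id, timestamp, prev_hash)
    rec.record_hash = sha256_hex(canonical(rec.body()))
    chain.append(rec)
    return rec


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) when every record hashes correctly and links to its predecessor,
    otherwise (False, index_of_first_bad_record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.prev_hash != expected_prev:
            return False, i
        if sha256_hex(canonical(rec.body())) != rec.record_hash:
            return False, i
        expected_prev = rec.record_hash
    return True, -1


def state_hash(state: dict) -> str:
    return sha256_hex(canonical(state))


def detect_drift(chain: list, control_id: str, current_state: dict) -> bool:
    """Compare the hash of the currently observed state with the last recorded state for
    this control. No prior record counts as drift: the control is unverified."""
    for rec in reversed(chain):
        if rec.control_id == control_id:
            return state_hash(rec.observed_state) != state_hash(current_state)
    return True


def demo() -> tuple:
    """Constructed sample: two clean observations of a bucket, then drift, then tampering."""
    chain = []
    encrypted = {"bucket": "app-logs", "encryption": "aws:kms"}
    append_record(chain, "SC-28", encrypted, "trace-0001", "user-7", "sess-a", "2025-01-01T00:00:00Z")
    append_record(chain, "SC-28", dict(encrypted), "trace-0002", "user-7", "sess-a", "2025-01-02T00:00:00Z")
    ok_before, _ = verify_chain(chain)

    drifted = detect_drift(chain, "SC-28", {"bucket": "app-logs", "encryption": None})

    # Tamper with the oldest record after collection: the chain must expose it.
    chain[0].observed_state["encryption"] = None
    ok_after, first_bad = verify_chain(chain)
    return ok_before, drifted, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, True, False, 0)
```

A single per-record hash only detects modification if the hash is kept somewhere the party able to alter the record cannot also rewrite. Linking each record to its predecessor means changing record k invalidates every later record, and handing the current head hash to the assessor at each collection (or signing it, or writing it to write-once storage) anchors the whole chain. Those anchoring choices are the practitioner's; the page does not state which one Rampart uses.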

05
Air-Gapped
Can Redoubt Forge work in air-gapped environments?

Yes. Air-gapped environments participate through export and import workflows. Scan results and inventory data are exported from the disconnected network and imported into the platform; remediation guidance and compliance artifacts travel the other way. Garrison tracks air-gapped systems alongside cloud, hybrid, and on-premise infrastructure in a single connected estate. This supports DoD classified environments, SCIF deployments, and any network where direct connectivity is not possible.

Vanguard scan results from disconnected environments are imported and mapped to framework controls in Rampart the same way connected scan results are processed. DoD Impact Level requirements, CNSSI 1253 overlays for classified systems, and DISA STIG configurations all function within the air-gapped workflow. The platform generates remediation guidance and hardened Armory modules that can be transferred into the disconnected environment through approved data transfer mechanisms.

06
Convergence
What is desired-state convergence for compliance?

Desired-state convergence means the platform continuously observes current state, compares it to desired state, acts within policy, records what happened, escalates what requires judgment, and learns from decisions. Users declare what their systems should be: "This system should be CMMC Level 2 compliant on AWS with three environments." The platform continuously converges reality toward that declaration. It handles the 90% that is mechanical. Humans handle the 10% that requires judgment: intent, risk acceptance, policy choices, exceptions, review, and governance.

Sentinel detects drift and evaluates the compliance impact. Rampart re-evaluates affected frameworks automatically. Citadel surfaces the action queue with prioritized remediation tasks. For certain infrastructure drift scenarios, Sentinel can auto-remediate after approval: if a storage bucket loses its encryption configuration, Sentinel detects the drift and restores the compliant state within your defined change windows. The convergence loop operates continuously, not on a quarterly review cycle.

07
Drift
How does drift detection affect compliance?

When infrastructure drifts from its desired state, compliance status can change instantly. A configuration change, a new resource, a modified policy: any of these can invalidate controls that were previously satisfied. Sentinel detects drift across your entire estate the moment it happens and evaluates the impact on your controls in real time. Rampart re-evaluates affected frameworks automatically. Posture degradation alerts trigger before small changes become real findings. Nothing decays silently.

This is the core difference between continuous compliance and periodic assessment. Traditional approaches collect evidence on a schedule; between collections, evidence decays and drift accumulates undetected. Garrison maintains a live inventory of every resource in your estate. When a new resource appears outside the declared authorization boundary, or an existing resource changes configuration, Sentinel fires an event and Rampart recalculates affected control scores across every active framework: CMMC, FedRAMP, NIST 800-53, SOC 2, and any others in your compliance portfolio.

08
Comparison
How does Redoubt Forge compare to commercial compliance platforms?

Commercial compliance platforms focus primarily on SOC 2 and ISO 27001. Redoubt Forge covers the full spectrum including CMMC, FedRAMP, DISA STIGs, DoD Impact Levels, CNSSI 1253, ITAR, and DFARS. It supports AWS GovCloud, air-gapped environments, and defense-in-depth architecture patterns designed for classified environments.

Redoubt Forge also bridges DevSecOps scanning directly to compliance evidence: Vanguard runs 14 scanner categories whose findings automatically map to framework controls in Rampart. Sentinel provides continuous monitoring with drift detection. Garrison tracks the full infrastructure estate. Alliance enables trust networks for supply chain verification and assessor access. The platform is a control plane for secure operations, not a compliance checklist tool. It starts where GRC tools leave off.

09
Frameworks vs. Overlays
How do frameworks and overlays differ?

Frameworks are independent control structures. Each framework defines its own set of controls, assessment criteria, and certification requirements. NIST 800-53 rev5 defines a catalog of security and privacy controls. CMMC defines maturity levels for the defense industrial base. FedRAMP defines baseline selections for cloud service providers. SOC 2 defines trust service criteria for service organizations. Each stands alone with its own assessment methodology and certification authority.

Overlays modify or extend a base framework. DISA STIGs add platform-specific implementation guidance on top of NIST 800-53 controls. CIS Benchmarks define hardening configurations for specific operating systems, cloud platforms, and databases. DoD Impact Levels (IL2 through IL6) specify additional controls based on data sensitivity. ITAR and DFARS add regulatory requirements on top of existing frameworks. In Rampart, you select a base framework and then layer applicable overlays. The platform resolves the combined control set and tracks each requirement distinctly. See the regulatory compliance guide for detailed overlay application patterns.

10
Derivation Chain
What is the derivation chain, and how does it reduce compliance overhead?

The derivation chain is the structural relationship between compliance frameworks. CMMC Level 2 is NIST 800-171 rev2: its 110 practices are the 110 rev2 requirements. NIST 800-171 is tailored from the NIST 800-53 Moderate baseline. FedRAMP baselines are specific control selections from the same NIST 800-53 catalog. SOC 2 Trust Service Criteria map to 800-53 control families through published cross-walks. ISO 27001:2022 Annex A controls have NIST-published mappings through the NIST Cybersecurity Framework. These relationships are deterministic and auditable. Work done for one framework simultaneously satisfies the controls in every other framework that resolves to the same NIST 800-53 controls.

Rampart maintains the cross-reference engine that resolves these derivation chains through five strategies: native control mapping, NIST 800-53 derivation chain tracing, NIST CSF 2.0 bridging, published cross-walks from authoritative sources, and AI-suggested mappings that require human confirmation. As you satisfy controls in one framework, Rampart computes your readiness percentage for every other framework in the catalog. The marginal effort to add each subsequent framework decreases because control overlap compounds through the derivation chain. One security posture. Every framework computed.
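A toy version of the derivation-chain resolution just described, added here as an example written for this page; it is not Rampart's cross-reference engine. The mapping graph is constructed and deliberately tiny (the real 800-171 rev2 to 800-53 mapping is published in NIST SP 800-171 rev2 Appendix D and is many-to-many), the framework and control identifiers are illustrative, and the scoring rule, under which a framework control counts as met only when every canonical 800-53 control it resolves to is satisfied, is an assumption. Controls with no mapping, and mapping cycles, resolve to nothing and are counted as unmet rather than silently met.

```python
from collections import defaultdict

CANONICAL = "800-53r5"  # every chain bottoms out in the NIST 800-53 catalog

# Constructed, deliberately tiny mapping graph: (framework, control) -> the controls
# it derives from. Real cross-walks are far larger; these edges only show the shape.
MAPPINGS = {
    ("CMMC-L2", "AC.L2-3.1.1"): [("800-171r2", "3.1.1")],
    ("CMMC-L2", "AC.L2-3.1.2"): [("800-171r2", "3.1.2")],
    ("CMMC-L2", "SC.L2-3.13.11"): [("800-171r2", "3.13.11")],
    ("800-171r2", "3.1.1"): [("800-53r5", "AC-2"), ("800-53r5", "AC-3")],
    ("800-171r2", "3.1.2"): [("800-53r5", "AC-3")],
    ("800-171r2", "3.13.11"): [("800-53r5", "SC-13")],
    ("FedRAMP-Mod", "AC-2"): [("800-53r5", "AC-2")],
    ("FedRAMP-Mod", "AC-3"): [("800-53r5", "AC-3")],
    ("FedRAMP-Mod", "SC-13"): [("800-53r5", "SC-13")],
    ("FedRAMP-Mod", "SC-28"): [("800-53r5", "SC-28")],
    ("SOC2", "CC6.1"): [("800-53r5", "AC-2"), ("800-53r5", "AC-3"), ("800-53r5", "SC-13")],
    ("SOC2", "CC6.7"): [("800-53r5", "SC-28")],
}


def resolve(node, _path=frozenset()):
    """Follow mapping edges from a (framework, control) node down to the set of canonical
    800-53 control IDs it derives from. Unmapped nodes and cycles resolve to the empty
    set so they can never be mistaken for 'satisfied'."""
    framework, control = node
    if framework == CANONICAL:
        return frozenset([control])
    if node in _path or node not in MAPPINGS:
        return frozenset()
    targets = set()
    for parent in MAPPINGS[node]:
        targets |= resolve(parent, _path | {node})
    return frozenset(targets)


def frameworks():
    """Group the mapped controls by framework (insertion order preserved)."""
    grouped = defaultdict(list)
    for framework, control in MAPPINGS:
        grouped[framework].append(control)
    return grouped


def canonical_satisfied(satisfied):
    """Translate satisfied controls from any framework into canonical 800-53 IDs."""
    canon = set()
    for node in satisfied:
        canon |= resolve(node)
    return canon


def readiness(satisfied):
    """Percent of each framework's controls whose entire canonical target set is satisfied."""
    canon = canonical_satisfied(satisfied)
    scores = {}
    for framework, controls in frameworks().items():
        met = 0
        for control in controls:
            targets = resolve((framework, control))
            if targets and targets <= canon:
                met += 1
        scores[framework] = round(100.0 * met / len(controls), 1)
    return scores


if __name__ == "__main__":
    # Constructed posture: two CMMC practices verified, nothing else.
    posture = {("CMMC-L2", "AC.L2-3.1.1"), ("CMMC-L2", "SC.L2-3.13.11")}
    print(readiness(posture))
    # {'CMMC-L2': 100.0, '800-171r2': 100.0, 'FedRAMP-Mod': 75.0, 'SOC2': 50.0}
```

Evidence for two CMMC practices resolves to AC-2, AC-3 and SC-13 in the canonical catalog, and those three controls are what lift FedRAMP and SOC 2 readiness without any FedRAMP- or SOC 2-specific work. Note the direction of leverage: satisfying AC-3 alone does not satisfy 800-171 3.1.1, because 3.1.1 also requires AC-2, which is why the rule compares the full target set rather than any overlap.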

11
AI Guidance
How does AI guidance work in Redoubt Forge?

Redoubt Forge uses AI-guided compliance to accelerate assessment, remediation, and documentation. Artificer guides system scoping by asking targeted questions based on what Sentinel has already discovered about your environment. It drafts practice narratives, suggests control mappings, computes SPRS scores, and identifies which remediations deliver the greatest compliance improvement per unit of effort. AI handles the mechanical work. Humans handle the judgment: risk acceptance, policy choices, exceptions, and governance decisions.

AI-suggested framework mappings require human confirmation before activation. AI-drafted narratives are presented for review, not automatically published. AI-recommended remediations enter the action queue in Citadel as proposed tasks, not automated changes. The platform is designed so that AI accelerates the 90% of compliance work that is mechanical while preserving human authority over the 10% that requires judgment. Every AI-generated artifact carries provenance metadata identifying it as AI-assisted, ensuring full transparency for assessors and auditors reviewing your compliance package in Rampart.

12
Custom Frameworks
Can I add custom frameworks?

Yes. The Enterprise tier supports custom frameworks with full control definition, assessment criteria, and evidence requirements. Organizations can define frameworks that reflect internal security policies, sector-specific regulations, or customer-mandated requirements that do not map to a published standard. Custom frameworks participate in the same derivation chain as built-in frameworks: Rampart suggests mappings between custom controls and existing NIST 800-53 controls, enabling cross-framework leverage from day one.

Custom overlays are also supported at the Enterprise tier. Organizations can define ADD, MODIFY, and REMOVE operations against any base framework to reflect organizational policy requirements. A custom overlay might add controls for internal data handling procedures, modify evidence collection frequencies for specific control families, or remove controls that are not applicable based on the organization's operating environment. Custom frameworks and overlays integrate with Sentinel monitoring, Vanguard scan mapping, and Artificer guidance the same way built-in frameworks do.
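The base-framework-plus-overlays resolution described in section 09 and the ADD, MODIFY and REMOVE operations from the paragraph above, as an added example written for this page rather than Rampart's implementation. The base controls, the two overlays, the control titles, the evidence intervals and the conflict rules (an ADD of an existing control or a MODIFY or REMOVE of a missing one is an error rather than a silent no-op) are all assumptions made for illustration; the point is that overlays apply in order, every requirement keeps a record of which overlay touched it, and a removal is tracked rather than forgotten.

```python
from copy import deepcopy


class OverlayError(ValueError):
    """Raised when an overlay operation cannot be applied to the current control set."""


# Constructed base framework: a few NIST 800-53-style controls with an
# evidence-collection interval. Titles and intervals are illustrative.
BASE_FRAMEWORK = {
    "AC-2": {"title": "Account Management", "evidence_every_days": 90},
    "SC-28": {"title": "Protection of Information at Rest", "evidence_every_days": 90},
    "PE-3": {"title": "Physical Access Control", "evidence_every_days": 365},
}

# Constructed overlays in the ADD / MODIFY / REMOVE shape the text describes.
ITAR_OVERLAY = {
    "name": "ITAR",
    "ops": [
        {"op": "ADD", "id": "ORG-ITAR-1",
         "control": {"title": "Restrict technical-data access to authorized persons",
                     "evidence_every_days": 30}},
        {"op": "MODIFY", "id": "AC-2", "changes": {"evidence_every_days": 30}},
    ],
}
CLOUD_ONLY_OVERLAY = {
    "name": "cloud-only",
    "ops": [
        {"op": "REMOVE", "id": "PE-3", "reason": "physical controls inherited from the CSP"},
    ],
}


def apply_overlays(base, overlays):
    """Apply overlays in order to a copy of the base framework.

    Returns (controls, provenance, removed):
      controls   - the resolved control set
      provenance - per control, the ordered list of sources that shaped it
      removed    - controls taken out, with the overlay and reason, so the
                   removal itself stays tracked as a distinct decision
    Conflicting operations raise instead of being silently skipped.
    """
    controls = deepcopy(base)
    provenance = {cid: ["base"] for cid in controls}
    removed = {}
    for overlay in overlays:
        name = overlay["name"]
        for op in overlay["ops"]:
            kind, cid = op["op"], op["id"]
            if kind == "ADD":
                if cid in controls:
                    raise OverlayError(f"{name}: ADD {cid} but it already exists")
                controls[cid] = deepcopy(op["control"])
                provenance[cid] = [f"{name}:ADD"]
            elif kind == "MODIFY":
                if cid not in controls:
                    raise OverlayError(f"{name}: MODIFY {cid} but it is not in the control set")
                controls[cid].update(op["changes"])
                provenance[cid].append(f"{name}:MODIFY")
            elif kind == "REMOVE":
                if cid not in controls:
                    raise OverlayError(f"{name}: REMOVE {cid} but it is not in the control set")
                del controls[cid]
                removed[cid] = {"by": name, "reason": op.get("reason", "")}
                provenance[cid].append(f"{name}:REMOVE")
            else:
                raise OverlayError(f"{name}: unknown operation {kind!r}")
    return controls, provenance, removed


if __name__ == "__main__":
    resolved, prov, gone = apply_overlays(BASE_FRAMEWORK, [ITAR_OVERLAY, CLOUD_ONLY_OVERLAY])
    print(sorted(resolved))  # ['AC-2', 'ORG-ITAR-1', 'SC-28']
    print(prov["AC-2"])      # ['base', 'ITAR:MODIFY']
    print(gone)              # {'PE-3': {'by': 'cloud-only', 'reason': '...'}}
```

Because overlays are applied in sequence, the order you activate them in is part of the resolved result: an overlay that modifies PE-3 after the cloud-only overlay has removed it fails loudly, which is preferable to an assessor discovering later that a tightened evidence interval never took effect.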

13
DevSecOps Scanners
What DevSecOps scanners are supported?

Vanguard is the DevSecOps workbench. Its scanner categories include multi-language SAST (static application security testing), secret scanning, linting, dependency analysis, container scanning, DAST (dynamic application security testing), STIG raw results, code quality analysis, coverage tracking, fuzzing, and API security testing. Scan targets that are not yet connected to a system live in Outpost and graduate to Garrison when promoted to a connected system.

The critical differentiator is the bridge between scan results and compliance controls. Vanguard findings automatically map to framework controls in Rampart. A vulnerability discovered in application code maps to flaw remediation controls. A secret found in a repository maps to credential management controls. A container image with a known CVE maps to system integrity controls. This mapping works across every active framework: CMMC, NIST 800-53, FedRAMP, SOC 2, and any others in your compliance portfolio. Sentinel schedules scans and tracks trends over time, ensuring continuous evidence from your development pipeline.

14
Regulatory
How does Redoubt Forge handle regulatory compliance like ITAR and DFARS?

Regulatory requirements like ITAR (International Traffic in Arms Regulations) and DFARS (Defense Federal Acquisition Regulation Supplement) are implemented as overlays in Redoubt Forge. DFARS 252.204-7012 requires contractors handling Controlled Unclassified Information to implement NIST 800-171 and to report cyber incidents to DoD within 72 hours; the companion clauses 252.204-7019 and 252.204-7020 require a current NIST 800-171 assessment score to be posted in the Supplier Performance Risk System (SPRS). ITAR imposes additional access restrictions on technical data related to defense articles. Both layer additional requirements on top of existing framework controls.

In Rampart, you activate regulatory overlays alongside your base framework assessment. The platform resolves the combined control set: CMMC Level 2 plus DFARS plus ITAR produces the full set of controls your organization must satisfy for a specific contract. Sentinel monitors compliance with overlay-specific requirements, such as ITAR access restrictions and DFARS incident reporting obligations. See the regulatory compliance guide for detailed implementation patterns across defense, healthcare, financial, and other regulated sectors.

15
Data Retention
How long is my tenant data kept, and what happens on cancellation?

Your evidence, assessments, control narratives, audit trails, and configurations are retained for as long as your subscription is active, with no retention limit. While the subscription is active, data stays in hot storage, immediately queryable, and fully restorable through the platform.

On cancellation, your tenant data enters a 90-day frozen grace period in cold storage. During this window you can request a data export through support or reinstate the subscription to restore your retained data exactly as it was: evidence, assessments, scores, configurations, and narratives. The exception is transient data classes (scan results, Sentinel-collected evidence, Discovery inventory), which are purged 30 days after cancellation as part of the reduced-state cleanup and cannot be restored after that point.

After the 90-day grace period with no reinstatement, data moves to long-term archive only if a formal legal or regulatory hold requires it. Otherwise it proceeds through the nine-step verified deletion process per the deletion schedule in your contract. Legal holds extend retention indefinitely until the hold is released. The deletion process is irreversible once executed. See the pricing page for commercial questions about subscription lifecycle and reinstatement.

16
Launch Timing
When does the platform launch?

Redoubt Forge is in active development. All tiers show "Coming soon" until general availability. Early access is available now. Request early access to join the waitlist, receive launch pricing, and participate in pre-release builds. Forward-looking items and target phases live on the Redoubt Roadmap.

Something is being forged.

The full platform is under active development. Reach out to learn more or get early access.