Our Philosophy

Built by practitioners, for practitioners

CISO Assistant was born from real-world frustration with a fragmented, overpriced, and rigid GRC landscape. Every design decision is guided by a simple question: does this actually help practitioners be more productive on a daily basis?

Truly open source

The community edition is the heart of CISO Assistant: licensed under AGPLv3, it powers the core of the application and is where all the foundational features live. The Pro edition builds on top of it, adding priority support and extra features to help organizations scale up their usage. Even the Pro edition’s source code is publicly available (under a proprietary license), because we believe transparency builds trust.

  • Community at the core: the open-source community edition is the foundation, not a stripped-down teaser but the real product.
  • Pro to scale up: priority support and advanced features for organizations that need to go further, faster.
  • Code visible to all: every line of the codebase is publicly accessible, no black boxes.
  • No vendor lock-in: you own your data and your deployment, switch or self-host whenever you want.

Deploy your way

Everyone can afford it: run CISO Assistant on the infrastructure that works best for you.

  • Docker Compose: get started in minutes with a single docker-compose.sh script.
  • Kubernetes: production-grade Helm charts for orchestrated deployments.
  • Offline-VM: full control over your own setup, with air-gapped environments supported.
  • SaaS: let us handle the infrastructure so you can focus on your security program.

One platform, no fragmentation

The biggest challenge in GRC is data fragmentation and repetition. When your risk register, compliance evidence, and audit findings live in separate tools, you waste time reconciling and duplicating efforts. CISO Assistant brings everything under one roof.

  • Unified data model: risks, controls, evidence, and compliance mapped together in a single coherent structure.
  • Single source of truth: one place for all your GRC data, no more conflicting spreadsheets.
  • No duplication: map one control to many frameworks, do the work once and reuse it everywhere.

Batteries included, yet fully customizable

Built-in standards and frameworks so you don’t reinvent the wheel, yet extensible enough to accommodate your own.

  • Built-in frameworks: ISO 27001, SOC 2, NIS2, DORA, NIST CSF, and many more out of the box.
  • Standards library: a curated, community-maintained catalog of security standards and regulations.
  • Custom frameworks: create and import your own frameworks to match your organization’s context.
  • Risk matrices: configurable risk matrices that adapt to your risk appetite and methodology.
  • Compliance mappings: pre-built cross-framework mappings to eliminate redundant work.

API-first and automation by design

Every feature in CISO Assistant is backed by a fine-grained REST API with full CRUD operations over all objects. Integrate with your existing toolchain, automate repetitive workflows, and build on top of a solid foundation.

  • Full REST API: a comprehensive, well-documented API covering the entire platform.
  • Fine-grained CRUD: create, read, update, and delete any object: risks, controls, evidence, and more.
  • Automation-friendly: script your workflows, sync data from external tools, and trigger actions programmatically.
  • Custom n8n node: eases integration with a low-code / no-code approach.
  • Extensible integrations: connect to SIEMs, ticketing systems, vulnerability scanners, and CI/CD pipelines.

AI: responsible and local-first

AI can be a powerful accelerator for GRC work, but trust and control come first. CISO Assistant takes a local-first approach: AI features run offline by default so your sensitive data never leaves your environment unless you explicitly choose otherwise.

  • Local-first: AI capabilities run on your infrastructure, keeping your data where it belongs.
  • Offline mapping: use AI-assisted mapping between frameworks and controls without any external call.
  • MCP interface: you decide what to share, with whom, and when. No silent data exfiltration, no opaque cloud calls.
  • Opt-in, not opt-out: AI features are there when you need them, invisible when you don’t.

Why so many features?

The answer is simple: we aim to be the hub of cybersecurity program management. While we all share roughly 80% of the same needs, everyone eventually needs something specific, maybe not today, but someday. Instead of encouraging fragmented forks, we expand the data model whenever it makes sense (and yes, we have had to say no many times). The result is a platform that covers a wide surface area while staying coherent, and feature flags let every user enable or disable capabilities to match their exact workflow.

  • One hub, not many forks: a broad feature set under one roof avoids ecosystem fragmentation.
  • Deliberate expansion: every addition to the data model is weighed carefully; we say no more often than we say yes.
  • Feature flags: don’t need something? Turn it off. Your instance, your rules.

Enterprise-grade features

Built for teams and organizations that need security, governance, and collaboration at scale.

  • SSO / SAML: integrate with your identity provider for seamless, secure authentication.
  • Audit logging: every action is tracked, giving full traceability for internal and external audits.
  • Fine-grained IAM: the domain concept enables multi-tenant isolation and granular access policies.
  • Collaborative workflows: task assignment, notifications, and review cycles keep teams aligned.
  • Feature flags: toggle capabilities on or off to tune the platform to your exact needs.
  • Role-based access: define roles and permissions so every user sees exactly what they need.

Shaped by its users

CISO Assistant is not designed in an ivory tower. Actual practitioners collaborate on shaping the solution: the roadmap is driven by real-world feedback, iteration cycles are short, and the tool evolves with the needs of the people who use it every day.

  • Practitioner-driven roadmap: feature priorities come from the community, not from a sales-driven backlog.
  • Short feedback loops: report an issue or suggest an improvement, see it addressed in days, not quarters.
  • Real-world validation: every feature is battle-tested by security teams before it ships.

Why we don’t do benchmarks

We respect the work of other software vendors and don’t see the relevance of a biased opinion. We trust users to do their own research and find what fits their needs and context best. Our energy is better spent improving the product than crafting favorable comparisons.