Early access

The intelligence layer
for cybersecurity compliance

ControlGraph connects frameworks, controls, capabilities, and the products you already use — so you can explore requirements once and assess posture without starting from scratch every audit.

Supported frameworks
NIST CSF 2.0, NIST 800-53, NIST 800-171, CIS Controls v8, SOC 2 TSC, PCI DSS 4, HIPAA, FedRAMP, CJIS, CISA CPG
controlgraph.query / capability("MFA")
142 controls · 11 frameworks
Frameworks: NIST 800-53, SOC 2, PCI DSS 4.0, CMMC L2, ISO 27001, FedRAMP
Capability: MFA
Technologies: Entra ID, Okta, CrowdStrike, Intune
Mapped controls: 142
Coverage: 94.2%
Evidence artifacts: 38
The problem

Organizations don't lack controls.
They lack the relationships between them.

The same capability — MFA, logging, asset management — appears in every framework under a different name. Teams evaluate them separately, pay consultants to translate, and run audits in parallel.

  • Duplicate work: 3–7×
  • Avg. consulting spend: $340k
  • Audit fatigue: Chronic
  • Conflicting interpretations: Across teams
The platform

Eight pillars. One graph.

Explore, map, assess, and monitor — built on one shared control graph instead of disconnected spreadsheets and slide decks.

01 Frameworks

Framework library

NIST, CIS, SOC 2, PCI, HIPAA, FedRAMP, and more — loaded from authoritative sources and searchable in one workspace.

02 Crosswalk

Control crosswalks

See how requirements align across frameworks so you stop rebuilding the same mapping every engagement.

03 Capabilities

Capability graph

Identity, logging, encryption, and response expressed once — then linked to controls in every framework you care about.

04 Stack

Technology mapping

Map Entra ID, Okta, CrowdStrike, AWS, and dozens of other products to the capabilities and controls they help satisfy.

05 Evidence

Evidence intelligence

Connect policies, configs, and artifacts to the controls they support — reduce duplicate evidence collection.

06 Assessment

Compliance assessments

Run coverage analysis from your technology stack with a documented reasoning trail on every result.

07 API

GraphQL API

Query controls, technologies, capabilities, and impact from your own GRC or consulting platform.

08 Monitoring

Change monitoring

Get notified when framework sources change so your mappings and client advice stay current.

Flagship feature

Assess posture
with clear reasoning.

Ask compliance questions against your declared technology stack. Every assessment includes coverage estimates, priority gaps, and a step-by-step reasoning trail you can share with clients and auditors.

  • Coverage estimates across overlapping frameworks
  • Gap analysis tied to specific controls
  • Reasoning trail for every result
  • Audit reference on each assessment
Compliance assessment
reasoning
YOU
We have Microsoft 365 E5, Entra ID P2, CrowdStrike Falcon, Intune and GitHub Enterprise. How close are we to CMMC Level 2?
Estimated compliance: 74%
Strong
  • Identity
  • Endpoint protection
  • Logging
Gaps
  • Media sanitization
  • Vendor risk
  • Incident testing
Citations: CMMC L2 §3.8.3, NIST 800-171 r2 3.6.2, NIST CSF DE.CM-1, FedRAMP IA-5
Infrastructure, not a dashboard

A GraphQL API for the
cybersecurity knowledge graph.

Embed crosswalks, capability lookups and compliance impact directly into your GRC, consulting, or compliance platform. Available on Team and Enterprise plans.

GraphQL · v1
# query the graph
query {
  technology(name: "Microsoft Entra ID") {
    capabilities
    controls
    frameworks
    complianceImpact
  }
}
Pricing

From single consultant to compliance infrastructure.

Start with one framework. Scale to the full graph and the API.

Professional

Consultants & vCISOs
$199 / month
  • Framework explorer & search
  • Crosswalk & capability views
  • Technology mapping
  • Compliance assessments
  • Change feed
Most chosen

Team

MSPs & compliance teams
$1,499 / month
  • Everything in Professional
  • Multiple team members
  • GraphQL API access
  • Priority support
  • Onboarding assistance

Enterprise

Regulated industries
Custom, from $10k / yr
  • Everything in Team
  • Private graph extensions
  • GraphQL API & SSO
  • Additional frameworks
  • Assessment audit history
  • Dedicated success engineer

Stop translating frameworks.
Start understanding controls.

Built for consultants, vCISOs, and compliance teams who need one place to explore controls and defend their conclusions.