Compliance for the code you ship — and the AI you run.
Every gap, mapped to every framework — in minutes, not months.
Scan your code, databases, cloud, and AI agents. Track every BAA, contract, and vendor. Map it all to SOC 2, HIPAA, and the EU AI Act — and prove it continuously.
First scan free · self-serve from $19.89/mo · enterprise-ready GRC · No credit card required
That's 230+ every minute — and almost none get a SOC 2 / HIPAA security scan before they touch real customer data. KollGuard is the one that does — free, in minutes.
Rate from GitHub Octoverse 2025.
See it in action
40 seconds through the real product: posture, findings, architecture, work tracking, and agent guardrails.
Built for everyone who owns the risk
From the developer who ships it and the founder who sells it, to the enterprise GRC team that has to prove it at scale.
Developers & security engineers
Scan your repos and databases, see exactly what's broken, and fix it from your IDE — your AI agent reads findings over MCP.
For developersFounders & teams
Get "SOC 2 / HIPAA ready" to close enterprise deals — in minutes, on a $20/mo budget, without a $30k/yr GRC platform.
For foundersCompliance & security teams
Continuous posture, audit-ready evidence, vendor risk — and governance for the AI agents now touching your data.
For security & complianceEnterprise & regulated teams
One Control Tower: agreements & vendor risk, AI-agent governance, SSO/SCIM, and a tamper-evident audit trail — proof at scale.
For enterpriseBuilt for teams pursuing SOC 2 & HIPAA compliance
Anyone can ship an app in a weekend. Almost no one ships it secure.
AI assistants and no-code tools let founders and "vibe coders" launch products faster than ever — but the security and compliance work gets skipped: row-level security left off, access controls misconfigured, secrets exposed, no audit trail, no SOC 2 or HIPAA evidence. The gap stays invisible until an enterprise deal, a breach, or an auditor forces the issue.
KollGuard fills that gap — it gives fast-moving teams the security and compliance guardrails they skipped, without slowing them down.
What usually gets missed
- Databases shipped without row-level security or with public tables
- Over-privileged roles, weak grants, and no audit logging
- Repos missing branch protection, secret scanning, or review gates
- No mapping of any of it to SOC 2 or HIPAA — so audits start from zero
Everything you need to stay audit-ready
One platform for scanning, mapping, and proving your security posture across code and data.
GitHub repository scanning
Connect with a least-privilege token and continuously scan repositories for security gaps and misconfigurations.
Database scanning
Read-only checks across Postgres, Supabase, MySQL, MongoDB, SQL Server & DynamoDB — RLS, exposed tables, and weak grants on Postgres; auth and role hygiene on MySQL, MongoDB, and SQL Server; encryption and backups on DynamoDB.
Web app security scanning
Verify a URL you own, then run safe, non-destructive checks — headers, TLS, cookies, exposed files, CORS — the automated part of a pentest, on a continuous cadence.
SOC 2 & HIPAA mapping
Every finding maps to the relevant SOC 2 Trust Services Criteria and HIPAA safeguards automatically.
Projects & rolled-up posture
Group repos and databases into projects and see a single, rolled-up compliance posture per project.
Auto-mapped architecture
KollGuard reads your connected repos and database and generates an interactive, versioned map of your stack — features, services, and data flow — so you can hand auditors a current system description, not a stale diagram.
Evidence & reports
Generate downloadable evidence and reports auditors can use — without manual screenshot wrangling.
AI cost visibility
Track AI usage and spend across every project from one dashboard, so costs never surprise you.
AI agent monitoring
Agent Watch monitors the AI agents you deploy — MCP servers, CI bots, service accounts — for health, behavior drift, and security, with a nightly digest.
Work with it from any IDE (MCP)
Connect Claude Code, Cursor, VS Code, Windsurf, Grok or any MCP client. Agents read live findings with a read-only key — and with scoped write access, they can file issues and update tickets too.
Issues, epics & support tickets
Built-in Kanban trackers for your team’s work — issues grouped under epics, a support queue with SLAs in mind, and AI-assisted drafting & triage. One-click import from Jira, Linear, GitHub, or Zendesk.
Security questionnaire automation
Answer customer security questionnaires from your live posture and a reusable answer library — instead of copy-pasting the same 200 answers every quarter.
Closed-loop remediation
KollGuard doesn’t stop at finding problems: it proposes the fix, opens the PR, re-scans after merge, and marks the finding verified — a loop no checkbox platform closes.
Cloud posture (AWS)
Read-only CIS checks against your AWS account — public S3 access, CloudTrail coverage, password policy — mapped to the same controls as your code and data findings.
AI governance & agent guardrails
EU AI Act / ISO 42001 readiness plus real controls for the agents you run: per-tenant autonomy policy, an approval inbox, a master kill-switch, and a tamper-evident audit chain you can verify with one click.
Also included
Your compliance Control Tower.
The scanning is just the start. KollGuard runs your whole GRC program in one place — the agreements, vendors, AI-agent governance, and audit trail your compliance team already owns — so security and the people who ship stay on one system of record.
AI-assisted agreements register
Track every BAA, DPA, MSA, NDA, and vendor contract — with attachments, 30/14/7-day expiry reminders, share links, and automatic inclusion in your evidence package.
Third-party & vendor risk (TPRM)
A live, standardized posture view of every vendor, with an onboarding gate — so third-party risk is continuous, not a once-a-year questionnaire.
AI-agent governance
Inventory the agents you run, enforce a per-tenant autonomy policy, and keep a tamper-evident history — the answer to “what did our AI do?” EU AI Act & ISO 42001 ready.
SSO / SAML + SCIM
Enterprise identity and user provisioning for the whole org, plus branded per-tenant subdomains and a DPA/BAA with KollGuard.
195 controls · 15+ frameworks
SOC 2, HIPAA, ISO 27001, PCI DSS, GDPR, HITRUST, CIS, NIST 800-53 — plus EU AI Act, ISO 42001, and NIST AI RMF. One scan, every framework.
Evidence & tamper-evident audit trail
Auditor-ready evidence packages, a public Trust Center, and a hash-chained audit log — assembled continuously, so a security review never catches you scrambling.
Your AI agent, a first-class teammate
KollGuard ships an open MCP server, so an AI agent in Claude Code, Cursor, VS Code, Windsurf, Grok — or any MCP client — can pull your live findings and fix them in your repo. Grant a key scoped write access and the agent can also file issues, link them to epics, and update support tickets — straight from the IDE.
For security & compliance leads: keys are read-only by default, least-privilege, and revocable — write access is per-surface opt-in, every agent action is rate-limited and lands in the tamper-evident audit trail, and agent activity is visible in Agent Watch.
{
"mcpServers": {
"kollguard": {
"command": "npx",
"args": ["-y", "kollguard-mcp"],
"env": { "KOLLGUARD_API_KEY": "kgr_…" }
}
}
}How it works
From connection to audit-ready evidence in three steps.
See your real posture
Connect a repo or database and KollGuard scans what you actually run, mapping every gap to SOC 2, HIPAA, and 10 more frameworks — in minutes, not quarters.
Know what’s at risk, and why
Every finding carries its business impact, the exact control it touches, and a plain-language AI explanation — so anyone on the team, not just engineers, gets the stakes.
Fix it fast — even from your IDE
Prioritize by risk and remediate. Your AI agent can pull findings over MCP, fix them in your repo, and file the follow-up work in KollGuard’s built-in issue tracker — every change tied back to a control.
Prove it to auditors & customers
Export evidence packages, share a public Trust Center, and keep a tamper-evident audit trail — continuously, not just at audit time.
Mapped to the frameworks that matter
Stop translating raw security findings into compliance language by hand. KollGuard ties each finding directly to the controls your auditors review.
- Findings mapped to SOC 2 Trust Services Criteria
- Coverage of HIPAA administrative & technical safeguards
- Rolled-up posture per project for fast reporting
- Downloadable evidence to share with auditors
Pillar guides
The full developer-grade guide for each framework — what's required, where the citations land, and the honest cost.
Guides
Practical, auditor-grounded walkthroughs for the stacks our customers actually ship on.
Simple, honest pricing
Start free, upgrade when you need continuous monitoring and the full advisory board. Orders of magnitude under the $7,500+/yr GRC platforms.
Free
See it
- 1 scan target (repo or database)
- On-demand scans
- SOC 2 / HIPAA + 12 more framework mapping
- AI Advisory Review (Compliance preview)
Starter
Get audit-ready
- Everything in Free, plus:
- Up to 5 targets · continuous scans
- Full AI Advisory Board (Compliance, CSO, CTO, CFO) + PDF
- Evidence & reports · risk register
- Developer Tools · architecture diagram · read MCP key
Growth
Prove it & automate
- Everything in Starter, plus:
- Unlimited targets · cloud (AWS) + web scanning
- BAA tracker · questionnaires · Trust Center · vendor risk
- Agent Watch · closed-loop remediation
- Write-scoped MCP keys · RAG knowledge base
Enterprise
Pass procurement
- Everything in Growth, plus:
- SSO / SAML · SCIM provisioning
- Branded subdomains
- DPA / BAA with KollGuard
- Priority support & SLA
See your compliance posture today
Connect a repo or database and run your first scan in minutes. No source code is ever stored.
First scan free · $19.89/mo Starter · $99/mo Growth · custom Enterprise
