What does KollGuard do?

KollGuard connects read-only to your GitHub repositories and databases (Postgres, Supabase), scans them for security gaps, and maps every finding to the controls auditors check. The first scan is free and takes minutes.

Which compliance frameworks does KollGuard support?

Twelve: SOC 2 and HIPAA are asserted directly from the technical checks, while ISO 27001, ISO 27701, PCI DSS, GDPR, NIST CSF, NIST 800-53 (the basis for NIST 800-171 and CMMC), HITRUST CSF, CIS Controls and the Joint Commission (JCAHO) Information Management standards are crosswalked from the same checks.

How is KollGuard different from Vanta, Drata, or Secureframe?

KollGuard actually scans your systems rather than only collecting evidence or sending questionnaires, starts free in minutes, is transparently and affordably priced, and lets vendors prove their posture without sharing source code or credentials.

Can KollGuard monitor my AI agents?

Yes. KollGuard's Agent Watch monitors the AI agents you deploy — MCP servers, CI bots, service accounts, and LLM agents — recording every run as a tamper-evident, hash-chained heartbeat, raising health and behavior-drift alerts, and emailing a nightly digest. It maps agent activity to the same SOC 2 and HIPAA controls as the rest of your security posture, so the AI agents touching your data are continuously monitored for compliance.

Does KollGuard need access to my source code?

No. KollGuard performs read-only checks against repository and database metadata and configuration; it never copies or stores your source code, and credentials are encrypted in a vault.

How much does KollGuard cost?

The first scan is free. Paid plans are Starter at $19.89/month and Growth at $99/month, with custom Enterprise pricing. There are no quote-based contracts to get started.

Does HITRUST replace HIPAA?

No. HITRUST is a private framework; HIPAA is federal law. HITRUST CSF certification substantially evidences HIPAA compliance, but you still owe HIPAA independently.

Is HITRUST CSF native in KollGuard?

No — KollGuard maps to HITRUST CSF via a CROSSWALK from SOC 2 and HIPAA. We're explicit about this. Auditors who scrutinize HITRUST will rightfully push back on crosswalk-only assertions. CIS Controls is our best candidate for the next native assertion.

i1 (Implemented) = 1-year certification, ~180 control assessments, ~3 months. r2 (Risk-based, 2-year) = full r2 with hundreds of controls, ~9-12 months. r2 is the gold standard; i1 is the on-ramp.

What about HITRUST e1?

e1 (Essentials) is HITRUST's lightweight tier for ≈45 controls, suitable for very small organizations. Less commonly accepted by enterprise buyers.

HIPAA vs HITRUST CSF

HIPAA

A US federal law regulating PHI. Sets a minimum bar of administrative, physical, and technical safeguards (§164 Security Rule). No certification body.

Who needs it: Anyone handling US patient data
Authority: HHS / Office for Civil Rights
Issued as: No certification — internal docs + OCR enforcement

HITRUST CSF

A commercial certification (HITRUST Alliance) that maps to HIPAA + ISO 27001 + NIST + many others. Three assurance levels (e1, i1, r2). Auditor-issued; CSF i1 ~3 months, r2 ~9-12 months.

Who needs it: Healthtech selling to major hospital systems / payers
Authority: HITRUST Alliance
Issued as: Third-party certified report

Similarities

Both target healthcare data protection.
Both cover administrative, physical, technical safeguards.
HITRUST CSF includes a HIPAA crosswalk — passing CSF substantially evidences HIPAA.

Where they differ

Axis	HIPAA	HITRUST CSF
Legal status	Federal law (mandatory)	Voluntary commercial certification
Specificity	High-level safeguards	Prescriptive — hundreds of specific control statements
Certification	None	Yes — third-party HITRUST authorized assessor
Cost	No exam fee	$60k–$200k+ for r2 certification (assessor fees + tools)
Timeline	Ongoing program	i1: ~3 months; r2: 9-12 months
Renewal	Continuous	i1 annual; r2 biennial with interim assessment
Customer demand	Required for healthcare	Required by some hospital systems / payers

Which do you need?

Pick HIPAA if…

You're a healthtech startup that handles PHI. This is non-negotiable; you cannot opt out.

Add HITRUST CSF if…

A major hospital system or health plan customer requires it (they will say so explicitly in procurement).

Pick i1 first, then r2 if…

You need HITRUST but want a shorter path to certified status. i1 in ~3 months unlocks most enterprise deals; r2 adds rigor.

Skip HITRUST if…

You're early-stage and HIPAA-compliant. The $60k+ price tag is hard to justify without a specific deal demanding it.

Frequently asked

Does HITRUST replace HIPAA?: No. HITRUST is a private framework; HIPAA is federal law. HITRUST CSF certification substantially evidences HIPAA compliance, but you still owe HIPAA independently.
Is HITRUST CSF native in KollGuard?: No — KollGuard maps to HITRUST CSF via a CROSSWALK from SOC 2 and HIPAA. We're explicit about this. Auditors who scrutinize HITRUST will rightfully push back on crosswalk-only assertions. CIS Controls is our best candidate for the next native assertion.
i1 vs r2?: i1 (Implemented) = 1-year certification, ~180 control assessments, ~3 months. r2 (Risk-based, 2-year) = full r2 with hundreds of controls, ~9-12 months. r2 is the gold standard; i1 is the on-ramp.
What about HITRUST e1?: e1 (Essentials) is HITRUST's lightweight tier for ≈45 controls, suitable for very small organizations. Less commonly accepted by enterprise buyers.