Guide · 7 min read

Auto-generate your architecture diagram for SOC 2

A SOC 2 report needs a description of your system and its data flows — and auditors almost always ask to see an architecture diagram. Instead of redrawing one in Lucidchart the week before the audit, generate it from your real codebase, keep it current automatically, and version every change.

Tags: SOC 2 system description · architecture diagram · data-flow diagram · HIPAA PHI flow

From repo to audit-ready diagram, in six steps

  1. Connect your code and data (10 minutes)

    Connect your GitHub repository with a least-privilege, read-only token scoped to the repositories you want mapped, and your Postgres/Supabase database if you have one. KollGuard reads structure only — your router, your migrations, your function list — never your row data, and it never retains your source. This is the same read-only connection that powers scanning, so there is nothing extra to set up.

  2. Generate the map (one click)

    Open Architecture and click Generate. KollGuard analyses the repo and produces an interactive diagram: an 'All Features' overview plus a per-feature workflow for each major capability, showing the services behind it and how data moves between them. Pick a single repo or a whole project (all its repos in one unified map) from the source dropdown.

  3. Confirm your data flows (15 minutes)

    Walk the data-flow view. Confirm which features touch the database, which call external services (Stripe, your LLM provider, email), and where authentication sits. This is the exact picture an auditor needs for the system description — and the moment teams usually discover an undocumented dependency or a data path nobody intended.

  4. Let it stay current automatically

    You do not maintain this by hand. KollGuard regenerates the map after a successful repository scan and when you connect a new source, debounced so a busy day of pushes does not regenerate repeatedly. Every change is saved as an immutable version, so the diagram is always current and you never present a stale one.

  5. Diff it at each release

    Use Compare versions to see exactly what changed between two points in time — added features, removed features, and changed ones, with new components highlighted. This is your change-awareness evidence: you can show when a component or external dependency entered the system and what it connected to.

  6. Hand it to the auditor

    When the request list arrives, you already have a current system description and a versioned history of how the architecture evolved — not a diagram you redrew the week before. Pair it with the KollGuard evidence package (control rollup, dispositioned findings, audit-log slice) for the underlying detail.
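The checks in steps 3 and 5 (which features reach the database or an external service, which of those have no authentication in front of them, and what changed between two versions) are easy to reproduce against an exported map. The script below is an added example and is not KollGuard's code; the map schema (components with a kind and vendor, features as lists of the components they use), both sample versions, and the content-addressed version id are assumptions made for illustration.

```python
"""Summarise data flows in an architecture map and diff two versions of it.

Added example for the six-step procedure above. The map schema is an
assumption made for illustration; it is not KollGuard's storage format.
Both sample versions are constructed inline.
"""
import hashlib
import json

# Constructed sample, version 1. Each component has a kind; external services
# also carry the vendor name that belongs on the vendor list.
V1 = {
    "components": {
        "api": {"kind": "service"},
        "auth": {"kind": "auth"},
        "postgres": {"kind": "database"},
        "stripe": {"kind": "external", "vendor": "Stripe"},
    },
    "features": {
        "checkout": ["api", "auth", "postgres", "stripe"],
        "signup": ["api", "auth", "postgres"],
        "export-report": ["api", "auth", "postgres"],
    },
}

# Constructed sample, version 2: a release that added an AI summary feature
# wired to an LLM provider, routed checkout receipts through an email
# provider, and dropped the report export.
V2 = {
    "components": {
        "api": {"kind": "service"},
        "auth": {"kind": "auth"},
        "postgres": {"kind": "database"},
        "stripe": {"kind": "external", "vendor": "Stripe"},
        "llm-provider": {"kind": "external", "vendor": "LLM provider"},
        "email-provider": {"kind": "external", "vendor": "Email provider"},
    },
    "features": {
        "checkout": ["api", "auth", "postgres", "stripe", "email-provider"],
        "signup": ["api", "auth", "postgres"],
        "ai-summary": ["api", "postgres", "llm-provider"],
    },
}


def version_id(version):
    """Content-addressed id: SHA-256 of canonical JSON, so it changes iff the map does."""
    canonical = json.dumps(version, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def data_flows(version):
    """Per feature: databases and external services reached, and whether auth is in the path."""
    comps = version["components"]
    flows = {}
    for feature, used in version["features"].items():
        kinds = {c: comps[c]["kind"] for c in used}
        flows[feature] = {
            "database": sorted(c for c, k in kinds.items() if k == "database"),
            "external": sorted(c for c, k in kinds.items() if k == "external"),
            "authenticated": any(k == "auth" for k in kinds.values()),
        }
    return flows


def unauthenticated_paths(version):
    """Features that reach a database or external service with no auth component in the path."""
    return sorted(
        f for f, flow in data_flows(version).items()
        if (flow["database"] or flow["external"]) and not flow["authenticated"]
    )


def vendor_list(version):
    """Third-party dependencies: the input to the risk assessment and vendor inventory."""
    return sorted(
        info["vendor"] for info in version["components"].values() if info["kind"] == "external"
    )


def diff_versions(old, new):
    """Change evidence: added/removed/changed features and what each new component connects to."""
    old_f, new_f = old["features"], new["features"]
    changed = {}
    for feature in sorted(set(old_f) & set(new_f)):
        before, after = set(old_f[feature]), set(new_f[feature])
        if before != after:
            changed[feature] = {"added": sorted(after - before), "removed": sorted(before - after)}
    new_components = sorted(set(new["components"]) - set(old["components"]))
    return {
        "added": sorted(set(new_f) - set(old_f)),
        "removed": sorted(set(old_f) - set(new_f)),
        "changed": changed,
        "new_components": new_components,
        "connected_to": {c: sorted(f for f, used in new_f.items() if c in used) for c in new_components},
    }


if __name__ == "__main__":
    print("v1", version_id(V1)[:12], "-> v2", version_id(V2)[:12])
    print(json.dumps(diff_versions(V1, V2), indent=2))
    print("unauthenticated in v2:", unauthenticated_paths(V2))
    print("vendors in v2:", vendor_list(V2))
```

Run against the two constructed versions, the diff reports `ai-summary` as added, `export-report` as removed, `checkout` as changed (it gained `email-provider`), and names the features each new component connected to; the unauthenticated-path check flags `ai-summary`, which reaches the database and an LLM provider with no auth component in front of it. Hashing the canonical JSON gives each saved version an id you can quote in the evidence package and that an auditor can recompute.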

What auditors actually want

The "system description" in a SOC 2 report is management's account of what the system is and where data goes. A current architecture diagram does most of that work, and it feeds three things auditors examine directly:

  • System boundary & data flow — the overview and data-flow views show components, trust boundaries, and which features reach the database or external services.
  • Change management (CC8) — version history and the compare tool are evidence that architectural changes are tracked; pair each diff with the change ticket or pull-request approval to show they were also reviewed.
  • Risk assessment (CC3) — an accurate inventory of services and third-party dependencies is the input to your risk assessment and vendor list.

Frequently asked

Does SOC 2 actually require an architecture diagram?
A SOC 2 report includes a description of the system — its components, boundaries, and data flows — written by management and evaluated by the auditor against the description criteria. There is no single mandated diagram format, but a clear, current architecture and data-flow diagram is the fastest way to produce that description and is something almost every auditor asks to see.
How is this different from drawing one in Lucidchart or Miro?
Hand-drawn diagrams are accurate the day you draw them and stale a sprint later. KollGuard generates the map from your real code and regenerates it as you scan and connect sources, with a version history — so it reflects the system you actually run, and you can prove when it changed.
Does it expose or store my source code?
No. It reads repository structure and a few high-signal files (router, schema) to build a bounded summary, sends that summary to the model that produces the diagram, and stores only the resulting diagram. Source code is never retained, and database scans never read row data. That summary does leave your environment, so treat KollGuard (and the model behind it) like any other external service in your vendor list.
Does it help with HIPAA too?
Yes. The HIPAA Security Rule expects you to know where electronic PHI is created, received, maintained, and transmitted. The data-flow view — which features touch the database and which call external services — is the starting point for that PHI data-flow analysis and information-asset inventory.
Can I edit the generated diagram before sharing it?
Owners and admins can drag, rename, add, connect, and delete components, add extra views, and save the result as a new version. The generated map is a starting point you fully own.

Generate your architecture map today

First scan free. Connect a repo and the map builds itself.