What does KollGuard do?

KollGuard connects read-only to your GitHub repositories and databases (Postgres, Supabase), scans them for security gaps, and maps every finding to the controls auditors check. The first scan is free and takes minutes.

Which compliance frameworks does KollGuard support?

Twelve: SOC 2 and HIPAA are asserted directly from the technical checks, while ISO 27001, ISO 27701, PCI DSS, GDPR, NIST CSF, NIST 800-53 (the basis for NIST 800-171 and CMMC), HITRUST CSF, CIS Controls and the Joint Commission (JCAHO) Information Management standards are crosswalked from the same checks.

How is KollGuard different from Vanta, Drata, or Secureframe?

KollGuard actually scans your systems rather than only collecting evidence or sending questionnaires, starts free in minutes, is transparently and affordably priced, and lets vendors prove their posture without sharing source code or credentials.

Can KollGuard monitor my AI agents?

Yes. KollGuard's Agent Watch monitors the AI agents you deploy — MCP servers, CI bots, service accounts, and LLM agents — recording every run as a tamper-evident, hash-chained heartbeat, raising health and behavior-drift alerts, and emailing a nightly digest. It maps agent activity to the same SOC 2 and HIPAA controls as the rest of your security posture, so the AI agents touching your data are continuously monitored for compliance.

Does KollGuard need access to my source code?

No. KollGuard performs read-only checks against repository and database metadata and configuration; it never copies or stores your source code, and credentials are encrypted in a vault.

How much does KollGuard cost?

The first scan is free. Paid plans are Starter at $19.89/month and Growth at $99/month, with custom Enterprise pricing. There are no quote-based contracts to get started.

Is this a replacement for a SOC 2 penetration test?

No — and KollGuard does not claim it is. A SOC 2 report expects an independent, third-party pentest. This automated scan complements it: continuous, safe checks for the common issues (headers, TLS, cookies, exposed files, CORS) that catch regressions between your annual engagements. Use both.

Is it safe to run against a production app?

Yes. Every check is read-only (GET requests), with no exploit payloads, no state changes, a bounded number of requests, and a per-request timeout. It is designed to be safe against production. It only scans the exact host you verified.

How does KollGuard stop people scanning sites they do not own?

Ownership is required before any scan. You verify control of the URL via a /.well-known token file or a DNS TXT record, and the scanner hard-refuses any unverified target. Private, loopback, and internal hosts are rejected outright.

What does it actually check?

HTTPS enforcement and HTTP→HTTPS redirect, HSTS, Content-Security-Policy, clickjacking protection, X-Content-Type-Options, Referrer-Policy, cookie Secure/HttpOnly/SameSite flags, software-version disclosure, CORS reflect/wildcard-with-credentials, mixed content, exposed .git/.env/config files, directory listing, and a security.txt best-practice check.

Where do the findings go?

Into the same Findings, Risks, and posture views as your repository, database, and cloud scans — mapped to SOC 2 and HIPAA controls — so web issues roll up into one compliance picture and the same evidence export.

Automated web application security testing for SOC 2

Honest framing: this is the automated layer of web-app security testing. It does not replace the independent, third-party penetration test a SOC 2 auditor will ask for — it makes that pentest more valuable by clearing the easy findings and stopping regressions in between.

From verified URL to continuous checks

1. Add and verify your app (10 minutes)
Add your app URL in KollGuard, then prove you control it — serve a /.well-known/kollguard-verify.txt token file or add a DNS TXT record. KollGuard will not scan a URL you have not verified, so the tool can never be pointed at someone else's site.
2. Run the safe checks (read-only)
KollGuard runs non-destructive GET-only checks against the verified origin: HTTPS enforcement and HSTS, security headers (CSP, X-Frame-Options, nosniff, Referrer-Policy), cookie Secure/HttpOnly/SameSite flags, software-version disclosure, CORS misconfiguration, mixed content, and exposed files (.git, .env, directory listings). No payloads, no exploitation, nothing that modifies your app.
3. Review findings mapped to controls
Each finding lands in your Findings list and posture, mapped to SOC 2 CC6/CC7 and HIPAA §164.312 — the same pipeline as your repo, database, and cloud scans. Transport issues map to transmission security; header and CORS issues map to boundary and logical-access controls.
4. Keep it continuous
Schedule the scan to run on a daily or weekly cadence so a regression — a dropped security header, a newly-exposed file — is caught between releases rather than at your next annual pentest. SOC 2 expects ongoing monitoring, not a once-a-year snapshot.
5. Pair it with an independent pentest
A SOC 2 audit expects an independent, third-party penetration test. This automated scan is the continuous-assurance layer underneath it: it catches the common, mechanical issues early and cheaply, so your paid pentest can focus on logic and depth — and so nothing regresses in the 12 months between engagements.

What it checks

HTTPS enforced + HSTS
HTTP → HTTPS redirect
Content-Security-Policy
Clickjacking (X-Frame-Options / frame-ancestors)
X-Content-Type-Options: nosniff
Referrer-Policy
Cookie Secure / HttpOnly / SameSite
Software-version disclosure
CORS reflect / wildcard-with-credentials
Mixed content on HTTPS
Exposed .git / .env / config
Directory listing + security.txt

Frequently asked

Is this a replacement for a SOC 2 penetration test?: No — and KollGuard does not claim it is. A SOC 2 report expects an independent, third-party pentest. This automated scan complements it: continuous, safe checks for the common issues (headers, TLS, cookies, exposed files, CORS) that catch regressions between your annual engagements. Use both.
Is it safe to run against a production app?: Yes. Every check is read-only (GET requests), with no exploit payloads, no state changes, a bounded number of requests, and a per-request timeout. It is designed to be safe against production. It only scans the exact host you verified.
How does KollGuard stop people scanning sites they do not own?: Ownership is required before any scan. You verify control of the URL via a /.well-known token file or a DNS TXT record, and the scanner hard-refuses any unverified target. Private, loopback, and internal hosts are rejected outright.
What does it actually check?: HTTPS enforcement and HTTP→HTTPS redirect, HSTS, Content-Security-Policy, clickjacking protection, X-Content-Type-Options, Referrer-Policy, cookie Secure/HttpOnly/SameSite flags, software-version disclosure, CORS reflect/wildcard-with-credentials, mixed content, exposed .git/.env/config files, directory listing, and a security.txt best-practice check.
Where do the findings go?: Into the same Findings, Risks, and posture views as your repository, database, and cloud scans — mapped to SOC 2 and HIPAA controls — so web issues roll up into one compliance picture and the same evidence export.

Automated web application security testing for SOC 2

From verified URL to continuous checks

1. Add and verify your app (10 minutes)

2. Run the safe checks (read-only)

3. Review findings mapped to controls

4. Keep it continuous

5. Pair it with an independent pentest

What it checks

Frequently asked

Scan your web app today