Argonaut Cyber

The cyber control plane for security operations.

SafeHarbor evolves beyond CAASM into a unified control plane that observes, decides, and enforces across the full security lifecycle — asset intelligence, vulnerability prioritization, compliance automation, and closed-loop remediation in a single platform. Built for regulated enterprise and federal environments. Air-gapped from day one.

FIPS 140-3 | OSCAL 1.1.2 | 2,000+ connectors | IL5 / IL6 ready

The problem

CAASM tools tell you what you have.
SafeHarbor tells you what it should be, where it's drifting, and how to fix it — continuously.

Read-only inventory is not enough

Legacy CAASM tools surface drift but leave you opening tickets. SafeHarbor closes the loop with policy-driven enforcement across connectors.

Federal environments aren't K8s-friendly

Single Go binary. No cluster, no sidecar sprawl, no cloud dependency. Ships as an offline bundle for IL5, IL6, SIPR, and JWICS.

Compliance shouldn't take a quarter

SSP auto-generation, continuous monitoring, OSCAL 1.1.2 export. POA&M lifecycle with an auto-close worker that actually closes.

SafeHarbor · the flagship product

Four loops. One binary.

SafeHarbor observes every asset, scores every vulnerability, drafts every SSP, and executes every remediation. Built as a single Go binary so it runs the same way on your laptop, on a hardened enclave appliance, and on a cATO-authorized SIPR node.

harbor · Prod-IL5-West
● Live Sweep 4m 12s ago
Workspaces
Assets · 1,284,912
Risk engine · 0.17
Compliance · 8 frameworks
Remediation · 42 running
Connectors · 2,047 active
Audit log
Critical · 27
KEV · 9
$ at risk · $14.2M
Coverage · 98.4%
Risk over time · 30d
VTC-enhanced score trending ↓ 12%
EPSS | KEV | VPR

01 · Observe

Every asset, every edge, every time.

2,000+ connectors stream into a DGraph-backed asset graph with 23 AD edge types. ClickHouse handles the analytics side-car. NATS JetStream keeps the ingest pipeline durable even across air-gap transfer windows.

DGraph v24.1 | ClickHouse 24.12 | NATS JetStream | 23 AD edge types
Asset graph · sample

02 · Decide

VTC-enhanced risk. Predictive, not reactive.

Every asset is scored with a Vulnerability-Threat-Criticality (VTC) model, enriched with EPSS, CISA KEV, and Tenable VPR. Snapshots persist to ClickHouse so you can query the 4am incident from last Thursday.

EPSS · live | CISA KEV · daily | VPR enrichment | $-at-risk engine

Top 5 · business services at risk
Claims Processing · $4.8M
Clinical EHR Gateway · $3.2M
Financial Core · $2.4M
Supply Chain Ingest · $1.9M
Benefits Portal · $1.1M

03 · Prove

OSCAL-native compliance. Eight frameworks out of the box.

NIST 800-53 Rev 5, FedRAMP, CMMC 2.0, CISA BOD, CISA ZT, DISA STIG, PCI DSS, HIPAA. Auto-generated SSPs, evidence collection, and OSCAL 1.1.2 export (SSP, SAR, POA&M, Component Definition). eMASS v3.22 and Xacta 360 integrations ship in the box.

NIST 800-53 R5 | FedRAMP | CMMC 2.0 | DISA STIG | eMASS | Xacta 360

System Security Plan · draft.oscal.json ● Auto-sync
{
  "system-security-plan": {
    "uuid": "f3c21a...",
    "metadata": { "title": "SafeHarbor · Prod-IL5" },
    "control-implementation": {
      "implemented-requirements": [
        { "control-id": "ac-2", "status": "implemented" },
        { "control-id": "au-6", "status": "implemented" },
        { "control-id": "si-4", "status": "implemented" },
        ...  1,247 controls auto-populated
      ]
    }
  }
}

04 · Enforce

Closed-loop remediation. Not a ticket queue.

Policies declare desired state. SafeHarbor detects drift, opens change records, executes remediations through the same connectors it reads from — then proves the fix held. Every action signed and logged to the tenant-isolated audit stream.

Policy-driven | Signed actions | Rollback | Tenant isolation

# harbor-ctl · close the loop on a drifted S3 bucket
$ harbor-ctl drift detect --asset s3://prod-claims-data
⚠ public-read ACL detected · policy ac-3 violated
$ harbor-ctl remediate --from policy ac-3 --apply
✓ ACL reset → private
✓ attestation signed · audit-log#4f2a
✓ evidence attached to POA&M #129
# 48 seconds, end to end.

Compliance matrix

One control plane, every framework.

Click a framework to see how SafeHarbor maps controls to evidence, automates the drudgery, and exports in OSCAL. All eight frameworks ship in the binary.

Federal & DoD

Architected for classified from day one.

Axonius can self-host. We're the one architected for IL5, IL6, SIPR and JWICS natively. Verifiable in the binary — no cloud dependency, no outbound sidecar, no K8s control plane required.

Crypto
FIPS 140-3 via Go BoringCrypto. TLS 1.2+, FIPS cipher suites, PBKDF2-SHA256 600K iterations.
Authentication
CAC/PIV with PKCS#12, SAML, OIDC, LDAP with JIT. DoD PKI out of the box.
Authorization
RMF 7-step lifecycle, cATO engine, eMASS v3.22 bi-directional, Xacta 360.
Feeds (offline)
NVD, OSV, EPSS, KEV ingestion via signed offline bundles. Works on disconnected networks.

FIPS 140-3

BoringCrypto cryptographic module. In validation, Level 1.

IL5 / IL6 ready

Architected for classified enclaves. SIPR and JWICS deployments supported.

OSCAL-native

SSP · SAR · POA&M · Component Definition. Exports that actually import.

Continuous ATO

RMF 7-step automation with ConMon workers that actually close POA&M items.

1M+ · Assets per deployment
50M+ · Relationships per graph
2,047 · Connectors shipping today
48s · Detect → remediate → prove

"We replaced three tools with one binary. The first OSCAL export from SafeHarbor passed eMASS ingest on the first try — we'd never seen that before."
Maj. M. Rivera*
Authorizing Official · DoD Component Program
* composite quote · placeholder
Pricing

Start free. Scale to enterprise.

Community runs the same binary as Enterprise — just with a 50-asset cap. Upgrade only when your asset count demands it.

Community
Free

50 assets. All connectors. OSCAL export. Local auth. The full binary, on your laptop or homelab.

  • ✓ 50 assets
  • ✓ 2,000+ connectors
  • ✓ All 8 compliance frameworks
  • ✓ OSCAL 1.1.2 export
  • ✓ Community Discord
Download binary →
Professional
Most popular
$24/asset/yr

For commercial security teams. Unlimited users, SAML, automated remediation, 9×5 support.

  • ✓ Unlimited assets
  • ✓ SAML / OIDC / LDAP
  • ✓ Closed-loop remediation
  • ✓ Postgres HA backend
  • ✓ 9×5 email + Slack support
Start a trial →
Enterprise & Federal
Custom

Air-gap, FIPS, IL5/IL6, CAC/PIV, eMASS, Xacta. Dedicated TAM. Contract vehicles available.

  • ✓ Everything in Professional
  • ✓ FIPS 140-3 build
  • ✓ Air-gap offline bundle
  • ✓ eMASS / Xacta integration
  • ✓ 24×7 phone + dedicated TAM
Request a briefing →
Request a demo

Let's show you the binary.

30 minutes. No deck. We spin up a live SafeHarbor against your sample connectors and walk through your own asset graph. Federal briefings available with AO/PM present.

Commercial sales: sales@argonautcyber.com
Federal & DoD: federal@argonautcyber.com
Support: support@argonautcyber.com

No marketing list. Your email is used for one conversation.