Argonaut Cyber

The cyber control plane for security operations.

SafeHarbor evolves beyond CAASM into a unified control plane that observes, decides, and enforces across the full security lifecycle: asset intelligence, vulnerability prioritization, compliance automation, and closed-loop remediation in a single platform. Built for regulated enterprise and federal environments. Air-gapped from day one.

Request a demo → Explore the platform
1,264 connectors IL5 / IL6 ready
The problem

CAASM tools tell you what you have.
SafeHarbor tells you what it should be, where it's drifting, and how to fix it, continuously.

Read-only inventory is not enough

Legacy CAASM tools surface drift but leave you opening tickets. SafeHarbor closes the loop with policy-driven enforcement across connectors.

Federal environments aren't K8s-friendly

Single binary. No cluster, no sidecar sprawl, no cloud dependency. Ships as an offline bundle for IL5, IL6, SIPR, and JWICS.

Compliance shouldn't take a quarter

SSP auto-generation, continuous monitoring, OSCAL export. POA&M lifecycle with an auto-close worker that actually closes.

SafeHarbor · the flagship product

Four loops. One binary.

SafeHarbor observes every asset, scores every vulnerability, drafts every SSP, and executes every remediation. Built as a single binary so it runs the same way on your laptop, on a hardened enclave appliance, and on a cATO-authorized SIPR node.

SafeHarbor dashboard
01 · Observe

Every asset.
Every edge.
Every time.

1,264 connectors stream into a DGraph-backed asset graph with 23 AD edge types. ClickHouse handles the analytics side-car. NATS JetStream keeps the ingest pipeline durable even across air-gap transfer windows.

DGraph v25.3.2ClickHouse 24.12NATS JetStream23 AD edge types
SafeHarbor Asset Explorer
02 · Decide

TIDE risk scoring. Predictive, not reactive.

Every asset carries a TIDE score: Threat, Impact, Defensibility, Exposure. Enriched with EPSS, CISA KEV, and Tenable VPR. Snapshots persist to ClickHouse, so you can query what the tide looked like at 4am last Thursday.

EPSS · liveCISA KEV · dailyVPR enrichment$-at-risk engine
SafeHarbor Business Risk view
03 · Prove

OSCAL-native compliance. Eight frameworks out of the box.

NIST 800-53 Rev 5, FedRAMP, CMMC 2.0, CISA BOD, CISA ZT, DISA STIG, PCI DSS, HIPAA. Auto-generated SSPs, evidence collection, and OSCAL export (SSP, SAR, POA&M, Component Definition). eMASS and Xacta 360 integrations ship in the box.

NIST 800-53 R5FedRAMPCMMC 2.0DISA STIGeMASSXacta 360
System Security Plan · draft.oscal.json● Auto-sync 
{
  "system-security-plan": {
    "uuid": "f3c21a...",
    "metadata": { "title": "SafeHarbor · Prod-IL5" },
    "control-implementation": {
      "implemented-requirements": [
        { "control-id": "ac-2", "status": "implemented" },
        { "control-id": "au-6", "status": "implemented" },
        { "control-id": "si-4", "status": "implemented" },
        ...  1,247 controls auto-populated
}
04 · Enforce

Closed-loop remediation. Not a ticket queue.

Policies declare desired state. SafeHarbor detects drift, opens change records, executes remediations through the same connectors it reads from, then proves the fix held. Every action signed and logged to the tenant-isolated audit stream.

Policy-drivenSigned actionsRollbackTenant isolation
# harbor-ctl · close the loop on a drifted S3 bucket $ harbor-ctl drift detect --asset s3://prod-claims-data ⚠ public-read ACL detected · policy ac-3 violated $ harbor-ctl remediate --from policy ac-3 --apply ✓ ACL reset → private ✓ attestation signed · audit-log#4f2a ✓ evidence attached to POA&M #129 # 48 seconds, end to end.
Compliance matrix

One control plane, every framework.

SafeHarbor maps controls to evidence, automates the drudgery, and exports in OSCAL.

SafeHarbor compliance overview
Federal & DoD

Architected for classified from day one.

Architected for IL5, IL6, SIPR and JWICS natively. Verifiable in the binary: no cloud dependency, no outbound sidecar, no K8s control plane required.

Crypto
Go BoringCrypto cryptographic module. TLS 1.2+, FIPS cipher suites, PBKDF2-SHA256 600K iterations.
Authentication
CAC/PIV via mTLS with X.509, SAML, OIDC, LDAP with JIT. DoD PKI out of the box.
Authorization
RMF 7-step lifecycle, cATO engine, eMASS bi-directional, Xacta 360.
Feeds (offline)
NVD, OSV, EPSS, KEV ingestion via signed offline bundles. Works on disconnected networks.
IL5
IL6

IL5 / IL6 ready

Architected for classified enclaves. Deployable on SIPR and JWICS.

cATO

Continuous ATO

RMF 7-step automation with ConMon workers that actually close POA&M items.

1,264
Connectors shipping today
8
Compliance frameworks
30
Built-in security policies
23
AD edge types tracked
Solutions

Where SafeHarbor fits in your stack.

Five archetype deployments. SafeHarbor cohabits with the tools you have already bought (XDR, CSPM, SIEM, IdP) and makes them answer the questions they can't answer alone.

HIGH-SIDE ENCLAVE Falcon Gov Entra · CAC Tenable SC SafeHarbor FIPS · OSCAL eMASS OSCAL PDP / PEP Splunk
Federal · DoD / IC

Classified-ready SOC

CAC/PIV, eMASS, OSCAL-native exports. Single binary, ready to deploy into IL5+ enclaves with zero external SaaS dependencies.

Read the architecture →
 Wiz / Prisma CrowdStrike Tenable VM Okta · Entra SafeHarbor CAASM · OSCAL FedRAMP pkgSSP · POAM · SAR ServiceNow $-at-risk
Federal Civilian · FedRAMP

Continuous ATO evidence

Ingest Wiz, Tenable, CrowdStrike, Okta. Emit the FedRAMP package (OSCAL SSP, POA&M, SAR) on demand from live graph state. No more 90-day spreadsheets.

Read the architecture →
 CrowdStrike Okta Jamf · Intune Tenable VM SafeHarbor Attack paths Toxic combos Jira auto-POAM Splunk Exec briefing
Commercial · XDR Stack

Answers XDR can't

"Which users have admin access without MFA on production servers without EDR?" Attack-path engine with 23 AD edges. No domain-join, no BloodHound collector on the DC.

Read the architecture →
 01 Scope 02 Discover 03 Prioritize 04 Validate 05 Mobilize GARTNER CTEM · FIVE STAGES 4 native, 1 partner. Any BAS for stage 4.
CTEM Program

Four of five stages, natively

Scoping, Discovery, Prioritization, Mobilization ship in the binary. Partner with AttackIQ, SafeBreach, or Pentera for live Validation. Their telemetry marks attack paths validated_live in the graph.

Read the architecture →
 LEVEL 0-1 · PLCs Modbus · DNP3 · OPC UA LEVEL 2 · SCADA / HMI Historian · HMI workstations LEVEL 3-5 · ENTERPRISE IT AD · SaaS · Cloud SafeHarbor IT + OT graph 62443 · Purdue
OT · ICS · Critical Infrastructure

One graph, IT + OT

Passive OT discovery from Claroty, Dragos, Nozomi lives alongside IT endpoint telemetry. Purdue-model segmentation gaps surface as toxic combinations. ISA / IEC 62443 mapping is native.

Read the architecture →
See all five architectures →
Pricing

Start free.
Scale to enterprise.

Community runs the same binary as Enterprise, just with a 50-asset cap. Upgrade only when your asset count demands it.

Community
Free

50 assets. All connectors. OSCAL export. Local auth. The full binary, on your laptop or homelab.

  • ✓ 50 assets
  • ✓ 1,264 connectors
  • ✓ All 8 compliance frameworks
  • ✓ OSCAL export
  • ✓ Community Discord
Request a community license →
Enterprise
Custom

Air-gap, FIPS, IL5/IL6, CAC/PIV, eMASS, Xacta. Dedicated TAM.

  • ✓ Everything in Community
  • ✓ Per-asset volume pricing
  • ✓ SSO (SAML, OIDC, CAC/PIV)
  • ✓ Air-gap offline bundle
  • ✓ IL5/IL6
  • ✓ eMASS, Xacta integrations
  • ✓ Direct engineering support
Contact us →
Request a demo

Let's show you the binary.

30 minutes. No deck. We spin up a live SafeHarbor against your sample connectors and walk through your own asset graph. Federal briefings available with AO/PM present.

📧
Commercial sales
sales@argonautcyber.com
🏛
Federal & DoD
federal@argonautcyber.com
🛟
Support
support@argonautcyber.com
Get in touch

Email the right team directly and we'll reply within one business day.

Commercial demo: sales@argonautcyber.com → Federal briefing: federal@argonautcyber.com →