Pay for what you certify against. Not per-control. Not per-report.

Security Essentials is $65 per user per month, billed annually. A "user" is defined as a committer who pushed code in the last 90 days (a soft limit) plus any additional seats you add. Auditor seats are free — unlimited read-only access. Compliance frameworks are added à la carte: SOC 2 Type II is $2,500/year, FedRAMP Low/Moderate/High are $5,000/$10,000/$15,000/year, and DoD Impact Levels (IL2–IL6) start at $15,000/year. NIST 800-53 is included in every plan.

The free trial is self-service. You log in via GitHub and a GitHub organization admin installs the TestifySec GitHub App; from there the platform begins collecting signed evidence on every commit. The trial includes 5 NIST 800-53 controls so you can see your spine coverage on day one. No credit card is required.

TestifySec maps pipeline evidence, production scans, IaC, and application code to NIST 800-53 (included), SOC 2 Type II, FedRAMP Low/Moderate/High, and DoD Impact Levels IL2 through IL6 today. CMMC 2.0, ISO 27001, EU CRA, and FedRAMP 20x are on the roadmap; FedRAMP 20x is targeted for June 2026. Enterprise customers can request custom frameworks built against their own control catalog.

Yes. The Enterprise (self-hosted) tier runs in your VPC or fully air-gapped on-prem. TestifySec provides cleared support for DoD Impact Levels up to IL6, and Enterprise deployments support BYO KMS, BYO storage (S3 / MinIO / Postgres), and BYO LLM provider (AWS Bedrock, Azure OpenAI, GCP Vertex AI, or your own API keys).

in-toto is an open framework — originally developed at NYU — for cryptographically attesting every step of a software supply chain. Each step produces a signed attestation linking inputs, command, and outputs; verifiers can then check that a final artifact was produced by an approved pipeline. TestifySec maintains Witness (the CLI/attestor) and Archivista (the attestation store) — both donated to the in-toto project — and built the TestifySec Platform on top to turn raw attestations into framework-mapped compliance evidence. Frederick Kautz (TestifySec) is a co-author of NIST SP 800-204D; both founders contributed to the CNCF Software Supply Chain Best Practices whitepaper.

Witness is an open-source CLI tool maintained by TestifySec that generates in-toto attestations from CI/CD steps. It wraps any command (build, test, scan, sign, deploy) and emits a signed attestation describing what ran, what it consumed, and what it produced. Witness is the production tool behind Autodesk's FedRAMP attestation pipeline.

Archivista is the open-source attestation storage service maintained by TestifySec. It accepts in-toto attestations from Witness or any other in-toto–compatible producer, stores the signed envelopes, and exposes a GraphQL API for verification and reporting. Archivista is the storage backend the TestifySec Platform uses to power its compliance dashboards and reports.

No — TestifySec sits beside your existing GRC tool. GRC platforms manage policy, personnel, and IT infrastructure controls; TestifySec automates the development-side evidence those tools cannot collect (cryptographic build attestations, SBOMs, vulnerability scans, policy-as-code enforcement on every commit). The platform exports signed evidence to Vanta, Drata, Secureframe, OSCAL bundles, or direct auditor PDFs.

TestifySec was founded by Cole Kennedy and Frederick Kautz. Frederick is a co-author of NIST SP 800-204D ("Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines"). Both founders contributed to the CNCF Software Supply Chain Best Practices whitepaper. The team maintains Witness and Archivista in the in-toto project.