JupiterOne launches Continuous Controls Monitoring to check security controls against live asset data

Artificial intelligence risk management platform provider JupiterOne Inc. today announced the launch of JupiterOne Continuous Controls Monitoring, a brand new product that tests whether security and compliance controls are literally working across cloud, software-as-a-service and hybrid environments.

The corporate is pitching CCM, because it calls the offering, as a fix for a spot left by existing compliance automation tools. Those tools have made audit preparation faster but generally stop at proving a control exists on paper quite than confirming it’s operating as intended after implementation.

CCM evaluates controls against live asset data as an alternative of screenshots, spreadsheets and point-in-time reviews. The product is designed to flag control drift because it happens, generate audit-ready evidence from current data sources and map a single control definition across frameworks, including System and Organization Controls 2, International Organization for Standardization 27001, the National Institute of Standards and Technology Cybersecurity Framework, the Federal Risk and Authorization Management Program and the Health Insurance Portability and Accountability Act.

The product sits on top of JupiterOne’s graph-based data model and the corporate’s library of greater than 200 integrations. Fairly than checking isolated application programming interface responses from each connected tool, CCM evaluates controls across the relationships between assets, identities, cloud resources, SaaS applications and security findings. Every test exposes the underlying query, integration source and test logic, which JupiterOne argues is essential for auditors to trust the output.

The corporate’s AI layer can be wired into the product, letting users ask compliance questions in natural language and pull back answers on control status, evidence, drift and framework alignment.

“Most organizations can show that a policy exists. Far fewer can prove, at any moment, that the control behind that policy is definitely working,” said Chief Product Officer Kevin Tonkin. “GRC tools were built to administer compliance workflow. Security teams need something different, a approach to prove that the technical controls behind every policy are literally working, in environments that change by the hour. JupiterOne CCM brings a security lens to GRC.”

Continuous controls monitoring has been gaining ground as security and compliance teams move away from periodic attestation toward real-time assurance, a shift that has drawn entries from each established governance, risk and compliance vendors and a wave of newer startups. JupiterOne’s pitch leans on the graph data model it has built the remainder of its platform around, arguing that controls can’t be meaningfully evaluated in isolation from the assets and identities they govern.

The launch follows JupiterOne’s May rollout of AI Attack Surface Management and Unified Vulnerability Management. The corporate will exhibit CCM at Infosecurity Europe in London from June 2 to 4.

JupiterOne has raised $119 million over 4 rounds. Investors in the corporate include Bain Capital Ventures, Sapphire Ventures, LifeOmic Security, Cisco Investments, Splunk Ventures, Rain Capital Fund LP, Tribe Capital Management, Heavybit Industries Inc. and Sands Capital Ventures.

Image: JupiterOne