What is REAEGIS?
REAEGIS is a compliance execution platform that sits between DevSecOps pipelines and federal authorization systems. It automates the detection, remediation, documentation, and evidence generation required for FedRAMP, CMMC, and DoD RMF programs.
Unlike Governance, Risk, and Compliance (GRC) platforms that manage documents and spreadsheets, REAEGIS computes compliance posture from real system data — source code, scanner results, infrastructure state, and control implementations. Every claim REAEGIS makes about a system's compliance posture is traceable to evidence that was collected automatically and signed cryptographically.
The problem REAEGIS solves
Federal compliance programs require organizations to demonstrate that security controls are implemented, effective, and continuously monitored. The traditional approach — filling out spreadsheets, writing control narratives manually, and assembling evidence packages before annual assessments — has three fundamental problems:
Evidence is stale. A System Security Plan written six months ago describes what the system looked like six months ago. The actual state of the system — its CVEs, its configuration, its access controls — has changed since then. Assessors are increasingly aware of this gap, and regulators are moving toward continuous monitoring requirements (FedRAMP 20x, DoD cATO) that make point-in-time documentation insufficient.
Evidence is disconnected from reality. When a compliance officer writes "encryption is implemented for all data in transit," that claim exists only in a document. Whether the claim is true — whether the system actually enforces TLS everywhere — is a separate question that requires technical investigation. REAEGIS eliminates this separation: every control statement is backed by scanner output, configuration evidence, or a build artifact, all collected from the actual running system.
Remediation is slow. Finding a vulnerability in a penetration test report and fixing it in code are separated by weeks of triage, ticket creation, developer assignment, code review, and deployment. During that window, the vulnerability is a known exposure with no active defense. The REAEGIS Autonomous Remediation Engine shortens this to hours by writing and verifying the fix automatically, routing it through CCB approval, and delivering a pull request that human reviewers can merge.
Who uses REAEGIS
Cloud Service Providers (CSPs) pursuing FedRAMP authorization use REAEGIS to generate OSCAL-formatted authorization packages, maintain continuous KSI validation, and automate the evidence that FedRAMP 20x Phase 2 requires. REAEGIS generates machine-readable SSPs, POA&Ms, and ConMon packages from live system state.
Defense contractors handling CUI use REAEGIS to manage their NIST SP 800-171 implementation across repositories, compute their SPRS score from real control data, and prepare for CMMC Level 2 C3PAO assessments. The REAEGIS subcontractor portal handles DFARS 252.204-7021 flow-down obligations.
Federal agencies and system owners under the DoD RMF use REAEGIS to maintain continuous authorization (cATO), track control implementation across multiple systems, and produce assessment evidence packages for Authorizing Officials.
Managed Security Service Providers (MSSPs) use the REAEGIS multi-tenant architecture to manage compliance programs for multiple clients from a single platform, with per-client isolation and consolidated reporting.
| Role | How REAEGIS helps |
|---|---|
| ISSO | Maintains ATO evidence continuously; generates SSP narratives from real scanner data |
| ISSM | Tracks posture and findings across multiple programs from one dashboard |
| Developer | Receives remediation PRs with working code fixes, build-verified before delivery |
| CISO | Compliance Intelligence Command Center with cross-program posture and alert strip |
| Authorizing Official | Reviews Cosign-signed OSCAL evidence packages that reflect current system state |
| DoD contractor | Computes live SPRS score; prepares for CMMC Level 2 C3PAO assessments |
| CSP | OSCAL SSP and RFC-0024 machine-readable packages from live control data |
Platform architecture
REAEGIS is built around six purpose-built engines that handle distinct phases of the compliance lifecycle. Each engine communicates over NATS message streams, with every event logged to the CHRONICLE audit system and signed with Cosign.
Repository Push
       │
       ▼
┌─────────────┐     ┌─────────────┐     ┌──────────────┐
│   RAMPART   │────▶│    AXIOM    │────▶│  ADVERSARIUS │
│  Evaluation │     │   Control   │     │  AI Analysis │
│   Engine    │     │ Intelligence│     │              │
└─────────────┘     └─────────────┘     └──────────────┘
       │                    │
       ▼                    ▼
┌─────────────┐     ┌─────────────┐     ┌──────────────┐
│     ARE     │────▶│   PHAROS    │     │  CHRONICLE   │
│ Autonomous  │     │ Continuous  │     │    Audit     │
│ Remediation │     │ Monitoring  │     │   Engine     │
└─────────────┘     └─────────────┘     └──────────────┘
RAMPART — Evaluation Engine
RAMPART runs 9 compliance gates on every push to a connected repository. Gates check image digest pinning, vulnerabilities, SBOM attestation, STIG baselines, branch policies, change control, secrets, IaC configuration, and SLSA provenance. Every gate returns a PASS, WARN, FAIL, or BLOCK decision, with findings created for any non-pass result.
A key design principle: RAMPART never returns PASS when it cannot run. A gate that lacks the evidence to evaluate returns WARN — missing evidence is itself a compliance signal, not a clean bill of health.
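The fail-closed rule above is easy to state and easy to get wrong in code, because the natural default for "nothing found" is PASS. The following is an added example, not RAMPART's own code, showing two gates (image digest pinning and secrets) with PASS/WARN/FAIL/BLOCK decisions where absent evidence is routed to WARN before any check runs. The decision ordering, the gate names, the severity each gate assigns, and the sample Dockerfile and files (with a placeholder digest and AWS's documented example key id) are all assumptions made for the example.

```python
"""Fail-closed compliance gates (added example, not REAEGIS code).

Assumptions: PASS < WARN < FAIL < BLOCK ordering; a Dockerfile stage that is
not pinned by digest is FAIL; a hard-coded AWS access key id is BLOCK; a gate
whose evidence was never collected returns WARN, never PASS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional


class Decision(IntEnum):
    PASS = 0
    WARN = 1    # also "could not evaluate": missing evidence is a signal
    FAIL = 2
    BLOCK = 3


@dataclass
class GateResult:
    gate: str
    decision: Decision
    findings: list[str] = field(default_factory=list)


# FROM [--platform=...] <ref> [AS <alias>]  (multi-stage aliases are not images)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
# An OCI reference counts as pinned only when it ends in a sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# AWS access key id pattern (the documented AKIA... form).
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def digest_pinning_gate(dockerfile: Optional[str]) -> GateResult:
    """Image digest pinning: every base image must be referenced by digest."""
    if dockerfile is None:
        return GateResult("DIGEST_PINNING", Decision.WARN,
                          ["no Dockerfile collected; gate could not evaluate"])
    stages = FROM_RE.findall(dockerfile)          # [(ref, alias), ...]
    if not stages:
        return GateResult("DIGEST_PINNING", Decision.WARN,
                          ["Dockerfile has no FROM instruction; gate could not evaluate"])
    aliases = {alias for _, alias in stages if alias}
    unpinned = [ref for ref, _ in stages
                if ref != "scratch" and ref not in aliases and not DIGEST_RE.search(ref)]
    if unpinned:
        return GateResult("DIGEST_PINNING", Decision.FAIL,
                          [f"{ref} is not pinned by digest" for ref in unpinned])
    return GateResult("DIGEST_PINNING", Decision.PASS)


def secrets_gate(files: Optional[dict[str, str]]) -> GateResult:
    """Secrets: a committed cloud credential blocks the push outright."""
    if files is None:
        return GateResult("SECRETS", Decision.WARN,
                          ["no source tree collected; gate could not evaluate"])
    hits = [f"{path}: AWS access key id committed"
            for path, text in sorted(files.items()) if AWS_KEY_RE.search(text)]
    return GateResult("SECRETS", Decision.BLOCK if hits else Decision.PASS, hits)


GATES: dict[str, Callable] = {
    "DIGEST_PINNING": digest_pinning_gate,
    "SECRETS": secrets_gate,
}


def evaluate(evidence: dict[str, object]) -> list[GateResult]:
    """Run every gate; a gate whose evidence key is absent gets None and WARNs."""
    return [gate(evidence.get(name)) for name, gate in GATES.items()]


def overall(results: list[GateResult]) -> Decision:
    """The evaluation is only as clean as its worst gate."""
    return max(r.decision for r in results)


def open_findings(results: list[GateResult]) -> list[tuple[str, str]]:
    """Findings are created for every non-PASS result, WARN included."""
    return [(r.gate, f) for r in results if r.decision != Decision.PASS for f in r.findings]


# Constructed sample evidence (the digest below is a placeholder, not a real image).
SAMPLE_DOCKERFILE = (
    "FROM --platform=linux/amd64 golang:1.22@sha256:" + "ab" * 32 + " AS builder\n"
    "WORKDIR /src\n"
    "RUN go build -o app .\n"
    "FROM builder AS test\n"
    "RUN go test ./...\n"
    "FROM alpine:3.20\n"
    "COPY --from=builder /src/app /app\n"
)
SAMPLE_FILES = {
    "README.md": "# payments-api\n",
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',  # AWS's documented example id
}

if __name__ == "__main__":
    for r in evaluate({"DIGEST_PINNING": SAMPLE_DOCKERFILE}):   # SECRETS evidence missing
        print(r.gate, r.decision.name, r.findings)
```

Note the two places the rule bites: `evaluate()` hands `None` to any gate whose collector produced nothing, and each gate checks for `None` before it checks for problems, so an empty evidence set yields an all-WARN evaluation rather than an all-PASS one.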
AXIOM — Control Intelligence
AXIOM maps RAMPART gate results to NIST SP 800-53 and 800-171 controls. When RAMPART reports a VULNERABILITY gate failure mapped to SI-2, AXIOM marks the SI-2 control as having unresolved findings. This mapping propagates to the compliance posture score, the ATO readiness ring, and the SPRS calculator.
AXIOM evaluates 15 Rego policy rules that assess control implementation quality beyond gate pass/fail — for example, evaluating whether the system's logging configuration covers the full audit scope required by AU-2.
ARE — Autonomous Remediation Engine
The ARE takes a finding and autonomously generates a fix. It reads the actual source code, generates a unified diff patch using claude-opus-4-8, applies the patch, builds the result, and verifies it against 7 scanners in 3 stages. If all verification passes, it creates a CCB Change Request. After approval, it routes dual pull requests: one to the compliance vault for evidence archival, one to the customer's staging branch.
ADVERSARIUS — AI Analysis
ADVERSARIUS provides cross-finding intelligence. When multiple findings across multiple repositories share a common root cause — for example, the same vulnerable library version or the same misconfigured base image — ADVERSARIUS identifies the pattern and surfaces it as a strategic finding with cross-system remediation guidance.
PHAROS — Continuous Monitoring
PHAROS runs scheduled sweeps to maintain continuous monitoring compliance. It generates monthly ConMon packages for FedRAMP, checks control narrative freshness for SSP accuracy, and triggers SHA-delta re-evaluations when it detects that a system's dependency snapshot has changed without a corresponding evaluation.
CHRONICLE — Audit and Signing
CHRONICLE is the cryptographic backbone of the platform. Every event — evaluations, findings, remediation steps, control updates, document generation — is signed with Cosign and anchored to the Rekor transparency log. This provides a tamper-evident audit trail that satisfies both FedRAMP continuous monitoring and DoD RMF evidence requirements.
How an evaluation works
When a developer pushes code to a connected repository:
- GitHub delivers a webhook event to REAEGIS
- RAMPART fetches the repository at the pushed commit SHA
- RAMPART runs all 9 gates in sequence
- Findings are created for any FAIL, BLOCK, or WARN results
- AXIOM maps findings to NIST controls and updates posture scores
- CHRONICLE signs the evaluation and anchors it to Rekor
- PHAROS receives the event and updates continuous monitoring state
- If findings exist, the ARE can be triggered to begin autonomous remediation
A complete evaluation typically takes 3–8 minutes, depending on repository size and scanner availability.
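To make the handoff between the steps concrete, here is an added example (not REAEGIS code) that takes a finished set of gate decisions and walks through what the AXIOM and CHRONICLE steps above imply: findings are created for every non-PASS gate, each finding is mapped to the controls it affects, a per-control status and posture score are derived, and the whole evaluation is serialized into a canonical record whose SHA-256 is what a detached signature would cover. The gate-to-control mapping, the "needs-evidence" status for WARN-only controls, the score formula, the record layout, and the sample evaluation (placeholder repository and commit SHA) are assumptions of the example; the control identifiers are NIST SP 800-53 Rev 5 IDs, but the text only confirms the VULNERABILITY to SI-2 link.

```python
"""From gate decisions to control posture and a signable evidence record
(added example, not REAEGIS code). The gate-to-control mapping, the status
precedence and the score formula are illustrative assumptions."""
from __future__ import annotations

import hashlib
import json

RANK = {"PASS": 0, "WARN": 1, "FAIL": 2, "BLOCK": 3}

# Illustrative mapping; the control identifiers are NIST SP 800-53 Rev 5 IDs,
# but which gate feeds which control is an assumption of this example.
GATE_CONTROLS = {
    "VULNERABILITY": ["SI-2", "RA-5"],
    "SECRETS": ["IA-5"],
    "DIGEST_PINNING": ["CM-14"],
    "SBOM_ATTESTATION": ["SR-4"],
    "SLSA_PROVENANCE": ["SR-4", "SA-10"],
}
CATALOG = sorted({c for controls in GATE_CONTROLS.values() for c in controls})


def build_findings(evaluation: dict) -> list[dict]:
    """One finding per non-PASS gate message, tagged with the controls it affects."""
    return [
        {"gate": g["gate"], "decision": g["decision"], "detail": detail,
         "controls": GATE_CONTROLS.get(g["gate"], [])}
        for g in evaluation["gates"] if g["decision"] != "PASS"
        for detail in g["findings"]
    ]


def control_status(findings: list[dict]) -> dict[str, str]:
    """Worst finding wins per control. A WARN-only control means its evidence is
    missing; that is tracked as 'needs-evidence', never folded into 'implemented'."""
    worst = {c: 0 for c in CATALOG}
    for f in findings:
        for c in f["controls"]:
            worst[c] = max(worst[c], RANK[f["decision"]])
    return {c: ("unresolved" if r >= RANK["FAIL"]
                else "needs-evidence" if r == RANK["WARN"]
                else "implemented") for c, r in worst.items()}


def posture_score(status: dict[str, str]) -> float:
    """Percentage of catalog controls with evidence of implementation and no open findings."""
    implemented = sum(1 for s in status.values() if s == "implemented")
    return round(100.0 * implemented / len(status), 1)


def evidence_record(evaluation: dict) -> tuple[str, str]:
    """Canonical JSON of the whole evaluation plus its SHA-256.

    The canonical bytes are what a detached signature (for example one made
    with cosign sign-blob) would cover; signing itself is outside this example."""
    findings = build_findings(evaluation)
    status = control_status(findings)
    record = {
        "repository": evaluation["repository"],
        "commit": evaluation["commit"],
        "gates": evaluation["gates"],
        "findings": findings,
        "controls": status,
        "score": posture_score(status),
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return canonical, hashlib.sha256(canonical.encode()).hexdigest()


def verify_record(canonical: str, digest: str) -> bool:
    """Recompute the digest; any edit to the record after it was hashed is detected."""
    return hashlib.sha256(canonical.encode()).hexdigest() == digest


# Constructed sample: what a webhook-triggered evaluation might hand to AXIOM.
SAMPLE_EVALUATION = {
    "repository": "example-org/payments-api",                   # placeholder
    "commit": "0123456789abcdef0123456789abcdef01234567",       # placeholder SHA
    "gates": [
        {"gate": "VULNERABILITY", "decision": "FAIL",
         "findings": ["scanner reported a fixable critical vulnerability in a runtime dependency"]},
        {"gate": "SECRETS", "decision": "PASS", "findings": []},
        {"gate": "DIGEST_PINNING", "decision": "PASS", "findings": []},
        {"gate": "SBOM_ATTESTATION", "decision": "WARN",
         "findings": ["no SBOM attestation collected for the image; gate could not evaluate"]},
        {"gate": "SLSA_PROVENANCE", "decision": "PASS", "findings": []},
    ],
}

if __name__ == "__main__":
    canonical, digest = evidence_record(SAMPLE_EVALUATION)
    print(json.loads(canonical)["controls"], digest)
```

Two design points carry over from the page's evidence-first stance: a control whose only finding is a WARN does not count toward the posture score, because no evidence was collected for it; and the record is canonicalized (sorted keys, fixed separators) before hashing, so the same evaluation always produces the same bytes and the digest can be compared against the signed copy later without re-parsing.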
Evidence-first compliance
The most important architectural decision in REAEGIS is that evidence is primary and documentation is derived. Every control narrative in the System Security Plan is generated from evidence that was collected automatically. Every POA&M entry corresponds to a finding that was detected by a scanner. Every compliance posture score is computed from control implementation records backed by evidence.
This means REAEGIS documentation reflects the actual state of the system at the time it was generated — not a description written months earlier that may no longer be accurate.
REAEGIS generates OSCAL-formatted SSPs, POA&Ms, and ConMon packages from live system state. RFC-0024 requires machine-readable authorization packages from all FedRAMP providers by September 30, 2026. See the FedRAMP guide for details.
What REAEGIS is not
- Not a GRC spreadsheet tool. REAEGIS generates evidence from real system data, not from human-entered descriptions of what should be true.
- Not a document-filling tool. Documents are outputs of the evidence pipeline, not the starting point.
- Not a one-time assessment tool. REAEGIS runs continuously; every push is evaluated.
- Not a point-in-time scanner. Posture is maintained between evaluations by PHAROS continuous monitoring.
What REAEGIS does not do
REAEGIS does not replace eMASS, does not conduct penetration testing, and does not automate Physical & Environmental (PE), Personnel Security (PS), or Awareness & Training (AT) controls. These require human involvement.
Framework support
| Framework | REAEGIS support level |
|---|---|
| FedRAMP Low | Full — control catalog, SSP, POA&M, ConMon |
| FedRAMP Moderate | Full — 325+ controls, KSI dashboard, OSCAL packages |
| FedRAMP High | Full — 420+ controls, STIG gate, all KSIs |
| CMMC Level 1 | Full — 17 practices, self-attestation wizard |
| CMMC Level 2 | Full — 110 practices, SPRS calculator, C3PAO prep |
| CMMC Level 3 | Partial — NIST 800-172 delta gap analysis |
| NIST 800-171 Rev 2 | Full — 110 requirements, SPRS, evidence per practice |
| NIST 800-171 Rev 3 | Full — 98 active requirements, ODP editor, readiness score |
| DoD RMF | Full — cATO monitoring, STIG baselines, eMASS export |
| NIST 800-53 Rev 5 | Full — complete control catalog, SSP, SAR, POA&M |
Next steps
- Quick Start — Connect your first repository and run an evaluation
- Key Concepts — Definitions for all terms used in this documentation
- RAMPART Engine — Detailed gate documentation
- CMMC Guide — CMMC 2.0 requirements and REAEGIS support