AI-powered compliance with Claude • Auto-evidence from AWS, Azure, GCP

AI-Powered
compliance automation.

The only compliance platform with built-in AI assistant, automated cloud evidence collection, and continuous monitoring — deployable on your own infrastructure. 12 frameworks. Self-hosted or cloud.

AI risk assessment • Cloud auto-discovery • Continuous monitoring • Self-hosted • From $199/mo

[Dashboard mock-up, citadel-compliance.com/dashboard: tabs Dashboard · Risks · Controls · Policies · Evidence · Organisations · Compliance · Reports]
Readiness 78% · Risk Score 42 · Open Risks 3 · Days to Audit 89
Progress bars: Risks Closed · Controls Active · Policies Signed · Evidence Collected
⚠ R-001 No named security owner: Critical
⚠ R-005 No formal risk assessment: Critical
🛠 12 Compliance Frameworks · 🔌 77+ Tool Integrations · 🌐 10 Languages Supported · 🔧 41 REST API Endpoints
Everything your CISO needs.
Nothing they don't.
From risk register to board-ready reports, Citadel covers the entire compliance lifecycle without the enterprise bloat.
⚠️

Risk Register

20 pre-built SOC 2 risks with L×I scoring, severity badges, bulk actions, CSV/JSON export, and remediation tracking.

CC3.1 · CC3.2
🛡

Control Matrix

Cross-framework controls mapped across all 12 frameworks. One control satisfies multiple standards simultaneously.

CC5.2
📝

Policies & Docs

14 core templates + 7 CCPA/CPRA policies. Inline editor, digital signatures, signed document viewer, PDF export.

21 templates

Evidence Inventory

Live dashboard: collected vs missing. Screenshot uploads, document attachments, S3 storage. Per-org filtering.

All CC
📊

Executive Reports

CISO-ready summary with SVG donut charts, sparklines, risk scores, framework coverage. Click-through to source data.

Board-ready
📅

Project Plan Export

Auto-generated roadmap with auto-assigned owners. Export to Jira, Azure DevOps, Asana, Monday, Trello, CSV, JSON.

7 formats
🏢

Multi-Org & Segments

Scope by business unit. Audit segments link orgs, assets, tools, and frameworks. Per-org dashboards and filtering.

Enterprise
🔒

CISO Approval Flows

Exception register with email-based approval. Submit, approve, reject with audit trail and expiry countdown.

CC3.2
🔨

77+ Integrations

Prowler, Wiz, Snyk, CrowdStrike, KnowBe4, Jira, Moodle, Cornerstone, and 60+ more. Auto-sync findings.

API + LMS
💻

Full REST API

41 endpoints. JWT auth with auto-refresh. RBAC (4 roles). Rate limiting. SSO (Okta, Ping, ADFS). OpenAPI docs.

FastAPI
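The card above names JWT auth with auto-refresh and four-role RBAC. As an added example (not Citadel's code, and not its API), here is a minimal HS256 issuer/verifier with short-lived access tokens, rotating refresh tokens with reuse detection, and a per-request permission decision. Only the four role names come from the page; the signing algorithm, claim names, lifetimes and the permission table are assumptions.

```python
# Added example (not Citadel's code): a minimal HS256 JWT issuer/verifier with
# short-lived access tokens, rotating refresh tokens and role checks. Only the
# four role names come from the page; the signing algorithm, claim names,
# lifetimes and permission table are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-deployment signing key; load from a secret store in practice
ACCESS_TTL = 15 * 60               # assumed: 15-minute access tokens
REFRESH_TTL = 7 * 24 * 3600        # assumed: 7-day refresh tokens
USED_REFRESH_JTI = set()           # refresh tokens already exchanged (reuse detection)

# Assumed permission table keyed by the page's four RBAC roles.
PERMISSIONS = {
    "Admin":       {"risk:read", "risk:write", "evidence:read", "user:manage"},
    "Contributor": {"risk:read", "risk:write", "evidence:read"},
    "Auditor":     {"risk:read", "evidence:read"},
    "Reviewer":    {"risk:read"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(sub: str, role: str, kind: str, now: float) -> str:
    """Issue an 'access' or 'refresh' token for a subject with a given role."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role, "typ": kind, "iat": int(now),
              "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, expected_kind: str, now: float) -> dict:
    """Return the claims of a valid token or raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(unb64url(h))
    if header.get("alg") != "HS256":                    # refuse alg=none and algorithm switching
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p))
    if claims.get("typ") != expected_kind:              # a refresh token is not an access token
        raise ValueError("wrong token type")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def refresh(refresh_token: str, now: float):
    """Auto-refresh: exchange a valid refresh token for a new access/refresh pair.
    The old refresh token is retired; presenting it again is treated as theft."""
    claims = verify(refresh_token, "refresh", now)
    if claims["jti"] in USED_REFRESH_JTI:
        raise ValueError("refresh token reuse")
    USED_REFRESH_JTI.add(claims["jti"])
    return (mint(claims["sub"], claims["role"], "access", now),
            mint(claims["sub"], claims["role"], "refresh", now))


def decide(access_token: str, permission: str, now: float) -> str:
    """Gateway decision for one request: 'allow', 'deny', or 'reject:<reason>'."""
    try:
        claims = verify(access_token, "access", now)
    except ValueError as exc:
        return f"reject:{exc}"
    return "allow" if permission in PERMISSIONS.get(claims["role"], set()) else "deny"


if __name__ == "__main__":
    t0 = time.time()
    access = mint("priya", "Contributor", "access", t0)
    print(decide(access, "risk:write", t0 + 60))    # allow
    print(decide(access, "user:manage", t0 + 60))   # deny
```

The three checks that matter in practice are all in `verify`: the algorithm is pinned before the signature is checked, the comparison is constant-time, and the token type is enforced so a long-lived refresh token cannot be presented as an access token. The in-memory `USED_REFRESH_JTI` set stands in for whatever store a deployment uses (the page lists Redis) to detect a replayed refresh token.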
🌐

10 Languages

200+ translated strings: English, Chinese, Hindi, Spanish, French, Arabic, Bengali, Portuguese, Russian, Urdu.

i18n
📣

Command Palette

Ctrl+K to search everything. Keyboard shortcuts for all tabs. Bulk actions. CSV/JSON/PDF export from any view.

Power user
See it in action.
Click through the core platform modules to see how Citadel manages every aspect of your compliance programme.

CISO Dashboard

A single-screen compliance posture overview. Every number is clickable — drill into any metric instantly.

  • Audit readiness donut with weighted formula
  • Risk exposure score (0–100) with severity band
  • Audit countdown with days remaining
  • 4 progress bars: risks, controls, policies, evidence
  • Multi-org compliance heatmap
  • Priority action items (clickable to source)
See it live →
[Dashboard mock-up: 78% readiness · risk score 42 · Risks Closed 85% · Controls Active 72% · Policies Signed 64% · Evidence Collected 58%]

Risk Register

20 pre-built SOC 2 risks with full detail panels. Expandable rows with remediation actions, evidence uploads, and assignee tracking.

  • Likelihood × Impact scoring (1–5 matrix)
  • Severity badges: Critical, High, Medium, Low
  • Filter by category, severity, status
  • Auto-assignment from team directory by role
  • Evidence screenshot uploads per risk
R-001 No named security owner · Critical · 5×5
R-005 No formal risk assessment · Critical · 5×5
R-007 No security monitoring · High · 4×5
R-006 No process for new risk ID · Medium · 3×4

Control Matrix

25 shared controls mapped to 12 frameworks simultaneously. When you activate a control for SOC 2, it also satisfies NIST, ISO 27001, HIPAA, and others.

  • Cross-framework mapping eliminates duplicate work
  • Live scan results from Prowler, Trivy, Semgrep
  • Evidence status tracking per control
  • Tool recommendations for each control
SC-001 Security governance · Active
SC-006 Change management · Active
SC-009 Encryption at rest & transit · In Progress

Policies & Documents

14 policy templates ready to customise. Each has an inline editor with auto-filling fields, digital signature canvas, and DocuSign workflow.

  • Fill in company details — auto-populates document
  • Signature canvas for hand-drawn electronic signatures
  • Upload signed PDFs from DocuSign
  • Track signer, date, blocker status
  • Export to PDF for auditor delivery
GOV-001 Security Governance Charter · ✓ Signed
POL-001 Information Security Policy · ✓ Signed
POL-006 Vulnerability Management · ✎ In Draft
POL-010 Business Continuity · ✗ Unsigned

Evidence Inventory

Real-time view of evidence collection progress across all controls and policies. See exactly what's collected and what's missing before audit day.

  • Auto-calculated from control & policy status
  • Screenshot uploads per control
  • Document attachments (PDF, Word, images)
  • Scoped by org and framework
Evidence Collected: 67% (26 collected, 13 missing)

Executive Reports

Generate a one-page compliance posture summary for your board, auditor, or executive sponsor. Print-ready with all the right data.

  • Readiness donuts & risk score gauges
  • Framework coverage breakdown
  • Top open risks (clickable to source)
  • Policy sign-off status
  • Evidence screenshots embedded
  • Print / PDF export
[Report mock-up: 78% readiness · risk score 42/100 · 3 open risks · policies 10/14 signed]

Admin Panel

Full system administration from within the app. Manage users, track licenses, view activity, and monitor system health — all without leaving the browser.

  • User management: add, edit, deactivate, assign roles & orgs
  • 4 RBAC roles: Admin, Contributor, Auditor, Reviewer
  • License & billing: tier cards, usage bars, plan switching
  • Activity log: timestamped admin audit trail (last 200 actions)
  • System info: version, storage mode, API health check
  • Roles & permissions: visual reference cards
Sarah Chen · Admin · Active
Priya Patel · Contributor · Active
Lisa Kim · Auditor · Active
Tom Dawson · Reviewer · Inactive

Audit Segments

Define the exact scope of each audit engagement by linking organisations, assets, tools, and frameworks into named segments. Each segment is a self-contained audit boundary.

  • Group orgs + assets + tools per audit scope
  • Assign auditor and target date per segment
  • Map specific frameworks to each segment
  • Status tracking: Planning, In Progress, Complete
  • Segment-level evidence and control views
Acme Platform API
Orgs: Acme Corp, Acme EU
Auditor: Deloitte
Frameworks: SOC 2, NIST, ISO 27001
Status: In Progress
Acme Health Portal
Orgs: Acme Health
Auditor: KPMG
Frameworks: SOC 2, HIPAA, NIST
Status: Planning

Import & Export

Move data in and out of Citadel with the built-in import wizard and multi-format export system. No data lock-in — your compliance data is always portable.

  • 3-step import wizard: upload → preview → confirm
  • CSV and JSON file support with drag & drop
  • Auto-detect columns from file headers
  • Export any view as CSV, JSON, or Print/PDF
  • Project plan export to Jira, Azure DevOps, Asana, Monday, Trello
  • Bulk actions: select multiple rows, batch update or delete
  • Keyboard shortcut: Ctrl+Shift+E for quick export
[Import drop zone: drop a CSV or JSON file, or click to browse]
Formats: CSV · JSON · Jira · Azure DevOps · Asana · Monday · Trello · PDF
Your infrastructure, your rules.
Deploy Citadel the way that fits your security requirements. Cloud, on-prem, or air-gapped — one command gets you running.
🐳

Docker Compose

One command. Four containers. PostgreSQL, Redis, FastAPI, and nginx — all wired together with automatic database migrations.

$ docker compose up -d
4 containers running

Kubernetes / Helm

Production-grade Helm chart with configurable replicas, ingress, secrets management, and horizontal pod autoscaling.

$ helm install citadel ./helm
deployed to cluster

SaaS (Cloud)

Fully managed cloud instance. We handle infrastructure, backups, updates, and scaling. You focus on compliance.

Zero infrastructure to manage
Automatic updates & backups
Everything in one platform.
No bolt-ons. No add-on pricing. Every feature included from day one.
20 Pre-Built Risks
SOC 2 CC1–CC9 with L×I scoring, remediation actions, and owner assignments
25 Shared Controls
Cross-framework mapped — activate once, satisfy SOC 2 + NIST + ISO + HIPAA simultaneously
21 Policy Templates
14 core SOC 2 policies + 7 CCPA/CPRA privacy policies with inline editor and digital signatures
12 Compliance Frameworks
SOC 2 (Type 1 and Type 2), NIST CSF, ISO 27001, HIPAA, PCI DSS, GDPR, CCPA/CPRA, FedRAMP, CMMC, DORA, CIS Controls
77+ Tool Integrations
Security scanning, SIEM, IAM, project management, LMS — auto-sync findings to your risk register
41 REST API Endpoints
Full CRUD for all resources. JWT auth with auto-refresh. OpenAPI docs. Rate limiting. RBAC enforcement.
Multi-Org Management
Separate business units with independent frameworks, audit dates, and compliance postures
10 Language Support
200+ translated strings: English, Chinese, Hindi, Spanish, French, Arabic, Bengali, Portuguese, Russian, Urdu
SSO Authentication
Okta, Ping Identity, and ADFS out of the box. OAuth 2.0 Authorization Code flow. MFA support.
8 Compliance Record Types
Access reviews, training, exceptions, meeting minutes, pen tests, BC/DR tests, system description, change log
Command Palette
Ctrl+K to search everything. Keyboard shortcuts for all tabs. Ctrl+S save. Ctrl+Shift+E export.
Stripe Billing
Checkout, customer portal, webhook handling, subscription lifecycle — all built in and ready to go.
12 frameworks. One platform.
Map controls once, satisfy multiple frameworks simultaneously. Cross-framework coverage eliminates duplicate work and accelerates your audit timeline.
SOC 2 Type 1 · SOC 2 Type 2 · NIST CSF 2.0 · ISO 27001:2022 · HIPAA · PCI-DSS v4.0 · GDPR · CCPA · FedRAMP Moderate · CMMC 2.0 · DORA · CIS Controls v8
🔍 Prowler · 🐛 Snyk · 🛡 Wiz · 🦅 CrowdStrike · 📊 Datadog · 📚 Splunk · 🔒 Okta · 🎓 KnowBe4 · 📋 Jira · 🔵 Azure DevOps · 📄 Asana · 🔃 Monday.com · 🗃 Trello · ⛅ Trivy · 🔐 Vault · 💻 AWS Security Hub
Audit-ready in 3 steps.
No months-long implementation. No consultants. Connect, configure, and start closing gaps today.
1

Deploy in 5 Minutes

Run docker compose up or use our cloud instance. Database migrations run automatically. Superadmin account created on first boot.

2

Configure & Import

Create organisations, select frameworks, add your team. Import existing data via CSV/JSON wizard. 20 risks and 14 policies pre-loaded for SOC 2.

3

Close Gaps & Pass

Work through the prioritised action list. Assign owners, upload evidence, sign policies. Export your project plan to Jira and hand your auditor a complete evidence package.

Board-ready in one click.
Your executive team and board don't need to see every control. They need a clear compliance posture with actionable insights. Citadel generates it automatically.

Executive Compliance Report

One-page compliance posture summary designed for CISOs, board presentations, and auditor handoffs. Every number is live — click any metric to drill into the source data.

  • Audit readiness donut with weighted formula (40/35/25)
  • Risk exposure score (0–100) with severity bands
  • Per-org compliance cards with framework coverage bars
  • Top open risks ranked by severity (clickable to source)
  • Policy sign-off status with signer and date
  • Print / PDF export — one click, board-ready
See it in your data →
[Sample Executive Compliance Report: Acme Corp, generated 4 April 2026; frameworks SOC 2 · NIST · ISO 27001]
Readiness 78% · Risk Score 42 · Open Risks 3 · Days to Audit 89
Risks 85% · Controls 72% · Policies 64% · Evidence 58%
Top Open Risks: No named security owner (5×5) · No formal risk assessment (5×5) · No security monitoring (4×5)
Your compliance team, supercharged.
Citadel embeds Claude AI across every workflow. Suggest risks, review policies, fill questionnaires, explain alerts, and generate remediation code — all from inside the platform.
🤖

AI Risk Assessment

Claude analyzes your org profile — industry, frameworks, size — and suggests risks ranked by likelihood and impact. One click to add to your register.

Claude AI

Cloud Auto-Discovery

Connect your AWS account and Citadel auto-discovers EC2, RDS, S3, Lambda, ELB, and ECS resources. Assets populate automatically with classification and metadata.

AWS + Azure + GCP
🔔

Continuous Monitoring

Background scans run on schedule. When a control drifts or a new finding appears, Citadel generates an AI-explained alert with remediation steps and code.

Celery + Redis
📝

AI Policy Review

Paste your policy text and Claude reviews it against framework requirements. Get a gap score, specific suggestions, and missing sections identified instantly.

Gap Analysis
📋

Questionnaire Auto-Fill

Incoming security questionnaire? Claude auto-fills answers using your policies, controls, and compliance posture. Review, edit, approve — done in minutes, not days.

AI + Your Data
🔧

Remediation with Code

For every finding, Claude generates step-by-step remediation with Terraform, AWS CLI, and Python code snippets. Copy, paste, fix — no Googling required.

IaC Ready
How we compare.
Enterprise-grade compliance management without the enterprise price tag or implementation timeline.
Citadel compared against Vanta, Drata, Sprinto and spreadsheets on:
  • AI compliance assistant (Claude)
  • AI risk assessment + remediation
  • Cloud auto-evidence (AWS/Azure/GCP)
  • Continuous monitoring + smart alerts
  • Asset auto-discovery (cloud + CMDB)
  • Self-hosted / Docker / Kubernetes
  • Multi-framework (12+)
  • No per-user pricing
  • Multi-org + audit segments
  • CISO boardroom executive reports
  • Project plan export (Jira, ADO, Asana...)
  • Security questionnaire auto-fill (AI)
  • CISO approval workflows + email
🔒 SOC 2 Type II: compliant platform · 🛡 GDPR ready: EU data protection · Self-hosted: your infrastructure · 🔐 256-bit encryption: data at rest and in transit · 99.9% uptime: SLA guaranteed
Common questions.
Everything you need to know about getting started with Citadel.
What frameworks does Citadel support?

Citadel supports 12 frameworks: SOC 2 Type 1 & 2, NIST CSF 2.0, ISO 27001:2022, HIPAA, PCI-DSS v4.0, GDPR, CCPA, FedRAMP Moderate, CMMC 2.0, DORA, and CIS Controls v8. Controls are mapped across frameworks so activating one control can satisfy multiple standards simultaneously.

Can I self-host Citadel?

Yes. Citadel ships as a Docker Compose stack (PostgreSQL, Redis, FastAPI and nginx). Run docker compose up -d and you have a production instance on your own infrastructure. Your data never leaves your environment. We also offer a cloud-hosted option if you prefer.

How does pricing work?

Citadel offers three tiers. Starter ($199.99/mo or $999/yr) covers 1 organisation, 1 framework, and up to 5 users. Professional ($499.99/mo or $5,799/yr) supports up to 3 organisations, 3 frameworks, and 25 users. Enterprise (custom pricing) is unlimited across organisations, frameworks, and users, with self-hosted deployment and SSO. All plans include the full REST API, command palette, and evidence tracking.

How long does it take to get audit-ready?

Most teams reach SOC 2 Type 1 readiness within 4-8 weeks using Citadel's pre-built risks, controls, and policy templates. The platform auto-generates a prioritised project plan that you can export directly to Jira or Azure DevOps for immediate sprint planning.

What integrations are available?

77+ integrations across security scanning (Prowler, Wiz, Snyk, Trivy), SIEM/EDR (CrowdStrike, Splunk, Datadog), IAM (Okta, Azure AD), project management (Jira, Azure DevOps, Asana, Monday.com, Trello), and LMS (KnowBe4, Moodle, Cornerstone, SAP Litmos, Docebo, Absorb). Findings auto-create risks and update control status.
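The answer above, like the Control Matrix and Continuous Monitoring cards earlier on the page, says scanner findings auto-create risks, update control status and raise drift alerts. As an added example (not Citadel's code), this block shows the bookkeeping that makes that safe to automate: a stable key per (check, resource) so a nightly rerun does not duplicate risks, Likelihood × Impact scoring on the page's 1–5 matrix, closing a risk when its finding passes, and flagging drift when a check that passed last run now fails. The finding records are constructed and simplified, not Prowler's real output schema; the severity cut-offs and field names are assumptions.

```python
# Added example (not Citadel's code): ingest scanner findings, de-duplicate them
# against a risk register, score new risks with the page's Likelihood x Impact
# (1-5) matrix, and flag control drift (a check that passed last run and fails
# now). The finding records are constructed and simplified, not Prowler's real
# output schema; the severity cut-offs and field names are assumptions.
import hashlib

SEVERITY_TO_LI = {"critical": (5, 5), "high": (4, 5), "medium": (3, 4), "low": (2, 2)}  # assumed


def band(likelihood: int, impact: int) -> str:
    """Severity band from L x I; cut-offs assumed so that 5x5 -> Critical,
    4x5 -> High and 3x4 -> Medium, matching the page's examples."""
    score = likelihood * impact
    if score >= 25:
        return "Critical"
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def finding_key(f: dict) -> str:
    """Stable id for (check, resource) so repeated runs do not create duplicate risks."""
    return hashlib.sha256(f"{f['check_id']}|{f['resource']}".encode()).hexdigest()[:12]


def ingest(findings: list, register: dict, last_status: dict) -> dict:
    """Apply one scan run. register: key -> risk dict; last_status: key -> PASS/FAIL."""
    report = {"new_risks": [], "reopened": [], "drifted": [], "resolved": [], "unchanged": 0}
    for f in findings:
        key = finding_key(f)
        prev = last_status.get(key)
        if f["status"] == "FAIL":
            if prev == "PASS":                   # control drift: was compliant, now is not
                report["drifted"].append({"key": key, "control": f["control"], "check": f["check_id"]})
            risk = register.get(key)
            if risk is None:                     # first time this (check, resource) fails
                l, i = SEVERITY_TO_LI.get(f["severity"].lower(), (3, 3))
                risk = {"id": key, "title": f"{f['check_id']} on {f['resource']}",
                        "control": f["control"], "likelihood": l, "impact": i,
                        "severity": band(l, i), "status": "Open"}
                register[key] = risk
                report["new_risks"].append(risk)
            elif risk["status"] == "Closed":     # fixed once, regressed: reopen, don't duplicate
                risk["status"] = "Open"
                report["reopened"].append(key)
            else:
                report["unchanged"] += 1
        else:                                    # PASS
            risk = register.get(key)
            if risk is not None and risk["status"] == "Open":
                risk["status"] = "Closed"        # evidence the control holds again
                report["resolved"].append(key)
        last_status[key] = f["status"]
    return report


# Constructed sample runs (not real scanner output).
RUN_1 = [
    {"check_id": "s3_bucket_public_access", "resource": "arn:aws:s3:::acme-logs",
     "status": "PASS", "severity": "critical", "control": "SC-009"},
    {"check_id": "cloudtrail_multi_region_enabled", "resource": "account:123456789012",
     "status": "FAIL", "severity": "high", "control": "SC-006"},
    {"check_id": "rds_storage_encrypted",
     "resource": "arn:aws:rds:eu-west-1:123456789012:db:acme-prod",
     "status": "PASS", "severity": "high", "control": "SC-009"},
]
RUN_2 = [
    dict(RUN_1[0], status="FAIL"),   # bucket became public: drift + new Critical risk
    dict(RUN_1[1], status="PASS"),   # CloudTrail fixed: risk closed
    RUN_1[2],                        # still compliant
]


def run_demo():
    """Run both sample scans in sequence and return the two reports and the register."""
    register, last_status = {}, {}
    r1 = ingest(RUN_1, register, last_status)
    r2 = ingest(RUN_2, register, last_status)
    return r1, r2, register


if __name__ == "__main__":
    r1, r2, reg = run_demo()
    for key, risk in reg.items():
        print(key, risk["severity"], risk["status"], risk["title"])
```

The point of keying on (check, resource) rather than on the scanner's own finding id is that most scanners mint a new id per run; without a stable key every nightly scan would add another copy of the same risk, and the "resolved" and "drifted" signals could not be computed at all.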

Is my data secure?

Citadel can be fully self-hosted, so your data stays on your infrastructure. For the cloud version, data syncs via an encrypted GitHub Gist that is private and scoped to your token; note that a secret gist is readable by anyone who holds its URL, so the encryption, not the gist's visibility setting, is what protects the contents. Microsoft 365 integration uses the OAuth 2.0 Authorization Code flow with PKCE, so no client secret has to be stored. We practice what we preach.
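The answer above relies on PKCE to avoid storing a client secret. As an added example (not Citadel's code, and not Microsoft's endpoints), this block shows the PKCE part of an OAuth 2.0 Authorization Code flow (RFC 7636) with both sides in one file: the client keeps a random code_verifier in memory and sends only its S256 hash; the authorization server binds that challenge to the code it issues and checks the verifier at token exchange, so an intercepted code is useless on its own. The in-memory store, the client id and the method names are assumptions.

```python
# Added example (not Citadel's code): the PKCE part of an OAuth 2.0 Authorization
# Code flow (RFC 7636), client and authorization server side by side. The client
# never holds a client secret; a stolen authorization code cannot be redeemed
# without the code_verifier. The in-memory store and client id are assumptions.
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """43-char high-entropy code_verifier (RFC 7636 requires 43..128 unreserved chars)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self):
        self._pending = {}   # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the submitted challenge."""
        if method != "S256":                         # refuse the downgradeable 'plain' method
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: redeem a code only with the matching verifier."""
        entry = self._pending.pop(code, None)        # codes are single-use, even on failure
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(challenge_s256(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """Drive the flow and report who could obtain a token."""
    server = AuthorizationServer()
    client_id = "citadel-m365"                       # assumed client id
    verifier = make_verifier()
    code = server.authorize(client_id, challenge_s256(verifier))
    legit = server.token(client_id, code, verifier)  # real client with the real verifier
    replay = server.token(client_id, code, verifier) # same code again: already consumed
    # Second flow: attacker captured the code from the redirect but has no verifier.
    verifier2 = make_verifier()
    code2 = server.authorize(client_id, challenge_s256(verifier2))
    stolen = server.token(client_id, code2, make_verifier())
    plain_refused = False
    try:
        server.authorize(client_id, verifier2, method="plain")
    except ValueError:
        plain_refused = True
    return {"client": legit is not None, "replay": replay is not None,
            "attacker": stolen is not None, "plain_refused": plain_refused}


if __name__ == "__main__":
    print(run_flow())
```

Two details carry the security argument: the server refuses the `plain` method (where the verifier itself is sent as the challenge, so a leaked redirect reveals it), and it consumes the code on every exchange attempt, so an attacker who races the legitimate client with a wrong verifier invalidates the code rather than getting a second try.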

Simple, transparent pricing.
No per-user fees. No surprise costs. Scale as your compliance programme grows.
Starter
$199.99/mo
or $999/year (save 58%)
For teams getting started with their first compliance framework.
  • 1 organisation
  • 1 compliance framework
  • Up to 5 users
  • 20 pre-built risks
  • 14 policy templates
  • Evidence tracking
  • Full REST API access
  • Command palette & shortcuts
Start with Starter →
Professional
$499.99/mo
or $5,799/year (save 3%)
For growing teams with multiple frameworks and audit deadlines.
  • Up to 3 organisations
  • Up to 3 frameworks
  • Up to 25 users
  • Audit segments
  • 77+ tool integrations
  • Project plan export (7 formats)
  • Executive reports
  • CISO approval workflows
  • CSV/JSON import wizard
  • 10 language support
Start with Professional →
Enterprise
Custom
annual contract
For organisations with complex multi-entity compliance needs.
  • Unlimited organisations
  • All 12 frameworks
  • Unlimited users
  • Self-hosted Docker / Kubernetes
  • SSO (Okta, Ping Identity, ADFS)
  • Dedicated onboarding
  • Custom framework mapping
  • Priority support & SLA
  • On-prem license key
  • Annual audit preparation
Contact Sales
See your savings.
Estimate how much time and money Citadel saves compared to manual compliance management.
Hours saved per month: 42 · Time to audit-ready: 6 weeks · Estimated annual savings with Citadel: $62,400

Stay ahead of compliance.

Get monthly insights on framework updates, audit tips, and compliance automation strategies. No spam.

Ready to simplify your
compliance journey?

See Citadel in action. Request a personalised demo with your frameworks, your org structure, your tools.

Production-grade tech stack.
Enterprise architecture. Open standards. Deploy anywhere in minutes.
FastAPI
🐘 PostgreSQL 16
🔥 Redis 7
🐳 Docker
Kubernetes / Helm
🔐 JWT + bcrypt
💰 Stripe Billing
🎯 Okta / Ping / ADFS SSO
🛠 Alembic Migrations
📊 SQLAlchemy ORM
🧠 Pytest (67 tests)
🌐 i18n (10 languages)
🚧 GitHub Actions CI/CD
🛡 CSP + HSTS + RBAC
📄 nginx Reverse Proxy
📦 GHCR Container Registry