ACS Community
OWASP Top 10 Web + API. 40 controls. Free for anyone.
30 frameworks. 7 packs. 15 languages. Code, infrastructure, and cryptographic inventory — every finding backed by file:line:snippet traceability and a tamper-evident evidence chain.
3,000+ controls
30 frameworks
15 languages
Version 5.0
Policy adequacy, staff interviews, governance maturity — those remain the auditor's job. ACS does the code-level and infrastructure-level evidence gathering at machine scale, so the auditor has complete, traceable evidence to review instead of sampling by hand.
Every finding distinguishes clearly between code-verifiable controls (where ACS gives a definitive PASS / FAIL with line-level evidence) and auditor-only controls (which ACS flags for review but cannot decide).
ACS scans code, infrastructure, and cryptographic inventory, and integrates with your existing security tools and GRC platforms.
Python, Java, Go, TypeScript, JavaScript, Rust, C#, C/C++, PHP, Ruby, Swift, Kotlin, Dart. AST-aware rules mapped to compliance controls, not just vulnerability patterns.
Docker, Kubernetes, Terraform, GitHub Actions, YAML secrets. IaC rules for privilege escalation, host exposure, unpinned images, resource limits, and CI/CD pipeline security.
12-language coverage. CycloneDX v1.7 output with post-quantum readiness classification. Identifies every cryptographic algorithm used in your codebase and scores it against NIST PQC standards.
14 input adapters: Snyk, Trivy, Semgrep, Checkmarx, Veracode, AWS Security Hub, Azure Defender, GCP SCC, and more. Reads SARIF, CycloneDX, SPDX, OCSF. No rip-and-replace.
14 output adapters: Drata, Vanta, Secureframe, RSA Archer, ServiceNow GRC, OneTrust, AuditBoard, Hyperproof, JIRA, Linear, GitLab Issues, and more. Push evidence directly to your GRC workflow.
Every ACS evidence packet includes 6 clauses: control ID, control name, scope declaration, evidence type, evidence narrative, and relevance clause. Signed with ECDSA, chained with SHA-384, published to Sigstore Rekor.
`acs verify-chain`
Start with the Community pack for free. Add Fundamental for your baseline. Layer industry-specific packs for AI, healthcare, US government, UK defence, or financial services.
Free · 2 frameworks · 40 controls
OWASP Top 10 Web, OWASP API Top 10.
ACS Starter · 3 frameworks · 466 controls
OWASP ASVS v5, OWASP API Security, NIS 2, Infrastructure Security.
Pro add-on · 6 frameworks · 117+ controls
EU AI Act, OWASP Agentic AI, NIST AI RMF, ISO 42001, OWASP LLM Governance, OWASP LLM Top 10.
Pro add-on · 1 framework · 68 controls
HIPAA Security Rule.
Pro add-on · 7 frameworks · 807+ controls
NIST 800-53 (Moderate + High), NIST 800-171 Rev 3, FedRAMP (Moderate + High), CMMC L1/L2/L3, NIST CSF 2.0, SOC 2 Type II.
Pro add-on · 4 frameworks · 474 controls
PCI DSS v4, ISO 27001:2022, DORA, GDPR.
Pro add-on · 2 frameworks · 52 controls
UK MoD Secure by Design, Australia DISP.
ACS v5 is a fundamentally different tool from v3. Here's what shipped.
| Capability | ACS v3 | ACS v5 (current) |
|---|---|---|
| Languages | 5 (Python, Java, Go, TS, Rust) | 15 (+ C#, C/C++, PHP, Ruby, Swift, Kotlin, Dart, JS, Caddyfile) |
| Frameworks | 3 (ASVS, API Security, Agentic AI) | 30 (+ EU AI Act, NIST AI RMF, ISO 42001, HIPAA, NIST 800-53, FedRAMP, CMMC, NIST CSF, PCI DSS, ISO 27001, DORA, GDPR, NIS 2, UK MoD SbD, and more) |
| Controls | ~400 | 3,000+ |
| Scope | Code only | Code + IaC + CBOM (Docker, K8s, Terraform, GitHub Actions, cryptographic inventory) |
| Input adapters | None | 14 (Snyk, Trivy, Semgrep, Checkmarx, Veracode, AWS SH, Azure Defender, GCP SCC, and more) |
| GRC output adapters | None | 14 (Drata, Vanta, Archer, ServiceNow GRC, JIRA, Linear, and more) |
| Evidence chain | JSON output | ECDSA-signed, SHA-384 chained, Sigstore Rekor published |
| Output formats | JSON, PDF | SARIF, CycloneDX, SPDX, OpenVEX, OCSF, JSON, PDF, HTML |
| CBOM / Post-quantum | Not available | 12-language CBOM with NIST PQC classification |
| Incremental scanning | Full scan only | Diff-scan engine with carry-forward evidence |
| FIPS 140-3 | Not applicable | OpenSSL 3.0.2 CMVP #4794 |
We don't ship vapourware. The list below is what's funded and scheduled.
- Controls for generative AI systems, including AI model cards and governance checks.
- Country-specific regulatory technical standards for the Digital Operational Resilience Act.
- UK, Italy, Germany, France. The EU directive is one thing; how each member state implemented it is another.
- Sarbanes-Oxley IT general controls — for public-company audit scope.
- COSO ERM 2017-aligned governance summaries with cover verdicts, per-framework posture, and accepted-risk attribution.
ACS pricing is being finalised based on infrastructure costs. Get in touch for early access and pilot pricing.
OWASP Top 10 Web + API. 40 controls. Free for anyone.
Fundamental pack. All 30 frameworks. 15 languages. CI integration + trend tracking.
All packs. GRC integrations. Risk management. CBOM. Signed PDF reports. Custom rules. SSO.
ACS pricing depends on infrastructure and scanning volume. Get in touch for pilot pricing and early access.
If you're conducting compliance audits and want to see what ACS does on a real codebase, we'll set up a session. No sales theatre.