ATO As Code · ATAC
Authority to Operate, as code.
ATAC connects to your AWS estate through a small, read-only CloudFormation connector — no agents installed, no writes, nothing running in your environment. Sign in to one board for live compliance posture, four-source audit-grade evidence, AI remediation, an AI compliance co-pilot, and every compliance document generated for you — OSCAL included.
Don't wait once a year to do twice the work. With ATAC, you stay compliant all year.
See the sales deck: the ATAC 1.0 overview.
How ATAC works
From install to ATO — a click at a time.
No agents, no servers, no binders. Here's the whole journey.
Connect in one step
Deploy a single read-only CloudFormation stack in your AWS account. The stack creates an IAM role that ATAC assumes to read your environment: no agents installed, no writes, no software running inside your account. Revoke access any time by deleting the stack.
Sign in and scan
Open ATAC in your browser, click Scan, and it reads your live environment against the security controls you've designated — every account in your org, in one pass.
Read your report
Moments later your report is up — every control marked pass or fail, each backed by real, current evidence pulled straight from your account.
Remediate with AI
Select a finding and our trained AI model returns a plain-English risk assessment and a point-and-click remediation. No guesswork, no digging through consoles.
Prove it
Every piece of evidence is SHA-256 hashed at collection, so an auditor can confirm that what they are looking at is exactly what was collected, and when. Tamper-evident proof of your posture, kept current scan after scan.
Documents, written for you
OSCAL SSP, SAR, and POA&M generated automatically, schema-validated, bundled. Control narratives written by our trained AI model from your actual evidence — not a generic LLM.
Stay compliant all year — instead of doing a year's work in one frantic week.
The manual compliance burden.
Why every federal program needs continuous, evidence-backed monitoring.
The full Rev 5 catalog of controls and enhancements across 20 families — each needs evidence, attestation, and continuous review.
Industry estimate for manual evidence gathering and POA&M maintenance across one annual cycle spanning multiple frameworks.
Screenshot evidence is obsolete the moment the auditor asks "what does it look like right now?"
The platform
Six pillars covering the full assessment lifecycle.
From first scan to a submitted ATO package.
Automated scans
Designate your controls, click once, and ATAC checks your live environment across every NIST 800-53 family.
AI remediation
A plain-English risk assessment and point-and-click remediation for every finding — generated the moment you select it.
POA&M lifecycle
Nine enforced states, immutable version history, manual entries, per-control tracking — every move logged with actor and reason.
Two-way Jira sync
POA&M items mirror to Jira with a configurable state map per project — compliance lives in POA&M, engineering in Jira, the two never disagree.
Audit-grade evidence
SHA-256 hashed evidence from four sources — Config Conformance Packs, Security Hub, CloudTrail Lake, IAM Access Analyzer — tamper-evident and tied to every control.
OSCAL out of the box
SSP, SAR, and POA&M as OSCAL JSON, schema-validated and bundled. Plus control narratives written by our trained AI model from your real evidence — not a generic LLM.
Features
Two ways ATAC does the work for you.
Explore each part of the platform in depth.
AI co-pilot · Ask ATO-M
Ask compliance questions in plain English.
ATO-M, our trained AI model, is grounded in your actual evidence. It auto-loads control definitions and the evidence behind them, remembers context across follow-ups, and shows the controls and evidence it consulted with every answer, so each claim can be checked against a cited evidence row rather than taken on trust. No generic LLM lookups.
Grounded in YOUR evidence
Detects control IDs in your question and pre-loads their evidence and the control definition before our trained AI model is ever called.
Multi-turn memory
Refine in plain English. No re-setup, no re-explaining the environment with every follow-up.
Citations on every answer
Every response shows the controls and evidence rows our trained AI model consulted to produce it.
Cost-safe by design
Per-account daily AI-call cap and automatic fallback to a faster, cheaper model — AI never just dies, and never racks up a surprise bill.
Where it runs
Works with any application hosted on AWS.
Point ATAC at your environment and start assessing — no need to know how the plumbing works.
Any AWS account
Point ATAC at a single account or your whole organization — it assesses what's already there.
Your existing workloads
No migration, no re-architecting. ATAC reads the environment you already run.
Org-wide or focused
Roll it across every account through the org aggregator, or scope it to just one.
How customers connect
Deploy one CloudFormation stack. Sign in. Done.
Connecting a customer takes minutes. Run the 4-step wizard, deploy a single read-only stack in your AWS account (or across your whole AWS organization), and ATAC verifies the connection live before you ever leave the modal.
Customer ID
Give the customer a short identifier — like “acme-corp”. ATAC generates a unique 24-character secret token bound to this ID, so the connection can only ever be used for this customer.
Download the template
One-click download or copy of the connector template. Deploy it as a single stack in one account, or organization-wide so every member account is enrolled in one go.
Paste the role ID
After deploy, paste the role ID back into the wizard. ATAC validates the format before moving on, so a malformed ID never gets past step 3.
Live verify
ATAC immediately tests the connection and reports OK or the exact failure reason — no “looks right but doesn't work” surprise weeks later.
Read-only by design. The connector grants only AWS-managed read-only policies (SecurityAudit and ViewOnlyAccess) plus a small supplemental policy for reading CloudTrail Lake, Config Conformance Packs, Security Hub, and IAM Access Analyzer. No write actions are granted, so ATAC cannot change anything in your account. Revoke access any time by deleting the stack.
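The two security properties of the connector described above are the trust policy (only the assessor's account may assume the role, and only with the per-customer secret) and the read-only permission set. The following is an added example, not ATAC's actual connector template or code: it builds a trust policy with the standard `sts:ExternalId` confused-deputy condition (assumed here to be what the 24-character token is used for), and lints a supplemental policy so that any action that is not provably read-only is reported. The assessor account ID, role name, and the exact supplemental action list are placeholders; the IAM action names themselves are real.

```python
"""Added example (not ATAC's connector template): cross-account read-only
trust policy with an ExternalId condition, plus a lint that flags any Allow
action that cannot be shown to be read-only."""
import json
import re
import secrets

# Verb prefixes treated as read-only. This is a heuristic: a "Get" is not
# always harmless (sts:GetFederationToken mints credentials), so review the
# output rather than trusting it blindly.
READ_VERB = re.compile(r"^(Get|List|Describe|Lookup|BatchGet|Select|Search)")

# Explicit read-only exceptions whose verb does not look like a read.
# CloudTrail Lake queries are reads even though the verb is "Start".
READ_ONLY_EXTRAS = {"cloudtrail:StartQuery", "cloudtrail:GetQueryResults"}

# Constructed supplemental policy covering the four evidence sources
# (assumed contents; ATAC's real supplemental is not on the page).
SUPPLEMENTAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "config:DescribeConformancePacks",
            "config:DescribeConformancePackCompliance",
            "config:GetConformancePackComplianceDetails",
            "securityhub:GetFindings",
            "securityhub:DescribeStandards",
            "cloudtrail:ListEventDataStores",
            "cloudtrail:StartQuery",
            "cloudtrail:GetQueryResults",
            "access-analyzer:ListAnalyzers",
            "access-analyzer:ListFindings",
        ],
        "Resource": "*",
    }],
}


def make_external_id() -> str:
    """24-character URL-safe secret: 18 random bytes base64-encode to 24 chars."""
    return secrets.token_urlsafe(18)


def trust_policy(assessor_account_id: str, external_id: str) -> dict:
    """Trust policy for the connector role. Only the assessor account may
    assume it, and only when it presents this customer's ExternalId, which is
    the standard mitigation against a third party being tricked into
    assuming the wrong customer's role (confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{assessor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def is_read_only_action(action: str) -> bool:
    """True only if the action is provably read-only; wildcards never are."""
    if action in READ_ONLY_EXTRAS:
        return True
    if "*" in action:
        return False
    service, _, verb = action.partition(":")
    return bool(service and verb and READ_VERB.match(verb))


def non_read_actions(policy: dict) -> list:
    """Every Allow action in the policy that is not provably read-only."""
    bad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        bad.extend(a for a in actions if not is_read_only_action(a))
    return bad


if __name__ == "__main__":
    eid = make_external_id()
    print(json.dumps(trust_policy("123456789012", eid), indent=2))  # placeholder account
    print("non-read actions in supplemental:", non_read_actions(SUPPLEMENTAL))
```

Run the lint against the template you actually deploy, not the one you were shown: a `config:*` or `securityhub:*` in a "read-only" stack is exactly the kind of thing this check exists to catch before the stack reaches production.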
Serverless by design
No OS. No patching. No maintenance.
ATAC is fully serverless. There is no operating system to patch and no servers to maintain, and it only costs you money while a scan is actually running — nothing in between.
- No operating system to patch — ever
- No servers to provision, scale, or maintain
- Scales to zero — you pay only while a scan is running
- No idle compute cost between assessments
- Agentless and read-only — nothing installed on your workloads
Time to compliance
Cut by an order of magnitude.
Money you can always make more of. The hours an ATO eats, you can't — so the real return isn't the dollars, it's the time ATAC hands back.
From ~760h manual to ~60h validated.
~92% reduction · ROI in week one
And ATAC only bills while a scan runs — $0 between assessments.
Estimates based on FedRAMP Moderate assessment benchmarks. Actual savings scale with control count.
Coverage
Every NIST 800-53 control. Every FedRAMP baseline.
The full Rev 5 catalog spans 1,196 controls and enhancements across 20 families. FedRAMP draws three cumulative baselines from it — assess the impact level your system needs.
- Low: baseline for low-impact systems.
- Moderate: the most common federal baseline.
- High: for the most sensitive workloads.
How each control is assessed
Automated
ATAC queries your AWS environment directly and renders pass/fail with evidence.
Policy
Documented policy mapped to the control. Manual attestation with evidence upload.
Inherited
Satisfied by the cloud provider under their FedRAMP authorization — 86 controls. Properly classified, never penalizes your posture, flagged in every output.
Process
Operational procedures (incident response, training). Attested with cadence reminders.
Every control — regardless of baseline or tier — produces evidence artifacts stored in the encrypted vault.
Per-baseline scope, explained inline
Each baseline (Low / Moderate / High) carries an inline panel explaining what's in scope and what isn't. No more “why is this control excluded” questions in the audit meeting.
“Why isn't this 100%?”
When your posture is below 100%, ATAC explains it right under the score — usually inherited controls or open POA&Ms — so execs and auditors get the answer without a meeting.
Evidence Lake
Every control. Four sources. One lake.
ATAC continuously collects evidence from AWS Config Conformance Packs, Security Hub, CloudTrail Lake, and IAM Access Analyzer — then indexes it by control. Every row carries a SHA-256 hash so auditors can verify nothing changed after collection.
Daily + on-demand
Scheduled daily collection plus a one-click “Collect now” button — yesterday's snapshot is always there, and the auditor's “as of right now” is one click.
Per-source retention
CloudTrail 7 years, Security Hub 3 years, manual attestations forever — set per source in the app, not via a data-lake change request.
Drag-and-drop attest
Bulk upload manual attestations; the filename's leading control ID auto-tags the file. A folder of 200 PDFs lands in one pass.
What's in the lake
AWS Config Conformance Packs
Per-rule compliance status crosswalked onto NIST control IDs. The durable, AWS-native replacement for Audit Manager — same evidence sources, no service-lifecycle risk.
AWS Security Hub
NIST 800-53 r5, NIST 800-171, CIS, AWS FSBP — normalized into the same finding shape as ATAC's native checks, org-wide via the aggregator when available.
CloudTrail Lake
Per-control trail queries pulled live into the evidence view. “Who touched this resource” answered in seconds, not after a 2-minute query.
IAM Access Analyzer
External-access findings ingested as evidence rows tagged to the relevant controls — external-access auditing without standing it up separately.
Manual attestation
PDF, DOCX, XLSX, PPTX, PNG, JPG, TXT, CSV. Per-control, per-family, or one-file-to-many. Versioned, encrypted, integrity-hashed.
Provenance per row
Every evidence row carries source, collectedAt, and actor. Reports render the provenance table per control — the auditor's “where did this come from” is answered inline.
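Two mechanics in this section and in the ATO-M section above are worth seeing concretely: recognising a NIST 800-53 control ID (in a question typed to ATO-M, or as the leading token of an uploaded attestation filename) and hashing an evidence row so that a later edit is detectable. The following is an added example, not ATAC's code. The row fields (source, controlId, collectedAt, actor, payload) follow the provenance description above; the regex, the normalised `AC-2(03)` form, and the canonical serialisation the hash is computed over are this example's own choices. The sample row is constructed.

```python
"""Added example (not ATAC's code): control-ID detection and normalisation,
plus SHA-256 over a canonical serialisation of each evidence row."""
import hashlib
import json
import re
from pathlib import PurePath
from typing import Optional

# family (2 letters) - number, optional (enhancement). Case-insensitive, so
# "ac-2(3)", "AC-02" and "AC-2(03)" all match; "SHA-256" does not (no
# word boundary before "HA", and "AC-123" is rejected by the lookahead).
CONTROL_ID = re.compile(r"\b([A-Za-z]{2})-(\d{1,2})(?:\((\d{1,2})\))?(?!\d)")


def normalize_control_id(m: "re.Match") -> str:
    """Canonical form used for indexing: upper-case family, unpadded control
    number, two-digit enhancement, e.g. AC-2(03)."""
    fam, num, enh = m.group(1).upper(), int(m.group(2)), m.group(3)
    return f"{fam}-{num}" + (f"({int(enh):02d})" if enh else "")


def find_control_ids(text: str) -> list:
    """Control IDs mentioned in free text, de-duplicated, in order of first mention."""
    found = []
    for m in CONTROL_ID.finditer(text):
        cid = normalize_control_id(m)
        if cid not in found:
            found.append(cid)
    return found


def control_id_from_filename(name: str) -> Optional[str]:
    """Leading control ID of an uploaded file, e.g. 'AC-6(01)_admin-review.pdf'."""
    m = CONTROL_ID.match(PurePath(name).name)
    return normalize_control_id(m) if m else None


def canonical_bytes(row: dict) -> bytes:
    """Deterministic serialisation of everything except the hash itself:
    sorted keys (recursively), no whitespace, ASCII only. Hashing a pretty
    printed dump or a Python repr would tie the hash to formatting and key
    order instead of to content."""
    body = {k: v for k, v in row.items() if k != "sha256"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def evidence_row(source: str, control_id: str, collected_at: str,
                 actor: str, payload: dict) -> dict:
    """Build a provenance-carrying evidence row and seal it with SHA-256."""
    row = {"source": source, "controlId": control_id,
           "collectedAt": collected_at, "actor": actor, "payload": payload}
    row["sha256"] = hashlib.sha256(canonical_bytes(row)).hexdigest()
    return row


def verify_row(row: dict) -> bool:
    """True if the row still hashes to its recorded digest."""
    return hashlib.sha256(canonical_bytes(row)).hexdigest() == row.get("sha256")


if __name__ == "__main__":
    # Constructed sample: one Security Hub finding tagged to SC-7.
    row = evidence_row("securityhub", "SC-7", "2025-01-01T00:00:00Z", "scheduler",
                       {"id": "arn:aws:securityhub:...:finding/abc", "status": "PASSED"})
    print(row["sha256"], verify_row(row))
    row["payload"]["status"] = "FAILED"      # an after-the-fact edit
    print(verify_row(row))                   # no longer verifies
    print(find_control_ids("Is ac-2(3) covered, and AC-02? Also SHA-256."))
```

The canonicalisation step is the part most home-grown evidence stores get wrong: two collectors that serialise the same finding with different key order produce different hashes, which then reads as tampering. Hashing each row also only proves that the row is unchanged since collection; ordering and completeness of the set of rows need a separate mechanism (a signed manifest or hash chain), which this example does not show.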
Controls
Automated control checks ATAC runs today.
A live look at the NIST 800-53 controls ATAC assesses automatically — pulling real evidence from your AWS environment across 12 families.
Access Control
- AC-2 Account Management
- AC-2(03) Disable Accounts
- AC-2(04) Automated Audit Actions
- AC-2(05) Inactivity Logout
- AC-4 Information Flow Enforcement
- AC-5 Separation of Duties
- AC-6 Least Privilege
- AC-6(01) Authorize Access to Security Functions
- AC-6(02) Non-Privileged Access for Non-Security Functions
- AC-6(05) Privileged Accounts
- AC-6(09) Log Use of Privileged Functions
- AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions
- AC-7 Unsuccessful Logon Attempts
Audit & Accountability
- AU-2 Event Logging
- AU-3 Content of Audit Records
- AU-3(01) Additional Audit Information
- AU-4 Audit Log Storage Capacity
Assessment, Authorization & Monitoring
- CA-5 Plan of Action and Milestones
- CA-7 Continuous Monitoring
- CA-7(04) Risk Monitoring
- CA-9 Internal System Connections
Configuration Management
- CM-2 Baseline Configuration
- CM-2(03) Retention of Previous Configurations
- CM-4(02) Verification of Controls
- CM-5 Access Restrictions for Change
- CM-6 Configuration Settings
- CM-7 Least Functionality
- CM-7(05) Authorized Software
- CM-8 System Component Inventory
- CM-12(01) Automated Tools to Support Information Location
Contingency Planning
- CP-6 Alternate Storage Site
- CP-6(03) Accessibility (Alternate Storage Site)
- CP-9 System Backup
- CP-10(02) Transaction Recovery
Identification & Authentication
- IA-4(04) Identify User Status
- IA-11 Re-Authentication
Incident Response
- IR-5 Incident Monitoring
- IR-5(01) Automated Tracking, Data Collection & Analysis
- IR-6(01) Automated Reporting
Risk Assessment
- RA-5 Vulnerability Monitoring and Scanning
- RA-5(05) Privileged Access (Vulnerability Scanning)
System & Services Acquisition
- SA-22 Unsupported System Components
System & Communications Protection
- SC-4 Information in Shared System Resources
- SC-5 Denial of Service Protection
- SC-7 Boundary Protection
- SC-7(03) Access Points
- SC-8 Transmission Confidentiality and Integrity
- SC-8(01) Cryptographic Protection
System & Information Integrity
- SI-2 Flaw Remediation
- SI-3 Malicious Code Protection
- SI-4 System Monitoring
- SI-4(02) Automated Tools & Mechanisms for Real-Time Analysis
- SI-4(05) System-Generated Alerts
- SI-4(20) Privileged Users
- SI-5 Security Alerts, Advisories & Directives
- SI-7(01) Integrity Checks
- SI-7(07) Integration of Detection and Response
- SI-10 Information Input Validation
- SI-12 Information Management and Retention
Supply Chain Risk Management
- SR-5 Acquisition Strategies, Tools & Methods
- SR-10 Inspection of Systems or Components
- SR-11 Component Authenticity
OS hardening · STIG
DISA STIG, folded into NIST 800-53.
Live STIG scans across running EC2 instances (remotely via AWS Systems Manager — no agent install), every gold AMI in your image pipeline, and your container images. Findings map onto the right NIST control automatically using DISA's official STIG-to-NIST crosswalk, so OS hardening shows up where compliance lives.
Live EC2 scans, no agent
Trigger fresh scans against running instances in minutes — over AWS Systems Manager, nothing to install on the host. CAT I → critical, CAT II → high, CAT III → medium. Every scan records the image it ran against and the base image it was built from — full lineage one click away.
Multi-OS image pipelines
Every gold image is STIG-scored during build. One-touch hardened pipelines for Amazon Linux 2023, Ubuntu, RHEL, and Windows Server 2022 / 2025. Bad images never get promoted to production.
Container image scans
Your container image scans flow in with the same NIST crosswalk. One framework, one report — VMs and containers.
POA&M with the official fix
Generate a POA&M from any finding. Remediation pulls verbatim from the STIG rule's official fix text, with a plain-English explanation alongside.
Frameworks
Every framework your program needs.
ATAC pulls evidence from AWS Security Hub, AWS Config Conformance Packs, CloudTrail Lake, and IAM Access Analyzer — all mapped onto the same NIST 800-53 control catalog. Enable as many frameworks as you need.
NIST SP 800-53 Rev 5
Full Rev 5 catalog; FedRAMP Low, Moderate & High.
NIST SP 800-171 Rev 2
Protecting CUI — and the basis for CMMC Level 2.
CIS AWS Foundations Benchmark
Center for Internet Security hardening baseline.
AWS Foundational Security Best Practices
AWS's baseline of security best practices.
Custom frameworks
Need something else? We also tailor the control set to your program, per customer — just ask us.
On AWS Audit Manager
Audit Manager: covered both ways.
AWS placed Audit Manager into maintenance mode in April 2026. New accounts can no longer enable it, and AWS isn't adding new frameworks, regions, or features going forward. ATAC handles both sides of that line — a durable replacement for accounts that can't enable AM, and an interactive wrapper for accounts that already do.
Can't enable AM? You don't need it.
ATAC's evidence pipeline pulls from the same sources AM does — Config Conformance Packs, Security Hub, CloudTrail Lake, and IAM Access Analyzer — and crosswalks all of it onto NIST 800-53. Same evidence sources, no AWS service-lifecycle risk.
Already running AM? We make it interactive.
ATAC reads your existing assessments and surfaces them with the same look and feel as the rest of the platform. Every finding gets a one-click path to fix, track, or report on it — turning the read-only console into a surface you can act on.
What “interactive” means
Fix the root cause
Click any AM finding to open the same remediation panel used everywhere else in ATAC. The proposed fix runs through the same approve-first guarded path — not a separate flow.
Track it as a POA&M
Auto-draft the POA&M — description, milestone, and risk text written by our trained AI model. It drops straight into the 9-state lifecycle, with two-way Jira sync from there.
Generate an assessment report
One-click assessment report — no bouncing back to the AM console for the download. The triage agent picks which report to generate first when you have many open.
Triage the backlog
Our trained AI model orders the plan; rules decide the actions (fix / track / report). Across hundreds of open AM items, the right work surfaces first — and the model never gets to make a safety call.
Org-delegated Audit Manager? ATAC auto-detects the admin account that owns the assessments and surfaces them across every member account. Members can request actions — create an assessment, generate a report — through the admin via an in-app workflow. No email threads, no second console login.
Submission-ready
OSCAL bundle out. POA&M lifecycle in.
SSP, SAR, and POA&M generated as OSCAL JSON straight from your controls, evidence, and lifecycle state — schema-validated before you ship. POA&Ms move through a strict 9-state lifecycle with immutable version history; Jira syncs both ways.
OSCAL 1.1.2, schema-validated
SSP, SAR, and POA&M individually or as one ZIP bundle. Federal reviewers want OSCAL; you ship it natively — no “the reviewer's tool rejected our submission” round-trip.
9 enforced POA&M states
open → in-review → approved → in-progress → blocked → mitigated → accepted-risk → resolved → closed. Illegal transitions rejected; every move records actor, timestamp, and reason.
Two-way Jira sync
Per-project configurable state map. POA&M state drives Jira workflow — and back. Compliance lives in POA&M, engineering in Jira, the two never disagree.
AI-drafted, editable
Our trained AI model drafts the description, milestone, and risk text for each new POA&M, fully editable before you save. AI-drafted text never enters the evidence chain; it appears only in POA&Ms, and is clearly labeled as AI-drafted there.
Auto-managed POA&M cleanup
Twice-daily automatic sweep (7am + 7pm) keeps the backlog honest — auto-closes items whose source finding has cleared, with any manual override always respected. No bit-rot, no stale items dragging your score down.
Dogfood proof: ATAC's own FedRAMP Moderate authorization package was generated through ATAC — every artifact in the submission produced by the same product you'd be running.
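The lifecycle guarantees above (nine states, illegal transitions rejected, every move logged with actor, timestamp and reason, and a sweep that auto-closes items whose finding has cleared while respecting a manual override) are a small state machine. The following is an added example, not ATAC's code: the nine state names are the page's, but which transitions are legal, the `manual_hold` flag used for the override, and the two-step route the sweep takes (resolved, then closed, both logged) are this example's assumptions. Sample items are constructed.

```python
"""Added example (not ATAC's code): enforced POA&M state machine with an
append-only history and an auto-close sweep that honours a manual hold."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

STATES = ("open", "in-review", "approved", "in-progress", "blocked",
          "mitigated", "accepted-risk", "resolved", "closed")

# Assumed transition table: state -> states it may move to. Every active
# state can reach "resolved" (the finding is gone), but accepted-risk is a
# human decision and is deliberately not auto-resolvable; closed is terminal.
ALLOWED = {
    "open":          {"in-review", "resolved"},
    "in-review":     {"approved", "open", "accepted-risk", "resolved"},
    "approved":      {"in-progress", "resolved"},
    "in-progress":   {"blocked", "mitigated", "resolved"},
    "blocked":       {"in-progress", "resolved"},
    "mitigated":     {"resolved", "accepted-risk"},
    "accepted-risk": {"closed", "in-review"},
    "resolved":      {"closed"},
    "closed":        set(),
}


class IllegalTransition(ValueError):
    pass


@dataclass(frozen=True)
class Move:
    state: str
    actor: str
    at: str
    reason: str


@dataclass
class Poam:
    id: str
    finding_id: str
    state: str = "open"
    manual_hold: bool = False   # set by a human to keep the sweep off this item
    history: tuple = ()         # append-only: replaced with a longer tuple, never mutated

    def transition(self, new_state: str, actor: str, reason: str,
                   now: Optional[datetime] = None) -> "Poam":
        if new_state not in STATES:
            raise IllegalTransition(f"{new_state!r} is not a POA&M state")
        if new_state not in ALLOWED[self.state]:
            raise IllegalTransition(f"{self.id}: {self.state} -> {new_state} is not allowed")
        if not reason.strip():
            raise IllegalTransition(f"{self.id}: a reason is required for every move")
        at = (now or datetime.now(timezone.utc)).isoformat()
        self.history = self.history + (Move(new_state, actor, at, reason),)
        self.state = new_state
        return self


def can_move(state: str, new_state: str) -> bool:
    return new_state in ALLOWED.get(state, set())


def sweep(items, cleared_finding_ids, now: Optional[datetime] = None,
          actor: str = "sweep") -> list:
    """Auto-close items whose source finding has cleared. Skips held items,
    already-closed items, and states that cannot legally reach resolved.
    Returns the ids that were closed, each with two logged moves."""
    closed = []
    for item in items:
        if item.manual_hold or item.state == "closed":
            continue
        if item.finding_id not in cleared_finding_ids:
            continue
        reason = f"source finding {item.finding_id} absent from latest scan"
        if item.state != "resolved":
            if not can_move(item.state, "resolved"):
                continue
            item.transition("resolved", actor, reason, now)
        item.transition("closed", actor, reason, now)
        closed.append(item.id)
    return closed


if __name__ == "__main__":
    # Constructed sample backlog.
    a = Poam("P-1", "F-1").transition("in-review", "alice", "triaged")
    b = Poam("P-2", "F-2", manual_hold=True)
    c = Poam("P-3", "F-3").transition("in-review", "bob", "x") \
                           .transition("accepted-risk", "bob", "compensating control")
    print(sweep([a, b, c], {"F-1", "F-2", "F-3"}))    # only P-1
    for m in a.history:
        print(m)
```

Two details matter for auditability: the history is a tuple that is replaced, not a list that is appended to in place, so a reference handed to a reporting function cannot be edited; and the sweep records its reason and the scan it acted on, so a closed item can be traced back to the evidence that cleared it rather than looking like a silent deletion.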
Policies, written for you
The single biggest writing job in an ATO — drafted from your evidence.
Policy controls are where most ATOs stall — every control needs a written narrative an auditor will accept. ATAC drafts them for you. Pick from a library of vetted templates, bulk-approve everything you agree with, edit anything you don't — and the approved text flows straight into your OSCAL submission.
Auto-drafted from your evidence
Our trained AI model writes each policy control from your actual collected evidence — never a generic template you have to rewrite. Prompts are continuously evaluated and improved against measured quality benchmarks.
Bulk Approve All Drafts
One button approves every AI-drafted policy you're happy with — no per-control babysitting. Disagree with one? Edit just that one before approving the batch.
AI-assisted policy review
Already have a policy? Paste it in and our trained AI model reviews it against the control's intent — surfaces gaps, suggests sharper language, never rewrites without you asking.
Custom prompt context
Add your organization's context (mission, sensitive data, special constraints) once. Every subsequent draft picks it up automatically. Your voice, your environment, your language.
Policy Library + version history
A library of vetted policy templates organized by control family, plus full version history on every customer policy — every revision, every author, every approval recorded. The audit question “when did this policy last change” is one click.
For the audit room
Hand the auditor a URL, not a PDF email attachment.
Beyond OSCAL for federal reviewers, ATAC ships clean HTML and PDF audit-report bundles for the auditor sitting across from you — per-control narratives, evidence, severity, POA&M status, all grounded in your real evidence.
Audit Report Bundle
Per-control bundle with narrative, evidence, severity, POA&M status, and inheritance badges that clearly separate customer-owned controls from cloud-provider-inherited ones. Clean HTML for sharing a link, client-rendered PDF for downloading.
Auto-pick the right controls
When no controls are specified, ATAC cascades through three pickers: non-compliant infrastructure checks first, then Coverage Matrix gaps, then top open findings. Never an empty report.
AI narrative + authorship provenance
3–5 sentence narrative for each control, written by our trained AI model from the actual collected evidence. Every report includes a Policy Provenance appendix tagging AI-drafted vs human-authored content — auditors see what came from where.
Bundles in ~12 seconds
Audit Report bundle generation parallelizes across controls — a full 14-control bundle that used to take ~56 seconds now ships in ~12. The “generate me everything” request fulfilled before the auditor refills their coffee.
Master + Posture reports
A single HTML doc rendering full posture (Master) and a CISO-grade board pack (Posture). Scoped by baseline, framework, or family — the “send me everything” request fulfilled by one URL.
One pane of glass
Every framework. One screen.
Most teams run a different tool, spreadsheet, and login for every standard — a screen apiece, and a fresh chance to drift out of sync with each one. ATAC puts them all on one board.
Toggle any framework on or off — or zoom into just one. The same controls re-score instantly; nothing to re-import, nothing to reconcile.
Toggle, don't tab-switch
Flip frameworks on and off with a click. One set of controls, re-scored live against whatever standards you choose — no second dashboard, no second login, no second export.
Fix once, comply everywhere
The crosswalk maps each control across frameworks, so a single piece of evidence satisfies many standards at once. Remediate one finding and watch it clear across all of them.
Your whole posture, at a glance
A consolidated compliance view across every framework you've enabled. See exactly where you stand — and what's left — in seconds, not spreadsheets.
Get compliant, stay compliant
Continuous scans keep every framework current, so you're audit-ready all year instead of scrambling the week before. Compliance becomes a state you hold, not a fire drill you survive.
Stay out of the console
Give your team everything — without the AWS console.
Compliance work shouldn't mean handing out console logins and standing admin rights. ATAC is the single pane of glass: scanning, evidence, AI remediation, and reports all live in one app, so your compliance team gets everything it needs and almost no one needs the console. Fewer console sessions mean fewer standing privileges, which is a stronger security posture by itself.
One app, not ten consoles
Findings, evidence, AI remediation, POA&Ms, and reports live in a single authenticated view — no jumping between console screens to get the picture.
Least privilege by default
Assessors, auditors, and reviewers don't need broad console access or standing admin credentials. The fewer privileged humans, the smaller your attack surface.
Remediate without the keys
Approve a fix in ATAC and it runs through a guarded, approval-first, least-privilege path. Note that the read-only connector role carries no write permissions, so remediation is a separate, scoped capability rather than standing console access. Nobody hand-edits production resources in the console.
Auditors see, never touch
Give assessors live, read-only visibility into your posture and evidence — without an extra identity, admin role, or console seat.
Every console login is a door. ATAC keeps most of them closed.
Sign in, federal-grade
PIV / CAC sign-in. Your branding. No third-party login form.
Authentication is the first thing a federal security review asks about. ATAC supports PIV / CAC smart-card sign-in out of the box, and the sign-in page lives on your domain with your branding, so customers see ATAC the whole way through.
PIV / CAC smart cards
Government-issued credentials work as sign-in. No separate password to manage, no extra identity-provider project — it just works for users who already carry the card.
Your domain, your branding
The sign-in page lives at your domain in ATAC's visual language — dark, teal, embossed logo, your wordmark. No generic third-party form, no jarring redirect to someone else's design.
Fresh PIV on every session
Sign-out forces a fresh smart-card prompt on the next sign-in. No silent re-auth and no lingering session to wonder about: every session starts with a fresh card authentication of the person at the keyboard.
Stay compliant all year — not once a year.
Install ATAC, click scan, and let it do the work: live findings, AI remediation, audit-grade proof, and every compliance document generated for you.