ATAC · ATO As Code · v1.0 release overview
Compliance · on autopilot

Audit-ready in seconds. v1.0

ATAC automates the security work that drains your team — continuous evidence collection, point-and-click remediation, AI-drafted narratives, audit-ready PDFs — across NIST 800-53, FedRAMP Low / Moderate / High, NIST 800-171, CIS, FSBP, HIPAA, SOC 2, PCI and ISO 27001. One screen replaces a wall of spreadsheets, screenshots, and Slack threads.

$0
nothing to install in your AWS account. No agent, no sidecar, no VPN. One read-only IAM role you can revoke any time.
0 ops
nothing to maintain. We run the dashboard, the AI, the evidence lake, the pipeline, the OSCAL stack — all of it.
7 figures
saved in salary & audit prep. Compliance work that used to need 3-5 FTE is now a dashboard plus a button.
ATAC · The problem · why compliance costs so much
The problem

Compliance is expensive. Hiring more people is the wrong fix.

Every regulated AWS workload pays the same compliance tax — paid in headcount, contractor hours, audit prep cycles, and the silent drift that builds up between assessments. ATAC replaces every line item below with software that runs while you sleep.

$300-500K / yr
Manual evidence collection
A compliance analyst spends 60% of their week taking screenshots, exporting logs, and stitching them into a folder structure no one will read.
$200-400K / yr
Audit prep sprint
Every 12 months, the whole team stops shipping for 4-8 weeks to build the SSP, SAR, POA&M, and evidence packages — by hand.
$150-300K / yr
Tooling sprawl
Audit Manager + a GRC platform + a STIG scanner + a POA&M tracker + Jira + a wiki. Five tools, five contracts, none of them talk.
priceless
Silent drift
Six months between assessments. Findings pile up unseen until the next auditor walks in. Your posture is a lottery ticket, not a number.
ATAC replaces all four with one continuously-running platform. Evidence collects itself. Reports generate on demand. Drift surfaces the day it happens. Audit prep becomes a download.
ATAC · What it does · the six things that matter
What ATAC does

Automated security work + point-and-click remediation.

Six capabilities replace the rote work. Each one was a 1-3 FTE job until last week.

Multi-Framework Posture
One board. Every US framework — NIST 800-53, FedRAMP L/M/H, NIST 800-171, CIS, FSBP, HIPAA, SOC 2, PCI, ISO 27001 — live, severity-ranked, org-wide.
Why it's great: one S3 fix retires findings in four frameworks at once. The "where are we" question goes from a week to a glance.
Continuous Evidence Lake
Daily collection from Config Conformance Packs, Security Hub, CloudTrail Lake, and IAM Access Analyzer. SHA-256 integrity hash on every row.
Why it's great: auditor asks "show me the evidence as-of Oct 1" — one click. No screenshots, no spreadsheets, tamper-evident by construction.
Point-and-Click Remediation
Match a finding to a safe remediation pattern, see exactly what would happen, click Fix it for me. Idempotent. AI-drafted runbook for the rest.
Why it's great: "you have a problem" to "the problem is gone" without leaving the dashboard. Every fix is auto-tagged as AU-12 audit evidence.
Ask ATO-M (AI Co-Pilot)
Plain-English Q&A grounded in your collected evidence. Detects control IDs, loads context automatically, remembers the conversation.
Why it's great: auditor walks in prepared in seconds. AI cost-capped per account so the bill never surprises you.
Audit-Ready Packages
Per-control AI narrative + 5-source evidence + POA&M state + client-rendered PDF. OSCAL SSP, SAR, POA&M auto-generated and schema-validated.
Why it's great: the analyst-week of stitching screenshots into a deck becomes a minute. Federal reviewers get OSCAL natively.
STIG & OS Hardening
DISA STIG scans (OpenSCAP / SSM) across EC2, AMIs, and container images. CAT I/II/III findings folded onto NIST 800-53 via the CCI crosswalk.
Why it's great: OS hardening is where most ATO packages get held up. Now it's continuous, automated, and one-click POA&M.
ATAC · Capability map · 500 features, twelve categories
Capability map

Every layer of the ATO, in one platform.

Frameworks & Crosswalk
  • NIST 800-53 / FedRAMP L/M/H
  • NIST 800-171 (CMMC L2)
  • CIS · AWS FSBP
  • HIPAA · SOC 2 · PCI · ISO 27001
  • One-finding-many-frameworks crosswalk
Evidence Pipeline
  • 4-source daily collection
  • On-demand "Collect Now"
  • S3 lake + DDB control-keyed index
  • SHA-256 integrity per row
  • Per-source retention windows
Audit Reports
  • Per-control AI narrative
  • HTML + client-rendered PDF
  • Auto-pick controls (Coverage / Packs / SH)
  • Bulk + family attestation upload
  • Filename auto-match
OSCAL Stack
  • SSP · SAR · POA&M (1.1.2)
  • Schema-validated exports
  • Bundle export + HTML render
  • Coverage stats per baseline
  • Federal-reviewer-ready
AI Layer
  • Ask ATO-M chat (multi-turn)
  • Bedrock-drafted POA&M copy
  • "Fix it for me" runbooks
  • Per-account daily cost cap
  • Cheaper-model fallback on throttle
Remediation
  • Curated safe-pattern catalog
  • Explicit confirm before execute
  • Idempotent — re-run is a no-op
  • Per-control remediation history
  • Auto-tagged as AU-12 evidence
STIG / OS Hardening
  • Live EC2 scan via SSM
  • AMI scoring in the image pipeline
  • Container image scans
  • Per-OS hardening recommendations
  • One-click POA&M from STIG finding
POA&M Lifecycle
  • 9-state enforced lifecycle
  • Immutable version history
  • Auto-create from new findings
  • Auto-close on finding resolution
  • Bidirectional Jira sync
Multi-Account / Org
  • Whole-org rollup via SH aggregator
  • Live org topology map
  • Shadow-IT account detection
  • Per-account drilldown
  • Daily scheduled diff scans
Multi-Tenant
  • 4-step onboarding wizard
  • Read-only customer connector CFN
  • Per-customer ExternalId secret
  • Topnav "View as customer X"
  • Capability gating per scope
Identity & RBAC
  • Admin / Auditor / Reader (hierarchical)
  • Cognito hosted UI + custom domain
  • Self-service password reset
  • First-admin bootstrap at deploy
  • Immutable audit log
Exports & Reports
  • CSV / JSON on every list
  • Master & posture HTML reports
  • AC-6 least-privilege offenders CSV
  • ATO Review Summary (AI)
  • All-up bundle export
500+
shipped features in the 1.0 release — every layer of an ATO, from posture to OSCAL.
~1,000
NIST 800-53 Rev 5 controls auto-tracked. Every one has live status + evidence.
10+
frameworks crosswalked. One fix, many frameworks retired.
ATAC · Zero-friction install · why now
Zero-friction install

No equipment. Nothing to maintain.

ATAC reads from your AWS account through a single read-only IAM role. You don't install software, you don't run a server, you don't patch anything. Revoke at any time by deleting one CloudFormation stack.

01 · One template
No equipment in your account
Deploy one CloudFormation stack at your AWS root (or as a StackSet org-wide). Creates a single IAM role. No agents. No sidecars. No VPN. No data leaves your account except through this role.
02 · Read-only
No writes. Ever.
The role grants SecurityAudit + ViewOnlyAccess + a small read-only supplement for Conformance Packs, Security Hub findings, CloudTrail Lake queries, and Access Analyzer. Auditable in 90 seconds.
03 · Zero ops
Nothing to maintain
We run the dashboard, the AI, the evidence lake, the OSCAL pipeline, the STIG scans. You get the value. Your team ships product instead of operating compliance plumbing.
Without ATAC
  • 3–5 FTE on continuous compliance
  • 4–8 weeks every audit cycle on prep
  • Five overlapping tools, none integrated
  • Drift discovered at the next assessment
  • Manual screenshots in shared drives
With ATAC 1.0
  • One platform. One dashboard.
  • Audit prep is a download
  • OSCAL SSP / SAR / POA&M auto-generated
  • Daily drift detection — caught the day it happens
  • Tamper-evident evidence lake by construction
Stop hiring for compliance.
Start shipping compliance.
AtoAsCode.com