Evidence-led compliance assurance.
Any framework. IRAP-depth for Australia. AI governance worldwide.

CyberSentien assesses once against your real evidence and reports everywhere — deterministic verdicts, honest coverage, tamper-evident lineage on every report. Controls without evidence read “manual assessment required”, never a fabricated pass. Built for assessors, practices, banks and AI providers.

Run a real assessment on sample docs → Book a founder demo
The demo runs on synthetic sample documents — you upload nothing, and nothing is retained. How we handle data →
🛡 Australian-sovereign hosting🧠 Local AI — no third-party AI API🗑 No data retention🔐 Tamper-evident report lineage
33frameworks live on the engine
61evidence connectors registered
446reports issued with integrity anchors
18document kinds drafted on demand

🧪 Try it now — no documents of yours required

Open the gated demo and run the REAL engine on a synthetic sample library spanning strong evidence through to poor — so you can watch it stay honest no matter what it's fed. Instant sample reports open immediately from cached scenarios — pre-run assessments over the same library — then a live run takes a couple of minutes, because it's real work, not a scripted animation. Output stays watermarked until you subscribe; the trial itself is never gated.

Open the gated demo →

Who it's for

Depth is badged honestly per lane — consultant-grade where we go deepest (ISM/IRAP, Essential Eight), Tier-A breadth elsewhere. Never overstated.
Tier-A breadth

🏦 Banks & APRA-regulated

CPS 230 operational resilience and CPS 234 information security posture from live evidence — board and regulator packs, material-supplier registers, no false green. The engine is the evidence layer; it does not replace an APRA-appointed tripartite reviewer.

Consultant-grade depth

🏛 Government & Defence

ISM/IRAP assessment at the depth an IRAP assessor documents — the full ISM catalogue with SAR generation, Essential Eight across ML1–ML3, evidence mapped control by control. Australia's real moat.

Depth badged per lane

💼 GRC consultants & practices

Every framework live on the engine, one book of work: per-engagement scoping, evidence freshness measured — not asserted — and reports carrying an Evidence Freshness Statement. IRAP-grade on ISM/E8, Tier-A breadth elsewhere.

Tier-A breadth

🧠 AI vendors & providers — GAiaaS

Multi-jurisdiction AI governance from one evidence base — EU AI Act, ISO/IEC 42001, NIST AI RMF, plus every national instrument live on the catalogue, enumerated on the solutions page rather than promised. The one axis where our reach is already genuinely global.

Served via security lens

🏥 Healthcare

OAIC breach duties and buyer security clauses served through ISO 27001, SOC 2, Essential Eight and third-party risk. Honest position: no dedicated health-sector catalogue on the engine today — we say that plainly rather than badge it green.

Served via existing lanes

⚡ Critical infrastructure — SOCI

SOCI risk-management-program obligations served through Essential Eight maturity, ISM depth and third-party risk registers. Honest position: no dedicated SOCI catalogue yet — where an obligation is not covered, the posture says so.

Framework-driven

🌎 Everywhere else

Not a bank, not an agency, not a hospital? The engine is framework-driven, not industry-templated. If your obligations map to the frameworks live on the catalogue, the same machinery serves you — and if they don't, we say so and it goes on the roadmap, not on your report.

Frameworks on the engine today

Every entry below is a live catalogue on the assessment spine, generated from the engine's own data at build time — not a logo wall, and not a promise.

Why there are no customer logos here yet

We're early, and we won't fake social proof any more than the engine fakes a pass.

🤝 Founding partners — first 5 AU practices

Locked founder pricing, a direct line to the founder, and real roadmap input. We build the case studies together — that's the deal.

Ask about founding partnership →

🔐 Trust you can verify instead

Every report carries a validation run id and a SHA-256 integrity anchor chained into a tamper-evident ledger — auditors, regulators and your clients can verify a CyberSentien report is genuine and unmodified. No logo proves that.

🧾 No false green — anywhere

Coverage is measured against full catalogues; controls without evidence say “manual assessment required”, never a fabricated pass. The same rule governs this website: every number here was read from the engine when the site was built.

See your posture on the real engine

A working demo on live machinery — not slides. Tell us where you sit and we'll send a gated, revocable demo link.

Request the demo →