Operator-grade · CNAPP + AI Control Plane

The control plane for regulated software
and the AI agents that run on it.

Optimal hardens containers, host OS, and OT firmware against DISA STIG, CIS, and IEC 62443. Signs SBOM and MLBOM on every build. Watches every autonomous AI agent's identity, tools, data scope, and authority. Emits compliance evidence live, on every request. Runs in your Kubernetes cluster, never ours.

Talk to an operator See the live demo

DISA STIG · SBOM · AI agents · Continuous evidence

FLEET 847 containers STIG 1,184 passing · 31 N-A · 2 failing SBOM 847 signed · CycloneDX 1.6 AGENTS 47 tracked · 12 authorities asserted

33.7393° N · 118.3995° W · CH 03 · OPEN

How operators use it

Every finding has an action.
Not just a row.

The buttons below are the ones in the product today. The Recall Agent drafts, the Hardening Agent proposes, the artifacts ship signed. Operator approves. Audit trail records.

Propose remediation plan

Every finding has an action. Recall Agent (Claude Opus 4.7) drafts a plan against KEV-listed criticals and SLA breaches. Operator approves. Orchestration Engine executes against Hub, Spoke, and Edge Collectors.

// 24h critical · 7d high · 60d medium · 180d low

Generate STIG fix

Failing DISA rule, Hardening Agent drafts a fix plan against the smallest possible change set. Dockerfile patch, Helm values delta, or host config diff. Fix text verbatim from DISA, plus operator actions inline.

// April 2026 library · XCCDF per-rule · pass / fail / N-A

Live SBOM / MLBOM

Signed CycloneDX 1.6 for every container, and an MLBOM for every on-prem AI model. First-class artifacts, not a side report. Click the artifact, see the manifest, ship to the auditor.

// per-build · per-image · per-model · queryable

What makes us different

Three things competitors don't ship together.

01 / 03 → 03 / 03

01

DISA STIG hardening, not just CIS.

Bundled XCCDF library, per-rule pass / fail / N-A from the Spoke scanner, fix text verbatim from DISA, plus operator actions inline. April 2026 release: Amazon Linux 2023, Kubernetes, Apache HTTPD 2.4 Unix, Microsoft Windows Server 2022. CIS and IEC 62443 ride the same channel.

STIG 1,184 passing 31 N-A 2 failing CIS v8 IG-2 IEC 62443 3-3 SL2

02

AI agent control plane.

Every autonomous agent's identity, tools, data scopes, memory scope, authority, and handoff edges. Full audit trail. Forensics on every action. Optimal already runs the model side (inventory, guardrails, MLBOM); Agents adds the orchestration layer above it. The category is forming around this; we ship it today.

AGENTS 47 tracked AUTHORITIES 12 asserted HANDOFFS 1,204 / 24h 3 blocked · prompt injection

03

Evidence as a product feature.

Live HTML and JSON artifacts at compliance.gooptimal.io, re-emitted on every request from observed fleet state. Branded for the customer's audit. SOC 2, PCI DSS v4.0.1, HIPAA, ISO 27001, FedRAMP 20x KSI, IEC 62443. Not a quarterly export from a third-party SaaS.

LAST EMIT 12s ago SOC 2 · PCI v4 · HIPAA · ISO · KSI · 62443 live feed · no screenshots

For AI-forward teams

The agent control plane.
Identity. Authority. Audit.

The market is converging on a category sometimes called identity-aware agent harness, agent runtime security, AI control plane, agentic identity, or AI workflow governance. The label varies. The checklist doesn't.

Optimal already runs the model side: inventory, guardrails, MLBOM, prompt-injection and exfiltration screening. Agents adds the orchestration layer above it. The checklist below is what Optimal answers, per agent, today.

01 Who owns it? Owner identity asserted at registration. Tied to a human or service principal. Recorded on every action.

02 What can it access? Data scope declared up front. Optimal denies any read or write outside the declared scope. Logged.

03 What tools can it use? Explicit tool allowlist. MCP servers, HTTP endpoints, shell commands. Anything off-list is refused at the gateway.

04 Which version is running? Model + prompt + tool revision pinned. Drift triggers a finding. Rollback is one operator action.

05 Whose authority does it act under? Delegated-authority graph. Every action chains back to a human approver, named, with timestamp.

06 What memory can it read or write? Memory scope per agent. Read-only, append-only, or scoped key-value. Optimal denies cross-agent memory access unless declared.

07 Which other agents can it hand work to? Handoff-edge graph. Optimal blocks any handoff outside the declared edge set. Forensics trace every handoff in the fleet.

NIST AI RMF ISO/IEC 42001 OWASP LLM Top 10

Industries

For teams that cannot afford uncertainty.

// 01 · FINSERV

Financial Services

Your QSA arrives next quarter and asks for continuous evidence of CDE hardening. Your container scan reports are stale and live in three separate tools. Optimal ships the evidence as a product feature, refreshed on every request, branded for your audit. PCI DSS v4.0.1 ready out of the box.

PCI v4.0.1 · SOC 2 · NYDFS

// 02 · HEALTHCARE

Healthcare

OCR investigates a breach and your audit logs are scattered across CloudWatch, Splunk, and a screenshot folder. Optimal emits HIPAA Technical Safeguards evidence as a live feed your auditor reads directly, refreshed on every request. HITRUST and SOC 2 ride the same channel.

HIPAA · HITRUST · SOC 2

// 03 · SLED

State & Local Government

Your CJIS auditor reviews every system touching criminal-justice data and asks for continuous proof your vendors meet state policy. Optimal scans containers and cloud config against StateRAMP, CJIS v6.0, and FERPA-aligned access patterns. Evidence emits live, branded for your agency.

StateRAMP · CJIS v6.0 · FERPA

How it ships

Distribution model in four lines.

No SaaS data plane. No vendor cloud account holding your secrets. Commercial-cloud procurement, the way procurement actually buys.

01 / 04 → 04 / 04

01 Self-hosted via Helm. $ helm install optimal/platform

02 Hub + Spoke + Edge. Hub orchestrates. Spokes scan containers and host OS. Edge Collectors reach OT and IoT firmware.

03 One SKU. No tiering. Same codebase, every customer. AWS and GCP Marketplace. No annual minimum.

04 Founder-led engagement. Talk to an operator →

Channel · Open

Run the agents.

Move at mission speed. Operate with evidence. Run the agents.