The Optimal Platform

Harden. Verify.
Govern the agents.
Prove.

Self-hosted CNAPP and AI control plane. Applies DISA STIG, CIS, and IEC 62443 baselines to containers, host OS, and OT firmware before they ship. Scans the running fleet on Apollo-style SLA clocks. Watches every autonomous agent in your stack. Emits compliance evidence live, on every request.

Talk to an operator See the live demo

Move at mission speed · Operate with evidence · Run the agents

Phase 01 / Harden

DISA STIG, not just CIS.

Bundled XCCDF library, per-rule pass / fail / N-A from the Spoke scanner, fix text verbatim from DISA, plus operator actions inline. CIS and IEC 62443 ride the same channel. OT and IoT firmware too.

Harden your own images. No distro lock-in.

STIG 1,184 passing 31 N-A 2 failing CIS v8 IG-2 IEC 62443 3-3 SL2

// April 2026 STIG library, bundled

01
Amazon Linux 2023 STIG.
Per-rule findings. Auto-remediation drafts. Operator approval gates.
02
Kubernetes STIG.
Admission control, RBAC, network policy, workload identity, audit log.
03
Apache HTTPD 2.4 Unix STIG.
Module config, TLS posture, request filtering, log retention.
04
Microsoft Windows Server 2022 STIG.
Domain config, audit policy, service hardening, firmware posture.
05
CIS Benchmarks.
Container, Kubernetes, AWS, GCP, Azure profiles.
06
IEC 62443 (industrial / OT).
3-3 system requirements. Edge Collector for firmware reach.
07
Hardening Agent.
Failing rule, fix plan against the smallest possible change set. Dockerfile, Helm values, host config.
Phase 02 / Verify

Continuous scanning.
SLA clocks running.

Containers, cloud config, Kubernetes posture, secrets, malware, SBOM, OT firmware. The attack-path graph surfaces toxic combinations in the hour. SLA clocks count down on every finding. Breached and approaching surface automatically.

Critical
24h
High
7d
Medium
60d
Low
180d

// Verify capabilities

01
Container vulnerability scanning.
Layers, OS packages, language deps, base-image inheritance.
02
Cloud configuration.
AWS, GCP, Azure. Policy as code.
03
Kubernetes posture.
RBAC, admission, network policy, workload identity.
04
Secrets & malware.
Code, images, configmaps, env vars. Static + behavioural detection.
05
SBOM (CycloneDX 1.6, signed).
Per-build, per-image, queryable. First-class artifact.
06
Attack-path graph.
Toxic combinations: critical CVE × internet-exposed × admin IAM.
07
Drift detection + eBPF runtime.
Production diverges from hardened baseline, finding raised. Kernel-level workload visibility.
08
SLA clocks + waivers.
Breached and approaching surface automatically. Operator-approved suppression waivers with audit trail.
Phase 03 / AI Security

The model side
and the agent side.

Inventory every model running in the fleet. Sign an MLBOM on every build. Screen every prompt and tool call for injection, jailbreak, and exfiltration. Govern every autonomous agent on top: identity, tools, data scope, memory, authority, handoffs.

Optimal already runs the model side. Agents adds the orchestration layer above it.

MODELS 23 inventoried MLBOM 23 signed · CycloneDX 1.6 AGENTS 47 tracked 3 blocked · prompt injection

// AI security capabilities

01
Model inventory.
Per-service usage. Which workload calls which model, how often, with what scopes.
02
MLBOM (CycloneDX 1.6, signed).
First-class artifact for every on-prem AI model. Same lifecycle as SBOM.
03
Prompt-injection guardrails.
Inline gateway. Blocks injection, jailbreak, and exfiltration patterns before they reach the model.
04
Agent identity registry.
Owner, version, model + prompt + tool revision. Pinned. Drift triggers a finding.
05
Tool allowlist + data scopes.
MCP servers, HTTP endpoints, shell. Off-list calls refused at the gateway. Data outside the declared scope refused.
06
Authority graph + handoff edges.
Every action chains back to a human approver. Cross-agent handoffs refused unless declared.
07
Memory scope.
Per-agent. Read-only, append-only, or scoped key-value. Cross-agent memory denied unless declared.
08
Framework coverage.
NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10. Evidence emits in the same channel as the rest of the fleet.
Phase 04 / Prove

Evidence as a
product feature.

Live HTML and JSON artifacts at compliance.gooptimal.io, re-emitted on every request from observed fleet state. Branded for the customer's audit. Auditor reads a live feed, not a quarterly screenshot binder.

Audit time stops being a fire drill.

LAST EMIT 12s ago live feed · no screenshots

// Frameworks covered

01
SOC 2.
CC + additional criteria, mapped to operational state.
02
PCI DSS v4.0.1.
Requirements 1, 2, 6, 10, 11 covered against your container footprint.
03
HIPAA Security Rule.
Administrative, Physical, Technical Safeguards. PHI scoping.
04
ISO 27001:2022.
Annex A controls aligned to scanning and hardening output.
05
FedRAMP 20x KSI.
Machine-readable evidence emitter. Self-attestation lifecycle on compliance.gooptimal.io.
06
IEC 62443.
3-3 system requirement evidence for industrial and OT scopes.
07
Shared responsibility matrix.
Explicit boundary: what Optimal does, what the customer does.
08
POA&M + waiver lifecycle.
Finding through fix PR through resolution. Operator-approved suppression waivers tracked.
Architecture

Hub. Spoke. Edge.
Agentic CD, self-hosted.

Optimal is built on best-in-class open-source security engines, with our opinionated hardening, remediation, evidence emission, and agent governance as the value-add layer. The whole platform runs inside your own Kubernetes cluster. One Helm chart, one command. Optimal never holds your credentials. Optimal never holds your data.

The Recall Agent (Claude Opus 4.7) proposes remediation plans on KEV-listed criticals and SLA breaches. Operator approves. The Orchestration Engine executes against the Hub, the Spokes, and the Edge Collectors.

Optimal Platform: Agentic CD architecture Customer Kubernetes cluster contains the Optimal platform via one Helm install. Inside the cluster: Hub orchestrates Harden, Verify, AI Security, and Prove engines. Spokes scan containers and host OS. Edge Collectors reach OT and IoT firmware. Recall Agent (Claude Opus 4.7) proposes remediation plans on KEV-listed criticals and SLA breaches. Operator approves. Orchestration Engine executes. Outputs leave as fix PRs to GitHub or GitLab, and as a live evidence feed to compliance.gooptimal.io. $ helm install optimal/platform ONE COMMAND // CUSTOMER KUBERNETES CLUSTER · SELF-HOSTED HUB ORCHESTRATION Recall Agent · Claude Opus 4.7 SPOKE · Containers scan + harden + drift SPOKE · Host OS STIG · CIS · eBPF EDGE · OT / IoT firmware · IEC 62443 AI control plane agents · models · MLBOM Evidence emitter live · branded Orchestration Engine operator-approved actions Fix PRs → GITHUB · GITLAB Operator console → FINDINGS · GRAPH · SLA compliance.gooptimal.io → LIVE EVIDENCE FEED // Optimal never holds customer credentials. Optimal never holds customer data.

// Hub orchestrates. Spokes scan. Edge reaches the firmware. Recall Agent proposes; operator approves; Orchestration Engine executes.

Get on channel

Talk to an operator.

Move at mission speed. Operate with evidence. Run the agents.

Contact See the live demo