Turn Security Reviews Into Closed Deals
Stop losing deals to 300-question security questionnaires.
Aurora ingests security questionnaires, drafts responses, links evidence, and exports a clean packet without a massive GRC rollout.
One platform for governance, evidence, and questionnaires
Build a defensible program without a GRC department. Track requirements, collect proof, and respond faster.
- Track requirements (including custom)
- Assign owners and due dates
- Turn gaps into remediation
- Evidence library and indexing
- Requests, reminders, and follow-up
- Export-ready audit packets
- Reusable response library
- Evidence-backed answers
- Exports for reviews and renewals
The full workflow, not a checklist
Aurora is built around the real “show me” cycle: policies → evidence → questionnaires → exports.
50 policy + standard templates
A NAIC-first library for agencies: required starters + optional add-ons, ready to personalize.
- Guided setup (required vs optional)
- Mustache variables for fast personalization
- Draft → approval workflow
Upload existing policies
If you already have a policy, upload it and keep it as your source-of-truth in Aurora.
- PDF/Word uploads supported
- Extract to editable drafts
- Aurora improvements with diff preview
- Version history + approvals
Evidence library + requests
Track what proof exists, what’s missing, and who’s responsible—without a spreadsheet.
- Evidence indexing and status
- Requests and reminders
- Evidence-backed exports
One-click exam binder export
Generate a clean ZIP packet for carrier/examiner “show me” requests, with manifests.
- ZIP + CSV manifests
- Include policies/WISP/evidence
- Repeatable, consistent output
NAIC-first controls + state overlays
Start with NAIC 668, then layer in state-specific requirements where available.
- NAIC baseline control library
- Selected state overlays (expanding)
- Jurisdictions drive what applies
State deadlines in your calendar
Regulatory deadline reminders appear automatically based on your configured jurisdictions.
- Recurring deadline events (where dated)
- Shows on the dashboard as “Upcoming Deadlines”
- Keeps timing visible, not tribal
Assessment + questionnaire automation
Upload questionnaires, draft answers with citations, and export faster.
- Draft responses with evidence context
- Reusable “golden answers” library
- Exports for renewals and reviews
Vendors + remediation tracking
Inventory vendors, run assessments, and turn gaps into tracked remediation.
- Vendor inventory + artifacts
- Assessments and follow-ups
- Remediation tracking + due dates
Incident readiness workflows
Keep incident documentation, assignments, and notification clocks from getting lost in Slack.
- Incident tracking + timeline
- Notification expectations (where applicable)
- Defensible record for exams/audits
Evidence pipelines + continuous monitoring, built in
Not just policies. Aurora includes an automation layer that connects integrations, normalizes metadata, runs drift tests, and exports auditor-ready packets. Designed for single-tenant AWS deployments with data minimization by default.
Vertical Packs + Guided Setup
Turn a regulated vertical into an actionable setup plan.
- Start with a sane default for your vertical (P0 core controls + P1 vertical add-ons).
- See what’s missing: which integrations need credentials and what evidence/tests will run.
- Avoid “GRC sprawl” by selecting one tool per category (single-tenant).
- Pack Builder: choose vertical, integrations, scope, cadence.
- Connections created disabled until credentials are added.
- Tests + evidence specs enabled in one flow.
Integration Health & Staleness
Know when evidence pipelines are actually working.
- Catch broken credentials and silent data gaps before an exam or incident.
- See freshness at-a-glance (green/yellow/red) with last success + last error.
- Reduce “we thought we were logging” surprises with ingest heartbeat tests.
- Health status, staleness seconds, last error reason.
- Per-stream cursors (users/roles/audit/config) where supported.
- One-click validate + sync triggers.
Export Ingest (Partner‑Gated Vendors)
Automate closed systems without collecting customer content.
- Replace screenshot scrambles with repeatable exports + mappings.
- Normalize vendor exports into canonical resources for tests and evidence.
- Keep scope tight: target admin/audit/config metadata only by schema.
- S3 “dropbox” ingest (CSV/JSON/JSONL).
- Mapping UI with local sample preview (data minimization).
- Schema validation + import jobs with stats and error samples.
Continuous Drift Tests
Detect changes that matter, automatically.
- Spot control drift (MFA changes, missing EDR coverage, stale logs) quickly.
- Reduce manual audit prep by keeping posture continuously evaluated.
- Prevent duplicate noise using deterministic finding dedupe.
- Safe test DSL on canonical resources (no arbitrary code execution).
- Findings with first/last seen, severity, status (open/ack/resolved).
- Baseline + diff snapshots for drift-style tests (where applicable).
Findings → Tickets (Jira + ServiceNow)
Route compliance drift into the systems teams already use.
- Make compliance actionable: findings create/update tickets.
- Keep status aligned with reality via reconciliation (back‑sync).
- Avoid double entry by mapping finding lifecycle to ticket workflows.
- Ticket drivers for Jira Cloud + ServiceNow + webhook fallback.
- Manual sync + reconcile controls to validate configuration.
- Per-finding ticket links and status visibility.
Notifications (Slack / Email / Webhook)
Get alerted on drift, staleness, and key lifecycle events.
- Notify the right channel when drift happens—before it becomes audit debt.
- Use webhooks to connect to automation tools (Zapier/Tines/Torq, etc.).
- Support “test notifications” so teams can verify routing quickly.
- Slack Incoming Webhook, SES email, and generic webhook destinations.
- Event queue + retry semantics (job-driven).
- Auditability of notification events (queued/sent/failed).
SIEM / Log Ingest (Splunk HEC + Syslog)
Normalize security events and monitor ingest freshness.
- Centralize log evidence without committing to a single SIEM vendor.
- Normalize into a canonical security.event so tests can reason over logs.
- Detect ingest outages with staleness monitoring.
- Splunk HEC-compatible endpoint + syslog receiver (TLS optional).
- Raw log storage to S3 logs bucket + ingest processing jobs.
- Ingest health drift test for “no events received” windows.
Evidence Vault + Integrity
Immutable artifacts with hashes and manifests.
- Make audits defensible: every artifact is hashed and traceable.
- Keep evidence minimal by default; include raw objects only when needed.
- Support WORM storage patterns (S3 Object Lock) where required.
- Evidence artifacts stored with SHA256 + metadata.
- Optional Object Lock/WORM configuration per tenant deployment.
- Presigned downloads for auditor access (role-gated).
Auditor Export Packages
One-click ZIP with manifest + checksums.
- Ship an auditor-ready evidence packet without ad-hoc file hunting.
- Prove integrity with checksums and a machine-readable manifest.
- Keep exports consistent across renewals, exams, and diligence.
- ZIP package + `manifest.json` + `checksums.sha256`.
- Findings report included (metadata-first).
- Download via presigned URL; store in tenant bucket as needed.
Framework Mapping + Traceability
Tie controls → tests → evidence → findings.
- Turn frameworks into a working system, not a spreadsheet.
- See which controls have evidence, which are missing, and why.
- Generate traceability views that reduce audit back-and-forth.
- Framework templates (GLBA/NYDFS/PCI + sector overlays where available).
- Apply wizard to create evidence specs and enable tests.
- Traceability matrix and audit report exports.
Single‑Tenant AWS Isolation
One AWS account per customer, least privilege by default.
- Customer isolation by design: data and workloads do not co-mingle.
- Easier security reviews: clear boundaries and scoped IAM roles.
- Cost-aware, event-driven primitives (S3→SQS, workers, schedulers).
- Terraform modules for VPC/ECS/S3/SQS/RDS/KMS/WAF/alarms/budgets.
- Secrets in AWS Secrets Manager (no plaintext config).
- Deployable to a single EC2 box for dev/demo when needed.
Your Security Team's Aurora
Aurora reads your policies and evidence, then drafts responses you can review and approve, fast, consistent, and exportable.
Context-Aware AI
Not generic templates. Aurora learns your specific architecture, policies, and past responses to provide accurate, consistent answers.
Evidence-Backed Responses
Every answer can link back to your policies and uploaded evidence. No more “trust me” responses.
Continuous Learning
Your response library grows smarter with every questionnaire. Approved answers become your "golden source" for future assessments.
Built for real security questionnaires
Upload what you have today, get immediate coverage signals, then turn the rest into tracked requirements and remediation.
The Complete Platform
Everything Connected. Nothing Siloed.
One platform that replaces your spreadsheets, point solutions, and manual processes. Every feature works together to create a defensible security program.
Risk Register 2.0
Track risks from identification through remediation with clear ownership, status, and an audit trail.
- Automatic risk scoring (5x5 matrix)
- Evidence-linked mitigation tracking
- Board-ready risk reports
Compliance & Requirements Tracking
Track what you need to meet (and prove) in one place. Start with NAIC 668 and add your own business requirements as you discover them.
- NAIC 668 + available state overlays (expanding)
- One-click “Track requirement” from assessments
- Tie gaps to remediation work
Evidence Library
Centralize screenshots, reports, policies, and vendor documents. Then link them directly to answers and requirements.
- Organize evidence by category
- Capture Wizard (extension or no-install) with signed manifests and independent timestamps
- Audit trails for downloads and changes
- Link evidence to answers and requirements
Vendor Risk Management
Track vendor details, documents, and review status so you can answer “who has access to what?” with confidence.
- Automated vendor assessments
- Contract & SLA tracking
- Risk-based vendor tiering
Guided Assessments
Turn complex requirements into a step-by-step assessment. Capture answers, attach evidence, and create remediation items for gaps.
- Pre-built industry templates
- Automatic task generation
- Progress tracking & reporting
Living Policy Library
Policies that actually get used. Start from an exam-ready NAIC-first library, then customize, approve, and auto-link to evidence.
- 50 exam-ready policy + standard templates
- Approval workflow + audit trail
- Upload existing policies + auto-link to controls
- Review cadence reminders (Calendar)
A complete, examiner-ready operating system.
Not a toolbox. A connected workflow for policies, evidence, assessments, vendors, incidents, and exports—so you can answer “show me” quickly.
The Aurora Method
Your Compliance Flywheel
Stop treating compliance as a once-a-year scramble. Aurora creates a continuous improvement cycle that strengthens with every turn.
Assess
Run guided assessments and questionnaires. Aurora drafts answers and you review.
Identify
Turn new questions into tracked requirements with one click.
Remediate
Create remediation items, assign owners, and track progress.
Prove
Attach evidence to answers and export a clean packet when you’re done.
Result: Your compliance posture improves automatically with every cycle.
No more annual scrambles. No more failed audits. Just continuous, demonstrable improvement.
Solutions by Industry
Built for Your Specific Challenges
Every industry has unique compliance requirements. Aurora adapts to your world, not the other way around.
SaaS & Tech Companies
Respond Faster. Stay Consistent.
When enterprise prospects send 200+ question security reviews, keep momentum without burning engineering time. Draft responses, attach evidence, and export a clean packet.
- Talk to Aurora for questionnaires
- Talk to Aurora over your policies
- Reusable response library (“golden answers”)
- Evidence-backed exports (CSV/ZIP)
- Turn gaps into tracked remediation
Insurance Agencies
NAIC 668 & Carrier Readiness
Stop scrambling before carrier audits. Keep policies, evidence, and assessment answers organized and mapped to what carriers and regulators ask for.
- NAIC Model Law 668 compliance
- State overlay mapping (expanding)
- Aurora for policy + evidence questions
- Carrier questionnaire workflows
- Evidence packet exports (ZIP + CSV manifests)
Regulated Teams
Policies, Evidence, Remediation
Build a defensible compliance program with a single source of truth: requirements, policies, evidence, assessments, and remediation, without a giant GRC rollout.
- Requirements tracking (including custom)
- Aurora with citations
- Assessment runner + assignments
- Evidence library linked to answers
- Export packets for audits/reviews (ZIP + CSV manifests)
Transparent Pricing
Pay for Value, Not Complexity
Simple, predictable pricing that scales with your business. No hidden fees, no surprise audits.
Tell us your team size and workflow volume, and we will recommend a starting plan.
FAQ
Everything You Need to Know
Got questions? We've got answers. Can't find what you're looking for? Contact our team.
How quickly can we get started?
Usually in a single call. Upload your policies/evidence, then run your first assessment or questionnaire. You’ll immediately see coverage and what needs work.
What security frameworks do you support?
Today: NAIC Model Law 668 + state insurance requirements, plus custom “Business Requirements” you can track (and add from assessments). More frameworks are on the roadmap. Tell us what you need.
How does the AI questionnaire responder work?
Aurora ingests questionnaires (XLSX, CSV, Word, PDFs, TXT), uses your policies/evidence and approved “golden answers” to draft responses with citations, then you review before export. Aurora is the fast lane for day-to-day questions (“Do we require MFA?”) and assessment help — grounded in your policy base.
Can Aurora replace our current GRC tool?
Aurora focuses on the workflows teams get stuck on: policies, evidence, requirements tracking, assessments, and remediation. If you need deeper GRC modules, we’ll be transparent about what’s in-product vs. on the roadmap.
What about data security and privacy?
We follow strong security basics (access controls, audit logging, encrypted transport). For AI features, we use the OpenAI API; OpenAI states API data is not used to train their models by default. We do not claim third‑party certifications today.
Do you offer professional services?
Yes. Our Virtual CISO team provides policy writing, framework implementation, audit preparation, and ongoing compliance advisory. Available as needed or through annual retainers.