Open source · agentic continuous control monitoring

Don't attest your controls once a year. Continuously validate them.

Sightline is the open-source compliance platform that continuously evaluates each control against the evidence it ingests — turning point-in-time checkbox attestations into live pass / at-risk / fail verdicts, each with a “last validated” time and drift detection, across NIST CSF 2.0, HIPAA, SOC 2, and FERPA. Self-host it for free, or let us run it for you. No security team required.

Continuous control monitoring · validation rate 73%

Live verdicts, not a yearly checkbox

Each control evaluated against ingested evidence. Worst-first, so what needs validation leads.

validated PR.AC-4 · last validated 4h ago

at risk PR.DS-2 · stale evidence — not validated in 9d

failing PR.DS-1 · disk encryption off

trending DE.CM-1 · ages out in 1.6d — validate before it lapses

One assessment. Every framework you carry.

NIST CSF 2.0 · HIPAA · SOC 2 · PCI DSS · ISO/IEC 27001 · CMMC 2.0 · FERPA · GDPR · NIST AI RMF

The 2026 shift

A control you attested in January isn't a control that's true in June.

The old model — the one most tools still run — is a point-in-time checkbox: someone marks a control “in place,” and it sits green until the next audit cycle, long after the evidence behind it went stale. That's how a passing control quietly drifts into a failing one with nobody watching.

Sightline takes the agentic approach: every control is continuously evaluated against the evidence Sightline ingests, producing a live pass / at-risk / fail verdict — with a “last validated” time and drift detection — so you know what's true right now, not what was true last quarter.

Point-in-time attestation

  • Check a box, hope it stays true
  • Green until the next audit cycle
  • Stale evidence still reads “compliant”
  • You find the drift after it lapses
  • No record of when a control was last proven

Continuous validation — with Sightline

  • Each control evaluated against live evidence
  • Real-time pass / at-risk / fail verdicts
  • Stale evidence drops a control to “at risk”
  • Forecast flags drift before it lapses
  • A “last validated” time on every control

What you get

Compliance that validates itself — and explains itself.

Continuous verdicts

Each control is evaluated against ingested evidence into a live pass / at-risk / fail verdict, with a “last validated” time. Stale evidence drops a passing control to at-risk.

Predictive forecast

Sightline flags controls trending toward failure — running out of freshness runway, or already degrading — so you validate before the control lapses.
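The verdict model described under “Continuous verdicts” and “Predictive forecast” boils down to a freshness window per control: evidence that passes and is fresh yields pass, evidence that has aged out drops the control to at-risk, failing evidence yields fail, and a pass whose remaining runway is short is flagged as trending so it can be re-validated before it lapses. The following is an added illustration of that logic, not Sightline's code; the 7-day freshness window, the 25% trending threshold, and the sample evidence are constructed for the example, and the control IDs are the NIST CSF identifiers shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions for this example (not Sightline settings): every control's evidence
# stays fresh for 7 days, and a pass with <= 25% of its window left is "trending".


@dataclass
class Evidence:
    collected_at: datetime   # when the evidence was ingested / observed
    passed: bool             # whether the check encoded by the evidence passed
    detail: str = ""         # short human-readable description


@dataclass
class Control:
    control_id: str
    max_age: timedelta                 # freshness window (assumed per-control setting)
    evidence: Optional[Evidence] = None


@dataclass
class Verdict:
    control_id: str
    status: str                        # "pass" | "at-risk" | "fail"
    trending: bool                     # a pass that is close to ageing out
    last_validated: Optional[datetime]
    ages_out_in: Optional[timedelta]   # runway left before the evidence goes stale
    note: str


# Worst-first ordering: fail, then at-risk, then trending passes, then healthy passes.
SEVERITY = {"fail": 0, "at-risk": 1, "pass": 2}


def evaluate(control: Control, now: datetime, warn_fraction: float = 0.25) -> Verdict:
    """Turn one control's latest evidence into a live verdict at time `now`."""
    ev = control.evidence
    if ev is None:
        # Nothing has ever proven the control: it cannot be called passing.
        return Verdict(control.control_id, "at-risk", False, None, None,
                       "no evidence ingested")
    if not ev.passed:
        # Failing evidence is a failing control, however fresh it is.
        return Verdict(control.control_id, "fail", False, ev.collected_at, None,
                       ev.detail or "check failed")
    age = now - ev.collected_at
    if age > control.max_age:
        # Stale evidence demotes a passing control to at-risk (it is not proven false,
        # but it is no longer proven true).
        return Verdict(control.control_id, "at-risk", False, ev.collected_at, timedelta(0),
                       f"stale evidence - not validated in {age.days}d")
    remaining = control.max_age - age
    trending = remaining <= control.max_age * warn_fraction
    note = (f"ages out in {remaining.total_seconds() / 86400:.1f}d - validate before it lapses"
            if trending else
            f"last validated {age.total_seconds() / 3600:.0f}h ago")
    return Verdict(control.control_id, "pass", trending, ev.collected_at, remaining, note)


def worst_first(verdicts: list) -> list:
    """Order verdicts so what needs attention leads: by status, then trending, then runway."""
    def key(v: Verdict):
        runway = v.ages_out_in.total_seconds() if v.ages_out_in is not None else 0.0
        return (SEVERITY[v.status], 0 if v.trending else 1, runway)
    return sorted(verdicts, key=key)


def validation_rate(verdicts: list) -> float:
    """Share of controls currently holding a pass verdict."""
    if not verdicts:
        return 0.0
    return sum(v.status == "pass" for v in verdicts) / len(verdicts)


# Constructed sample evidence, chosen to reproduce the four widget rows on this page.
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
WEEK = timedelta(days=7)
SAMPLE_CONTROLS = [
    Control("PR.AC-4", WEEK, Evidence(NOW - timedelta(hours=4), True, "access review")),
    Control("PR.DS-2", WEEK, Evidence(NOW - timedelta(days=9), True, "TLS config scan")),
    Control("PR.DS-1", WEEK, Evidence(NOW - timedelta(hours=1), False, "disk encryption off")),
    Control("DE.CM-1", WEEK, Evidence(NOW - timedelta(days=5.4), True, "monitoring export")),
]


def run_sample() -> list:
    return worst_first([evaluate(c, NOW) for c in SAMPLE_CONTROLS])


if __name__ == "__main__":
    verdicts = run_sample()
    for v in verdicts:
        label = v.status + (" (trending)" if v.trending else "")
        print(f"{label:<18} {v.control_id:<8} {v.note}")
    print(f"validation rate {validation_rate(verdicts):.0%}")
```

Run as a script it lists PR.DS-1 (fail) first, then PR.DS-2 (at-risk, stale for 9 days), then DE.CM-1 (pass but trending, 1.6 days of runway) and finally PR.AC-4; only two of the four sample controls are passing, so the sample's validation rate is 50%. The design point worth keeping from the page is that staleness and failure are separate states: a stale control is demoted, not marked failing, because the evidence no longer proves anything either way.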

Plain-English verdicts

Every control becomes “what we checked, why it matters to you, and what to do.” No jargon, no security degree required.

Every framework at once

A unified NIST CSF 2.0 model crosswalked to HIPAA, SOC 2, and FERPA — one connected platform shows where you stand across all of them.

A real dashboard

A full-width, drill-down dashboard with findings, vulnerabilities, framework detail, and a board-ready executive summary.

Built-in GRC review

Track licensed-professional sign-off on your mappings, so your reports move from “indicative” to audit-ready.

Why now

AI and regulation are widening the gap — fast.

Compliance obligations are multiplying (NIST CSF 2.0, DORA, NIS2, the EU AI Act, dozens of state privacy laws). At the same time, AI is accelerating both the sophistication of attacks and the volume of new exposure. The distance between what an organization is responsible for and what it actually understands has never been larger. Proactive isn't a nice-to-have anymore — it's survival.

22+ frameworks and regulations in play
Continuous verdicts, not a yearly checkbox
Before it lapses — drift caught early

Stop guessing where you stand.

Get a plain-English compliance verdict for your organization — and the three things to fix first.