Sightline is open source — self-host it yourself for free, or let us host it for you. It ingests evidence about your posture, evaluates each control against it into a live pass / at-risk / fail verdict with a “last validated” time, forecasts the controls trending toward failure, and explains every one in language a non-technical decision-maker can act on — across every framework you carry.
Zero-config, then connect
sightline check assesses this machine out of the box — no setup, no scope file. Beyond that, connectors pull evidence from the tools you already run — Microsoft 365, Okta, JAMF, Intune, AWS, Azure, GCP, GitHub, and more — and return it in exactly the same shape the built-in scanners produce, so it flows into the same evidence graph and the same verdicts.
Scheduling those live connector syncs on a cadence — credentials held per tenant, refreshed automatically — runs on the hosted platform runner and is rolling out. The ingestion and evaluation behind it ship today; until the runner is configured, a scheduled-sync request is reported as deferred, never faked.
Every signal carries source, tenant & an integrity digest.
Connects to the tools you already run
Agentic continuous control monitoring
Sightline fuses each control's evaluated status with the freshness of the evidence behind it. A control that's evaluated “pass” but whose proof has gone stale drops to at risk — because it is no longer continuously validated. Every monitored control carries a “last validated” time, a clear reason, and a verdict you can act on.
Worst-verdict-first, stale before fresh.
Predictive forecast
For every control that isn't already failing, Sightline reads that control's own posture timeline for two early signals — evidence about to age out of the freshness window, or a trend that's already degrading (a warning or fail observed after an earlier pass). Either one flags the control as trending to failure, with the days left, so you can re-validate before it crosses.
DE.CM-1 — evidence ages out of the freshness window in 1.6d. Re-validate before it lapses.
PR.IP-12 — evidence trend is degrading (warning after pass). Validate before it lapses.
No global model, no ML — each control judged on its own history.
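The per-control forecast described above, written out as an added example (not Sightline's own code). It assumes a seven-day freshness window and a three-day lead time, neither of which the page states, a status vocabulary of pass / warning / fail, and constructed posture timelines keyed by the control ids the page uses. Each control is judged only on its own timeline: first for evidence about to age out, then for a warning or fail observed after an earlier pass.

```python
from datetime import datetime, timedelta, timezone

FRESHNESS_WINDOW = timedelta(days=7)   # assumed; the real window is not stated on the page
LEAD_TIME = timedelta(days=3)          # assumed: flag evidence that ages out within this long
DEGRADED = {"warning", "fail"}

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
# Constructed per-control posture timelines: (observed_at, status), oldest first.
TIMELINES = {
    "DE.CM-1": [(NOW - timedelta(days=5, hours=9, minutes=36), "pass")],
    "PR.IP-12": [(NOW - timedelta(days=4), "pass"), (NOW - timedelta(days=1), "warning")],
    "PR.AC-4": [(NOW - timedelta(days=2), "pass"), (NOW - timedelta(hours=3), "fail")],
    "PR.DS-2": [(NOW - timedelta(hours=6), "pass")],
}


def trend_is_degrading(timeline):
    """True when a warning or fail was observed after an earlier pass on this control."""
    seen_pass = False
    for _, status in timeline:
        if status == "pass":
            seen_pass = True
        elif status in DEGRADED and seen_pass:
            return True
    return False


def forecast_control(control_id, timeline, now=NOW, window=FRESHNESS_WINDOW, lead=LEAD_TIME):
    """None if the control is not trending to failure, else the reason and days left."""
    if not timeline:
        return None
    latest_at, latest_status = timeline[-1]
    if latest_status == "fail":
        return None                       # already failing: nothing left to forecast
    time_left = latest_at + window - now  # when the newest evidence leaves the window
    days_left = round(time_left / timedelta(days=1), 1)
    if time_left <= lead:
        reason = f"ages out in {days_left}d"
    elif trend_is_degrading(timeline):
        reason = f"trend is degrading ({latest_status} after pass)"
    else:
        return None
    return {"control": control_id, "reason": reason, "days_left": days_left}


def forecast_all(timelines, now=NOW):
    """All flagged controls, soonest to lapse first."""
    flagged = []
    for cid, timeline in timelines.items():
        hit = forecast_control(cid, timeline, now)
        if hit:
            flagged.append(hit)
    return sorted(flagged, key=lambda f: f["days_left"])


def render(flagged):
    """One line per flagged control, in the shape of the monitor output."""
    return [f"⏳ TRENDING {f['control']}: {f['reason']}" for f in flagged]


if __name__ == "__main__":
    for line in render(forecast_all(TIMELINES)):
        print(line)
```

With the constructed timelines, DE.CM-1 is flagged with 1.6 days left and PR.IP-12 for its degrading trend; PR.AC-4 is skipped because it already fails, and PR.DS-2 is fresh and stable.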
Evidence graph
Verdicts are only as good as what backs them, so Sightline stores evidence in a tamper-evident graph. Every signal carries its provenance (which scanner or connector produced it — never anonymous), an integrity digest (a signal whose digest doesn't match is rejected on ingest, even when reloaded from disk), and a tenant scope (one client's evidence never bleeds into another's). Rejected signals are counted, not silently dropped.
Frozen once created · re-validated on every reload.
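The three properties the paragraph names (provenance, integrity digest, tenant scope) plus the reject counter, as an added illustration that is not Sightline's implementation. It assumes a SHA-256 digest over the signal's source, tenant, control and canonical payload, rejects anonymous or mismatching signals on ingest, re-runs the same check when reloading from its serialized form, and uses constructed tenants, sources and observations.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class Signal:
    """One piece of evidence. Frozen: fields cannot be reassigned once created."""
    source: str    # scanner or connector that produced it; empty means anonymous
    tenant: str    # client scope the evidence belongs to
    control: str   # control id the evidence speaks to
    payload: str   # canonical JSON of the observation (text, so the record stays immutable)
    digest: str    # sha256 over (source, tenant, control, payload)


def compute_digest(source, tenant, control, payload):
    canonical = json.dumps([source, tenant, control, payload], separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_signal(source, tenant, control, observation):
    payload = json.dumps(observation, sort_keys=True, separators=(",", ":"))
    return Signal(source, tenant, control, payload,
                  compute_digest(source, tenant, control, payload))


class EvidenceGraph:
    def __init__(self):
        self._signals = []
        self.rejected = 0   # rejected signals are counted, never silently dropped

    def ingest(self, signal):
        """Accept only signals that name a producer and whose digest verifies."""
        expected = compute_digest(signal.source, signal.tenant, signal.control, signal.payload)
        if not signal.source or signal.digest != expected:
            self.rejected += 1
            return False
        self._signals.append(signal)
        return True

    def for_tenant(self, tenant, control=None):
        """Tenant-scoped view: one client's evidence never appears in another's."""
        return [s for s in self._signals
                if s.tenant == tenant and (control is None or s.control == control)]

    def to_json(self):
        return json.dumps([asdict(s) for s in self._signals])

    @classmethod
    def from_json(cls, text):
        """Reload through ingest(), so every digest is re-validated on every reload."""
        graph = cls()
        for record in json.loads(text):
            graph.ingest(Signal(**record))
        return graph


def run_demo():
    """Constructed walk-through: two good signals, one tampered, one anonymous, then a tampered reload."""
    graph = EvidenceGraph()
    good_a = make_signal("scanner:disk-encryption", "clinic-a", "PR.DS-2",
                         {"device": "laptop-01", "encrypted": False})
    good_b = make_signal("connector:intune", "school-b", "PR.DS-2",
                         {"device": "laptop-77", "encrypted": True})
    tampered = replace(good_a, payload=good_a.payload.replace("false", "true"))  # digest unchanged
    anonymous = make_signal("", "clinic-a", "PR.AC-4", {"mfa": False})
    results = [graph.ingest(s) for s in (good_a, good_b, tampered, anonymous)]

    records = json.loads(graph.to_json())                      # simulate the on-disk form
    records[0]["payload"] = records[0]["payload"].replace("false", "true")  # edit it out of band
    reloaded = EvidenceGraph.from_json(json.dumps(records))
    return {
        "ingest_results": results,
        "rejected_on_ingest": graph.rejected,
        "clinic_a_controls": [s.control for s in graph.for_tenant("clinic-a")],
        "school_b_controls": [s.control for s in graph.for_tenant("school-b")],
        "reloaded_count": len(reloaded.for_tenant("clinic-a")) + len(reloaded.for_tenant("school-b")),
        "rejected_on_reload": reloaded.rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The digest covers the tenant and source as well as the payload, so re-labelling a signal to another tenant or stripping its producer is caught the same way as editing the observation itself.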
CI gating
Drift isn't only “a control failed.” Sightline also tracks verdict drift — a control that lost continuous validation even when its raw status didn't move, because its evidence went stale. Run sightline monitor --fail-on-drift in a pipeline and it exits non-zero on any regression — a status drop, a verdict regression, or a new failing finding — so a compliance regression stops a release the same way a failing test does.
sightline monitor --fail-on-drift # exit 2 on regression
⚠ VERDICT PR.DS-2: pass → at_risk (lost validation)
⚠ REGRESSED PR.AC-4: pass → fail
⏳ TRENDING DE.CM-1: ages out in 1.6d
exit code: 2 — release blocked.
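The verdict fusion from the continuous-monitoring section (status plus evidence freshness, worst-verdict-first and stale-before-fresh ordering) and the drift check from this section, as one added example that is not Sightline's own code. It assumes a seven-day freshness window, statuses pass / warning / fail, verdicts pass / at_risk / fail, exit code 2 on any regression as in the output above, and two constructed runs five days apart using control ids from the page.

```python
from datetime import datetime, timedelta, timezone

STATUS_RANK = {"pass": 0, "warning": 1, "fail": 2}    # raw evaluated status
VERDICT_RANK = {"pass": 0, "at_risk": 1, "fail": 2}   # fused verdict
FRESHNESS_WINDOW = timedelta(days=7)                  # assumed; not stated on the page


def verdict(status, last_validated, now, window=FRESHNESS_WINDOW):
    """Fuse the evaluated status with evidence freshness into pass / at_risk / fail."""
    if status == "fail":
        return "fail"
    stale = (now - last_validated) > window
    if status == "warning" or stale:
        return "at_risk"   # an evaluated pass whose proof went stale is no longer continuously validated
    return "pass"


def evaluate(observations, now, window=FRESHNESS_WINDOW):
    """observations: {control_id: (status, last_validated)} -> snapshot taken at `now`."""
    snapshot = {}
    for cid, (status, last_validated) in observations.items():
        snapshot[cid] = {
            "status": status,
            "verdict": verdict(status, last_validated, now, window),
            "stale": (now - last_validated) > window,
        }
    return snapshot


def order_controls(snapshot):
    """Worst verdict first; within a verdict, stale evidence before fresh; then by id."""
    return sorted(snapshot, key=lambda c: (-VERDICT_RANK[snapshot[c]["verdict"]],
                                           not snapshot[c]["stale"], c))


def drift(previous, current):
    """Regressions between two snapshots: status drops, verdict regressions, new failing findings."""
    events = []
    for cid in sorted(current):
        cur = current[cid]
        if cid not in previous:
            if cur["status"] == "fail":
                events.append(("NEW", cid, "fail (new failing finding)"))
            continue
        prev = previous[cid]
        if STATUS_RANK[cur["status"]] > STATUS_RANK[prev["status"]]:
            events.append(("REGRESSED", cid, f"{prev['status']} → {cur['status']}"))
        elif VERDICT_RANK[cur["verdict"]] > VERDICT_RANK[prev["verdict"]]:
            # status did not move, but the verdict did: evidence went stale
            events.append(("VERDICT", cid, f"{prev['verdict']} → {cur['verdict']} (lost validation)"))
    return events


def exit_code(events):
    """Mirror of --fail-on-drift: non-zero on any regression so the pipeline stops."""
    return 2 if events else 0


def render(events):
    return [f"⚠ {kind} {cid}: {detail}" for kind, cid, detail in events]


# Constructed sample: a run five days ago and a run now.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
PREV_RUN = NOW - timedelta(days=5)
PREVIOUS = evaluate({
    "PR.DS-2": ("pass", PREV_RUN - timedelta(days=3)),
    "PR.AC-4": ("pass", PREV_RUN - timedelta(days=1)),
    "DE.CM-1": ("pass", PREV_RUN - timedelta(days=1)),
}, PREV_RUN)
CURRENT = evaluate({
    "PR.DS-2": ("pass", NOW - timedelta(days=8)),    # same evidence, never re-validated: now stale
    "PR.AC-4": ("fail", NOW - timedelta(hours=1)),    # raw status dropped
    "DE.CM-1": ("pass", NOW - timedelta(days=5, hours=10)),
    "PR.IP-12": ("fail", NOW - timedelta(hours=2)),   # not present in the previous run
}, NOW)


def run_demo():
    events = drift(PREVIOUS, CURRENT)
    return {"events": events, "exit_code": exit_code(events), "order": order_controls(CURRENT)}


if __name__ == "__main__":
    result = run_demo()
    for line in render(result["events"]):
        print(line)
    print("exit code:", result["exit_code"])
```

PR.DS-2 is the verdict-drift case: its status is still pass in both runs, but the evidence behind it is now eight days old, so the fused verdict drops to at_risk and the run exits 2 even though no control newly failed on its own.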
Unified control model
Findings map to one NIST CSF 2.0 control catalog, crosswalked to HIPAA, SOC 2, and FERPA using published mappings (AICPA Trust Services Criteria, US Dept. of Education guidance). A clinic sees HIPAA + NIST. A school sees FERPA + NIST. A startup sees SOC 2 + NIST — all from one connected dashboard.
Plain-English translation
Every control is rendered as three plain questions — what we checked, why it matters to you, and what to do — at an 8th-grade reading level. Deterministic and reproducible. Your IT team gets the detail; your executives get the meaning.
What we found: sensitive data on devices isn't encrypted.
Why it matters: a lost laptop becomes a reportable breach.
What to do: turn on FileVault / BitLocker on every device.
The dashboard
A verdict-first one-pager: your posture, your coverage, and the top three actions — the thing that gets security funded.
Click any finding, vulnerability, or framework for control-level depth. Filter, explore, and hand the technical layer to IT.
Scores are computed over what was actually evaluated, with coverage stated plainly. A thin scan can never look like “half compliant.”
GRC review workflow
Crosswalks ship clearly marked as indicative. Your compliance professional signs off per framework with a single command, and the caveat clears — so what you hand an auditor is backed by a real review, never a black box.
sightline grc mark "HIPAA" --status reviewed --reviewer "Jane Doe, CISA"
Get a plain-English compliance verdict for your organization — and the three things to fix first.