EXP-001

Vanguard

Static Analysis for RMF-First Engineering.

// CORE QUESTION

"Can a static analysis engine generate continuous, audit-ready RMF evidence as developers build, accelerating toward ATO instead of away from it?"

Vanguard is the federal-grade static analysis engine built for programs that need to move fast without breaking compliance. Designed for software development environments, Vanguard continuously generates RMF-ready evidence as developers build enabling rapid iteration that accelerates directly toward ATO instead of away from it.

Where traditional SCA tools focus on vulnerabilities alone, Vanguard enforces mission-aligned engineering discipline, mapping code behavior to NIST SP 800-53 controls, supply-chain indicators, and architectural intent. The result: software applications that are secure, traceable, and ATO-advantaged from day one.

// 01

The Gap Legacy Tools Left Open

Federal programs increasingly demand:

Rapid experimentation Prototype-driven discovery Accelerated ATO timelines Continuous RMF evidence generation

But legacy SCA tools were built for enterprise IT, not for mission-critical experimental software. They flag vulnerabilities. They do not map code behavior to control frameworks. They do not generate compliance evidence. They do not understand the difference between a security finding and an RMF-relevant finding.

Vanguard fills that gap. It is the first SCA engine designed specifically for federal R&D, prototyping, and high-consequence software development.

"RMF-First static analysis. Annotation-driven control mapping. Mission-context rule enforcement. Automated evidence export. Federal-grade traceability."

// VANGUARD DESIGN PREMISE

Legacy SCA tools were built for enterprise IT, not mission-critical experimental software. Vanguard fills that gap. Vanguard is built specifically for federal programs and high-consequence software development.

// 02

Mapped to NIST SP 800-53 Rev5

Annotation-Driven Architecture Mapping

Vanguard evaluates code against NIST SP 800-53 Rev5 control families. Each rule is tied to a specific control family, a control enhancement, and a mission-relevant rationale. This creates ATO-ready evidence automatically as developers write code.

AC Access Control
SC System & Comms Protection
SA System & Services Acquisition
SI System Integrity
IA Identification & Auth
PL Planning
CM Configuration Management
CP Contingency Planning
SR Supply Chain Risk Mgmt
PM Program Management
Control Family

Each rule maps to a specific NIST 800-53 control family.

Control Enhancement

Each rule maps to a specific enhancement within the family.

Mission Rationale

Each rule includes a mission-relevant rationale, not just a compliance reference.

// 03

Security Context in the Code

Annotation-Driven Architecture Mapping

Annotation-Driven Architecture Mapping

Vanguard introduces a federal-grade annotation model that allows developers to declare security context directly in code. These annotations become analysis inputs, RMF evidence, traceability artifacts, and dashboard-visible metadata simultaneously.

@security-boundary

Security perimeter declarations

@data-classification

Data sensitivity levels

@auth-requirement

Authentication requirements

@supply-chain

Supply-chain dependencies

@lifecycle-metadata

Build-run provenance

@audit-event

Compliance event markers

@config-item

Configuration management items

// ANNOTATION OUTPUT

These annotations become:

Analysis inputs RMF evidence Traceability artifacts Dashboard-visible metadata
// 04

Five Language Ecosystems

Multi-Language Analysis Pipeline

Multi-Language Analysis Pipeline

Vanguard supports experimental and operational codebases across five language ecosystems. Each integration uses language-native tooling with a unified output layer mapping all findings to the same NIST control taxonomy.

C# / .NET

Native Roslyn analyzers

Python

Bandit integration

JavaScript / TypeScript

ESLint security rules

Go

gosec

Java

Semgrep-based rulesets

// UNIFIED OUTPUT

Each language integration produces findings mapped to the same NIST 800-53 control taxonomy. The output format is language-agnostic. The evidence is consistent across the entire codebase regardless of language mix.

// 05

Single Pane of Glass

Vanguard Dashboard

Vanguard Dashboard
Vanguard Dashboard

The companion dashboard is designed for engineering leads, ISSOs, and ATO teams. Three audiences who need to see the same data in different contexts.

Real-Time Rule Violations

Live feed of analysis findings as they occur during builds.

RMF Coverage Heatmaps

Visual mapping of NIST SP 800-53 control family coverage across the codebase.

Annotation Completeness Scoring

Per-module scoring of annotation completeness. Incomplete annotation is surfaced as an ATO risk.

Supply-Chain Risk Indicators

Continuous monitoring of dependency provenance, license compliance, and known-vulnerability exposure.

Build-to-Build Drift Analysis

Comparison of RMF control coverage and rule violation profile across consecutive builds.

Evidence Export History

Complete record of all evidence packages generated, with timestamps and build identifiers.

// IDE INTEGRATION

Vanguard surfaces findings inline in the IDE, not just in a dashboard. Engineering discipline encoded at the point of writing, not discovered at review.

// 06

Every Scan Produces a Complete Package

Automated Evidence Export

Automated Evidence Export

Every Vanguard scan produces a complete evidence package ready for ATO workflows.

What Every Scan Produces
RMF control mappings
Rule violations
Architectural metadata
Supply-chain indicators
SBOM artifacts
License compliance reports
Build-run provenance
Export Formats
JSON CSV Dashboard ingestion ATO package integration
// ATO-ADVANTAGED FROM DAY ONE

Vanguard does not add compliance to the end of the development process. Every line of code analyzed generates evidence. When the formal ATO process begins, the evidence package exists, built continuously during development, not reconstructed before the audit.

// 07

What We're Still Working Out

These are honest open questions, not answered by the current implementation.

"At what level of annotation completeness does a codebase produce ATO evidence that meaningfully reduces formal audit scope?"

// Active area of development.

"Can Vanguard's control family coverage extend reliably to PL and PM families, or are planning and program management resistant to automated static analysis?"

// Partially addressed. The boundary is not yet well-characterized.

"How does Vanguard perform on AI-generated code? Do annotations survive AI-assisted refactoring?"

// Emerging priority. Untested at scale.

"Can the evidence-first architecture extend to runtime analysis generating evidence from running systems, not just static code?"

// Soteria (EXP-002) is exploring this. Integration is a design question.