Three Things. At the Core.
Automates Evidence Acquisition
Soteria ingests and normalizes compliance artifacts from any source, converting them into structured, queryable evidence objects with provenance, timestamps, and cryptographic integrity markers.
Maintains Continuous Authorization State
Soteria acts as the guardian of the system's authorization posture tracking drift, detecting evidence expiration, monitoring configuration changes, and generating real-time POA&M updates.
Performs Machine-Reasoned Control Evaluation
Instead of human-driven checklist review, Soteria applies automated scoring, correlation, and risk-weighted prioritization aligned with NIST 800-53 Rev 5, FedRAMP, and DoD CC SRG.
Evidence as Structured Data, Not Documents
Soteria ingests and normalizes compliance artifacts from any source, converting them into structured, queryable evidence objects with provenance, timestamps, and cryptographic integrity markers.
STIG Viewer Outputs
Automated ingestion and normalization of STIG compliance data.
SCAP / OVAL Results
Machine-readable security configuration results parsed directly.
Cloud Configuration Baselines
AWS, Azure, GCP configuration compliance baselines.
CI/CD Pipeline Scans
Integration with build pipelines for continuous evidence capture.
Manual Artifacts
PDF, XLSX, DOCX artifacts normalized into structured evidence objects.
API-Level Telemetry
Real-time telemetry from deployed systems via API integration.
Objective, Repeatable, Audit-Ready
Instead of human-driven checklist review, Soteria applies automated scoring, correlation, and risk-weighted prioritization. Control evaluation is objective, repeatable, and produces consistent results regardless of who runs it.
Control-to-Evidence Mapping
Every control in the NIST 800-53, FedRAMP, or DoD CC SRG catalog is mapped to the evidence objects that satisfy it. The mapping is explicit, traceable, and machine-verifiable.
Automated Pass/Fail Scoring
Controls are scored automatically based on the evidence in the system. Pass/fail decisions are deterministic. The same evidence produces the same result every time.
Gap Detection
Controls without sufficient evidence are identified automatically. Gaps are surfaced before audits, not discovered during them.
Risk-Weighted Prioritization
Controls are prioritized by risk weight, control family criticality, and mission relevance. The most important gaps get addressed first.
Soteria correlates evidence across multiple artifacts to satisfy controls that require evidence from more than one source. A control satisfied by a combination of a STIG result, a CI/CD scan, and a configuration baseline is handled natively, no manual cross-referencing.
// CONTROL INHERITANCE RESOLUTIONControls inherited from platform or agency overlays are resolved automatically. Programs do not re-prove what has already been proven at a higher level.
What Changes When Compliance Is Data-Driven
Soteria replaces manual, document-centric RMF workflows with automated, data-driven, machine-verifiable authorization pipelines.
Evidence Handling
Treat evidence as static documents · Manual upload, tagging, review · No provenance or cryptographic integrity · Evidence becomes stale without human refresh
Treats evidence as structured data objects · Automatically ingests STIGs, SCAP/OVAL, cloud baselines, CI/CD scans · Normalizes into a queryable evidence graph · Tracks provenance, timestamps, expiration, and drift
Control Evaluation
Checklist-driven and subjective · Human interpretation required for every control · No automated scoring or correlation · Inconsistent results across assessors
Machine-reasoned control evaluation · Automated pass/fail scoring · Cross-artifact correlation · Risk-weighted prioritization and inheritance resolution
Continuous Monitoring
Periodic manual review · No evidence expiration tracking · No real-time drift detection · POA&M updates require human intervention
Real-time drift detection · Evidence expiration alerts + automated refresh · Continuous POA&M generation · Live dashboards showing authorization posture
Integration & Automation
Limited or no API integration · Not designed for DevSecOps pipelines · Manual data entry dominates workflows · No automated RMF lifecycle execution
Full API-driven ingestion and dispatch · Integrates with CI/CD, cloud APIs, telemetry feeds · Automated RMF lifecycle (Categorize → Monitor) · Outbox-pattern dispatch for reliability
Auditability & Transparency
Opaque evidence trails · No tracking of failures or retries · Auditors rely on screenshots and narratives
Full audit trail for every evidence object · Dispatches, retries, failures persisted · Machine-verifiable integrity and provenance
Mission Fit
Built for document management · Not designed for cloud or telemetry-rich systems · Reactive, slow, labor-intensive
Data-driven, automated, continuous authorization · Designed for cloud, pipelines, telemetry ecosystems · Enables high-tempo missions and rapid fielding
When Compliance Becomes Automated
When compliance becomes automated, continuous, and evidence-driven, the operational, financial, and strategic gains are transformative.
Soteria does not reduce compliance rigor. It eliminates compliance waste, the human hours spent re-proving what the system already knows, re-assembling evidence that was already generated, and re-reviewing controls that have not changed. The rigor stays. The ceremony goes.
Open Questions
The questions Soteria cannot yet answer. The reason the experiment is still running.
"What signals indicate that Soteria should escalate from automation to human review, and how are those thresholds learned or tuned?"
// Active area of development.
"How does Soteria quantify uncertainty in its assessments, and how should that uncertainty be communicated?"
// Partially addressed, not yet well-characterized.
"How does Soteria evolve as federal frameworks evolve? Does it adapt automatically, or does it require human updates?"
// Emerging priority, with each new NIST update.
"What is the long-term role of Soteria in federal cybersecurity: assistant, auditor, or autonomous compliance officer?"
// Complete autonomy? Not likely, but what if?