Designed for organizations with strict data residency, sovereignty, or regulatory requirements that prohibit code, findings, or inference from leaving their environment.
Air-gapped deployments also available.
Keygraph Enterprise deploys entirely within your cloud infrastructure. Source code, scan results, and AI inference remain within your security perimeter, with no Keygraph-managed control plane and no externally operated data plane.
Every component runs inside your cloud account.
Deployed in your cloud. Scans repos and infrastructure. Calls the LLM via your credentials.
Scheduling, workflow, and operator console all run on your compute.
Your Postgres. Your encryption. Your retention policy.
Integrates with your IdP via SAML 2.0 or OIDC: Okta, Microsoft Entra ID, Ping, Auth0, OneLogin, or any standards-compliant provider.
Run Keygraph in a fully network-isolated environment. Designed for FedRAMP, ITAR, defense, classified networks, and financial-services environments where every byte of egress requires legal sign-off.
Container images mirrored to your private registry, Docker Hub, ECR, GCR, Artifactory, or Harbor.
Models served from your own Anthropic Bedrock, Vertex AI, Azure OpenAI, or self-hosted endpoint.
No phone-home, no expiry-day surprises. Validation runs entirely inside your network.
Update bundles delivered as signed artifacts, applied on your schedule via your change-management process.
Plugs into the tools your security and engineering teams already run. Native connectors for source control, identity, container registries, ticketing, and AI inference.
The complete platform plus the service wrap, in one license. End-to-end coverage, a unified findings layer, and the support to make it land.
Finds exploitable vulnerabilities, not just pattern matches.
Simulates real attacker behavior against running applications.
Identifies workflow and authorization flaws traditional tools miss.
Terraform, CloudFormation, Kubernetes manifests.
Dependency and supply-chain risk.
Image and runtime configuration.
Committed credentials, tokens, keys.
Unified across all scanners. One queue, one triage model.
Tunable to your risk model and asset criticality.
Jira, GitHub, GitLab, Azure DevOps, Slack.
Granular permissions per project, scanner, and finding action. Inherit roles from your IdP groups.
Every scan, finding mutation, status change, suppression, role grant, and integration call recorded with actor, timestamp, source IP, and diff. Searchable, filterable, and exportable as JSON or CSV for SIEM ingestion or auditor evidence.
Provisioning, de-provisioning, and group mapping inherit from identity.
All scanners, all findings, no per-scan quotas.
Bring your own keys for infrastructure and AI providers.
A single point of contact, embedded with your team.
Usage, findings, and roadmap alignment, every quarter.
Custom SLAs written directly into your contract.
Typically 4 to 8 weeks, end to end.
JSON/CSV export for SIEM ingestion and compliance evidence.
No add-ons. All scanners, integrations, and service items are included in the base license; you do not buy modules.
Annual contracts. Net 30 standard. Procurement-friendly paper available: MSA, DPA, and security addendum templates ready for redline.
Schedule time with a solutions engineer. We will walk through your current AppSec architecture, identify coverage gaps, and design Keygraph's deployment into your environment.