Architecture

How Obsinto works

Obsinto runs your entire compliance program. Two layers work together: observability surfaces the signals across your systems and documents, and intelligence interprets what they mean for your posture.

1. Connect

Instrument your systems

Connect your cloud and the systems your program runs on. A single read-only connection reads your configuration and activity across AWS, Azure, or GCP, while document sources like Google Drive, SharePoint, and S3 sync in alongside it. Obsinto instruments your whole stack from one connection.

Source: AWS Config (resource state snapshots)

Source: CloudTrail (API activity events)

Source: Security Hub (security findings)

Also supports: Google Drive, SharePoint, S3 for document-based evidence sync.

2. Collect

Upload the evidence your systems cannot emit

Policies, attestations, access reviews, vendor assessments. Drag in the artifacts that live in Drive, Notion, or a shared folder, and Obsinto parses, tags, and maps them to the controls they satisfy.

PDF: Access Control Policy v3.2.pdf
Manual upload → Parsed → AC-1, AC-2, AC-6 mapped
Approved

PNG: Q1 Quarterly Access Review screenshot
Manual upload → Tagged → AC-2(1), AC-6(7) mapped
Approved

DOC: Vendor attestation, payroll processor
Manual upload → Parsed → SA-9, SA-12 mapped
Approved

3. Observe

Signals emit as your systems run

Every event across your connected systems becomes a compliance signal automatically. Deployments, IAM changes, and config updates are each classified as evidence and mapped to the controls they affect. No manual collection. No re-collection sprints before audit.

IAM policy change detected
CloudTrail → Signal emitted → AC-6(9) control mapped
Approved

S3 encryption config verified
AWS Config → Signal emitted → SC-8, SC-28 controls mapped
Approved

Least-privilege review completed
Security Hub → Signal emitted → AC-6 control family mapped
Approved

4. Intelligence

Know your live compliance posture

Every signal and uploaded document is classified and matched to specific framework controls. Obsinto scores the match, surfaces gaps, generates audit-ready narratives, and tracks how your posture evolves. One live view of what passes, what drifts, and what needs attention.

Control Match

50% match

AC-6(9): Log Use of Privileged Functions

Supports 0 covered statement(s) and 0 covered objective(s). Still missing 1 statement(s) and 0 objective(s).

Intelligence-Generated SSP Narrative

"The organization employs automated mechanisms to audit the execution of privileged functions. AWS CloudTrail logging captures all IAM policy changes and privilege escalations..."

Citations valid

Human-in-the-loop review

Live posture: updated continuously

Audit package: builds every day

Frameworks supported

One platform. Multiple frameworks. Evidence mapped natively across all of them.

SOC 2 (Type I & II)

Primary entry point. Trust Services Criteria mapped to infrastructure evidence.

NIST SP 800-53 Rev. 5

Full control catalog with 19 families. Baseline-aware scoping.

FedRAMP

OSCAL-native from day one. Supports Low, Moderate, and High baselines. Built for FedRAMP 20x machine-readable evidence requirements.
