Evidence-to-Audit Layer

Turn the scan you already run into auditor-ready compliance evidence

Upload the output of an open-source security scan. Get provenance-stamped, multi-framework compliance evidence in minutes — without ever giving us access to your cloud.

No agents. No IAM roles. No API keys. We never hold your credentials.

The spreadsheet gap

Open-source scanners are free and everywhere — but they hand you hundreds of pass/fail rows of technical noise. Translating that into ISO 27001 and SOC 2 evidence is manual spreadsheet labor. The heavyweight GRC suites that automate it cost $15k–$100k a year and want agents in your environment. Viwago sits in between: the translation, without the custody.

How it works

1. Run your scan

Use the open-source scanner you already trust (Powerpipe today). It runs on your machine, with your credentials.

2. Upload the output

Drop the JSON result into Viwago. We only see the scan output — never your infrastructure or keys.

3. Get translated evidence

In minutes: a provenance-stamped, multi-framework posture and auditor-ready exports. No spreadsheets.

What Viwago does today

Everything below is in the product now. We don’t list what we haven’t built.

Zero-custody ingestion

You run your own scan with your own tools and credentials. Viwago only ever reads the output file. No agents, no IAM roles, no API keys — we never touch your cloud.

Cross-framework translation

One CIS scan, mapped to ISO 27001 and SOC 2 today, with more frameworks expanding. Stop re-doing the same control mapping by hand for every standard.

Provenance & chain-of-custody

Every score states where it came from (“based on your uploaded Powerpipe scan”). Export to OSCAL, the NIST machine-readable format auditors expect.

Manual attestation

Cover the controls a scanner can’t check — physical access, offboarding, policies — with evidence, and watch coverage climb toward complete.

Auditor-ready exports

Hand your auditor a real artifact: PDF for the board, CSV for your workflow, OSCAL for their tooling, JSON for your pipeline.

Built zero-custody, secure by construction

We never deploy an agent, assume an IAM role, or hold an API key — so there’s no cloud access for a vendor review to scrutinize. The scan results you upload are encrypted in transit and at rest, and strictly tenant-isolated: access is derived only from a verified identity token, fail-closed by design.

SOC 2 in progress. We publish what is true and nothing that isn’t.

Pricing

Starter: $99/mo
  • CIS + ISO 27001 mapping
  • 5 scan uploads / month
  • PDF / CSV / OSCAL / JSON exports

Professional: $299/mo
  • All frameworks (SOC 2, NIST, HIPAA, PCI, CCPA)
  • 100 scan uploads / month
  • Manual attestation + full control detail

Framework coverage expands as our control mapping grows.

We don’t scan your systems. We make your scans audit-proof.