TrulyOne is Osto’s vision of one cybersecurity platform for startups: everything a modern startup needs to stay secure and prove it. As a step toward that vision, today we are announcing Compliance Automation, new modules across endpoint and code security, and significant improvements platform-wide.
The state of compliance automation in 2026
Compliance has become a checkbox industry.
Founders need SOC 2 to close their first enterprise deal. They need ISO 27001 to expand into Europe. They need HIPAA to sell to a single hospital, and PCI DSS to take a payment. None of this is optional anymore, and the market knows it.
So a generation of compliance automation tools (Vanta, Drata, Sprinto, Secureframe) built fast paths to a certificate. Connect your stack, run the integrations, collect the evidence, hand it to an auditor, get the badge in weeks instead of months. They solved a real problem. Compliance used to take six to twelve months and a hired consultant. Now it takes weeks. That is a genuine win, and we are not here to pretend otherwise.
But the model has a quiet problem.
Most compliance platforms are evidence collection tools. The customer reports that a firewall is configured. The platform takes a screenshot. The auditor signs the report. Nobody checks whether the firewall is doing anything.
The industry has a name for what happens next: compliance theater. A clean SOC 2 report on the wall, and a security posture that breaks the moment a real attacker shows up.
The recent collapse of one well-known compliance vendor, caught manufacturing evidence that did not reflect reality, surfaced the pattern publicly, but the pattern was already there. Manufactured evidence. Screenshots that prove nothing. Certificates that do not survive contact with a breach.
A growing number of buyers, auditors, and CISOs have noticed. The certificate is not enough anymore. The harder question buyers are starting to ask is whether the security underneath the certificate is real.
That is the question our compliance module was built to answer. And it is the reason today’s launch is bigger than just compliance.
Why this release covers the whole platform
Osto has always been built as a single platform across the security stack. This release completes that platform across every segment.
- Cloud security was already deep, with Web App Protection, Web API Protection, Web Scanner, and Cloud Security Posture Management. With this release, Cloud Security gets new reporting, multi-subscription support, and custom rule capabilities across the existing modules.
- Network security was already complete with ZTNA Secure Access and Domain Filtering. With this release, ZTNA scales horizontally, removing the previous capacity ceiling.
- Endpoint security previously included Antimalware, Device Control, and App Control. With this release, the endpoint becomes a complete suite. File Access DLP, Screen Lock, and Disk Encryption close the gaps the existing modules did not cover.
- Application security is the new addition. Code Security launches today as a new category on Osto, with SAST and SBOM as the first two modules. The Mobile App Scanner sits here too, scanning APK and IPA files at the application level.
- Compliance ties it all together. SOC 2 Type II goes live today, with ISO 27001, HIPAA, and GDPR also on the roadmap.
The reason these all ship together is structural. The compliance module reads its evidence directly from every other module on the platform. Every cloud control, every network policy, every endpoint state, every code scan becomes evidence the moment a control needs it. Compliance does not sit alongside the security stack as a separate product. It runs inside it.
This is one coordinated release that closes the gaps between layers, completes the segments that were partially built, and tightens every module already in production. All of it in service of the same idea: security and compliance on one platform, evidence flowing directly between them.
New: Compliance Automation
Most compliance tools start from the audit and work backward. They ask what evidence the auditor needs, then collect it.
Osto took a different approach. We asked what the control requires in operation, and whether the platform can verify it.
The difference matters. A compliance tool that only collects screenshots and integration logs cannot tell the difference between a Web Application Firewall that is deployed and protecting traffic versus one that is installed and disabled. It cannot verify whether endpoint encryption is enforced or whether users have turned it off. It cannot confirm that access reviews caught the right people, or that the incident response plan would survive a real incident.
Most platforms paper over this gap with checklists and self-attestation. Did you do an access review this quarter? Click yes.
That is not compliance. That is documentation.
Real compliance, the kind that holds up in an audit room and survives a breach, requires evidence that the control is operating, not just that it exists. The only way to provide that evidence is to be the system running the control.
That is exactly the system Osto already is. The compliance module reads evidence directly from the underlying security stack.
When the compliance module reports that Web App Protection is enabled and blocking attacks, it is not because someone uploaded a screenshot. The WAF is running on the same platform, and the module reads its live state directly. The same applies to Web API Protection, Web Scanner, Cloud Security Posture Management, ZTNA, endpoint controls, and vulnerability findings. The security tools the customer is paying for are the evidence engine.
Most platforms allow self-attestation that a control is in place. Our module checks the underlying system. If a control depends on disk encryption being enforced across all endpoints, the module verifies the actual fleet, not the customer’s word for it.
Most compliance platforms assume the customer has a full-time GRC specialist. Most early-stage companies do not. We rebuilt the workflow as a guided task list. The platform handles the complexity. The user answers questions about their own company.
Compliance frameworks require ongoing security awareness training. We built it directly in, with a default curriculum and the option to upload custom training. Training records flow into the evidence pack automatically. No second platform, no second invoice. Customers with existing training records from another provider can attach those instead.
SOC 2 is live today. ISO 27001, HIPAA, and GDPR are also on the roadmap.
Why one platform changes the math
Most companies looking at compliance face the same exercise. They price out a compliance tool, somewhere in the range of twelve to fifteen thousand dollars a year. Then they realize the compliance tool does not include the security stack underneath. So they price out the security tools separately. A WAF, an endpoint product, a cloud security tool, a DLP solution, a vulnerability scanner. By the time the line items add up, the security spend dwarfs the compliance spend, and the two systems remain disconnected.
Osto took a different path. Because we already run the security stack, the compliance layer reads evidence directly from it. The same budget that would have bought a compliance tool plus a fragmented security stack now buys both, on one platform, with the security controls and the compliance evidence coming from the same source.
The structural benefit goes beyond cost. When security and compliance live on the same platform, evidence is always live. There is no quarterly cycle of re-running integrations and gathering screenshots. There is no gap between what the compliance dashboard reports and what the security stack is doing.
For systems outside our platform (the customer’s HR system, identity provider, or cloud workspace), the module includes guided manual steps. The customer is walked through what to capture and where to upload it, all inside the same flow.
When an auditor asks how the customer knows their WAF is operating, the answer is not a screenshot from last Tuesday. It is a live read from the system that is running it.
This is the version of compliance that holds up when someone actually checks.
New endpoint controls: File Access DLP, Screen Lock, Disk Encryption
Endpoint security on Osto already included Antimalware, Device Control, and App Control. This release completes the endpoint suite with three new controls that bring the endpoint to the same evidence-grade standard as the rest of the platform.
File Access DLP: Data Leakage Prevention at the file level. On first scan the module classifies files into three categories (personally identifiable information, code, and finance) and applies real-time policies based on what the file is, where it lives, and who is trying to access it.
The hard part of DLP has always been resource consumption. A scanner that consumes the user’s CPU is a scanner the user will fight. We engineered around it. During the initial full-system scan, CPU usage stays in the eight to ten percent range. Once the scan is complete, steady-state usage drops to around half a percent. Effectively invisible.
The module also handles edge cases that most DLP tools miss. A user who tries to copy a flagged file to a USB drive is blocked. A user who renames the file extension to slip past detection is caught because the module reads content, not filenames. A user who creates a duplicate to escape policy finds the duplicate classified the same way. Every change is tracked in real time.
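The content-based behaviour described above (a renamed extension or a duplicate still carries the original classification), written out as an added example in Python. This is illustrative code, not Osto’s module: the regex detectors for the three categories and the removable-media policy are constructed stand-ins.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed, illustrative detectors for the three categories the post names
# (PII, code, finance). They stand in for a real classifier; not Osto's rules.
PATTERNS = {
    "pii": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-shaped number
            re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")],         # email address
    "code": [re.compile(r"^\s*(?:def|class|import|#include|package)\b", re.M)],
    "finance": [re.compile(r"\b(?:\d[ -]?){13,16}\b"),       # card-number-shaped
                re.compile(r"\b(?:IBAN|invoice)\b", re.I)],
}

def classify_bytes(data: bytes) -> Optional[str]:
    """Classify by content only: the file name and extension play no part."""
    text = data.decode("utf-8", errors="ignore")
    for category, regexes in PATTERNS.items():
        if any(r.search(text) for r in regexes):
            return category
    return None

class FileIndex:
    """Keeps verdicts by content hash, so a renamed copy or a duplicate
    resolves to the same classification as the file it was made from."""
    def __init__(self) -> None:
        self.by_hash: Dict[str, Optional[str]] = {}

    def scan(self, path: str, data: bytes) -> Optional[str]:
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.by_hash:            # first sight of this content
            self.by_hash[digest] = classify_bytes(data)
        return self.by_hash[digest]               # rename/duplicate: same verdict

def decide(category: Optional[str], action: str) -> str:
    """Constructed policy: classified content may not leave via removable media."""
    if category is not None and action == "copy_to_removable":
        return "block"
    return "allow"
```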
Screen Lock: auto-lock after idle, enforced by the Osto agent.
Most approaches to enforced screen lock work by changing the operating system’s own lock settings. The problem is that those settings sit in the OS, where the user can change them back. The admin sets a policy and the user quietly opts out.
The Osto agent runs its own idle-time listener, independent of the OS. When the admin configures a screen lock policy, the agent enforces it directly at the policy interval the admin sets. The user does not have a setting to turn off, because enforcement is not happening through any OS setting they can reach.
This is a small feature with an outsized effect on real-world security. Lost or stolen laptops are one of the most common breach vectors for early-stage companies, and almost every breach response begins with the same question: was the screen locked? Now the answer is yes, by default, across the fleet.
Disk Encryption: full-disk encryption enforced at the platform level, so the policy holds across the fleet rather than depending on user setup.
Live for Mac and Windows today. Ubuntu support is in progress.
These three controls together make the endpoint a layer that compliance can verify. When the compliance module reports that disk encryption is enforced across the fleet, it reads from the same system that is enforcing it.
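The difference between self-attestation and a live fleet read, as an added example in Python (not Osto’s implementation). It assumes a constructed per-endpoint report shape, a placeholder control id, and a 24-hour freshness window, so that a stale agent report counts as missing evidence rather than as a pass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

@dataclass
class EndpointReport:            # constructed shape of what an agent reports
    host: str
    os: str
    disk_encryption_enforced: bool
    reported_at: datetime        # when the agent last reported this state

MAX_EVIDENCE_AGE = timedelta(hours=24)   # constructed freshness threshold
CONTROL_ID = "disk-encryption-fleet (placeholder control id)"

def evaluate_disk_encryption(fleet: List[EndpointReport], now: datetime) -> Dict:
    """Pass only if every endpoint reports enforcement inside the freshness
    window. A stale report is not evidence of anything and fails the control."""
    evidence, exceptions = [], []
    for r in fleet:
        age = now - r.reported_at
        if age > MAX_EVIDENCE_AGE:
            exceptions.append((r.host, f"stale report ({age.days}d old)"))
        elif not r.disk_encryption_enforced:
            exceptions.append((r.host, "encryption not enforced"))
        evidence.append({"host": r.host, "os": r.os,
                         "enforced": r.disk_encryption_enforced,
                         "observed_at": r.reported_at.isoformat()})
    return {"control": CONTROL_ID, "status": "pass" if not exceptions else "fail",
            "evidence": evidence, "exceptions": exceptions}

def self_attested(answer: str) -> Dict:
    """What a checklist tool records: a claim with no evidence behind it."""
    return {"control": CONTROL_ID, "evidence": [],
            "status": "pass" if answer.strip().lower() == "yes" else "fail"}

def demo() -> Dict:
    """Constructed fleet: one unencrypted host and one host that stopped reporting."""
    now = datetime(2026, 3, 1, 12, tzinfo=timezone.utc)
    fleet = [
        EndpointReport("mac-01", "macOS", True, now - timedelta(hours=1)),
        EndpointReport("win-07", "Windows", False, now - timedelta(hours=2)),
        EndpointReport("mac-03", "macOS", True, now - timedelta(days=9)),
    ]
    fixed = [EndpointReport(r.host, r.os, True, now) for r in fleet]
    return {"attested": self_attested("yes")["status"],
            "verified": evaluate_disk_encryption(fleet, now),
            "after_fix": evaluate_disk_encryption(fixed, now)["status"]}
```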
New category: Code Security on Osto
Osto has been strong on runtime security since launch. Web App Protection and Web API Protection sit at the front edge of customer infrastructure, blocking traffic that should not get through. The Web Scanner catches issues in production. Cloud Security Posture Management catches misconfigurations across deployed infrastructure. The Mobile App Scanner reads APK and IPA files at the application level. VAPT covers web, network, mobile, and source code at audit time.
The gap was the codebase itself, between commit and deploy. Code Security closes it. Two modules go live today, with two more coming.
SAST: code-level scanning across the customer’s repositories, looking for vulnerabilities, deprecated libraries, broken patterns, and secrets accidentally committed. The module integrates with version control and runs continuously, with optional scheduled scans for teams that prefer batched workflows.
The triage workflow is the part most teams will care about. False positives are the persistent issue with every static analysis tool. Our module supports marking findings as false positive, won’t fix, mitigated, or accepted in test, with optional expiry dates and reasons attached. Each marking carries a full audit trail of who marked it, when, and why. Scheduled email reports go out daily, weekly, or monthly, configurable per team. The signal stays clean. The noise stays manageable.
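The triage model described above (four markings, optional expiry and reason, full audit trail), as an added example in Python; it is not Osto’s code. The state names, the rule that an expired time-boxed marking reverts to open, and the demo scenario are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The four markings the post names, plus the default "open" state.
TRIAGE_STATES = {"open", "false_positive", "wont_fix", "mitigated", "accepted_in_test"}

@dataclass
class AuditEntry:                # who, when, from what, to what, why
    at: datetime
    actor: str
    old_state: str
    new_state: str
    reason: str

@dataclass
class Finding:
    id: str
    rule: str
    state: str = "open"
    expires_at: Optional[datetime] = None
    history: List[AuditEntry] = field(default_factory=list)

    def mark(self, new_state: str, actor: str, reason: str, now: datetime,
             expires_in: Optional[timedelta] = None) -> None:
        """Every marking needs a reason and is written to the audit trail."""
        if new_state not in TRIAGE_STATES:
            raise ValueError(f"unknown triage state: {new_state}")
        if not reason.strip():
            raise ValueError("a reason is required for every marking")
        self.history.append(AuditEntry(now, actor, self.state, new_state, reason))
        self.state = new_state
        self.expires_at = now + expires_in if expires_in else None

def sweep_expired(findings: List[Finding], now: datetime) -> List[str]:
    """Reopen lapsed time-boxed markings so nothing stays silently suppressed."""
    reopened = []
    for f in findings:
        if f.expires_at is not None and now >= f.expires_at and f.state != "open":
            f.mark("open", "system", "time-boxed marking expired", now)
            reopened.append(f.id)
    return reopened

def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts for the scheduled report: open findings are the signal."""
    counts = {s: 0 for s in TRIAGE_STATES}
    for f in findings:
        counts[f.state] += 1
    return counts

def demo() -> Dict:
    """Constructed scenario: a 7-day 'accepted in test' marking lapses on day 8."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    a, b = Finding("F-1", "hardcoded-secret"), Finding("F-2", "sql-injection")
    a.mark("accepted_in_test", "alice", "test fixture only", t0, timedelta(days=7))
    b.mark("false_positive", "bob", "input is sanitised upstream", t0)
    early = sweep_expired([a, b], t0 + timedelta(days=3))
    late = sweep_expired([a, b], t0 + timedelta(days=8))
    return {"early": early, "late": late, "a_state": a.state,
            "a_actors": [e.actor for e in a.history], "counts": summary([a, b])}
```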
SBOM: a complete inventory of every library, third-party component, and dependency in each repository. Increasingly required for enterprise sales, mandatory for mobile app store submissions, and useful in supply chain risk reviews regardless. Our module generates SBOMs automatically, per repository, available as both a downloadable HTML report and a browsable component list.
Customers no longer need to build their own SBOMs. Osto scans the repositories and builds them.
Coming next in Code Security: Software Composition Analysis (SCA) and License Compliance. Both modules are in active development.
Improvements across the existing platform
Beyond the new modules and the new category, every existing part of the platform got an upgrade in this release.
Previously, an organization’s ZTNA capacity was tied to a single instance. As users, servers, and active connections grew, the system eventually hit a ceiling. We rebuilt this layer so that ZTNA capacity grows with the organization, without limits.
Two things matter from the customer side. First, session continuity: when a client reconnects, its active session migrates automatically and existing connections do not break. Second, the new architecture is a self-healing mesh: if any path between components fails or degrades, the system detects it and recovers automatically. No migration was required. The previous capacity limit no longer applies.
Customers can configure scheduled WAF reports at any cadence, with the metrics that matter: threats blocked, malicious IPs and ASNs by volume, top attack origin countries, and a breakdown of incident types. Sub-path routing enables finer-grained control over which traffic flows through which policy. Custom rule creation is available for customers who need to extend the default rule set with their own logic. False positive marking is available across WAF findings, with the same audit trail that ships with SAST.
Customers running across AWS, Azure, and GCP, or across multiple subscriptions within a single provider, can manage all of them from one CSPM view. Scheduled CSPM reports follow the same model as WAF, configurable per customer. False positive marking is available across CSPM findings.
VAPT: findings can be marked false positive, won’t fix, mitigated, or accepted in test, with optional expiry and reason. This is the same triage system as SAST and CSPM, applied to penetration testing results.
The onboarding journey is now driven by entitlements. A customer who buys a single module gets an onboarding flow tailored to that module. A customer who buys the full platform gets the full flow. A customer who buys compliance only sees only the compliance setup steps.
These are not headline features. But they are the kind of upgrades that compound. Every team that uses Osto every day is now spending less time on noise and more time on the issues that warrant attention.
What this unlocks
For Osto customers, all of this is in your dashboard now. Customers already running our security stack get automatic compliance evidence collection for everything we run. The new endpoint controls are available to deploy across the fleet. The Code Security modules connect to repositories with a single integration.
For companies evaluating compliance platforms right now, this is a different kind of evaluation than the standard one. Instead of buying a compliance tool and a separate security stack and hoping they cooperate, the customer gets one platform where the security tools are the evidence engine. Cloud, network, endpoint, code, compliance, VAPT. One vendor, one dashboard, one source of truth.
This is the version of the category we have been building toward.
What is next
This is the first version of compliance automation. SOC 2 is live today. The roadmap continues to extend each module released in this announcement.
On compliance, ISO 27001, HIPAA, and GDPR are also on the roadmap. Evidence pack export, admin audit logs, and risk assessments are coming as extensions of the compliance module.
On endpoint, Disk Encryption support for Ubuntu is in progress.
On Code Security, SCA and License Compliance complete the category.
The roadmap beyond that is long. We have been waiting to ship this release for some time. With this announcement out, the rest of the category becomes accessible.
If you are an Osto customer, you can find everything we shipped today in your dashboard.
If you are not, and you are evaluating compliance and security as two separate problems with two separate budgets, we would be glad to show you what it looks like when they are one. Compliance, as a byproduct of being secure.