SDVOSB · Air-gap ready · FIPS 140-2 mode

Find every CVE in your estate. Fix it with one click.

ArcScan sweeps your network, builds a live CMDB from agentless probes, matches every package against NVD, OSV, KEV, RHSA, USN, GHSA, and Alpine feeds, then applies verified Ansible remediation — with a human-in-the-loop audit trail your QSA, FedRAMP assessor, or 3PAO can sign off on.

15 compliance frameworks · 9 live CVE feeds · Air-gap: self-host ready · SDVOSB: federal-eligible
arcscan — discover 10.0.0.0/16
Built for teams across regulated industries
  • NIST 800-53: 325 controls
  • CIS: AWS · Azure · GCP
  • HIPAA: 47 safeguards
  • PCI-DSS 4.0: 12 requirements
  • SOC 2 Type II: evidence
  • DISA STIG: federal-ready

A CMDB, a vuln scanner, and a remediation engine — in one platform

Replace BMC Discovery, ServiceNow Discovery, and a half-dozen point tools with one platform built for regulated mid-market and federal teams.

Arc Discover — network sweep to CMDB

Agentless masscan/zmap sweep, then credentialed SSH/WinRM/SNMP/SMB probes build a typed asset graph with software, packages, and open ports. 34 ship-day patterns recognize the stacks you actually run.

Live CVE matching, every asset

Every discovered package is matched against NVD, OSV, KEV, GHSA, RHSA, USN, DSA, Alpine, and ALAS feeds — with KEV exploitation status and EPSS scoring pulsed onto your topology map.

Verified one-click remediation

Trust-tier model: deterministic, registry-checked, syntax-validated playbooks auto-apply under policy; generated playbooks run in dry-run mode only. Every action is logged for your auditor.

Air-gap and FIPS, day one

Self-extracting offline bundle ships ArcScan, Ollama, and a GGUF model — no outbound calls. FIPS 140-2 AES-256-GCM mode for FedRAMP and DoD environments. SDVOSB sole-source eligible.

Continuous ATO + compliance evidence

15 frameworks loaded: NIST 800-53, FedRAMP, DISA STIG, CIS, HIPAA, PCI-DSS 4.0, SOC 2 Type II, ISO 27001, FFIEC CAT, NCUA ACET, NIST 800-171, GDPR, MITRE ATT&CK. SSP, POAM, and evidence export for cATO.

Terraform-to-CMDB sync

After every terraform apply, parsed tfstate upserts to ServiceNow CMDB, Jira, and FreshService. Closes the "CMDB is 60% out of date" gap regulated buyers know they have.

From unknown estate to remediated in under an hour

Three steps. No agents to deploy. Works in air-gapped networks.

  1. Sweep & probe
     Point ArcScan at a CIDR or cloud account. Agentless masscan/zmap sweep, then credentialed SSH/WinRM/SNMP probes pull packages, open ports, and software stacks.
  2. Match & rank
     Every package is matched against 9 live vulnerability feeds. KEV-listed and high-EPSS CVEs surface first, with blast-radius context from your asset graph.
  3. Remediate & prove
     Apply a verified Ansible playbook with one click, open a remediation PR, or file a ServiceNow ticket. Every action is auditor-signed and framework-mapped.
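The "match & rank" step above, as an added illustration that is not ArcScan's own code: a constructed package inventory is joined against constructed OSV-style advisory ranges, then findings are ordered KEV-listed first, internet-exposed hosts next, then by EPSS and CVSS, with per-CVE host counts as the blast-radius context. Advisory IDs, KEV entries, EPSS scores, hosts and versions are all invented samples; the version comparison is a plain dotted-integer helper, not a real ecosystem ordering.

```python
"""Added illustration of the "match & rank" step: not ArcScan's own code.
All feed records, EPSS scores, KEV entries and hosts are constructed samples."""
from dataclasses import dataclass

def vtuple(v):
    # Samples use dotted integers; real feeds need dpkg/rpm/semver ordering.
    return tuple(int(x) for x in v.split("."))

# Constructed OSV-style advisories: vulnerable if introduced <= version < fixed.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "pkg": "openssl", "introduced": "3.0.0", "fixed": "3.0.7", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-0002", "pkg": "sudo", "introduced": "1.8.2", "fixed": "1.9.5", "cvss": 7.8},
    {"id": "CVE-EXAMPLE-0003", "pkg": "bash", "introduced": "4.0.0", "fixed": "4.3.30", "cvss": 9.8},
]
KEV = {"CVE-EXAMPLE-0002"}  # constructed CISA KEV (known exploited) entry
EPSS = {"CVE-EXAMPLE-0001": 0.91, "CVE-EXAMPLE-0002": 0.12, "CVE-EXAMPLE-0003": 0.40}
# Constructed asset graph: host -> (installed packages, internet-exposed?)
INVENTORY = {
    "web-01": ({"openssl": "3.0.2", "bash": "5.1.0"}, True),
    "web-02": ({"openssl": "3.0.2", "sudo": "1.9.0"}, True),
    "db-01": ({"openssl": "3.0.8", "sudo": "1.9.0", "bash": "4.3.0"}, False),
}

@dataclass
class Finding:
    cve: str; host: str; pkg: str; version: str
    kev: bool; epss: float; cvss: float; exposed: bool

def affected(adv, version):
    v = vtuple(version)
    return vtuple(adv["introduced"]) <= v < vtuple(adv["fixed"])

def match(inventory=INVENTORY, advisories=ADVISORIES):
    # Join every installed package against every advisory for that package.
    found = []
    for host, (pkgs, exposed) in inventory.items():
        for adv in advisories:
            ver = pkgs.get(adv["pkg"])
            if ver and affected(adv, ver):
                found.append(Finding(adv["id"], host, adv["pkg"], ver, adv["id"] in KEV,
                                     EPSS.get(adv["id"], 0.0), adv["cvss"], exposed))
    return found

def rank(findings):
    # KEV-listed first, then internet-exposed hosts, then EPSS, then CVSS as tiebreak.
    return sorted(findings, key=lambda f: (not f.kev, not f.exposed, -f.epss, -f.cvss))

def blast_radius(findings):
    # Hosts affected per CVE: the asset-graph context attached to each finding.
    radius = {}
    for f in findings:
        radius.setdefault(f.cve, set()).add(f.host)
    return {cve: sorted(hosts) for cve, hosts in radius.items()}
```

Note that the KEV-listed sudo finding outranks the openssl finding even though openssl has the higher EPSS, which is the ordering the step describes.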

Manage infrastructure from discovery to operations

A complete IaC security and automation platform — not just a linter. Discover, audit, build, provision, and monitor your entire cloud estate from a single pane of glass.

  • Discover (Cloud Inventory): Connect AWS, Azure, or GCP and pull live infrastructure inventory.
  • Scan (Posture Scanner): Run CIS-benchmark posture checks and AI security analysis on configs.
  • Build (Terraform Generator): Generate Terraform HCL from inventory or from a plain-text description.
  • Provision (IaC Engine): Generate and audit Ansible & Terraform IaC to configure and harden systems.
  • Operate (ServiceNow · SCM · Slack): Create ServiceNow tickets, Slack alerts, and remediation PRs automatically.
  • Monitor (Analytics · Baselines): Scheduled scans, drift baselines, regression alerts, and compliance tracking.
Or start from existing automation

Scan existing IaC

Paste, upload, or zip-scan your existing Ansible, Terraform, or mixed IaC repos. Get scored findings, verified one-click remediations, and compliance mapping instantly.

Generate from scratch

Describe what you need in plain English — ArcScan generates production-ready, security-hardened Ansible and Terraform IaC using AI.

Import from storage

Connect Google Drive, OneDrive, Dropbox, GitHub, GitLab, or Bitbucket and scan playbooks directly from where your team already works.

Frequently asked questions

What is ArcScan?
ArcScan is an AI-powered IaC security and automation platform. It analyzes Ansible, Terraform, and cloud infrastructure for misconfigurations, generates hardened remediation code, maps findings to compliance frameworks (NIST, CIS, HIPAA, PCI-DSS, SOC2), and manages the full infrastructure lifecycle from discovery to operations. Built by Arcus Forge LLC, a Service-Disabled Veteran-Owned Small Business (SDVOSB).
What cloud providers are supported?
ArcScan supports AWS, Microsoft Azure, and Google Cloud Platform (GCP). You can connect multiple accounts per provider, pull live inventory, run CIS-benchmark security posture scans, detect drift, and generate Ansible or Terraform remediation automation — all from the Cloud dashboard.
What AI providers can I use?
ArcScan supports five AI providers: Anthropic Claude (recommended), OpenAI GPT-4o, Google Gemini, DeepSeek, and Nvidia AI. Each user brings their own API key via the Settings page, or enterprise admins can configure managed platform keys for their organization.
What does the Cloud Security Posture scanner check?
The posture scanner runs 20+ deterministic (no AI required) checks aligned with CIS benchmarks across all three cloud providers. It checks for: open security groups and firewalls, publicly accessible databases, unencrypted storage, overly permissive IAM policies, missing tags/labels, stale IAM users, public IPs on compute instances, and more. Each finding includes a severity rating, CIS reference, remediation steps, and an IaC remediation hint for Ansible and Terraform.
How does the full infrastructure lifecycle work?
ArcScan covers six stages: Discover (pull cloud inventory from AWS/Azure/GCP), Scan (posture checks + AI analysis), Build (generate Terraform HCL), Provision (generate and audit Ansible & Terraform IaC), Operate (ServiceNow tickets, Slack alerts, GitHub/GitLab remediation PRs), and Monitor (scheduled scans, drift baselines, regression detection). You can start from existing IaC, cloud inventory, or generate everything from a plain-English description.
Is my data safe? Are playbooks or credentials stored?
Cloud credentials are stored base64-obfuscated in the database (base64 is an encoding, not cryptographic encryption) and used only at scan time. API keys are stored per-user and never shared. Playbook content is stored for your report history but never sent to third parties — only to the AI provider you choose, using your API key. Enterprise customers can self-host with Docker for full data sovereignty.
Can I integrate with CI/CD pipelines?
Yes. ArcScan provides a REST API with webhook tokens for CI/CD integration. It also includes a Workflow Builder that generates ready-to-use pipeline configs for GitHub Actions, GitLab CI, Jenkins, Azure DevOps, and Ansible AWX/Tower — with configurable quality gate scores so builds fail if IaC doesn't meet your security threshold.
What integrations are available?
Cloud: AWS, Azure, GCP inventory and posture scanning.
Storage: Google Drive, OneDrive, Dropbox, GitHub, GitLab, Bitbucket.
SCM: Post findings to GitHub PRs, GitLab MRs, Bitbucket PRs; create remediation PRs.
Automation: AWX/AAP project imports, HashiCorp Vault secret scanning.
ITSM: ServiceNow incident creation from critical findings.
Notifications: Slack, Microsoft Teams, and Discord webhooks.
Auth: Google, GitHub, Microsoft, GitLab SSO; TOTP/SMS/Email 2FA.
Is ArcScan suitable for government and defense?
Yes. Arcus Forge LLC is a Service-Disabled Veteran-Owned Small Business (SDVOSB), eligible for sole-source and set-aside federal contracts. ArcScan supports air-gapped deployment via Docker, FedRAMP-aligned security controls, and DISA STIG compliance reporting. It can run entirely self-hosted with no external API calls in air-gapped mode.
How much does it cost?
Free: 10 scans/month with your own API key — no credit card required, 1 user.
Pro ($100/user/mo): 500 scans, up to 3 users, up to 10 cloud endpoints, all AI providers, cloud scanning, Terraform generation, scheduled scans, CI/CD integration, baselines, and PDF exports.
Enterprise (contact sales): Unlimited scans, unlimited users and cloud endpoints, compliance frameworks (SOC 2, NIST, PCI-DSS, HIPAA, DISA STIG), SSO/SAML, ITSM integrations, white-label branding, and dedicated SLA. Required for teams of 4+ or 10+ cloud endpoints.
AI provider costs are separate and depend on your chosen provider (~$0.003–$0.015 per scan).
Can I try Pro features before buying?
Yes. Every new account can activate a 7-day free trial of the Pro tier from the Billing page. No credit card is required for the trial. You get full access to all Pro features including cloud scanning, Terraform generation, scheduled scans, and all integrations.

Self-serve to start. Annual contracts for regulated teams.

Free and Pro tiers for evaluation and small teams. Mid-market, Enterprise, and Federal annual platform contracts unlock unlimited sweeps, all 15 compliance frameworks, air-gap deployment, and SSO/SAML.

Free

For individuals and evaluation

$0 / mo
  • 10 scans per month
  • AI security analysis
  • Bring your own API key
  • 1 user
  • Scheduled scans
  • Cloud / Terraform
Get started free

Enterprise

4+ users or heavy cloud usage

Custom
  • Unlimited scans
  • Unlimited users & cloud endpoints
  • SOC 2, NIST, PCI-DSS, HIPAA, STIG
  • SSO / SAML
  • ITSM (ServiceNow, FreshService)
  • White-label & dedicated SLA
Contact sales

Teams with more than 3 users or more than 10 cloud endpoints are automatically moved to the Enterprise tier.

Built for federal contracts

ArcusForge LLC is a Service-Disabled Veteran-Owned Small Business (SDVOSB) eligible for sole-source and set-aside federal contracts. ArcScan supports air-gapped deployment for classified environments, FedRAMP-aligned security controls, and DISA STIG compliance reporting.

SDVOSB certified · Air-gap ready · GSA Schedule eligible · DISA STIG reports

Built for regulated industries

Purpose-built for the compliance realities of healthcare, federal agencies, and financial services — the three verticals where IaC risk and audit pressure converge.

Healthcare: HIPAA-governed IaC (HIPAA-ready by default)
Target outcome for healthcare DevOps teams

Healthcare IaC teams typically manage hundreds of Ansible and Terraform modules across clinical, billing, and infrastructure systems. Manual pre-deployment security review can consume 12–16 hours per sprint and frequently delay releases.

How ArcScan fits
  • Automated HIPAA Technical Safeguard mapping
  • Per-sprint audit-ready compliance export
  • ServiceNow change-ticket integration
Tags: HIPAA · HITRUST-aligned · ServiceNow

Federal government: Air-gap + ATO workflows (ATO-ready)
NIST 800-53 + DISA STIG automation

Federal civilian and defense agencies running AWS GovCloud or classified air-gapped environments need consistent NIST 800-53 and DISA STIG validation across every IaC module — without sending source code to a SaaS.

How ArcScan fits
  • Air-gapped Docker deployment, fully offline
  • Automated DISA STIG & NIST 800-53 reporting
  • SDVOSB sole-source & set-aside eligibility
Tags: NIST 800-53 · DISA STIG · AWS GovCloud

Financial services: PCI-DSS & SOC2 evidence (Audit-ready)
PCI-DSS 4.0 continuous evidence

Credit unions, payment processors, and regional banks face annual PCI-DSS QSA audits that can require 4–6 weeks of manual evidence collection — screenshots, policy documents, and system check exports across dozens of IaC modules.

How ArcScan fits
  • PCI-DSS 4.0 control mapping per module
  • Automated QSA evidence packs
  • SOC 2 Type II continuous monitoring hooks
Tags: PCI-DSS 4.0 · SOC 2 Type II · NCUA-aligned

Target deployment profiles. ArcScan is a pre-revenue platform actively exploring design-partner relationships in each vertical.

Shifting security left in IaC: a practical guide

Infrastructure as Code has transformed how teams deploy systems — but it has also moved security risk upstream. Traditional security tooling was built for running systems, not declarative configuration files. This white paper examines how automated IaC security analysis closes that gap.

  • The IaC security gap: Why CSPM and SAST tools miss 60–70% of Ansible and Terraform misconfigurations before deployment
  • Framework mapping at scale: How to automatically map playbook tasks to NIST 800-53, CIS, HIPAA, PCI-DSS, and SOC2 controls
  • CI/CD integration patterns: Practical patterns for integrating IaC security gates into GitHub Actions, GitLab CI, and Jenkins pipelines
  • Remediation playbooks: Ansible and Terraform snippets for the 25 most common IaC security findings, ready to copy into your codebase
  • ROI and risk-reduction metrics: Industry data on the cost of a misconfigured deployment and how shift-left tooling reduces mean-time-to-remediation
Download white paper (PDF)
Free download — no email required.
ArcusForge LLC · Technical white paper
Shifting security left in Infrastructure as Code
A practitioner's guide to automated IaC security analysis
Coverage: Ansible · Terraform
Frameworks: NIST · CIS · HIPAA · PCI-DSS · SOC2
Pages: 42 pages + appendices
Audience: DevSecOps · Security Architects · CTOs
Table of contents
  1. The state of IaC security in 2025
  2. Understanding the misconfiguration attack surface
  3. Automated detection: how security rules work
  4. Mapping IaC to compliance frameworks
  5. Integrating security gates into CI/CD
  6. ITSM workflows for IaC findings
  7. Measuring and reporting security posture
  8. Remediation reference library

Run your first network sweep this afternoon

Start free with your own AI key, or book a 20-minute demo and we'll walk through a sweep, CVE match, and verified remediation on real infrastructure.

Free forever tier · Air-gap self-host · FIPS 140-2 mode · SDVOSB, federal-eligible