Frequently Asked Questions
Everything you need to know about ArcScan.
General
What is ArcScan?
ArcScan is an AI-powered platform for auditing Ansible playbooks, scanning cloud infrastructure security posture, generating Terraform configs, and managing the full infrastructure lifecycle. Built by Arcus Forge LLC, an SDVOSB.
How does the scoring work?
Playbooks are scored 0-100 (A-F grades). The AI analyzes for security issues, idempotency, deprecated modules, missing best practices, and more. Each finding carries a severity-weighted deduction. Cloud posture scans use the same 0-100 scale with deterministic CIS-benchmark checks.
What file formats are supported?
Ansible playbooks (.yml, .yaml), inventories, role directories, and zip archives containing multiple YAML files. You can paste content directly, upload a file, or scan from connected cloud storage (Google Drive, OneDrive, Dropbox, GitHub, GitLab, Bitbucket).
Cloud & Security Posture
What cloud providers are supported?
AWS, Microsoft Azure, and Google Cloud Platform (GCP). You can connect multiple accounts per provider using API keys, service accounts, or IAM roles.
What does the security posture scanner check?
20+ deterministic checks aligned with CIS benchmarks — no AI required. Checks include: open security groups/firewalls, publicly accessible databases, unencrypted storage, overly permissive IAM, missing tags/labels, stale users, public IPs, and more. Each finding includes severity, CIS reference, remediation, and Ansible module hints.
What's the difference between Cloud Inventory and Security Posture?
Cloud Inventory pulls your live infrastructure data and uses AI to analyze it for security, cost, drift, compliance, and automation opportunities. Security Posture runs fast, deterministic CIS-benchmark checks against that same inventory — no AI call needed, instant results. You can optionally add AI-generated remediation playbooks to posture scans.
Are my cloud credentials safe?
Cloud credentials are encrypted in the database and only decrypted at scan time. They are never logged, never sent to AI providers, and never leave your ArcScan instance. Enterprise customers can self-host for full control.
AI Providers
What AI providers can I use?
Anthropic Claude (recommended), OpenAI GPT-4o, Google Gemini, DeepSeek, and Nvidia AI. Each user brings their own API key via the Settings page. Enterprise orgs can configure managed keys.
How much do AI API calls cost?
Approximately $0.003–$0.015 per scan depending on playbook size and provider. 500 scans/month is roughly $5–$7 in API costs. Cloud posture scans are free (deterministic) unless you opt for AI-generated remediation playbooks.
Is my playbook content sent to AI providers?
Only when you run an AI-powered scan. The content is sent to the provider you choose, using your API key. It is not shared with any other party. Cloud posture checks run locally without any AI calls.
Integrations & Lifecycle
How does the full infrastructure lifecycle work?
Discover (pull cloud inventory) → Tag (map resources to business applications) → Scan (posture checks + AI analysis) → Build (generate Terraform HCL for tagging + infrastructure) → Provision (generate/audit Ansible playbooks) → Operate (ServiceNow/Jira/FreshService tickets, CMDB sync, Slack alerts, remediation PRs) → Monitor (scheduled scans, drift baselines, regression detection). You can enter the lifecycle at any stage.
Can I integrate with CI/CD pipelines?
Yes. ArcScan offers a REST API with webhook tokens, plus a Workflow Builder that generates configs for GitHub Actions, GitLab CI, Jenkins, Azure DevOps, and AWX/Tower — with quality gate scoring.
What other integrations are available?
Storage: Google Drive, OneDrive, Dropbox, GitHub, GitLab, Bitbucket. SCM: PR comments and remediation PRs for GitHub, GitLab, Bitbucket. ITSM: ServiceNow (change requests + CMDB CI push + application dependency sync), Jira (issues + Epic sync), FreshService (tickets/changes + asset sync). Automation: AWX/AAP, HashiCorp Vault. Alerts: Slack, Teams, Discord webhooks. Auth: SSO (Google, GitHub, Microsoft, GitLab) + TOTP/SMS/Email 2FA.
Can I push application-resource mappings to ServiceNow, Jira, or FreshService?
Yes. When you tag cloud resources to an application in the Cloud Inventory snapshot view, check the Sync to ITSM checkboxes that appear below the application selector. ServiceNow creates a Business Service CI in the CMDB and relationship records linking each resource. Jira creates an Epic for the application with sub-tasks for each resource. FreshService creates an Asset for the application with linked resource assets. Checkboxes only appear when the corresponding integration is configured and active.
How do I tag cloud resources to a business application?
Open a cloud inventory snapshot, select resources using the checkboxes, then click Tag Application. Choose an existing application or create a new one (name, owner, environment, criticality, data classification). Click Apply Tags. The mapping persists across scans and can be exported as Terraform HCL to apply arcscan:* tags to real cloud infrastructure.
Billing & Plans
How much does ArcScan cost?
Free: 5 scans/month, BYOK only. Pro ($49/user/mo): 500 scans, all features. Enterprise ($199/user/mo): Unlimited scans, SSO, white-label, audit logs, self-hosted Docker, dedicated support with SLA. AI provider costs are separate.
Can I try Pro features for free?
Yes — every account can activate a 7-day Pro trial from the Billing page. No credit card required. Full access to all Pro features during the trial.
Government & Defense
Is ArcScan suitable for federal/defense use?
Yes. Arcus Forge LLC is SDVOSB-certified, eligible for sole-source and set-aside federal contracts. ArcScan supports air-gapped Docker deployment, FedRAMP-aligned security controls, and DISA STIG compliance reporting.
Can it run in an air-gapped environment?
Yes. The Docker deployment can run fully self-hosted with no external API calls. In air-gapped mode, cloud posture scans still work (deterministic checks against manually imported inventory). AI features require network access to the chosen provider's API endpoint, or you can configure a local LLM endpoint.