See your real risk, act on it, prove it.
Scut builds a living risk register from your real architecture, correlates it with current threat intelligence, and keeps your control evidence honest. Every AI-derived asset, risk, and finding is proposed for review, never written to your register on its own.
Access is by invitation. Ask your organization's admin for an account.
Approach: Risk-first
Hosting: EU by default
AI: Proposes, humans dispose
Platform: Open API + webhooks
Assess
Get the real picture in
Onboarding & risk extraction
Feed in architecture diagrams, policies, and product context. An LLM proposes candidate assets, data flows, and risk scenarios to a review queue, so nothing enters your register unreviewed.
Architecture & data-flow mapping
Turn what you upload into a living map of assets and data flows, each tagged with sensitivity, so you can see where the crown jewels actually sit.
Understand
Make sense of the risk
A living risk register
Scenarios are scored on an explainable likelihood-by-impact matrix, with mitigations, controls, and residual risk shown next to the inherent score. The arithmetic is visible at every step, not a black box.
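The scoring described above, as an added example (not Scut's code): a 1 to 5 scale on both axes, score bands, and the rule that an implemented control subtracts points from one axis are assumptions chosen for illustration. What the example shows is the shape of an explainable score: an inherent value, a line per control saying exactly how it moved the numbers, and a residual value that a reviewer can recompute by hand.

```python
"""Explainable likelihood x impact scoring with inherent and residual risk.

Added example, not Scut's code. The 1-5 scale on both axes, the band
thresholds, and the rule that a control subtracts points from one axis are
assumptions chosen for illustration; the visible arithmetic is the point.
"""
from dataclasses import dataclass, field

LOW, HIGH = 1, 5  # both axes use a 1-5 scale (assumption)
# Score bands as (inclusive lower bound, label), highest first (assumption).
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


@dataclass
class Control:
    name: str
    likelihood_delta: int = 0  # points removed from likelihood while in place
    impact_delta: int = 0      # points removed from impact while in place
    implemented: bool = True   # planned controls are listed but earn no credit


@dataclass
class Scenario:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)


def band(score: int) -> str:
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def _clamp(v: int) -> int:
    return max(LOW, min(HIGH, v))


def score(s: Scenario):
    """Return (inherent, residual, explanation); explanation is a list of
    lines showing how each control moved likelihood and impact."""
    for axis, v in (("likelihood", s.likelihood), ("impact", s.impact)):
        if not LOW <= v <= HIGH:
            raise ValueError(f"{axis} must be {LOW}-{HIGH}, got {v}")
    like, imp = s.likelihood, s.impact
    inherent = like * imp
    lines = [f"{s.name}: inherent L{like} x I{imp} = {inherent} ({band(inherent)})"]
    for c in s.controls:
        if not c.implemented:
            lines.append(f"  {c.name}: planned, no credit taken")
            continue
        new_like = _clamp(like - c.likelihood_delta)
        new_imp = _clamp(imp - c.impact_delta)
        lines.append(f"  {c.name}: L{like}->{new_like}, I{imp}->{new_imp}")
        like, imp = new_like, new_imp
    residual = like * imp
    lines.append(f"  residual L{like} x I{imp} = {residual} ({band(residual)})")
    return inherent, residual, lines


# Constructed sample scenario, not taken from any real register.
SAMPLE = Scenario(
    "Stolen CI token pushes a malicious build",
    likelihood=4, impact=5,
    controls=[
        Control("Short-lived OIDC tokens in CI", likelihood_delta=2),
        Control("Artifact signatures verified at deploy", impact_delta=2),
        Control("Branch protection on release branches",
                likelihood_delta=1, implemented=False),
    ],
)

if __name__ == "__main__":
    inherent, residual, explanation = score(SAMPLE)
    print("\n".join(explanation))
```

Planned controls are deliberately listed with "no credit taken": a register that silently counts unimplemented controls toward residual risk is the black box the page is warning against.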
Threat modeling
Generate STRIDE and attack-tree models grounded in your real architecture, tagged to MITRE ATT&CK and linked back into the register.
Stay ahead
Watch what is moving
Threat-intel correlation
CISA KEV, NVD, and MITRE ATT&CK entries are matched to your stack by the tech tags on your assets, surfacing the exposure that matters instead of a raw CVE firehose. Match quality follows tag quality, so keeping asset tags current is part of the job.
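The KEV-to-asset correlation described above, as an added example (not Scut's code). The field names are those of CISA's published KEV JSON (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse); the feed excerpt and asset inventory below are constructed placeholders, and the lowercase vendor/product tag scheme is an assumption. The example also shows the failure mode worth knowing about: a product tag that does not follow the feed's naming (log4j versus Log4j2) produces no match at all.

```python
"""Correlate a CISA KEV feed with an asset inventory by tech tags.

Added example, not Scut's code. Field names follow CISA's KEV JSON; the
entries below are constructed placeholders, not real KEV records. The
inventory, tag scheme and urgency ordering are assumptions.
"""
import json
from datetime import date

# Constructed feed excerpt in KEV's JSON shape. CVE IDs are placeholders.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2024-05-10", "dueDate": "2024-06-30",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-05-12", "dueDate": "2024-06-02",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed inventory. Tags are lowercase tokens for vendor and product.
# Note "log4j": the feed says "Log4j2", so that asset will NOT match.
ASSETS = [
    {"name": "vpn-gw-01", "tags": {"fortinet", "fortios"}, "internet_facing": True},
    {"name": "build-runner", "tags": {"apache", "log4j", "java"}, "internet_facing": False},
    {"name": "crm-db", "tags": {"postgresql", "linux"}, "internet_facing": False},
]


def norm(s: str) -> str:
    """Lowercase and strip whitespace so 'Forti OS' and 'fortios' compare equal."""
    return "".join(s.lower().split())


def correlate(kev_json: str, assets, today: date):
    """Return one hit per (asset, KEV entry) whose vendor AND product tags both
    appear on the asset, ordered by urgency. Requiring both keeps a vendor-only
    tag such as 'microsoft' from matching every entry for that vendor."""
    hits = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        needed = {norm(v["vendorProject"]), norm(v["product"])}
        for a in assets:
            if not needed <= a["tags"]:
                continue
            due = date.fromisoformat(v["dueDate"])
            hits.append({
                "asset": a["name"],
                "cve": v["cveID"],
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "internet_facing": a["internet_facing"],
                "days_until_due": (due - today).days,  # negative means overdue
            })
    # Ransomware-linked first, then internet-facing, then soonest (or most overdue) due date.
    hits.sort(key=lambda h: (not h["ransomware"], not h["internet_facing"], h["days_until_due"]))
    return hits


if __name__ == "__main__":
    for h in correlate(KEV_SAMPLE, ASSETS, date(2024, 6, 1)):
        print(h)
```

Run against the constructed data, only the VPN gateway surfaces, already ten days past its KEV due date; the Log4j entry is dropped because the asset's tag does not follow the feed's product name, which is exactly the kind of gap a tag review should catch.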
Scanning & OSV dependencies
Passive hygiene checks and OSV dependency scanning run only against assets whose ownership you have proven. Findings are proposed back into the review queue, never applied silently.
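The ownership-gated OSV dependency check described above, as an added example (not Scut's code). The request and response shapes are those of OSV's POST /v1/querybatch (queries keyed by package and version; results are positional and carry only each vulnerability's id and modified timestamp). Nothing here touches the network: the response is constructed, the package names and vulnerability ids are placeholders, and representing "proven ownership" as a set of asset names is an assumption about how that check would be recorded.

```python
"""Build an OSV querybatch request and turn the response into proposed findings.

Added example, not Scut's code. Request/response shapes follow OSV's
POST /v1/querybatch, but the response below is constructed, package names
and vulnerability ids are placeholders, and the ownership set is an
assumption about how a proven-ownership check would be represented.
"""
import json

# Constructed dependency inventory: what a lockfile parser would hand over.
PACKAGES = [
    {"asset": "api-service", "ecosystem": "PyPI", "name": "example-http", "version": "1.2.0"},
    {"asset": "api-service", "ecosystem": "npm", "name": "example-utils", "version": "4.0.1"},
    {"asset": "forked-repo", "ecosystem": "PyPI", "name": "example-http", "version": "1.2.0"},
]

OWNED_ASSETS = {"api-service"}  # assets with proven ownership (assumption)

# Constructed response in querybatch shape: positional, one entry per included query.
RESPONSE_SAMPLE = json.dumps({
    "results": [
        {"vulns": [{"id": "GHSA-0000-0000-0001", "modified": "2024-03-04T00:00:00Z"}]},
        {},
    ]
})


def build_querybatch(packages, owned_assets):
    """Return (request_body, included). Packages on assets without proven
    ownership are dropped before any query is built, so nothing about them
    ever leaves the tenant; this is the gate, not a post-filter."""
    included = [p for p in packages if p["asset"] in owned_assets]
    body = {"queries": [
        {"package": {"name": p["name"], "ecosystem": p["ecosystem"]},
         "version": p["version"]}
        for p in included
    ]}
    return body, included


def proposed_findings(included, response_json):
    """Zip the positional results back onto the included packages and emit one
    finding per vulnerability, always in 'proposed' status for human review.
    A length mismatch means the response cannot be trusted to line up."""
    results = json.loads(response_json)["results"]
    if len(results) != len(included):
        raise ValueError(f"expected {len(included)} results, got {len(results)}")
    findings = []
    for pkg, res in zip(included, results):
        for v in res.get("vulns", []):
            findings.append({
                "asset": pkg["asset"],
                "package": f"{pkg['ecosystem']}/{pkg['name']}@{pkg['version']}",
                "vuln_id": v["id"],
                "modified": v.get("modified"),
                "status": "proposed",  # never 'confirmed' without a reviewer
            })
    return findings


if __name__ == "__main__":
    body, included = build_querybatch(PACKAGES, OWNED_ASSETS)
    print(json.dumps(body))  # this is what would be POSTed to /v1/querybatch
    for f in proposed_findings(included, RESPONSE_SAMPLE):
        print(f)
```

Two details matter in practice: querybatch results are positional, so the code checks the result count against the query count before pairing them, and the ownership filter runs before the request is built rather than over the results.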
Prove
Show your work
Continuous compliance
Map controls to NIST CSF, score coverage transparently, and let automated control tests propose evidence and status changes for your review.
Executive reporting & trends
Track posture over time and generate board-ready reports, with an optional governed AI narrative you stay in control of.
Operate
Run the program day to day
Third-party & vendor risk
Inventory vendors, assess them by questionnaire or LLM-parsed documents, and rate them with the same transparent scoring as everything else.
Tabletop exercises
Draft incident tabletop scenarios per risk, with injects and discussion prompts, ready to run with your team.
Integrations
Connect GitHub for branch-protection and dependency signal, and wire up SAML SSO through Zitadel. Credentials are encrypted per org.
Ask Scutty
A grounded AI analyst that reads your data through tenant-isolated tools and proposes changes. It never auto-commits, and your team always decides.
European by design
Your data, your keys, your rules.
Scut is built in the European Union and keeps your data in the EU by default. Privacy is the starting point, not an add-on, and you stay in control of where your data lives, who can read it, and what leaves.
Built in the EU
Developed in the European Union, with your data kept in the EU by default. GDPR is the baseline we design to, not an upsell.
Right to be forgotten
Ask us and your organization's data is fully deleted across every table. Erasure is a first-class operation, not a support ticket.
Bring your own AI keys
Supply your own AI provider keys and choose which models are allowed per org. Your prompts and data are never locked to one vendor.
A rich, open API
A full public API with scoped keys and webhooks. Your data is yours to read, export, and build on top of.
Built for trust
See where you actually stand.
Start with your real architecture and let the risk, the intel, and the evidence line up behind it.