Scut
Risk-first posture management

See your real risk, act on it, prove it.

Scut builds a living risk register from your real architecture, correlates it with current threat intelligence, and keeps your control evidence honest. Every AI-derived asset, risk, and finding is proposed for review, never written to your register on its own.


Approach: Risk-first
Hosting: EU by default
AI: Proposes, humans dispose
Platform: Open API + webhooks
Assess

Get the real picture in

Onboarding & risk extraction

Feed in architecture diagrams, policies, and product context. An LLM proposes candidate assets, data flows, and risk scenarios to a review queue, so nothing enters your register unreviewed.

Architecture & data-flow mapping

Turn what you upload into a living map of assets and data flows, each tagged with sensitivity, so you can see where the crown jewels actually sit.

Understand

Make sense of the risk

A living risk register

Scenarios are scored on an explainable likelihood-by-impact matrix, with mitigations, controls, and residual risk shown alongside the inherent score. The math is transparent, not a black box.

Threat modeling

Generate STRIDE and attack-tree models grounded in your real architecture, tagged to MITRE ATT&CK and linked back into the register.
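As an added illustration of how a data-flow map can seed a STRIDE model (example code written for this page, not Scut's own implementation), the block below applies the standard STRIDE-per-element table to a small constructed map. The map format (element kinds, trust zones, a four-level sensitivity scale) is assumed for the example; flows that cross a trust-zone boundary while carrying confidential data, and disclosure of confidential stores, are flagged high priority. ATT&CK tagging and attack-tree generation are not shown.

```python
"""STRIDE-per-element candidates from a data-flow map.

Added example, not Scut's code. The map format (element kinds, trust zones,
sensitivity labels) is assumed for illustration; the kind-to-category table
is the standard STRIDE-per-element one.
"""
from dataclasses import dataclass

# Standard STRIDE-per-element table: which categories apply to which kind.
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity: spoofing, repudiation
    "process": "STRIDE",   # process: all six
    "store": "TRID",       # data store: tampering, repudiation, disclosure, DoS
    "flow": "TID",         # data flow: tampering, disclosure, DoS
}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}
# Assumed sensitivity scale, lowest to highest.
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # external | process | store
    zone: str          # trust zone the element lives in
    sensitivity: str = "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    sensitivity: str = "internal"


def stride_candidates(elements, flows):
    """Return candidate threats with a rationale; proposes, never writes."""
    zone = {e.name: e.zone for e in elements}
    out = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            # Disclosure of a confidential-or-above element is the crown-jewel case.
            high = c == "I" and RANK[e.sensitivity] >= RANK["confidential"]
            out.append({"target": e.name, "category": CATEGORY[c],
                        "priority": "high" if high else "normal",
                        "why": f"{e.kind} elements are exposed to {CATEGORY[c].lower()}"})
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        for c in STRIDE_PER_ELEMENT["flow"]:
            high = crosses and RANK[f.sensitivity] >= RANK["confidential"]
            why = (f"crosses trust boundary {zone[f.src]} -> {zone[f.dst]}"
                   if crosses else "stays inside one trust zone")
            out.append({"target": f"{f.src} -> {f.dst} [{f.data}]",
                        "category": CATEGORY[c],
                        "priority": "high" if high else "normal", "why": why})
    return out


def high_priority(candidates):
    return [c for c in candidates if c["priority"] == "high"]


# Constructed sample map (not a real system).
SAMPLE_ELEMENTS = [
    Element("browser", "external", "internet", "public"),
    Element("api", "process", "dmz", "internal"),
    Element("userdb", "store", "core", "restricted"),
]
SAMPLE_FLOWS = [
    Flow("browser", "api", "login form", "confidential"),
    Flow("api", "userdb", "user records", "restricted"),
]

if __name__ == "__main__":
    for c in stride_candidates(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        print(f'{c["priority"]:6} {c["category"]:24} {c["target"]}: {c["why"]}')
```

On the sample map this yields 18 candidates, 7 of them high priority: the two boundary-crossing flows and disclosure of the restricted store. Everything else is a normal-priority prompt for the reviewer to keep, refine, or discard.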

Stay ahead

Watch what is moving

Threat-intel correlation

CISA KEV, NVD, and MITRE ATT&CK matched to your stack by tech tags, surfacing exposure that matters instead of a raw CVE firehose.

Scanning & OSV dependencies

Passive hygiene checks and OSV dependency scanning, gated behind proven asset ownership. Findings are proposed back, never applied silently.
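The two mechanisms above, tag-based intel correlation and ownership-gated scanning, can be shown together on constructed data. The block below is an added example written for this page, not Scut's code: the feed mimics the field names of CISA's KEV JSON with placeholder vendors, products and CVE ids that are not real vulnerabilities, and the asset record format, the `vendor/product` tag convention and the `ownership_verified` flag are assumptions. How ownership is proven is out of scope.

```python
"""Correlate a KEV-shaped feed with an asset inventory by tech tag.

Added example, not Scut's code. KEV_SAMPLE is constructed in the shape of
CISA's KEV JSON (real field names; placeholder vendors, products and CVE ids
that are not real vulnerabilities). Asset records, the tag format and the
ownership flag are assumed for illustration.
"""
import json
from datetime import date

KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "Example Corp", "product": "Gateway",
   "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "Example Corp", "product": "Build Tool",
   "dateAdded": "2026-02-20", "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "Example Corp", "product": "Mailer",
   "dateAdded": "2026-02-01", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed inventory; tech_tags use the normalized form produced by tech_tag().
ASSETS = [
    {"name": "edge-vpn", "tech_tags": {"examplecorp/gateway"}, "ownership_verified": True},
    {"name": "ci-runner", "tech_tags": {"examplecorp/buildtool"}, "ownership_verified": False},
    {"name": "wiki", "tech_tags": {"other/wiki"}, "ownership_verified": True},
]
AS_OF = date(2026, 2, 25)  # fixed "today" so the example is reproducible


def tech_tag(vendor, product):
    """Normalize vendor/product strings so feed and inventory agree."""
    def norm(s):
        return "".join(s.lower().split())
    return f"{norm(vendor)}/{norm(product)}"


def correlate(assets, kev, today):
    """One proposed finding per (asset, KEV entry) whose tech tags match."""
    findings = []
    for v in kev["vulnerabilities"]:
        tag = tech_tag(v["vendorProject"], v["product"])
        for a in assets:
            if tag not in a["tech_tags"]:
                continue
            overdue = date.fromisoformat(v["dueDate"]) < today
            ransomware = v.get("knownRansomwareCampaignUse") == "Known"
            findings.append({
                "asset": a["name"], "cve": v["cveID"], "tag": tag,
                "priority": "critical" if (ransomware or overdue) else "high",
                "status": "proposed",  # goes to the review queue, not the register
            })
    return findings


def scan_targets(assets):
    """Active checks (hygiene, dependency scans) run only on proven assets."""
    return [a["name"] for a in assets if a.get("ownership_verified")]


if __name__ == "__main__":
    for f in correlate(ASSETS, KEV_SAMPLE, AS_OF):
        print(f'{f["priority"]:8} {f["asset"]:10} {f["cve"]} ({f["tag"]})')
    print("scan targets:", scan_targets(ASSETS))
```

Note the asymmetry: `ci-runner` is still correlated with the feed because intel matching only reads the inventory, but it is excluded from `scan_targets` until ownership is proven, since an active check against an asset you cannot prove you own is an unauthorized scan of somebody else's system.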

Prove

Show your work

Continuous compliance

Map controls to NIST CSF, score coverage transparently, and let automated control tests propose evidence and status changes for your review.

Executive reporting & trends

Track posture over time and generate board-ready reports, with an optional governed AI narrative you stay in control of.

Operate

Run the program day to day

Third-party & vendor risk

Inventory vendors, assess them by questionnaire or LLM-parsed documents, and rate them with the same transparent scoring as everything else.

Tabletop exercises

Draft incident tabletop scenarios per risk, with injects and discussion prompts, ready to run with your team.

Integrations

Connect GitHub for branch-protection and dependency signal, and wire up SAML SSO through Zitadel. Credentials are encrypted per org.

Ask Scutty

A grounded AI analyst that reads your data through tenant-isolated tools and proposes changes. It never auto-commits, and your team always decides.

European by design

Your data, your keys, your rules.

Scut is built in the European Union and keeps your data in the EU by default. Privacy is the starting point, not an add-on, and you stay in control of where your data lives, who can read it, and what leaves.

Built in the EU

Developed in the European Union, with your data kept in the EU by default. GDPR is the baseline we design to, not an upsell.

Right to be forgotten

Ask us and your organization's data is fully deleted across every table. Erasure is a first-class operation, not a support ticket.

Bring your own AI keys

Supply your own AI provider keys and choose which models are allowed per org. Your prompts and data are never locked to one vendor.

A rich, open API

A full public API with scoped keys and webhooks. Your data is yours to read, export, and build on top of.

Built for trust

Row-level tenant isolation in Postgres
Append-only audit log
Secrets stay server-side
AI proposes, humans dispose
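The "AI proposes, humans dispose" rule and the append-only audit log above are simple to state but easy to get wrong in code, so here is an added example (written for this page, not Scut's implementation) of the minimum shape that enforces them: a proposer, AI or human, can only enqueue; a register entry is created only by a human reviewer who is not the proposer; and every propose, approve and reject lands in a hash-chained log whose `verify()` fails if any entry is edited, dropped or reordered. The actor naming convention (`ai:` prefix), the tenant field check and the in-memory storage are assumptions; in Postgres the tenant scoping would be a row-level security policy, which is not shown.

```python
"""A proposal queue in front of a risk register, with an append-only audit log.

Added example, not Scut's code. Models "AI proposes, humans dispose":
proposers only enqueue, a human reviewer other than the proposer commits,
and every step is recorded in a hash-chained log. The "ai:" actor prefix,
tenant tagging and in-memory storage are assumptions for illustration.
"""
import hashlib
import json


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only: each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, tenant, actor, action, payload):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"tenant": tenant, "actor": actor, "action": action,
                "payload": json.loads(json.dumps(payload)),  # deep copy
                "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def for_tenant(self, tenant):
        return [e for e in self.entries if e["tenant"] == tenant]


class Register:
    """One tenant's risk register; items are written only via approve()."""

    def __init__(self, tenant, log):
        self.tenant = tenant
        self.log = log
        self.items = {}   # committed register entries, keyed by item id
        self.queue = {}   # pending proposals, keyed by proposal id
        self._seq = 0

    def propose(self, actor, item):
        """Anyone, including the AI analyst, may propose. Nothing lands in items."""
        self._seq += 1
        pid = f"{self.tenant}-p{self._seq}"
        self.queue[pid] = {"by": actor, "item": item}
        self.log.append(self.tenant, actor, "propose", {"id": pid, "item": item})
        return pid

    def approve(self, reviewer, pid):
        p = self.queue[pid]
        if reviewer.startswith("ai:") or reviewer == p["by"]:
            raise PermissionError("approval needs a human who is not the proposer")
        del self.queue[pid]
        self.items[p["item"]["id"]] = {**p["item"], "proposed_by": p["by"],
                                       "approved_by": reviewer}
        self.log.append(self.tenant, reviewer, "approve", {"id": pid})

    def reject(self, reviewer, pid, reason):
        if reviewer.startswith("ai:"):
            raise PermissionError("only humans decide")
        del self.queue[pid]
        self.log.append(self.tenant, reviewer, "reject", {"id": pid, "reason": reason})


if __name__ == "__main__":
    log = AuditLog()
    acme = Register("acme", log)
    pid = acme.propose("ai:scutty", {"id": "R-1", "title": "Unencrypted backup bucket"})
    acme.approve("alice", pid)
    print(acme.items, log.verify())
```

The two checks that matter are in `approve`: the register dictionary has no other writer, and the reviewer identity is tested against both the proposer and the AI prefix, so a model that has been given a reviewer's name in a prompt still cannot close its own loop. The hash chain is not a substitute for write-protected storage, but it makes silent edits to the log detectable by anyone holding the head hash.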

See where you actually stand.

Start with your real architecture and let the risk, the intel, and the evidence line up behind it.

Access is by invitation. Ask your organization's admin for an account.

Scut. Keeping your guard up, even against certifications.

© 2026 Scut