JupiterOne has launched Continuous Controls Monitoring, a product for security and compliance teams in cloud, SaaS and hybrid environments.
Live control checks
The offering, called JupiterOne CCM, is designed to help organisations determine whether security and compliance controls are operating as intended by testing them against live asset data. It is intended to replace manual evidence gathering and point-in-time reviews with a current view of control effectiveness.
Compliance shift
The launch reflects a broader shift in compliance work as companies seek to move beyond periodic attestations and static audit preparation. Many organisations still rely on multiple systems, manual configuration reviews and ad hoc evidence collection to assess whether controls remain effective after implementation.
Graph data model
JupiterOne CCM evaluates controls through a graph data model that links assets, identities and configuration relationships. Each test is visible to security teams and auditors, including the query used, the integration source and the test logic.
The approach builds on JupiterOne's existing platform, which includes more than 200 integrations. The platform is designed to evaluate controls across assets, identities, cloud resources, SaaS applications and security findings rather than treating each source in isolation.
AI queries
JupiterOne is also adding artificial intelligence to the product through a natural language interface. Teams can ask questions about control status, supporting evidence, drift and framework alignment and receive responses based on current data.
One issue the product targets is control drift, where settings or conditions change over time and weaken a control's effectiveness. In practice, that can leave framework managers, control owners and asset owners trying to prove compliance through screenshots, spreadsheets and manually assembled records.
JupiterOne says the product can continuously evaluate controls, maintain audit evidence from current data sources and map controls across multiple frameworks, including SOC 2, ISO, NIST, FedRAMP and HIPAA.
Kevin Tonkin, Chief Product Officer at JupiterOne, outlined the company's view of shortcomings in existing compliance processes.
"Most organizations can show that a policy exists. Far fewer can prove, at any moment, that the control behind that policy is actually working," said Kevin Tonkin, Chief Product Officer at JupiterOne.
He said security teams need a different approach from traditional governance, risk and compliance systems.
"GRC tools were built to manage compliance workflow. Security teams need something different - a way to prove that the technical controls behind every policy are actually working, in environments that change by the hour. JupiterOne CCM brings a security lens to GRC," said Tonkin.
JupiterOne positions the product as an extension of its graph-based approach to security data. The company argues that linking technical assets and controls within the same data structure gives users a way to trace both risk and supporting evidence across changing environments.
Earlier JupiterOne launches included AI Attack Surface Management and Unified Vulnerability Management. With CCM, the company is tying together asset visibility, vulnerability context and control testing within the same platform.
That could matter for organisations in regulated sectors, where audit scrutiny often extends beyond whether a policy has been documented to whether a control can be shown to work in practice. A central challenge for many teams is producing current, defensible evidence without long manual collection cycles.
JupiterOne says feedback from early customers pointed to demand for faster answers on control effectiveness and less manual evidence gathering. The product is intended to give security and compliance teams a more immediate view of whether controls remain aligned to policy and framework requirements.
The release adds another product category to a market where compliance automation tools have largely focused on workflow and documentation. JupiterOne is seeking to differentiate itself by centring the product on live operational data rather than records prepared for audits.
JupiterOne says CCM helps teams monitor control performance, maintain supporting evidence and respond when controls drift from their intended state.