Private preview · live · rev 0.0.4 · build 2026-04-17 · PRs reviewed: 12,847 · findings (24h): 3,291
Now in private preview · 7 design partners

Your next pull request ships a misconfigured security group to production. We catch it first.

OpsArmor Gate reviews every PR that touches cloud config. Blast radius and fix diff posted as a comment — before merge.

SOC 2 Type II in progress  ·  GDPR-aligned  ·  Self-host option

12,847 PRs reviewed across 7 design-partner organizations
4.1% Mean false-positive rate — every finding points to a real path
< 2s Median PR-comment latency from push to posted diff

§03 Six capabilities, live in preview — one GitHub App.

No modules to buy. No add-ons to price. The list below is the product — and the numbers we hold ourselves to.

Terraform plan → attack graph

Gate parses every plan touching IaC, IAM, security groups, or bucket policies and scores changes against CIS, NIST, and SOC 2 — reasoning, not checklists.

Plan: 2 to add, 1 to change, 0 to destroy.
- aws_security_group.db_prod.cidr_blocks[0]
+ aws_security_group.db_prod.cidr_blocks[0] = "0.0.0.0/0"
+ aws_db_instance.orders_prod (publicly reachable)

Blast-radius graph

Identity, data flow, and network reachability modeled as one graph. Gate names the prod resources that actually become reachable.

IAM change diffs

Every role change in the PR annotated with what new permissions it unlocks — and who inherits them. (Continuous drift scans land Q3 '26.)

Bucket-policy checks

Public ACLs, wildcard principals, cross-account exports. Flagged with one-line rationale.

One PR, one comment, one suggested diff

Gate posts exactly one comment per pull request — what changed, new attack paths, prod resources reachable, and a suggested tightening. No drift into ten duplicate alerts.

blast radius · fix diff · compliance matches · audit trail

OIDC & secrets

GitHub OIDC federation, short-lived tokens, zero stored cloud keys in your CI.

§04 From pull request to shipped fix, in four steps.

Install once. First findings within the next PR. Gate stays read-only — your team writes the fix.

  1. Plan scanned.

    Gate reads the Terraform / Pulumi / AWS CDK plan on every pull request. Parse, normalize, hash.

  2. Graph built.

    Identity, network, and data-flow edges reconciled against your live cloud metadata. Read-only, least-privilege role.

  3. Rule matched.

    Policy engine runs on the delta only — CIS, NIST, SOC 2, plus your own rules. Highlights the exact line.

  4. Comment posted.

    One comment per PR. Blast radius, fix diff, compliance matches, signed audit bundle. You approve or you don't.

§05 Works with your IaC.

The same policy, rendered three ways. Pattern-match in your stack — Gate reads Terraform, Pulumi, and AWS CDK.

policy/db_prod.{tf,py,ts} · read-only · matched on diff

db_prod.tf

resource "aws_security_group" "db_prod" {
  name        = "db-prod"
  description = "Postgres — prod"

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]  # internal only
  }
}

db_prod.py

import pulumi_aws as aws

db_prod = aws.ec2.SecurityGroup(
    "db-prod",
    description="Postgres — prod",
    ingress=[{
        "from_port":   5432,
        "to_port":     5432,
        "protocol":    "tcp",
        "cidr_blocks": ["10.0.0.0/8"],
    }])

db_prod.ts

import { SecurityGroup, Peer, Port } from "aws-cdk-lib/aws-ec2";

const dbProdSg = new SecurityGroup(this, "DbProdSg", {
  vpc,
  description: "Postgres — prod",
  allowAllOutbound: false,
});
dbProdSg.addIngressRule(
  Peer.ipv4("10.0.0.0/8"),
  Port.tcp(5432),
);

Gate flags the identical policy violation in all three — CIS AWS 4.1 · SOC 2 CC6.6.
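The plan-delta check described in §03 and the one policy shown three ways above, as an added Python example that is not OpsArmor's code: it scores only the changed security-group ingress rules of a constructed Terraform plan (the decoded `terraform show -json` shape), looks up attached resources in a constructed stand-in for live cloud metadata, and renders the blast radius with a suggested tightening.

```python
import ipaddress
import json

# Constructed sample of a decoded `terraform show -json` plan (not a real one): the
# PR widens db_prod's Postgres ingress from the internal range to the whole internet.
PLAN = {"resource_changes": [{
    "address": "aws_security_group.db_prod", "type": "aws_security_group",
    "change": {"actions": ["update"],
               "before": {"ingress": [{"from_port": 5432, "to_port": 5432,
                                       "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
               "after": {"ingress": [{"from_port": 5432, "to_port": 5432,
                                      "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}}]}
# Constructed stand-in for live cloud metadata: which resources carry each group.
ATTACHMENTS = {"aws_security_group.db_prod": ["aws_db_instance.orders_prod"]}

def is_public(cidr):
    """True for 0.0.0.0/0, ::/0, or any prefix outside the private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private

def rule_cidrs(rule):
    return (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])

def widened_rules(plan, attachments):
    """Score the delta only: ingress CIDRs public after the change and absent before."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc["type"] != "aws_security_group" or not change.get("after"):
            continue  # not a security group, or the group is being destroyed
        before = {c for r in (change.get("before") or {}).get("ingress") or []
                  for c in rule_cidrs(r)}
        for rule in change["after"].get("ingress") or []:
            new_public = [c for c in rule_cidrs(rule) if is_public(c) and c not in before]
            if new_public:
                findings.append({"address": rc["address"], "port": rule["from_port"],
                                 "proto": rule["protocol"], "cidrs": new_public,
                                 "was": sorted(before),
                                 "reachable": attachments.get(rc["address"], [])})
    return findings

def render_comment(findings):
    """One comment body: blast radius plus a suggested tightening per finding."""
    out = []
    for f in findings:
        out.append(f"{f['address']}: {f['proto']}/{f['port']} open to {', '.join(f['cidrs'])}")
        out.append("  newly reachable: " + (", ".join(f["reachable"]) or "nothing attached"))
        out.append(f"  - cidr_blocks = {json.dumps(f['cidrs'])}")
        out.append(f"  + cidr_blocks = {json.dumps(f['was'] or ['<internal CIDR>'])}")
    return "\n".join(out)
```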

§06 Changelog.

Reverse-chronological. Dates on the left. In preview while Gate rolls out across design partners — GA items move up the list as they ship.

In preview

Gate — blast-radius PR comments

GitHub App reads IaC diffs, models reachability across identity and network, posts one comment per PR. Three IaC languages supported — Terraform, Pulumi, AWS CDK.

Shipping

Cloud posture + attack-path graph

Multi-cloud inventory, misconfiguration detection, blast-radius reasoning across identity and network. Powers every Gate finding.

Planned

AI Ops — autonomous SRE

Incident co-pilot with runbook execution and post-incident reports. Human-in-the-loop by default. Signed actions, guardrailed autonomy.

§07 Pricing. Per developer. No "call us" under $100k.

Per-contributing-developer, with seat minimums so small teams stay affordable and big teams pay fairly. Preview pricing — design-partner rates lock for 12 months from GA. New teams join through the waitlist while items marked Q3 '26 ship before GA.

Preview pricing · GA Q3 2026. Gate is live across 7 design-partner orgs today. New customers join through the preview waitlist while compliance & enterprise controls ship before GA.

Free

$0 · forever

Up to 5 devs · solo & OSS

  • 1 private repo · unlimited public
  • 200 PR scans / month
  • Terraform only
  • 30-day audit log
  • SSO · SOC 2 · on-prem
Join free waitlist

Team · Most popular

$29 / dev / mo monthly · $23 / dev / mo billed annually

Monthly: min 10 devs · $290/mo floor. Annual: min 10 devs · billed annually · saves 20%

  • Unlimited private repos
  • Unlimited PR scans
  • Terraform · Pulumi · AWS CDK
  • 90-day audit log
  • Jira & Linear sync (Q3 '26)
Join team waitlist

Business

$59 / dev / mo monthly · $47 / dev / mo billed annually

Monthly: min 20 devs · $1,180/mo floor. Annual: min 20 devs · billed annually · saves 20%

  • Everything in Team
  • Unlimited audit retention
  • Kubernetes manifests (Q3 '26)
  • Hourly drift detection (Q3 '26)
  • SSO · SOC 2 · 99.9% SLA (Q3 '26)
Join business waitlist

Enterprise

Talk to us

annual · custom seats

  • Everything in Business
  • On-prem / self-host
  • Custom policies · named CSM
  • SIEM export · ISO 27001 (Q3 '26)
  • 99.95% SLA (Q3 '26)
Join enterprise waitlist

Read-only to your cloud. Ever. Seats = humans who push config changes; bots and service accounts are free. Pricing covers OpsArmor Gate only — the broader posture & attack-path platform is sold separately.

Private preview · waitlist only

Join the preview waitlist.

Tell us which cloud, which IaC, and where Gate would help first. We’re onboarding new teams through the waitlist and replying in batches.

Waitlist only. We use your email to follow up about preview access — nothing else.