The Complete Security Assessment & Compliance Platform
43+ frameworks, 14 connectors, 6 GRC modules, cross-framework mappings, certification campaigns, evidence vault, continuous compliance engine with drift detection — in one platform.
Multi-Framework Assessment Engine
43+ cybersecurity, AI governance, and cloud compliance frameworks. 8-stage workflow with task boards, PDF reports, and multi-user collaboration.
55 Frameworks
IRAP, Essential Eight, NIST CSF 2.0, ISO 27001:2022, SOC 2, PCI DSS 4.0, GDPR, DORA, NIS2, HIPAA, CIS v8, CMMC 2.0, 10 AI governance, and more.
8-Stage Workflow
CREATED → PLANNING → IN_PROGRESS → REVIEW → REMEDIATION → VALIDATION → COMPLETED → ARCHIVED with task boards and approvals.
AI Gap Analysis
Activitee AI Assessment Engine analyses control responses, identifies gaps, suggests remediation steps, recommends compensating controls, and highlights evidence to collect.
PDF Reports
One-click export: executive summary, control-level findings, risk heatmap, remediation roadmap. Branded with organisation logo.
Team Collaboration
Assign controls to team members, set due dates, track completion. Real-time progress dashboard with per-assessor metrics.
Analytics Dashboard
Compliance trend lines, framework comparison, risk distribution charts. Track maturity improvement over time.
Agentless Cloud Security Checks
26 automated compliance checks against Entra ID, AWS IAM, Okta, and Google Workspace. Scheduled runs, auto-created findings, evidence auto-collection.
Entra ID — 8 Checks
MFA status, stale accounts, guest access review, Conditional Access coverage, privileged role assignments, PIM eligibility.
AWS IAM — 8 Checks
Root account MFA, access key rotation, unused IAM users, S3 policies, CloudTrail, password policy compliance.
Okta — 5 Checks
MFA enrollment, inactive users, admin role review, password policy audit, application assignment compliance.
Google Workspace — 5 Checks
2SV enforcement, drive sharing, admin roles, MDM, third-party app access.
Internal Checks
Evidence freshness, compliance regression, access review currency, privileged audit, config drift detection.
Scheduled & Auto-Stored
Daily/weekly/monthly runs. Findings auto-create. Results stored as versioned evidence mapped to controls.
Audit-Ready Evidence Lifecycle
Continuously collects, versions, and maps evidence to controls — ready in minutes, not weeks.
6 GRC Modules — Included Free
Full CRUD, org isolation, stats dashboards, create modals. No add-on fees.
Risk Register (FAIR)
5×5 matrix. SLE × ARO = ALE. Mitigate, Accept, Transfer, Avoid. Auto-generated risk IDs.
Vendor Risk (VRM)
SOC 2/ISO/GDPR/DPA status per vendor. Risk scoring, review cadence. Competitors charge $5-15K/yr extra.
Policy Library
Version-controlled policies mapped to controls. Draft → Review → Published → Retired.
Compliance Calendar
Certification renewals, audit windows, deadlines. Overdue highlighting, recurrence scheduling.
AI Gap Analysis
Activitee AI Engine: maturity scoring (0-5 CMM), effort/cost estimates. AI findings with transparency icon.
Security Training
2-section modules (Content + Knowledge Check). PDF upload, AI generation, or manual entry. Interactive viewer with pagination, quiz scoring, and My Training portal. Mapped to ISM-0252, NIST AT-2.
5-Stage Access Certification Workflow
Automated stage progression with email notifications to owner and certifier at every stage.
5 Email Notifications
Activation, reminder, due, overdue, completion. Branded HTML with stage progress bars.
Configurable Day Windows
Set per-stage day limits. Daily scheduler (6AM) auto-progresses. SoD violation detection.
Rubber-Stamp Detection
Identify auto-approvers. Bulk certify/revoke. Compensating controls for exceptions.
Data Privacy & Consent Management
GDPR Article 30, Privacy Act/APP, ISO 27701 ready.
Data Registry (ROPA)
Classification, legal basis, storage, retention, cross-border tracking.
Consent Records
Purpose, method, version, IP, expiry, withdrawal. 9 consent methods.
Subject Requests
Access, erasure, portability, rectification. 30-day SLA tracking.
Breach Incidents
10 types, 72h authority notification, cross-border impact assessment.
Assess Once, Comply With Many
45+ pre-verified mappings. Coverage percentages and strength indicators.
DORA & NIS2 — Built In
24 DORA controls + 16 NIS2 controls. Cross-mapped to ISO, NIST, PCI DSS, GDPR.
Continuous Compliance Engine — Never Scramble for an Audit Again
Activitee doesn't just assess your compliance at a point in time — it monitors it continuously. Your compliance posture is scored every hour, evidence expiry is tracked automatically, and drift is detected before your auditor finds it.
Compliance Pulse Score
A real-time 0–100 score per framework, updated hourly. Watch compliance improve over time with trend tracking and board-ready dashboards.
Evidence Lifecycle
Every piece of evidence has a validity window. Activitee tracks expiry, sends renewal reminders, and auto-creates tasks — so nothing slips through the cracks.
Drift Detection
Detects when compliance drifts: expired evidence, overdue training, degraded controls, offline connectors. Alerts are severity-graded and actionable.
Auto-Remediation
When evidence expires, linked controls auto-degrade. When training lapses, ISM-0252 and NIST AT-2 controls are flagged. Critical alerts escalate after 7 days.
Posture Dashboard
One screen shows overall score, framework-level breakdown with trends, evidence health bar, training compliance, and active drift alerts. CISO-ready.
Assess Once, Comply Many
Evidence collected for one framework automatically satisfies overlapping controls in others — saving up to 35% effort for multi-framework organisations.
OT, ICS & Critical Infrastructure — 9 Frameworks, 165 Controls
Purpose-built assessment support for energy, utilities, manufacturing, and critical infrastructure.
IEC/ISA 62443
Gold standard for IACS. Zones, conduits, Security Levels SL 1-4. Asset owners, integrators, suppliers. 5 domains, 23 controls.
NIST SP 800-82 Rev 3
Guide to OT Security (2023). ICS, SCADA, DCS, PLCs, safety systems. Maps to NIST 800-53. 5 domains, 17 controls.
NERC CIP
Mandatory for Bulk Electric System. CIP-002 to CIP-013: asset categorisation, ESP, supply chain. 10 domains, 26 controls.
AESCSF
Australian Energy Sector (AEMO). C2M2 + NIST CSF, mapped to ISM & Essential Eight. SP-1/2/3. 5 domains, 16 controls.
C2M2
US DOE maturity model (MIL 0-3). 10 domains for utilities, oil & gas, pipelines. Parent of AESCSF. 20 controls.
ISO/IEC 27019
Energy-utility extension of ISO 27002. Process control for electricity, gas, heat. 4 domains, 13 controls.
CISA CPGs
Voluntary baseline for US critical infrastructure. Outcome-focused, mapped to NIST CSF. 6 domains, 15 controls.
SOCI Act / CIRMP
Australian mandatory CIRMP for 11 sectors. Accepts NIST CSF, AESCSF, ISO 27001, Essential Eight. 6 domains, 17 controls.
MITRE ATT&CK for ICS
Adversary behaviour model for OT. Threat-informed assessments, purple-teaming. 5 tactics, 18 controls.
Your Entire Identity Ecosystem
Bidirectional connectors for identity aggregation and compliance monitoring.
Active Directory
Users, groups, OUs via LDAP/LDAPS.
Entra ID
Graph API: users, groups, roles, MFA.
Okta
Users, groups, apps, factor enrollment.
Google Workspace
Admin SDK: users, groups, 2SV, licenses.
OpenLDAP
Standard LDAP with TLS support.
AWS IAM
Users, roles, policies, access keys.
GCP IAM
Service accounts, roles, bindings via Cloud Resource Manager API.
Azure IAM
RBAC assignments, managed identities.
Jira
Users, groups, project roles, permissions.
GitHub
Members, teams, repos, SSO identities.
SCIM 2.0
Slack, Zoom, Box, Salesforce. RFC 7644.
ServiceNow
Users, groups, roles, ITSM flows.
EmploymentHero
HRMS sync: joiners, leavers, movers. Auto-provision and disable. Departments, titles, managers.
SAP SuccessFactors
OData v2 API. Employee Central sync: joiners, leavers, managers, departments, job info. SAML Bearer auth.
Workday HCM
REST API + RaaS. Workers + contingent sync: joiners, leavers, supervisory organisations, locations, job profiles. OAuth 2.0 or ISU.
Webhook
HTTP + 4 auth methods. Custom endpoints.
CSV Import
Bulk import, auto-detect 40+ aliases.
See It In Action
Book a personalised demo and see how Activitee can transform your compliance operations.
AI Document Intelligence for Evidence Vault
Upload any compliance document — Activitee automatically extracts controls, frameworks, findings, and metadata. Evidence is auto-linked to assessment controls, eliminating manual tagging.
Smart Document Parsing
Upload a pen test report, policy document, or audit finding — Activitee identifies ISM, ISO 27001, SOC 2, NIST CSF, Essential Eight, GDPR, DORA, and EU AI Act control references automatically.
Auto-Link to Controls
Parsed control codes are matched against active assessments and linked to the correct control responses — no manual mapping required. Works across all 43+ frameworks.
Compliance Metadata Extraction
Document type, author, scope, date, risk rating, findings, and confidence score — all extracted and saved as searchable evidence metadata.
16 Document Types Recognised
Penetration test reports, vulnerability scans, access reviews, policies, IRPs, SOC 2 reports, configuration baselines, DPAs, change management records, backup tests, PAM reports, and more.
Cybersecurity Training Modules — Built In
Full training lifecycle from content creation to knowledge assessment. Upload PDF training material, generate AI-powered quizzes, or write content manually. Users complete training in an interactive viewer with progress tracking.
2-Section Modules
Every training module has two sections: Training Content (the learning material) and Knowledge Check (the assessment). Each section supports three content sources independently.
3 Content Sources
Upload a PDF (auto-converted to interactive HTML), generate AI content (category-specific quiz banks), or manually enter HTML/question content. Mix and match per section.
Interactive Viewer
Paginated HTML content split by headings. Progress bar, section tabs, Previous/Next navigation. Knowledge check with clickable quiz options and automated scoring.
My Training Portal
User-facing dashboard: Pending/In Progress/Completed tabs. Due dates, mandatory/optional badges, overdue alerts. Graduation cap icon in top navigation.
Compliance Mapping
Training modules mapped to ISM-0252, NIST AT-2, ISO 27001 A.6.3, CPS 234. Completion records serve as assessment evidence.
Org-Scoped Analytics
Completion rates, overdue tracking, category breakdown. Training assignments with recurrence (annual, quarterly, one-time). Role-based training campaigns.
Activitee AI Copilot — Reads Your Systems, Not Just Your Frameworks
The only compliance advisor that queries your live identity systems, explains every control in plain English, and gives personalised guidance for your industry, jurisdiction, and tech stack. Hybrid architecture: Layer 1 delivers instant data-driven guidance. Layer 2 unlocks conversational AI powered by the Activitee AI Assessment Engine.
Layer 1: Instant Guidance (Free)
Plain-English control explanations, personalised action items for your tech stack (Microsoft 365, AWS, Google), evidence checklists, effort estimates, and cross-framework control mapping. Always available, instant response, zero API cost.
Layer 2: Conversational AI
Ask follow-up questions in natural language. "How do I configure Conditional Access in Entra ID?" — gets a step-by-step answer contextualised to your organisation's data, connected systems, and current compliance posture.
Live System Status
Auto-queries your connected identity systems for real-time compliance data. MFA enrollment, orphan accounts, SoD violations, vendor risk levels, training completion, evidence freshness — all checked per control.
"Check This For Me"
One-click auto-assessment for 11 control types. Queries AD, Entra ID, AWS IAM, and platform data. Returns ✅/⚠️/❌ findings with specific member names and counts — not just pass/fail.
Data Centre & Critical Hardware Infrastructure
10 frameworks covering data centre operations, physical infrastructure, energy efficiency, and sovereignty requirements across US, Canada, EU, Singapore, and Australia — including 3 Australian-specific frameworks.
AU HCF — Hosting Certification
Australian Government framework for certifying DCs hosting government data. Certified Assured (PROTECTED) and Certified Strategic (PROTECTED+). PSPF zones, AGSVA clearances, data sovereignty, IRAP assessment.
NABERS DC — Energy Rating
Mandatory 5-star energy rating for AU Government DC providers from mid-2025. PUE targets (<1.4 new builds), GreenPower sourcing, NGER emissions reporting, cooling efficiency.
AU DC National Interest
2025 framework for hyperscale and AI compute facilities. Sovereignty, grid stability (AEMC), water sustainability, workforce investment, SOCI Act compliance.
TIA-942 (US)
Data centre infrastructure standard. Tier I-IV classification covering electrical (UPS, generators), mechanical (cooling, fire), structured cabling, and physical security.
Uptime Institute Tier
Global reliability classification. Tier I (99.671%) to Tier IV (99.995% — fault tolerant). Covers power, cooling, and operational sustainability certification.
EN 50600 (EU)
European standard for DC design and operation. Availability classes, PUE/WUE, physical security zones, DCIM, and EU energy taxonomy alignment.