Enterprise Risk Management Platform

The AI platform that runs your entire risk lifecycle

From infrastructure code to board-ready risk report — Citadel automates threat modeling, risk scoring, control tracking, and compliance posture in one unified platform. No spreadsheets. No silos.

AI-powered throughout 6 compliance frameworks Tenable · Rapid7 · Jira · Terraform Enterprise RBAC + SSO
app.citadel.antumsecure.com / dashboard
Live
TOTAL RISKS
47
↑ 3 this week
CRITICAL
7
Needs review
MITIGATED
22
↓ 23% QoQ
COMPLIANCE
84%
Avg. 6 frameworks
AI Insight 2.8s ago

Risk drift detected: 3 residual scores exceeded appetite thresholds since last review. Payment Gateway risk now Critical.

Anomaly View affected risks →
Top Open Risks
SQL Injection — Payment API Critical Review
Hardcoded JWT Secret Critical Open
Over-Privileged IAM Role High Review
PII Leaked in API Errors Medium Mitigated
Compliance Posture
ISO 2700191%
PCI-DSS v478%
SOC 284%
NIST SP 800-5367%
The Problem

Risk management is broken
for most security teams

Security analysts spend the majority of their time filling templates and chasing status updates — not reducing actual risk.

4–6 hours per risk record

Manually linking threats, scoring likelihood and impact, writing summaries, mapping controls — every single record. Teams document three risks a week, if they're lucky.

Spreadsheets diverge the moment they're shared

No audit trail. No version control. Owners change, cells overwrite, nothing is traceable. Auditors ask for evidence nobody can find.

Compliance gaps discovered pre-audit, not year-round

Most teams find NIST, ISO, and PCI gaps the week before an audit — not throughout the year. It becomes a fire drill every quarter.

Scanner findings float unlinked to risk

Tenable and Rapid7 produce thousands of findings. None of them automatically feed into your risk register or change your scores. That connection is made manually, or not at all.

Threat modeling is a once-a-year exercise, not a pipeline

Infrastructure changes every sprint. Threat models don't. There is no connection between your Terraform code and your risk register — so your risk picture is always months out of date.

One Platform

The full risk lifecycle — connected

Citadel connects the dots between infrastructure, threats, vulnerabilities, controls, and compliance — so nothing falls through the gaps.

Infrastructure
Terraform
CloudFormation
Tenable · Rapid7
Threat Model
AI DFD generation
STRIDE · PASTA
Attack Trees
Risk Register
AI scoring
Dual score model
Workflow states
Controls & Mitigations
15 deployment scopes
Effectiveness tracking
Jira · ServiceNow
Compliance Posture
6 frameworks
Evidence collection
Gap analysis
Dashboard & Reporting
AI insights
Anomaly detection
Board-ready exports

AI at every step

AI isn't an add-on — it's embedded in threat modeling, risk scoring, descriptions, attack tree review, asset summaries, mitigation recommendations, and the live dashboard. Native, not bolted on.

Scanner-to-risk pipeline

Tenable.io, Tenable.sc, and Rapid7 InsightVM findings are automatically imported and feed directly into risk scoring — no manual copy-paste between tools. Vulnerabilities become risk inputs the moment they're discovered.

Configurable, not rigid

Custom frameworks, configurable risk workflows with threshold-triggered automation, custom risk scales, and choice of AI provider (GPT-4o or Google Gemini). The platform adapts to your process, not the other way around.

AI Features

AI throughout — not bolted on

Every major workflow in Citadel has AI assistance built in. It's not a chatbot — it's native automation embedded at every step of the risk lifecycle.

Threat Model Generation

Paste Terraform or infrastructure state — Citadel generates a fully OWASP-compliant Data Flow Diagram and complete STRIDE classification automatically. No manual drawing.

AI Risk Descriptions

Select threats and vulnerabilities — Citadel drafts a complete, structured risk description automatically. Analysts review and refine, not write from scratch.

Attack Tree Review

Submit your attack tree in one click. Citadel's AI returns structured improvement suggestions, missing paths, and risk scoring adjustments — with cached results for performance.

Asset Risk Summaries

Generates executive-level exposure summaries per asset — combining threats, vulnerabilities, and active controls into a single readable narrative, cached for performance.

Mitigation Recommendations

Tailored remediation actions suggested per identified risk — not generic control templates. Each recommendation is contextualised to the specific threats and asset involved.

Dashboard Insights & Anomaly Detection

The live dashboard runs real-time anomaly detection, flags risk drift when scores exceed appetite thresholds, and surfaces AI-generated widget insights as your data changes.

Supports
OpenAI GPT-4o Google Gemini
— swap or configure models in settings, no redeployment required.
Product

See Citadel in action

Every screen you see is real — this is the platform your team will use from day one.

Secure
Risks Risk Register
JM
47Total Risks
7 Critical
18 High
22 Mitigated
Search risks…
Risk Asset Inherent Residual Status Owner
SQL Injection via Payment API
R-0041 · Updated 2h ago
Payment Gateway
20
12
In Review
JM
Hardcoded JWT Secret in Codebase
R-0039 · Updated 1d ago
Auth Service
20
18
Open
SR
Over-Privileged IAM Role — Lambda
R-0035 · Updated 3d ago
AWS Lambda
15
9
In Review
AL
PII Leaked in API Error Responses
R-0031 · Updated 5d ago
User API
12
3
Mitigated
KL
No Rate Limiting on Auth Endpoints
R-0028 · Updated 1w ago
Auth Service
9
9
Accepted
JM
Risks AI Risk Composer
AI Active
JM
RISK SQL Injection via Payment Gateway API Edit
Select affected assets
Payment Gateway API ✓ Selected
Application AWS · us-east-1 Confidential · PCI scope
C: 5 I: 5 A: 4 · Internet-facing
PostgreSQL — AppDB
Database · AWS RDS · Internal
S3 — prod-app-assets
Storage · AWS S3 · Internet-facing
Citadel AI
Inherent Score
20/ 25 · Critical
AI will generate
14 STRIDE threats
OWASP DFD diagram
Risk description draft
Mitigation suggestions
MITRE ATT&CK mapping
Threat Models
Infrastructure Input Terraform
resource "aws_api_gateway_rest_api" "payment_api" {
name = "payment-gateway"
description = "PCI-scoped payment API"
endpoint_configuration {
types = ["REGIONAL"]
}
}
resource "aws_lambda_function" "payment_handler" {
function_name = "payment-processor"
runtime = "python3.11"
role = aws_iam_role.lambda_exec.arn
}
resource "aws_db_instance" "payment_db" {
engine = "postgres"
instance_class = "db.t3.medium"
publicly_accessible = false
}
← 3 resources detected
STRIDE Analysis Generated · 2.8s
14 threats identified across 3 components
SSpoofing — API Gateway Identity
Attacker forges requests to payment API without valid auth headers. Missing request signing validation on REGIONAL endpoint.
MITRE: T1078 · Likelihood 4 · Impact 5
TTampering — Lambda Execution Role
Over-privileged IAM role allows Lambda to write to unintended resources. Policy wildcards detected in Terraform.
MITRE: T1098 · Likelihood 3 · Impact 4
IInfo Disclosure — DB Error Propagation
PostgreSQL errors may propagate to API response body, leaking schema information. No error sanitisation detected.
MITRE: T1213 · Likelihood 3 · Impact 3
+ 11 more threats — View full analysis →
Compliance Dashboard
ISO 27001:2022
93 controls mapped
91%
85 compliant5 partial3 gaps
PCI-DSS v4.0
264 requirements
78%
206 compliant46 partial12 gaps
SOC 2 Type II
5 trust services
84%
71 compliant6 partial7 gaps
NIST SP 800-53
20 control families
67%
54 compliant9 partial18 gaps
38 total gaps across 4 frameworks — visible all year
Gap analysis runs continuously as risks are documented. You'll never discover these the week before an audit again.
Integrations

Works with the tools your team already uses

All integrations include connection testing and credential validation before use — no blind configuration.

Infrastructure & IaC
Pulls state to feed AI threat model generation
Terraform Cloud Terraform Enterprise AWS CloudFormation Kubernetes YAML Azure Bicep
Vulnerability Scanners
Auto-imports assets and findings; feeds directly into risk scoring
Tenable.io Tenable.sc Rapid7 InsightVM
Vulnerability findings automatically feed into risk scoring — no manual copy-paste between tools.
Issue Tracking & ITSM
Push mitigations as tickets; sync vulnerabilities; publish threat models
Jira ServiceNow Confluence
Jira: push mitigations as tickets, pull vulnerabilities back
Confluence: publish threat models and controls as wiki pages
ServiceNow: open incidents or change requests for mitigations
Identity & Access
Enterprise SSO with automatic role sync on every login
Keycloak OIDC
6 built-in RBAC roles sync automatically on every login — no manual provisioning.
Compliance

Built for the frameworks
your auditors require

Track posture across all supported frameworks simultaneously — not one at a time, not pre-audit. Citadel maps controls automatically as risks are documented and keeps your posture score live all year.

Automatic control mapping

Controls link to framework requirements as you document risks — no manual cross-referencing spreadsheet required.

Evidence collection built in

Upload files, add URLs, or write notes — all linked directly to controls and accessible to auditors in a single export.

Real-time gap analysis

See what's unmapped — per asset or org-wide — all year. Gaps are visible the moment they appear, not the week before an audit.

NIST SP 800-53
20+ control families · Rev. 5
Full control family mapping with implementation status and evidence linkage.
ISO 27001:2022
93 controls · Annex A
Statement of applicability tracking with per-control compliance scoring.
PCI-DSS v4.0
264 requirements · 12 domains
Requirement-level mapping with cardholder data environment scoping.
SOC 2
5 Trust Service Criteria
TSC coverage tracking with evidence mapped to each common criterion.
CIS Controls
18 controls · v8
Implementation Group scoring with sub-control coverage visibility.
Custom Frameworks
Your own requirements
Define your own control frameworks via configuration. No code changes required.
Who It's For

Built for everyone in the risk workflow

Citadel serves every role in the security and compliance team — each with the right views and the right level of access.

Security Analyst

Run threat models and build attack trees in minutes. AI drafts documentation so you review and close, not write from scratch. Onboard in 2–3 days.

Risk Manager

Structured risk records with automatic dual scoring. Configurable workflows enforce your process. Full ownership and remediation tracking with immutable audit trails.

Compliance Officer

Live posture across 6 frameworks with evidence linked to every control. Gap analysis runs all year — not just the week before an audit.

CISO / Security Leader

Executive dashboard with AI-generated insights and risk drift alerts. Board-ready reports on demand. Full visibility without needing to dig through records.

DevSecOps Engineer

Paste Terraform, get a DFD and threat model instantly. Scanner findings from Tenable and Rapid7 flow into risk scoring automatically — risk management in the pipeline.

Auditor

Full read-only access to audit logs, evidence, control coverage, and risk history. Every change logged with user, IP, request UUID, and structured JSON diffs. Nothing is missing.

Enterprise-Ready

Built for enterprise security teams from day one

RBAC + Enterprise SSO

6 built-in roles — Admin, Analyst, Asset Owner, Auditor, Risk Manager, Viewer. Integrated with Keycloak OIDC; roles sync automatically on every login.

Immutable Audit Trail

Every create, update, delete, and workflow transition is logged with the user, IP address, request UUID, and structured JSON diffs. Nothing is ever lost.

Configurable Workflows & AI

Multi-stage workflows with threshold-triggered automation (e.g., auto-apply critical workflow when residual score exceeds threshold). Choose GPT-4o or Gemini — swap without redeployment.

70%
reduction in risk
documentation time
<30s
Terraform to
full threat model
2–3 days
analyst onboarding
vs. 4–6 weeks manually
90%+
STRIDE threat coverage
per asset analysis

Ready to see Citadel running on your infrastructure?

We'll walk you through the platform on a live demo — threat modeling from your IaC, your scanner findings, your compliance framework. No slides, no sales deck. Just the platform.

AI threat model from your Terraform in the call
Live compliance posture for your chosen frameworks
Answers to your specific workflow and integration questions
30–45 minutes, your team's schedule

Request a Demo

Or email us directly at info@antumsecure.com