
Compliance, made doable — no GRC expert required

GRC Is a Mountain of Busywork.
Let the AI Carry It.

GRC & vCISO compliance automation for ISO 27001, SOC 2, NIS2 & GDPR.

You don’t need a compliance team or a hired CISO. Answer a few plain-English questions in a chat and MerlinAI drafts your policies. Scanners find your risks from the outside and the cloud, and AI maps them to the right controls, drafts the fixes, and collects the evidence — your team reviews and approves. Small businesses do it themselves.

Built by operators who ran a Security Operations Center for banks and governments — not a template vendor.

Author: Menachem Tauman — Co-Founder & CEO, former CISO, 28 years in IT & cybersecurity. Written to our editorial policy.

See How the Chat Works
  • Answer questions, get real documents
  • Scanners find the risk for you
  • No compliance expertise needed

Are you an MSP? Resell Fortress GRC as a vCISO managed service →
  • 680+ cloud posture checks
  • Outside-in attack-surface recon
  • Findings → controls, mapped by AI
  • 6+ frameworks, one control set
  • Audit prep time: weeks → days

Protecting 200,000+ assets in production.

Runs on the same stack we protect customers with
SentinelOne · Hornetsecurity · DefensX · Acronis · Cloudflare

MerlinAI — your compliance assistant

Answer a few questions. Get real compliance documents.

The hardest part of compliance is knowing what to write and where to start. So we made it a conversation. MerlinAI asks plain-English questions — one at a time — and drafts your policies, assessments, and evidence for you to review. No jargon, no consultant, no blank page.

Built for people who aren’t compliance experts — a small-business owner or a junior team member can drive it
Each answer is written into your compliance record and mapped to the controls it satisfies
Step by step, it assembles your whole audit — so when the auditor logs in, everything’s already there

Why GRC feels impossible

Compliance is real work. Most of it is the wrong work.

Every business now needs a security program and audit-ready compliance. But the way GRC is done today assumes you have an expert — and buries whoever’s doing it in manual effort before anyone gets to the part that actually reduces risk.

The busywork tax

Spreadsheets, questionnaires, evidence hunts

Copying findings into a register. Filling out the same questionnaire for the fifth framework. Chasing screenshots to prove a control works. Hand-mapping a vulnerability to the right ISO and SOC 2 controls. It’s slow, error-prone, and it never ends — so GRC gets skipped until an audit forces it.

The expertise gap

It assumes you’re a compliance pro

A small business can’t afford a CISO, and a junior team member stares at a blank policy template with no idea what to write. So compliance stalls — or a business pays a consultant by the hour. Either way, the knowledge barrier, not just the workload, is what stops it getting done.

The AI does the heavy lifting

GRC without the grind

Same outcome — a defensible risk program and a passed audit. The difference is who does the work. Fortress moves the manual load off your team and onto the scanners and the AI.

GRC by hand

The old way

Find risks by emailing a questionnaire and hoping it’s honest and current
Copy every finding into a spreadsheet risk register by hand
Figure out which ISO, SOC 2, and NIS2 controls each finding maps to — one at a time
Write each treatment plan from a blank page
Chase screenshots and exports to prove controls the week before the audit
With Fortress AI + scanners

The Fortress way

Risks are discovered by scanners — outside-in recon and cloud posture checks, not self-reported answers
Findings flow into the Risk Register automatically, scored and tied to the affected asset
AI maps each finding to the right controls across every framework at once
Treatment plans and questionnaire answers are drafted for you — your team reviews and confirms
Evidence is collected and refreshed continuously, so the audit packet is already built

Risk you find, not risk you ask about

Scanners find the problems. The register writes itself.

A questionnaire tells you what you think is true. Fortress scans for what’s actually exposed — from the attacker’s side of the internet and inside your cloud — and turns every finding into a tracked, mapped risk.

Attack Surface Management

See yourself as an attacker sees you

External reconnaissance maps everything you have exposed to the internet — including the assets you forgot about. No agent, no questionnaire. Just live recon against your real footprint, on a schedule.

  • Subdomains
  • Open ports & services
  • Exposed endpoints
  • Expired / weak TLS certs
  • Leaked & exposed data
  • Shadow IT
  • Misconfigured storage
  • Web vulnerabilities

Recon scan → Finding → Risk Register (auto)
Automated Compliance & Cloud Scanners

Control checks that run themselves

Continuous scanners inspect your cloud and SaaS against hundreds of security-posture checks — then log the result as evidence. No one screenshots a config; the scanner records it and proves the control.

  • AWS · Azure · GCP · Microsoft 365 · Okta
  • 680+ posture checks
  • Vulnerability scans
  • Evidence, auto-logged

Control scan → Pass / fail + evidence → Frameworks updated

What Fortress GRC gives you

A full GRC program, in one place

The scanners and AI feed a complete GRC platform — the register, the frameworks, the plan, the report — everything a virtual CISO delivers, in one place. No new hires, no stitched-together tools.

Risk Register

Scanner findings land here automatically — scored, owned, and tracked, inherent vs. residual, with a clear treatment status for each one.

  • Auto-populated from ASM & cloud scans
  • FAIR-based scoring, quantified in dollars
  • Owners, due dates, accept / mitigate / transfer

Compliance Frameworks

One control set mapped across every major standard. Satisfy one control, advance several frameworks at once.

  • NIS2, ISO 27001, SOC 2, GDPR, NIST CSF 2.0, PCI-DSS
  • Cross-framework crosswalk — "1 fix = 3 frameworks"
  • Readiness % per certification, live

CISO Dashboard

The board-ready view: one screen showing posture, top exposures, and readiness — ready to present.

  • Inherent vs. residual risk at a glance
  • Ranked top exposures with owners
  • Export board & auditor reports

Treatment Plans

Turn every open risk into a prioritized work plan — sequenced by risk reduced per dollar, with a 1/2/5-year roadmap.

  • Auto-drafted from open findings
  • Effort, cost, and expected risk drop per task
  • Assign, deadline, and track to close

Asset Register

The hub everything wires to. Each asset carries its criticality, data, findings, and the controls that protect it.

  • Auto-populated from your security stack
  • Criticality cascades into risk and BIA
  • Every control links back to an asset

Evidence & Audit Prep

Continuous control monitoring collects the proof as you go, so audits become an export instead of a fire drill.

  • Automated evidence collection
  • Assessment questionnaires per framework
  • Audit-ready packet, on demand

From zero to audit-ready in three steps

How it works

1

Scan your business

Sign up, then let Fortress scan your attack surface, cloud, and vendors. Assets, findings, and controls populate on their own — no questionnaire required.

2

Let the AI map & draft

AI ties every finding to the right controls across NIS2, ISO 27001, SOC 2 and more, drafts the treatment plans, and collects evidence. You review and confirm.

3

Stay audit-ready

Present the CISO Dashboard, work your treatment plans, and export board and auditor reports on demand — with evidence collected continuously in the background.

Frameworks supported

Map once. Satisfy many.

NIS2 · ISO 27001 · SOC 2 · GDPR · NIST CSF 2.0 · PCI-DSS

Also mapped: HIPAA · DORA · CIS Controls · CMMC — one control satisfied advances every framework it touches.

Primary sources: NIS2 · ISO 27001 · SOC 2 · GDPR · NIST CSF 2.0 · PCI-DSS

One risk story, not two

Your posture and your supply chain

Your risk doesn’t stop at your own perimeter — it runs through every vendor you trust. Fortress scans and assesses those third parties too, so vendor risk lands in the same register as everything else. Your own posture and your supply chain, one unified picture, one CISO Dashboard.

Explore third-party risk management (TPRM) →

In plain terms

Definitions

What is a vCISO?

A virtual Chief Information Security Officer — outsourced access to senior security leadership (strategy, compliance, risk decisions) without a full-time executive hire. Fortress delivers vCISO-level guidance through AI plus human review.

What is GRC?

Governance, Risk, and Compliance — the practices an organization uses to meet regulatory obligations (e.g. ISO 27001, SOC 2, GDPR), manage security risk, and prove it to auditors.

Questions small teams ask

Frequently asked

Can a non-expert really do compliance with the chat?
Yes — that's who it's built for. MerlinAI asks plain-English, one-at-a-time questions (no jargon) and turns your answers into finished policies, assessments, and evidence, each mapped to the controls it satisfies. A small-business owner or a junior team member can drive the majority of the work without hiring a consultant, and everything is assembled so an auditor can log in and review it.
How does Fortress cut down the manual GRC work?
Three ways. MerlinAI writes your documents from a few answers. Scanners find risks automatically — external attack-surface recon plus cloud posture checks — instead of questionnaires, and those findings flow straight into the Risk Register. Then AI maps each finding to the right controls across every framework, drafts the treatment plans, and collects the evidence. You review and confirm instead of assembling everything from scratch.
What does the external attack surface scan actually check?
It sees you the way an attacker does — from outside, with no agent. It discovers subdomains, live IPs and open ports, exposed endpoints, weak or expired TLS certificates, misconfigured storage, exposed or leaked data, and shadow IT you didn't know was public, plus web vulnerability scans. It runs on a schedule, so new exposures surface as findings continuously.
Which frameworks are covered, and does it include vendor risk?
The core six are NIS2, ISO 27001, SOC 2, GDPR, NIST CSF 2.0, and PCI-DSS, with HIPAA, DORA, CIS Controls, and CMMC also mapped — one control satisfied advances every framework it belongs to. Third-party (vendor) risk is part of the same picture: Fortress scans and assesses your vendors and lands that risk in the same register, so your own posture and your supply chain sit side by side.
Do I still need a compliance consultant?
For most of the work, no. MerlinAI and the scanners do the drafting, mapping, and evidence collection; you review and approve. For a formal certification audit you still engage an accredited auditor — but you arrive with the risk register, controls, and evidence already assembled, so the engagement is shorter and cheaper.

Compliance without the expert

Start your compliance in a chat. Let the AI do the rest.

Answer a few questions and watch your first policy draft, your scanners surface real exposures, and your CISO Dashboard build itself. See how far Fortress gets you without hiring a compliance team.

I’m an MSP →