freundcloud
SARC · regulated software delivery, auditor-ready

The orchestration layer above Kosli + ServiceNow.
Multi-cloud. Multi-CI. Auditor-ready.

SARC doesn't replace your compliance investments — it's the surface that turns their data into the story your regulator, auditor and change board actually want. It unifies Kosli evidence and ServiceNow workflow into one auditable pipeline that runs identically on AWS, Azure, GCP and on-prem, across GitLab CI, GitHub Actions and Azure DevOps.

The operator dashboard — pipelines, change requests and compliance state in one view.

The pain SARC removes

Four things repeat in every regulated delivery shop. Each one is a place where evidence, risk or reality falls through the cracks.

Evidence is scattered

Nobody owns the whole story

SonarQube, Snyk, Wiz, GitGuardian, Trivy, ServiceNow, Kosli, GitLab, GitHub Actions, Azure DevOps — each owns a fragment of the audit story, and no one tool owns the whole of it.

Approvals are a bottleneck

A typo waits as long as a migration

A one-character fix and a schema migration both get the same 48-hour CAB review, because nothing makes the difference in risk visible.

The CMDB is always stale

Records drift from reality

What's actually running in production at month-end has drifted a long way from what the CMDB believes is running.

Cloud lock-in, too early

Audit stories break on migration

Compliance tooling wired to one cloud's primitives breaks the audit story the moment a workload moves somewhere else.

What SARC actually delivers

One auditable pipeline on top of the tools you already own — computing the things neither Kosli nor ServiceNow can see on their own.

  • A 5-axis risk clearance score per change, derived from Kosli attestations and written back into the ServiceNow change request — a number no other system in the stack computes.
  • Vulnerability SLO burndown with cost-to-fix correlation — remediation priced in dollars per month, not abstract severity labels.
  • One-button evidence packaging for SOC 2, ISO 27001, DORA, PSD2, NIST 800-53, PCI-DSS and SOX — the feature customers cite first.
  • AI agent recipes that turn findings into one-click fix merge requests across all three CI platforms.
  • An MCP gateway that lets AI agents query Kosli, ServiceNow and portal data in plain language — without breaking compliance boundaries.
  • Service-to-incident correlation over a directed graph that Kosli doesn't compute and ServiceNow can't see.

Screenshots: 5-axis risk clearance per change; compliance dashboard with multi-framework coverage; multi-cluster, multi-cloud overview.

What it means in the boardroom

The same platform answers three very different executives.

For the CFO

Audit cost, quantified

Audit prep drops from weeks of compilation to one click. Cost–vulnerability correlation puts remediation ROI in dollars. One platform replaces 4–6 manual processes previously held together by spreadsheets.

For the CIO / CTO

Real parity, no capture

Cloud parity is real — the same Terraform shape on AWS, Azure, GCP and on-prem. CI parity is real — the same gates on GitLab CI, GitHub Actions and Azure DevOps. You own the open architecture end to end, deployed in your cloud.

For the CCO / Head of GRC

Evidence on demand

Auditors get their own time-boxed, magic-link session, read-only to the audit and compliance routes. Evidence is reproducible per deployment, not compiled per quarter. AI governance for the EU AI Act, NIST AI RMF and ISO 42001 is built in, not bolted on.

By the numbers

7 frameworks

SOC 2, ISO 27001, DORA, PSD2, NIST 800-53, PCI-DSS, SOX — one-click evidence each.

3 CI platforms

GitLab CI (source of truth), GitHub Actions (full parity), Azure DevOps.

5 deploy targets

AWS EKS, Azure AKS, GCP GKE, OpenShift and a local k3d cluster from one switch.

37 portal screens

Operator, change requests, vulnerabilities, control mapping, evidence, audit log and more.

Tamper-evident

A hash-chained audit log, so the trail can't be quietly rewritten.

MCP-native

Ask the compliance state of a commit in plain English, via the MCP gateway.

What SARC is not

The scope guards matter as much as the features — SARC is a thin, honest orchestration layer, not a land-grab.

  • Not a SaaS competing with ServiceNow — the workflow control plane stays in ServiceNow.
  • Not a SaaS competing with Kosli — the evidence data plane stays in Kosli.
  • Not a CI platform. Not a cloud. Not a CMDB replacement. Not an authentication system.

How you adopt it

SARC is a reference architecture and demo platform — you don't subscribe to it, you adopt it.

A typical engagement is a 4–8 week MVP install. After that, the customer owns and operates it: no SaaS bill, no per-seat fee, no vendor capture — the open architecture is deployed in your cloud and audited by you.
