A proven cybersecurity methodology, distilled into one portfolio-native platform for private equity. Verification campaigns confirm controls operate as designed — and outcomes over time prove the program is working across every portfolio company, on one normalized scale.
A 20-person SaaS startup and a 20,000-person logistics company are not the same — so Testify holds them to calibrated expectations, then rolls everything into a single normalized maturity score.
Illustrative data. Figures shown are sample portfolio companies, not customers. CME tier reflects organizational complexity; underlying scoring methodology is proprietary.
Every portfolio company tracks security differently — if they track it at all. There's no common baseline to compare maturity across the fund.
Annual audits create a false sense of security. Posture degrades between reviews, and nobody knows until an incident forces discovery.
When a breach hits, there's no record of whether known gaps were communicated, tracked, or addressed. Liability is undefined.
Single-company tools can't do this. Testify was architected from day one for the parent-child relationships, cross-portfolio correlation, and calibrated expectations that PE oversight requires.
Security posture that updates itself. Assessments, incidents, and remediations feed a continuously current register — no stale dashboards, no manual sync.
A 20-person SaaS startup and a 5,000-person logistics company aren't the same. Maturity expectations automatically calibrate to each company's size, complexity, and data sensitivity.
Import existing assessments, policies, and audit findings. AI extracts structured maturity data in hours — not the weeks of interviews traditional onboarding requires. Runs locally. Your data never leaves.
Don't take their word for it. Evidence-based, score-gated campaigns verify that controls operate as designed — targeted to each company's actual technology stack, reviewed against the evidence.
See what adversaries see. Continuous external exposure monitoring across the portfolio — credential leaks, certificate issues, open services — correlated across companies to surface systemic risk.
Structured AI hygiene assessments across every portfolio company, anchored to SAFE² with crosswalks to the EU AI Act, NIST AI RMF, and ISO 42001. Measure AI risk the same way you measure everything else.
Overlay SDK and MCP server. Define custom frameworks, gates, and verdicts — no forking, no code changes. Jira, ServiceNow, Slack, and Teams included. Developer-grade extensibility no competitor offers.
One reporting workspace. Generate board cybersecurity briefings and LP portfolio reports — configurable, anonymizable, defensible — in hours instead of weeks. The same numbers, framed for whoever is asking.
Testify deploys as a Docker container into your own cloud or on-prem environment. No SaaS multi-tenancy. No vendor with access to your portfolio company data. No third-party AI providers.
AWS, Azure, GCP, or on-prem — same container, same platform. Deploy where your data governance policy requires.
All AI features — document import, assessment coaching, natural language queries — run on a local model inside your deployment. Zero data transmitted to external providers.
Every control state change logged with source, timestamp, and actor. Board-ready reports and M&A due diligence packages generated in hours, not weeks.
Every incident drives a remediation. Every remediation improves a control. Every improvement is verified against evidence and recorded — that closed loop is how the platform operates today, not a roadmap. Validation is the longer arc it builds toward: fewer incidents, lower premiums, and defensible valuations that prove the program is working over time.
Testify isn't a feature list someone assembled. It's a cybersecurity methodology refined across years of enterprise advisory work — the kind of portfolio assessment large consultancies build over years — systematized so it runs continuously, at portfolio scale, for a fraction of the cost. Founder-led, built by practitioners.
The scoring model, the four maturity dimensions, the calibrated CME tiers — built on how the world's best-resourced security programs actually operate. These are the practices proven where budgets are largest and the stakes are highest, now running across every company in your portfolio.
Portfolio-native architecture, a private locally-hosted AI model, and an Overlay SDK for custom frameworks. No SaaS multi-tenancy, no third-party AI, no data leaving your environment. Engineered for the rooms that ask hard questions.
Cyber Flag is taking a deliberately small number of founding customers. You work directly with the person who built the methodology and the platform — not a support queue. First movers shape the roadmap.
Testify, by Cyber Flag, is a cyber GRC platform purpose-built for private equity firms to govern cybersecurity across every portfolio company. It maintains a continuously updated, evidence-backed security posture for each company, prices that posture in dollars, and runs all AI locally so portfolio data never leaves your environment.
Vanta and Drata help a single company earn a certification such as SOC 2; Testify governs cybersecurity maturity across an entire portfolio for the investor. A portfolio company can be SOC 2 compliant and still have controls that are not automated or enforced. Firms often run a compliance tool inside individual companies and use Testify on top to measure, compare, and prove control efficacy across the whole portfolio.
No. Testify deploys as a Docker container into your own cloud or on-prem environment, and all AI inference runs locally on open-weight models. There is no SaaS multi-tenancy and no third-party AI provider — portfolio data never leaves your infrastructure.
Testify calibrates maturity expectations to each company's size, complexity, and data sensitivity, then rolls every company onto one normalized 0–100 maturity scale. A 20-person SaaS startup and a 20,000-person logistics company are held to appropriate expectations and still compared on a common baseline.
Testify assesses against CIS Controls v8, NIST CSF, ISO 27001, and SOC 2, with crosswalk mapping and support for custom frameworks. AI risk is covered through an AI hygiene assessment with crosswalks to the EU AI Act, NIST AI RMF, ISO 42001, and OWASP-LLM.
Testify is accepting early customers. Portfolio Directors and Fund Operating Partners get priority access to a guided walkthrough.