Production-Ready

RAVEN

All-in-one RMF. Air-gapped. DoD-ready.

An end-to-end Risk Management Framework and vulnerability management platform for DoD program offices, defense contractors, and federal agencies. Scanning, compliance authoring, ATO tracking, continuous monitoring, PKI, and signed air-gapped updates — consolidated into one on-premises product.

Current release: v0.40.1 — 18 scanner modules, 562 test files, greater than 82% line coverage.

Capabilities

What RAVEN Delivers

A unified RMF platform for vulnerability management, compliance authoring, continuous monitoring, and air-gapped update distribution.

18 Scanner Modules

OS and software inventory, services, ports, file permissions, registry, Docker, Kubernetes, firewall, crypto, audit, signature verification, file integrity, patch management, and more — enriched with EPSS scores and CISA KEV data.

SSP, SAR, POA&M Authoring

Generate System Security Plans (NIST 800-18), Security Assessment Reports (NIST 800-53A), and POA&M packages aligned to 800-53 rev 5, 800-171, CMMC 2.0, FedRAMP, and CNSSI 1253 baselines.

ATO Lifecycle & ConMon

Full-lifecycle tracking from system categorization through sustainment, with a continuous monitoring dashboard, scheduled ConMon evaluations, alert rules, and snapshot trending across control families.

PKI & Certificate Management

Trust store management, CRL import with freshness tracking, client certificate authentication, agent certificate lifecycle, and server certificate replacement.

Agent Fleet Management

Remote scan agents over mutual TLS with policy-based enrollment, agent groups, bulk operations, fleet health analytics, and remote configuration push. Systemd-hardened units ship with the product.

Air-Gapped Update Distribution

Signed .raven update packages and .raven-data feed packages (NVD, EPSS, KEV, STIG, CMVP, CA bundles, CRLs) are verified on import with Ed25519 signatures and auto-applied through a staged pipeline.

Why RAVEN

Built for Federal Authorization

Built by cleared, CISSP-led engineers with hands-on RMF experience across DoD environments.

Full RMF in One Product

Scanning, compliance authoring, ATO tracking, ConMon, PKI, and air-gapped updates live in a single application — not a stitched-together multi-vendor stack.

Air-Gap Pipeline by Design

Signed .raven and .raven-data packages were part of RAVEN’s design from the start — the canonical delivery mechanism for classified and closed networks.

DoD-First Hardening

Systemd units ship with SystemCallFilter allow-lists, RestrictNamespaces, LockPersonality, and CapabilityBoundingSet. DoD consent banner and classification markings enabled by default.

Frameworks Supported

Shipping Today

Control-selection wizard and artifact generation span the frameworks DoD and federal programs authorize against.

NIST RMF (SP 800-37)
NIST SP 800-53 rev 5
NIST SP 800-171
NIST Cybersecurity Framework
CMMC 2.0
FedRAMP
CNSSI 1253
DISA STIG / SRG
FIPS 140-3 (capable via OpenSSL FIPS provider)
CycloneDX 1.5 SBOM (416 components)

Deploy RAVEN

RAVEN is in production use today. Contact us to discuss a pilot on your network, or sign up for release updates.
