Accepting early customers

Prove risk reduction.
Not just security activity.

A proven cybersecurity methodology, distilled into one portfolio-native platform for private equity. Verification campaigns confirm controls operate as designed — and outcomes over time prove the program is working across every portfolio company, on one normalized scale.

Portfolio-native
Parent-child hierarchy from the ground up
Secure deployment
Docker container, your cloud, your rules
<0 day
AI-powered onboarding per company
FIG.01 Live portfolio ledger: overview table (columns: Company, Normalized maturity, Status)

Illustrative data. Figures shown are sample portfolio companies, not customers. CME tier reflects organizational complexity; underlying scoring methodology is proprietary.

01 The product

One portfolio. One scale. Every company on it.

A 20-person SaaS startup and a 20,000-person logistics company are not the same — so Testify holds them to calibrated expectations, then rolls everything into a single normalized maturity score. Select a company to see what's underneath the number.

02 The problem

PE firms are flying blind on portfolio cyber risk

  1. No standard measurement
     Every portfolio company tracks security differently — if they track it at all. There's no common baseline to compare maturity across the fund.

  2. Point-in-time blindness
     Annual audits create a false sense of security. Posture degrades between reviews, and nobody knows until an incident forces discovery.

  3. No accountability trail
     When a breach hits, there's no record of whether known gaps were communicated, tracked, or addressed. Liability is undefined.

Read the ledger for exposure: Two companies sit below their calibrated expectation — a combined $5.3M in annualized loss expectancy the fund cannot currently see.

FIG.02 Capability manifest (8 modules)

01 Live Control State · Register · Continuous
Security posture that updates itself. Assessments, incidents, and remediations feed a continuously current register — no stale dashboards, no manual sync.
6 / 6 entities current

02 Risk-Adjusted Expectations · Calibration · CME tiers 1–4
A 20-person SaaS startup and a 5,000-person logistics company aren't the same. Maturity expectations automatically calibrate to each company's size, complexity, and data sensitivity.
Expectations auto-calibrated

03 AI-Powered Onboarding · Ingest · Local model
Import existing assessments, policies, and audit findings. AI extracts structured maturity data in hours — not the weeks of interviews traditional onboarding requires. Runs locally. Your data never leaves.
< 1 day per company

04 Verification Campaigns · Evidence · Score-gated
Don't take their word for it. Evidence-based, score-gated campaigns verify that controls operate as designed — targeted to each company's actual technology stack, reviewed against the evidence.
Controls verified, not asserted

05 Attack Surface Intelligence · OSINT · External
See what adversaries see. Continuous external exposure monitoring across the portfolio — credential leaks, certificate issues, open services — correlated across companies to surface systemic risk.
Continuous exposure scan

06 AI Risk Governance · SAFE² · EU AI Act / NIST / ISO 42001
Structured AI hygiene assessments across every portfolio company, anchored to SAFE² with crosswalks to the EU AI Act, NIST AI RMF, and ISO 42001. Measure AI risk the same way you measure everything else.
Crosswalked frameworks

07 Built to Extend · Overlay SDK · MCP
Overlay SDK and MCP server. Define custom frameworks, gates, and verdicts — no forking, no code changes. Jira, ServiceNow, Slack, and Teams included. Developer-grade extensibility no competitor offers.
Jira · ServiceNow · Slack · Teams

08 Board & LP Reporting · Reporting · Anonymizable
One reporting workspace. Generate board cybersecurity briefings and LP portfolio reports — configurable, anonymizable, defensible — in hours instead of weeks. The same numbers, framed for whoever is asking.
Hours, not weeks

03 The platform

One platform for portfolio-wide security governance

Single-company tools can't do this. Testify was architected from day one for the parent-child relationships, cross-portfolio correlation, and calibrated expectations that PE oversight requires.

Eight modules · one continuously current register

04 Data sovereignty

Your portfolio data never leaves your infrastructure

Testify deploys as a Docker container into your own cloud or on-prem environment. No SaaS multi-tenancy. No vendor with access to your portfolio company data. No third-party AI providers.

Deployment targets: AWS · Azure · GCP · On-prem
Deployment

Your cloud, your rules

AWS, Azure, GCP, or on-prem — same container, same platform. Deploy where your data governance policy requires.

Local inference

Local AI inference

All AI features — document import, assessment coaching, natural language queries — run on a local model inside your deployment. Zero data transmitted to external providers.

Evidence

Auditable by design

Every control state change logged with source, timestamp, and actor. Board-ready reports and M&A due diligence packages generated in hours, not weeks.

Local AI · Zero egress

Ask your portfolio in plain language.

The assistant runs on a local model inside your own deployment — no API calls, no third-party provider. Ask about any company's control gaps, attack paths, or dollar exposure and get an answer backed by the evidence already in your register. No portfolio data ever leaves the environment.

Illustrative — local model output on a sample portfolio company.

05 How it works

The continuous improvement cycle

Closed loop · running today

  1. Assess
  2. Monitor
  3. Detect & Correlate
  4. Remediate & Verify
  5. Validate

Every incident drives a remediation. Every remediation improves a control. Every improvement is verified against evidence and recorded — that closed loop is how the platform operates today, not a roadmap. Validation is the longer arc it builds toward: fewer incidents, lower premiums, and defensible valuations that prove the program is working over time.

06 Who it's for

Built for the people who own the risk

Portfolio Directors & Operating Partners

Portfolio-level oversight

  • Compare security maturity across all portfolio companies with calibrated expectations
  • Identify systemic gaps before they become fund-level risks
  • Generate board-ready reports that demonstrate diligence
  • Track remediation commitments with built-in accountability

Portfolio Company CISOs

Operational security command

  • Run assessments against CIS, NIST, ISO, SOC 2 — or all of them
  • Manage incidents with MITRE ATT&CK mapping and automated control degradation
  • Verify control effectiveness with evidence-based campaigns
  • Communicate risk posture to the parent firm through shared dashboards

07 Who's behind it

Advisory-grade methodology, distilled into software

Testify isn't a feature list someone assembled. It's a cybersecurity methodology refined across years of enterprise advisory work — the kind of portfolio assessment large consultancies build over years — systematized so it runs continuously, at portfolio scale, for a fraction of the cost. Founder-led, built by practitioners.

Provenance · Founder-led · Practitioner-built
The methodology

Backed by results

The scoring model, the four maturity dimensions, the calibrated CME tiers — built on how the world's best-resourced security programs actually operate. These are the practices proven where budgets are largest and the stakes are highest, now running across every company in your portfolio.

The engineering

Built to a higher bar

Portfolio-native architecture, a private locally-hosted AI model, and an Overlay SDK for custom frameworks. No SaaS multi-tenancy, no third-party AI, no data leaving your environment. Engineered for the rooms that ask hard questions.

The posture

Early by design

Cyber Flag is taking a deliberately small number of founding customers. You work directly with the team who built the methodology and the platform — not a support queue. First movers shape the roadmap.

08 Questions, answered

Common questions about Testify

Q.01

What is Testify?

Testify, by Cyber Flag, is a cyber GRC platform purpose-built for private equity firms to govern cybersecurity across every portfolio company. It maintains a continuously updated, evidence-backed security posture for each company, prices that posture in dollars, and runs all AI locally so portfolio data never leaves your environment.

Q.02

How is Testify different from compliance tools like Vanta or Drata?

Vanta and Drata help a single company earn a certification such as SOC 2; Testify governs cybersecurity maturity across an entire portfolio for the investor. A portfolio company can be SOC 2 compliant and still have controls that are not automated or enforced. Firms often run a compliance tool inside individual companies and use Testify on top to measure, compare, and prove control efficacy across the whole portfolio.

Q.03

Does my portfolio data ever leave my environment?

No. Testify deploys as a Docker container into your own cloud or on-prem environment, and all AI inference runs locally on open-weight models. There is no SaaS multi-tenancy and no third-party AI provider — portfolio data never leaves your infrastructure.

Q.04

How does Testify compare security across companies of very different sizes?

Testify calibrates maturity expectations to each company's size, complexity, and data sensitivity, then rolls every company onto one normalized 0–100 maturity scale. A 20-person SaaS startup and a 20,000-person logistics company are held to appropriate expectations and still compared on a common baseline.

Q.05

What frameworks does Testify support?

Testify assesses against CIS Controls v8, NIST CSF, ISO 27001, and SOC 2, with crosswalk mapping and support for custom frameworks. AI risk is covered through an AI hygiene assessment with crosswalks to the EU AI Act, NIST AI RMF, ISO 42001, and OWASP-LLM.

More in the full FAQ, or start with What is Testify and how it compares.

09 Get started

See it live

Testify is accepting early customers. Portfolio Directors and Fund Operating Partners get priority access to a guided walkthrough.

Request a demo, or reach us directly at [email protected]

What you'll see

  • Live portfolio ledger · 6 entities
  • Normalized maturity · 0–100
  • Verification campaigns · evidence
  • Annualized loss expectancy · $
  • Local AI · zero data egress