Optimal Platform
Self-hosted CNAPP for regulated environments. Hardens containers and OT/IoT devices to DISA STIG, CIS, and IEC 62443 baselines. Ships live, branded compliance evidence as a product feature. Runs in your own Kubernetes cluster, never ours.
What it covers
- Cloud workloads — Kubernetes, Cloud Run, ECS, AKS, on-prem Kubernetes.
- OT and IoT devices — PLCs, HMIs, RTUs, sensors, edge gateways. The Edge Collector is a tiny binary that runs on Raspberry Pi-class hardware.
- Compliance frameworks — SOC 2, PCI DSS v4.0, HIPAA, ISO 27001, FedRAMP 20x KSI, MA-S2, CMMC, NERC CIP, IEC 62443.
- Agentic CD — the Recall Agent proposes a fix when a critical finding lands; an operator approves; the Orchestration Engine executes.
Topology
Three components, all self-hosted in your environment.
- Hub — the control plane. One per customer. Stores the catalog, plans, findings, and audit trail. Runs as a single FastAPI service backed by Postgres or Firestore.
- Spoke — the in-cluster agent. One per Kubernetes environment. Reports observed state to Hub, executes plan steps the operator approves.
- Edge Collector — the device-side agent. Ships telemetry from PLCs / HMIs / RTUs to Spoke. Runs on hardware the device's own OS can't accommodate a full Spoke on.