Built for startups, not enterprises
Vulnerability management built into your compliance program
ComplyJet syncs vulnerabilities from the scanners you already use, ensures your team fixes them within SLA, and stores the evidence your auditor needs — especially for teams running compliance for the first time without a dedicated security hire.
Synced from your scanners
Your scanner finds vulnerabilities. ComplyJet makes sure they get fixed.
You likely already have a vulnerability scanner — Snyk, AWS Inspector, Dependabot, or something similar. The problem isn't finding vulnerabilities; it's having a process to track and close them before your auditor asks. ComplyJet syncs findings from your existing tools and takes it from there.
- Integrates with Snyk, AWS Inspector, Dependabot, Wiz, and more
- New findings synced automatically — no manual imports or CSV uploads
- Full history preserved — auditors can see what you knew and when
SLA tracking
Found a vulnerability? ComplyJet makes sure it gets closed on time.
Finding vulnerabilities is the easy part. The compliance requirement is having a documented process to remediate them within defined timeframes — and evidence that you did. ComplyJet applies SLA deadlines based on severity, assigns findings to the right engineer, and tracks everything to closure so nothing slips through.
- SLA deadlines applied by severity — critical findings get shorter windows
- Each finding assigned to an owner with automated reminders
- Overdue findings escalated and flagged in your compliance posture
Linked to your program
Vulnerabilities aren't just a security problem - they're a compliance requirement
Most frameworks require a formal vulnerability management process: regular scanning, risk-based prioritisation, remediation within defined timelines, and documentation. ComplyJet ties your vulnerability findings directly to the controls that govern them - so your compliance program and your security operations work together, not separately.
- Vulnerability findings linked to your compliance controls
- Open vulnerabilities visible in your risk register automatically
- Remediation evidence stored as audit artefacts - timestamped and ready
Key capabilities
Everything you need to run a real vulnerability management program - not just generate a report.
Scanner integrations
Syncs findings from Snyk, AWS Inspector, Dependabot, Wiz, and other vulnerability scanners — no new tooling required.
CVE tracking
Every discovered vulnerability matched against the CVE database with severity score, description, and recommended remediation steps.
Severity-based SLA enforcement
Define remediation windows by severity (e.g. critical: 7 days, high: 30 days) and track every finding against those deadlines automatically.
SLA-based remediation tracking
Define remediation SLAs by severity (e.g. critical: 7 days, high: 30 days) and track every finding against those deadlines.
Owner assignment
Findings assigned to the right engineer, with reminders and deadline tracking - nothing sits unaddressed because no one owns it.
Controls mapping
Every vulnerability category linked to the compliance controls that require you to address it - close the loop between scanning and your program.
Risk register integration
Open vulnerabilities surfaced in your risk register automatically - managed alongside other identified risks.
Audit-ready vulnerability report
Full scan history and remediation log exportable in the format your auditor expects - covering your entire observation window.
Framework requirements
Why your auditor requires it
These controls are non-negotiable for compliance.
SOC 2
Trust Services Criteria
CC7.1
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
ISO 27001
Annex A Controls
A.8.8
Information about technical vulnerabilities of information systems shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
HIPAA
Security Rule
§164.308(a)(1)(ii)(A)
Risk analysis: Conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI.
§164.308(a)(1)(ii)(B)
Risk management: Implement security measures sufficient to reduce risks to a reasonable and appropriate level.
Priced for startups, not enterprises
Included in your plan — not a bolt-on
Flat price per company. No per-seat fees.
Single framework
$5,000/year
SOC 2, ISO 27001, HIPAA, or any single framework. Flat price, no per-seat charges.
Two frameworks
$8,000/year
Run two frameworks simultaneously. Same flat price from 5 to 50 employees.
Price stays the same as you grow from 5 to 50 employees.
See vulnerability management in your compliance program
Walk through how ComplyJet connects scanning, remediation, and audit evidence - live, with your actual stack in mind. Built for teams doing this for the first time.
Full platform
Vulnerability management connects to your full compliance and risk program.
Every feature below is included in your ComplyJet plan — no bolt-ons, no extra modules to configure.
Compliance Automation
Connect your stack, automate evidence, and monitor controls 24/7 — your entire compliance program on autopilot.
Risk Management
Track threats, map them to controls, and keep your risk register audit-ready at all times.
Device Compliance
Enforce encryption, screen lock, and OS policies across every employee device.
Access Reviews
Schedule, run, and document access reviews across your identity systems — automatically.
Audit Management
Give auditors a pre-populated workspace. Fewer requests, faster close, no last-minute scramble.
Vendor Risk Management
Onboard vendors, score their risk, and track compliance across your entire supply chain.
Customer stories
Startups that went from zero to compliant with ComplyJet
Scanners connected. SLAs tracked. Auditor satisfied.
FAQ
Common questions
What vulnerability sources does ComplyJet sync from?
ComplyJet integrates with the scanners you're already using — Snyk, AWS Inspector, Dependabot, Wiz, and others. It pulls findings directly from these tools, so there's no need to run a separate scanner or change your existing security workflow. The coverage depends on which integrations you connect. Most startups already have at least one of these tools in place before they start a compliance program.
How is vulnerability management different from risk management?
Vulnerability management is specifically about technical weaknesses in your systems - missing patches, misconfigured services, known CVEs. Risk management is broader, covering business, operational, and third-party risks as well. ComplyJet supports both, and feeds open vulnerabilities into your risk register automatically.
How do SLA deadlines work?
You define remediation windows per severity level — for example, critical vulnerabilities within 7 days, high within 30 days, medium within 90 days. ComplyJet applies these deadlines to every synced finding automatically, tracks them against the clock, and flags anything overdue in your compliance dashboard. This is exactly what auditors look for when they review your vulnerability management process.
How do I know what to fix first?
ComplyJet surfaces findings with their severity level as reported by your scanner, and applies SLA deadlines accordingly — so the most critical items always have the shortest window. Findings closest to their SLA deadline are surfaced first. Your scanner does the severity assessment; ComplyJet enforces the remediation timeline.
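The SLA mechanism described in the two answers above, as an added illustration that is not ComplyJet's code: remediation windows per severity (the 7/30/90-day values quoted on the page), deadlines derived from each finding's discovery date, overdue flagging, ordering by time remaining, and a per-finding record of the kind an auditor would want. The `low` window, the fixed "current time" and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation windows by severity. Critical/high/medium are the values the page
# quotes; the "low" window is an assumption, the page does not state one.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    id: str                     # scanner's finding identifier (constructed below)
    severity: str               # severity as reported by the scanner; not re-assessed
    discovered: datetime
    closed: Optional[datetime] = None

def sla_deadline(f: Finding) -> datetime:
    """Deadline = discovery time plus the window for the scanner-reported severity."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity.lower()])

def sla_status(f: Finding, now: datetime) -> str:
    """'closed', 'open' or 'overdue' relative to the finding's SLA deadline."""
    if f.closed is not None:
        return "closed"
    return "overdue" if now > sla_deadline(f) else "open"

def prioritize(findings, now: datetime):
    """Open findings ordered by time left until deadline: overdue ones come first,
    then the item closest to breaching its window."""
    return sorted((f for f in findings if f.closed is None),
                  key=lambda f: sla_deadline(f) - now)

def remediation_record(f: Finding) -> dict:
    """Audit-style record: what was found, when, the deadline, and whether it was met."""
    deadline = sla_deadline(f)
    return {"id": f.id, "severity": f.severity, "discovered": f.discovered,
            "deadline": deadline, "closed": f.closed,
            "met_sla": f.closed is not None and f.closed <= deadline}

UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)            # constructed "current time"
SAMPLE = [                                         # constructed sample findings
    Finding("F-1", "critical", datetime(2024, 5, 20, tzinfo=UTC)),   # due May 27, overdue
    Finding("F-2", "high", datetime(2024, 5, 10, tzinfo=UTC)),       # due Jun 9, 8 days left
    Finding("F-3", "medium", datetime(2024, 3, 1, tzinfo=UTC)),      # due May 30, overdue
    Finding("F-4", "critical", datetime(2024, 5, 28, tzinfo=UTC),
            closed=datetime(2024, 5, 30, tzinfo=UTC)),               # closed within window
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, NOW):
        print(f.id, f.severity, sla_status(f, NOW), sla_deadline(f).date())
```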
What evidence does ComplyJet keep for auditors?
Full scan history across your observation window - every scan, every finding, every remediation action, every closure date. Your auditor can see what was found, when, who it was assigned to, and when it was resolved. This covers the documentation requirements for SOC 2, ISO 27001, and PCI DSS. For a startup going through its first audit, ComplyJet handles this evidence collection automatically — no spreadsheets, no manual exports required.
How is ComplyJet different from Vanta or Drata?
Vanta's vulnerability management integrates with a handful of scanners. Drata is similar. ComplyJet integrates with Snyk, AWS Inspector, Dependabot, Wiz, and more — and the focus is on what happens after discovery: enforcing SLA-based remediation timelines and storing the evidence your auditor will ask for. For a startup that already runs a scanner, ComplyJet doesn't ask you to switch — it makes your existing scanner output audit-ready.