Give your security program a memory.

Most security programs live in spreadsheets and someone's head. Command puts the whole program in one place, keeps it current between meetings, and lets Hudson drive every step.

One loop replaces the GRC stack PlanAssessmentsFindingsControlsEvidence

A GRC binder is a snapshot. Evidence goes stale and the board deck is rebuilt every quarter. Command keeps the program live and moving, with Hudson doing the work in between.

One loop, run every day Plan Assessments Findings Controls Evidence Projects
Why Command exists

Your program already
exists. It's just scattered.

The plan, the frameworks, the findings, the evidence, the board deck — every piece already lives somewhere. A spreadsheet here, a binder there, a deck rebuilt the night before the meeting. Command isn't one more place to keep up. It's the system that pulls every piece into one loop, and keeps it moving.

Frameworks
NIST CSF ISO 27001 SOC 2
The daily work
Spreadsheets Tickets Email threads
The evidence
Drive SharePoint Exports
The board
Slide deck Last quarter's PDF Spreadsheet
Command
Every piece of the security program, centralized and running in one place.
A planBoard goals & OKRs everything traces to.
One operating loopAssessments · Findings · Controls · Evidence · Projects.
HudsonThe analyst that drives every step.
A board deck that's already current Rebuilt from the live program on demand, not the night before.
One ranked action queue The most overdue work surfaced on top, the same way every day.
Evidence that stays fresh Collected as the work happens, never stale when the auditor asks.

It isn't a tool you maintain.
It's a program that runs.

Walk the loop.
Every screen connects.

A plan sets the goals; the work flows through the same loop and back. Every stage is a real screen in the product, each one connected to the next.

A board-approved plan with goals and OKRs. Everything in the program traces back to it.

Command Strategic Plan
ActiveFY2026 · Jan–Dec
2026 Strategic Plan
OwnerJSJohn Smith · CISO
Goals42 ahead of plan
Initiatives117 in flight
On track82%by target date
Strategic goals 4
Active · 3
Reduce Third-Party Risk
Mature Detection & Response
Achieve SOC 2 Type II
Planned · 1
Zero Trust Rollout
Reduce Third-Party RiskHighDue Q3 2026
45% complete
Initiatives · 2
Procure TPRM ToolBegin 3rd Party Continuous Monitoring
Linked project · 1
Scout Deployment
Linked risk · 1
Concentration risk in core vendors
Assessments NIST CSF 2.0
NIST CSF 2.0 Assessment
MRMarcus Reed · updated 2h ago
68%complete
Govern14/14
Identify18/22
Protect21/31
Detect6/14
Respond4/16
Recover2/9
SubcategoryStatusMaturity
GV.OC-01Organizational mission understoodMet4.0
ID.AM-01Hardware inventories maintainedMet4.0
PR.AA-01Identities and credentials managedPartial3.0
DE.CM-01Networks and environments monitoredPartial2.0
RS.MA-01Incident response plan executedGap1.0
Findings
27 open · 2 critical · 4 overdue
AllOpenOverdue+ New finding
SeverityFindingFrameworkOwnerStatusAge
CriticalAWS access keys unrotated 90+ daysFND-2026-002NIST CSFJDOpen12d
CriticalPublic S3 bucket exposed to internetFND-2026-024CIS v8PMTriage3h
HighNo MFA on administrative accountsFND-2026-007CIS v8MFIn progress4d
HighDisaster recovery plan review overdueFND-2026-014ISO 27001MFIn review6d
MediumBackup restore not tested this quarterFND-2026-011SOC 2PMOpen1d
MediumVendor SOC 2 report expiring in 30 daysFND-2026-021NIST CSFJDOpen9d
LowLogging gaps in staging environmentFND-2026-018SOC 2MFResolved2d
LowStale IAM role detected in productionFND-2026-026CIS v8PMOpen5d
Controls Access Control
Controls
Mapped142 Tested86% Evidence71%
6.5Multi-factor authenticationMet
6.3Unique account credentialsMet
8.2Audit log collectionPartial
5.1Asset inventory maintainedMet
11.1Data recovery testedGap
4.1Secure configuration baselineMet
3.3Data access control listsPartial
CIS v8 · 6.5
Multi-factor authentication
Met
Require MFA for all administrative and remote access to in-scope systems and applications.
Mapped frameworks
NIST PR.AA-03ISO A.5.17SOC 2 CC6.1
Evidence · 3
Okta-MFA-policy.pdfApr 2026
Admin-MFA-export.csvfresh
Access-review-Q2.pdfJun 2026
MFMia Flores · Control ownerTested quarterly
Projects EDR Deployment
EDR Deployment
DCMFPM
8 of 14 done
To do 3
Pilot ring expansion
EDR-31PM
Tune detection rules
EDR-34MF
Decommission legacy AV
In progress 2
Phase 2 fleet rollout
60%DC
Endpoint coverage report
30%MF
Blocked 1
Server fleet agents
Awaiting change approval
EDR-22PM
Done 8
Phase 1 rollout
Vendor onboarding
Tooling procurement
INC-2026-004Phishing campaign — finance teamHighContained
Export AAR
Detected09:02
Triaged09:18
Contained09:30
Eradicatein progress
Recover
Timeline
ReportUser reported a suspicious invoice email.
ActionHudson flagged 14 matching messages across mailboxes.
Status3 accounts isolated, passwords reset, MFA re-enrolled.
ActionMalicious mailboxes purged, inbox rules removed.
PostMonitoring for re-compromise over 72 hours.
After-action reportDraft ready

Hudson drafted the AAR from the timeline: root cause, impact, response and three follow-up actions.

Runbook
Phishing Response · v1
Time to contain28m
Accounts hit3
Program Calendar
Every meeting, deadline, renewal and review in one place.
MonthWeekDay
Audits Reviews Renewals Board Vendor Deadlines
June 2026Today
Sun
Mon
Tue
Wed
Thu
Fri
Sat
31
1
2
3ISO audit kickoff
4
5
6
7
8
9Q2 access review
10
11
12SOC 2 renewal
13
14
15
16
17Board update
18
19
20
21
22
23Vendor risk review
24
25
26Policy review due
27
28
29
30
1
2
3
4
Documentation
Every policy, plan, report and attestation, synced and current.
Drive SharePoint Draft with Hudson
Library
Policies24
Plans8
Evidence116
Reports12
Attestations9
DocumentSourceOwnerStatus
Information Security Policyv4.2 · reviewed Apr 2026
Drive DC Current
Incident Response Planv3.0 · tabletop scheduled
SharePoint MF In review
Q2 SOC 2 Evidence Pack142 controls · auto-collected
Drive PM Current
Vendor Management PolicyDrafted by Hudson from the framework
Hudson HU Draft
Board Report — JuneDrafted by Hudson, ready for review
Hudson HU Draft
Connections AWS
AWS Active
Last synced Jul 2, 2026 · 11:00 PM
▶ Run now Test connection Delete
Security-posture checks
Latest reading per check, collected by this connector.
CheckLatest valueStatus
CloudTrail multi-region logging enabled0%Failed
Root account MFA enabled0%Failed
IAM password policy meets baseline0%Failed
S3 buckets block public access0%Failed
S3 buckets have default encryption100%Met
Security groups: no public admin ports100%Met
IAM access keys rotated within 90 days100%Met
IAM console users have MFA0%Failed

Command is the security program’s command center: strategy, risk, controls, and reporting for a CISO, or a whole portfolio for a vCISO or PE firm. It closes the loop with continuous control monitoring and audit-ready evidence, so the same platform that sets the strategy also proves it’s working.

The program,
always current.

Because every part feeds one loop, the numbers stay live. Maturity, risk, findings and coverage move the moment the work does, not when someone rebuilds the deck.

Maturity trajectoryNIST CSF · 5 snapshots
NIST CSF 2.0 adopted
3.6▲ 0.9 ytd/ 5.0 Managed

Maturity that climbs on the record

Program maturity tracked over time against the plan, with every assessment and milestone marked on the line.

Findings by severity27 open
2critical findings,
of 27 open
Critical 2High 12Medium 12

Findings, criticals first

Every open finding across the program by severity, with the criticals surfaced before anything else.

Action queue12 open
AWS keys unrotated 90+ days
12d overdue
No MFA on admin accounts
4d overdue
Backup restore untested
due today
DR plan review due
in 3d
8 more open →

Nothing slips past due

Every open finding across the program, ranked by how overdue it is, so the most urgent work is always on top.

Risk, before & after controlsRISK-2026-001
Inherent
Residual
5 controls linked · residual within appetite

Risk Management

Rate inherent risk, link the controls that reduce it, and Command derives the residual, with the heatmap showing the shift.

Self-assessmentPCI DSS 4.0
Requirements assessed54%
3.3.1.2CVV not retained after authorizationCovered
8.3.6MFA on all administrative accessPartial
10.2.1Audit logs for all user accessGap

Self-assessments, requirement by requirement

Score the program against any framework, with coverage and gaps tracked as you go, ready for the auditor.

BudgetFY26 · 21% used
Personnel$360K / $1.86M
Tooling$128K / $410K
Services$52K / $240K
Training$9K / $40K

The budget, against the plan

Security spend tracked by category against plan, so what's committed and what's left is always current.

Hudson · AI analyst

The analyst that runs the loop with you.

Hudson opens with a briefing, drafts assessments and policies, investigates findings, plans remediation, and keeps the board deck current, and always asks before it acts. Reach it anywhere with ⌘K.

See how Hudson works
Hudson Today, 8:02 AM
What should I focus on today?

Three things need you today:

Rotate AWS access keysCritical finding · 12d overdue
Approve SOC 2 evidence7 controls awaiting sign-off
Review risk acceptanceRISK-2026-014 expires Friday

Want me to draft the remediation plan for the first one?

One program model.
Three seats.

A CISO runs their own program in Command. For the operators who run security for many companies, Command reshapes into a console built for the job.

The work between the meetings, done.

Command absorbs the operational load a program carries between board cycles, so the time goes to decisions, not assembly.

One source
Plan, risk, findings and evidence connected, so the board deck is never rebuilt from scratch.
Minutes
To draft an assessment from a walkthrough, with status and maturity scored for review.
Always on
Hudson works the loop between meetings, drafting the next action before you ask.
Integrations

Built for the tools your team already runs.

Sign in with the identity provider you already trust, get briefings where your team already talks, and push remediation into the ticketing system that already owns the work. Connect the cloud and code you run, and Command scans your live configuration to validate control implementation automatically. Command fits the stack you have.

Identity
SSO with the providers you already use.
Communication
Briefings and alerts in the channels your team lives in.
Ticketing
Remediation flows into the queues that drive the work.
Control validation
Connect your cloud and code; Command scans live configuration and validates control implementation.

Be first when Command launches.

One note when it's live, or reach out for a look before then. We'll walk through your program and what running it in Command looks like.