KaitoSec - Resilience made easy
A resilience platform that respects your time.
Built in Germany for the mid-market and public sector. Read what we stand for and sign up for the beta.
For the security teams their tool stacks forgot.
Security teams in the mid-market. Small and mid-sized public bodies - Stadtwerke, Kommunen, Landesbehörden. KRITIS operators below the DAX-30 line. The teams who have to carry real regulatory weight, without an enterprise budget.
You probably know the playing field.
- 01 Excel and Jira.
What most teams actually use. Excel collapses by the third audit; Jira was built for product teams, not for an ISMS. Neither was meant for this work - and it shows.
- 02 The enterprise suites.
Built for ministries and the DAX-30. Cost like it, configure like it. You spend more on the consultant than the license.
- 03 The US imports (and EU covers).
Get you a badge fast. On BSI Grundschutz, NIS2 thresholds, or the Verarbeitungsverzeichnis your team actually files, they have little to say.
- 04 The DACH classics.
Know the standards - but feel like 2010 SharePoint with a Java GUI bolted on.
KaitoSec fills the gap. DACH by default. Built for mid-market and public sector - and architected to grow with you. Less governance noise means more capacity for actual resilience - for the decisions and systems that really matter.
Why now
Two clocks are ticking. Neither favors the defender.
Regulation is stacking.
NIS2 has been in force in Germany since December 2025 - no transition period, active BSI enforcement, personal liability for management under §38 BSIG. Since January 2026, BSI Grundschutz++ has been the standard your auditor will use for years to come. Since January 2025, DORA has required continuous evidence from the financial sector, not annual audits. ISO 27001 remains the baseline everyone still asks for. The work doesn't replace itself. It accumulates.
Budgets aren't keeping pace.
The German government estimates NIS2 alone will add €2.3 billion in annual compliance costs to the German economy. Large enterprises are budgeting for it - the Mittelstand is shouldering the same obligations with significantly less. Teams running the DACH classics are quietly looking for the exit. AI governance lands on the same desk on top of that, usually in a separate spreadsheet that nobody has connected to the ISMS.
The defender's clock just sped up.
Time from disclosure to first exploit collapsed from 771 days in 2018 to hours in 2024. The majority of exploited vulnerabilities are now weaponized before they're publicly disclosed. Anthropic restricted its most capable model to twelve hyperscalers under Project Glasswing, because in the wrong hands it industrializes zero-day discovery. The Fortune-12 get a head start. The German Mittelstand does not.
Disclosure → first exploit
- 2018: 771 days
- 2020: 84 days
- 2022: 6 days
- 2024: 4 hours
- 2025: 0 minutes
Sources: Mandiant M-Trends, Rapid7 Global Threat Landscape Report 2026, VulnCheck Known Exploited Vulnerabilities (2018-2025).
Attackers need hours. You need weeks, with your 2010 toolchain.
The obvious objection
“There are already 150 ISMS tools. Why another one?”
Fair question. The BSI list alone has around 46. The wider DACH region has well over a hundred, plus the EU and US vendors. The market isn't empty.
But it's sorted wrong.
Most of these tools were built between 2008 and 2016, in a world where compliance was a yearly audit, NIS2 didn't exist, AI governance wasn't a topic, and “continuous” was a DevOps buzzword. They've added modules since, repainted GUIs, sometimes bolted on a cloud variant - but the data model underneath is the same one.
That was good enough for a long time. Not anymore. And "that's how it's always been" stops here.
If you're maintaining ISMS, BCMS, and DSMS separately because your tool expensively sells them to you as three modules - you're working against reality.
If your security culture only lives in the tool that three people log into - you don't have a culture, you have a database.
If your auditor wants to know how a control is performing this week, and your tool only knows last quarter - you're living in audit time, not risk time.
If you want to handle AI governance in the same platform where you run ISO 27001, and there's simply no place for it - you're working around your tool, not with it.
We're not building another ISMS tool. We're building the operating system your entire compliance work runs on.
Manifesto
What we stand for.
01—Your data is not our leverage.
You own the model. Export it, take it with you - anytime. We don't hold customers hostage to keep them.
02—One model, not five spreadsheets.
Controls, threats, assets, evidence, processes, BCM plans, GDPR records - one unified data model. Relational at the core, extensible with custom attributes, freely connectable. Anything can link to anything - but doesn't have to. You change one record, the whole picture follows.
03—Bring your own model.
Anthropic, OpenAI, or a local model behind your firewall. Agent-agnostic by default. No vendor lock, no forced AI upsell. Digital sovereignty starts with your ISMS documentation, not with your cloud region.
04—Built like the tools you enjoy opening. Not the ones you endure.
Multi-user, live, fast. Resilience work is a team sport - your tool should feel like one.
05—One control. Every framework.
ISO 27001, BSI Grundschutz++, NIS2, DORA, GDPR - mapped and deduplicated. Write once, satisfy all of them.
How we build
Four principles underneath every feature.
Security is motion, not architecture.
“Security house”, “building block”, “module”, “target object groups” - the language of established tools is built from masonry. It suggests you build something once and it stands. Resilience doesn't work that way. Threats shift, processes change, people leave. We're not building a house, we're building a living organism - structured enough to be auditable, mobile enough to stay relevant.
PDCA isn't a module, it's the heartbeat.
Plan, Do, Check, Act isn't a phase you work through once a year. It's the rhythm in which risks emerge, get treated, reviewed, and refined. Every record in KaitoSec - every control, every measure, every risk - knows its phase in the cycle and moves through it.
From the ivory tower to the floor - and back.
Resilience can't stay stuck in the security team. Risks emerge in accounting, in sales, on the shop floor. Business units work in the platform as naturally as the security team does. Their results land directly in the ISMS, without unnecessary email detours.
Before and after matters as much as next to.
Nobody in 2026 should have to manually fill in fields that are already maintained somewhere else. Tickets from Jira, findings from your scanner, contracts from your DMS, records from your HR system. We build flexible integrations and an MCP server so your data lands where it's needed - instead of being re-typed three times. It can be different.
The consequence: we ship the whole stack.
Most tools ship a single bolt for your Frankenstein monster of Excel, wiki, ticket system, and audit folders. We think that's the wrong approach. Resilience work needs a platform that works on day one, not another body part you have to stitch onto the monster.
How it feels
The work gets smaller. The decision stays with you.
Many management systems. One model.
ISMS, BCMS, DSMS, DMS, KIMS share a common data reality - the same assets, the same processes, the same people. We map that reality once. Your business continuity plan and your up-to-date asset register don't drift apart anymore. They share a data foundation.
Continuous, not annual.
NIS2 and DORA don't ask “did you have a control last March?” They ask “is it working right now?” KaitoSec treats evidence as a stream, not a milestone. Auditors get the picture as it is. From now on, so do you.
AI that does the work, not more work.
Risk analysis on a new asset. Statement of Applicability across mapped frameworks. Drafting a measure from a finding. These are the time-consuming tasks. We hand them to an agent - the one you choose - you review and approve. The work shrinks. The decision stays with you.
Community Edition
Our contribution to Grundschutz++. An open note to the BSI.
The modernized Grundschutz is the most important regulatory work happening in Germany right now. It only works if the public bodies meant to implement it actually have the tooling - without license hurdles, without cloud lock-in, without vendor traps.
That's why, after the beta, we're releasing the KaitoSec Community Edition: self-hosted, continuously maintained, free of charge. Available exclusively to public bodies in the DACH region - Kommunen, Stadtwerke, Landes- and Bundesbehörden, KRITIS operators in public service.
Not a time-limited offer. Not a "free tier" we'll quietly cap later. Same release track as the commercial edition - not a stripped-down public sector version, but the same software, maintained by us. For as long as KaitoSec exists.
And because we know how grinding public procurement is: the Community Edition sidesteps the problem entirely. No Vergabeverfahren, no business case justification, no twelve-month procurement marathon. You download it, you use it. That's it.
And no deployment theatre. One container, one database, half an hour. No Kubernetes cluster, no six-figure hardware list, no three consultants in the onboarding room. If you have a server, you have KaitoSec.
If you work in a public body and deal with Grundschutz or Grundschutz++ - get on the list. We'll be in touch when the Community Edition is ready.
Roadmap
What's shipping, and when.
April - August 2026
Beta phase
Invite-only cohort. We build with the first teams, not at them. Weekly releases, direct line to the team.
May - June 2026
AI workflows
Risk analysis, Statement of Applicability, measures from findings. Agent-agnostic - pick your model.
July 2026
Integrations
Connectors to the tools your beta feedback points us to first - identity, ticketing, evidence sources. We build what customers actually ask for, not a preset list.
August / September 2026
General release
Public availability. Self-serve onboarding for mid-market and public sector. On-prem option in parallel.
We're building this in the open, with the people who'll actually use it.
If your current toolchain feels like a cage, get on the list. Beta cohort opens April 2026.
First things first - to set expectations: things are very early with this project. Uncomfortably early, even.
We could keep working on this behind closed doors for another six months. But the product will get a lot better, a lot faster, if we work closely with the right early customers to shape it together.
If you're hoping for a polished, Apple-level experience, we're not ready for you yet. Give it a couple of months and come back once we've had time to improve it alongside early adopters.
But if you want to try it now, help us make it better, and be in the room while it takes shape - drop your email below.