03 / COMMAND Coming soon

The operating system for your security program.

Not another GRC tool. GRC tools document the program. Command runs it. The assessment writes itself. The roadmap stays live. Findings get worked to closure. The board deck is always current. Built for security leaders running their own program, vCISOs running several at once, and PE firms managing security across a portfolio.


A look at what we're building

Portfolio Lens.

The multi-program view for vCISOs and PE firms running security across multiple companies. Roadmap, audits, controls, exceptions, and board reporting consolidated into one workspace.

Command Portfolio Lens view: 11 portfolio companies tracked across compliance, findings, and monitoring, with risk stories, an action queue of upcoming audits, and a portfolio maturity trend chart.

The assessment that writes itself

Security Assessments.

Walk a framework control-by-control. Command transcribes the conversation in real time, drafts the implementation status and maturity rating from what was said and the evidence you've uploaded, and surfaces both next to the question for one-click approval or override. The assessment that writes itself while you do the actual work.

Command Security Assessments view: an in-progress CSPF 1.0 assessment with control GR-04 'Documented security strategy / roadmap' selected. Implementation Status options (Implemented, Partially implemented, Not implemented, Not applicable, Compensating control), a maturity rating scale from 0 (Nonexistent) to 5 (Optimizing), and a right-hand panel showing a 'Draft from conversation' narrative ready to apply, a suggested maturity rating of 3 (Defined) with medium confidence, and a suggested status of Implemented.

And the rest of the program

One workspace for everything that used to live in a spreadsheet.

Detail view of a KnowBe4 controls library entry showing description, deployment scope of 1,600 employees, vendor contact and contract dates, properties panel with owner and review dates, framework mappings to NIST CSF and CIS v8 tagged Primary, and a governing Acceptable Use Policy link.

Controls Library

Every tool, policy, and control documented once and mapped to the frameworks it satisfies. Ownership, review cadence, vendor contract dates, and framework coverage live on the same record so renewals and audit prep stop being two separate fire drills.

Finding detail page for FND-2026-001, 'Tabletop exercise not conducted this year,' with a Medium severity badge and Open status. The main column shows Description, Gap Summary citing BCP/DR for SOC 2 and HIPAA, and a Recommended Action to run a tabletop within 90 days, above an empty Remediation Actions panel. A right-hand Properties panel lists Status, Severity, Owner, Source Manual, Detected date, due date, controls, and a Risks linker.

Findings

Every gap from an assessment lands here as a finding with severity, owner, source, and detected date. Convert it into remediation actions, link the risks and controls it touches, and roll it up into a project on the funnel.

Project workspace for an EDR Deployment showing 10 percent complete progress, four phased task groups with completed and open items, status and timeline panels, and owner and sponsor assignments.

Project Management

Findings become projects with phased tasks, owners, sponsors, and health. Track an EDR rollout from vendor selection through tuning, with List, Board, and Coverage views and the controls each project closes.

FY2026 Security Budget detail page showing 18% utilization, $449,786 of $2,565,000 spent, status Draft, and a By Category summary with horizontal spend bars for Personnel, Tools, Services, Projects, Initiatives, Training, and Other.

Strategy & Budget

Run the security program against a real number. Plan the fiscal year by category, tie spend to projects and initiatives, and watch actual vs. planned move as the year burns down.

Plus all of this

Additional features.

Ships with three persona experiences out of the box. CISO lands in Command Center, vCISO in Practice Console, PE operator in Portfolio Lens. Navigation, terminology, and dashboards reshape per persona. The rest of the program runs the same underneath.

Archer (AI)
Ask anywhere via ⌘K. Drafts assessment responses, suggests evidence mappings, generates findings, and drafts remediation plans across every workspace.
Evidence Library
One SOC 2 report satisfies overlapping NIST CSF, ISO 27001, and CIS controls in a single pass. Coverage metrics roll up across every framework you run.
External Monitoring
Outside-in posture for every company you manage. Security ratings, CVE tracking, exposed services, sub-processor changes, dark-web and ransomware signals.
Risk Register
Residual-risk register with mitigation strategies and explicit linkage to the findings, controls, and projects each risk touches.
Incident Response
Full lifecycle from Open through Closed. MTTR metrics, postmortem workflow, and runbooks auto-suggested from finding patterns.
Governance
Committees, scheduled meetings with motions, votes, and action items, plus a 90-day rolling program calendar of audits, reviews, and renewals.
Program Documentation
Policy, standard, and procedure lifecycle from Draft through Retired, with review-date tracking and named ownership per document.
Diligence
Send and receive security assessments for M&A targets or client onboarding. Outbound for the teams you assess, inbound for the assessors who audit you.
Compliance & Certifications
Compliance obligation tracking and full certification audit lifecycle. Connected to the controls and evidence that prove each one.
Board-Ready Reporting
Reports across findings, risks, compliance, certs, assessments, and strategic plans. PDF, Word, or HTML, with OTP-gated shareable links for external stakeholders.

Command build status

Build Status · In Progress 95%
portfolio_lens ready
security_assessments ready
controls_library ready
findings + projects ready
strategy + budget ready
archer_ai_layer ready
evidence_library ready
external_monitoring ready
incident_response ready
governance ready
cross_app_integrations building
reporting building
launch q3 2026