JupiterOne launches CCM platform with AI & graph modelling

JupiterOne has introduced a new offering for continuous controls monitoring (CCM), targeting the needs of enterprises operating in highly regulated and complex environments. The platform uses a graph-based approach that allows technical teams to monitor and validate security controls across hybrid, multi-cloud, and legacy systems in real time.

Graph-based validation

The company's CCM leverages its proprietary Cyber Asset Graph to provide comprehensive visibility into IT infrastructure and highlight risks that conventional methods may overlook. The graph model maps the relationships and dependencies between assets, controls, and risks, enabling more in-depth analysis compared to traditional, table-based approaches.

One of the key challenges addressed by the platform is the ability to validate security controls on a continual basis, rather than relying on periodic audits. With regulatory frameworks pushing for constant effectiveness of controls instead of point-in-time compliance, many organisations require systems that can constantly monitor and test their technical environments.

"Working with Klarna's engineering team to deploy their cloud inventory solution, we gained invaluable insights into operationalising continuous control monitoring at scale," said Chad Richts, Director of Product Strategy, JupiterOne.

"Graph databases unlock what seemed impossible-testing complex security policies that span multiple assets and their relationships. Traditional approaches simply don't scale when you need to validate controls across the interconnected systems that characterise enterprise environments. By mapping asset dependencies natively, graphs reveal hidden risks in milliseconds, far outperforming relational models."

Capabilities for engineers

The CCM platform allows platform engineering teams to query and test live hybrid environments such as AWS, Azure, and Google Cloud Platform. Automated tests can be run continuously, closing the gap between written policy and technical reality. The system's architecture exposes hidden dependencies, which helps teams identify risks not flagged by linear data models.

Teams can also use the MCP Control Builder, an AI-assisted component, to draft custom control queries. This feature automates the process of defining technical requirements aligned with multiple regulatory frameworks, including SOC 2, ISO 27001, PCI DSS, and HIPAA. Evidence is automatically collected for audit purposes, supporting faster responses to regulatory requests.

AI integration

JupiterOne also unveiled the general availability of its MCP Server. This product supports the Model Context Protocol, an emerging standard for how large language models interact with enterprise security and IT systems. The MCP Server enables AI-driven agents to access, analyse, and act on live security data with all necessary access controls. This capability is positioned to help teams move from manual analyses to automation of vulnerability triage and remediation workflows, using natural language queries.

The MCP Server currently operates as a standalone solution, but its infrastructure will underpin forthcoming AI-assisted features in the CCM platform. By connecting these AI tools to the Cyber Asset Graph, platform engineers can assign tasks to AI partners that work directly with up-to-date asset inventories, with enforced security constraints.

Regulatory frameworks

The system features out-of-the-box support for several widely used benchmarks, including CIS benchmarks for leading cloud providers and compliance frameworks such as SOC 2 and PCI DSS. JupiterOne intends to extend support to additional frameworks in the near future to further assist organisations in achieving operational resilience.

"Graph architecture maps relationships between assets and controls, exposing dependencies and connected risks that flat data models cannot detect," said Richts.