Frequently Asked Questions
Common questions about Serpentine, answered.
General
Serpentine is a unified security platform that combines detection, hardening, offensive validation, and governance into a single graph-based architecture. Unlike traditional security tools that operate in silos, Serpentine provides a continuous validation loop where every security claim can be tested and verified.
Traditional tools detect issues in isolation—your SIEM sees alerts, your scanner finds vulnerabilities, your compliance tool generates reports. None of them know if your controls actually work. Serpentine connects these dots through a unified graph, enabling you to validate that "firewall blocks port 22" rather than just assuming it does.
Serpentine serves organizations across financial services, healthcare, technology, government, and any sector with significant compliance requirements or complex security needs. Our architecture is particularly valuable for organizations managing multi-cloud environments or navigating multiple regulatory frameworks.
Serpentine can complement or replace existing tools depending on your needs. Many organizations use Serpentine alongside their current investments initially, then consolidate as they see the value of unified visibility. Our platform integrates with existing SIEMs, scanners, and cloud security tools.
Technical
The Security Substrate is Serpentine's core graph database that maintains relationships between all security entities—assets, controls, vulnerabilities, compliance requirements, and validation results. This unified data model eliminates the "swivel-chair" problem of switching between disconnected tools.
The Offense module runs controlled attack simulations based on real threat intelligence. Unlike annual penetration tests, these validations run continuously, testing whether your controls actually block the attacks they claim to block. Results feed directly into your security graph, creating evidence-based confidence.
Serpentine offers SaaS deployment for most organizations, with EU-sovereign hosting available for data residency requirements. For highly regulated environments, we offer private cloud and on-premises deployment options. All deployment models maintain the same feature set and API compatibility.
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). For EU customers, we offer data residency guarantees with hosting exclusively in EU datacenters. We maintain SOC 2 Type II certification and are pursuing ISO 27001 certification. See our Security & Trust documentation for details.
Serpentine provides a comprehensive REST API and GraphQL endpoint for programmatic access. We offer native integrations with major cloud providers (AWS, Azure, GCP), identity providers, SIEM platforms, and ticketing systems. Custom integrations can be built using our SDK and webhook framework.
Compliance
Serpentine provides mappings and evidence collection for SOC 2, ISO 27001, GDPR, NIS2, DORA, PCI DSS, HIPAA, and many other frameworks. Our graph architecture means implementing one control can automatically satisfy requirements across multiple frameworks—eliminating duplicate audit work.
Traditional compliance is point-in-time: you prepare for an audit, pass it, then drift until the next one. Serpentine maintains continuous evidence collection and control validation. When auditors ask "show me your access controls," you have real-time proof rather than stale documentation.
Yes, Serpentine supports DORA compliance. DORA requires ICT risk management, incident reporting, resilience testing, and third-party oversight—all areas where Serpentine excels. Our platform provides the continuous validation and evidence collection that DORA demands, with specific mappings to DORA's technical standards.
NIS2 expands cybersecurity requirements across the EU. Serpentine helps organizations meet NIS2's risk management measures, incident handling requirements, and supply chain security obligations. Our EU-sovereign deployment option ensures data residency compliance for NIS2-covered entities.
Pricing & Deployment
Serpentine uses asset-based pricing, calculated on the number of monitored assets (endpoints, cloud resources, network devices). This aligns costs with the value delivered. We offer Essentials, Professional, and Enterprise tiers with different feature sets and support levels.
We offer guided proof-of-value engagements rather than self-service trials. This ensures you see Serpentine working with your actual environment and use cases, not just a demo dataset. Contact us to schedule a personalized demonstration and pilot program.
All plans include initial onboarding and configuration support. Professional and Enterprise tiers include dedicated customer success management, custom integration development, and training programs. Enterprise customers receive architectural review and ongoing optimization services.
Essentials tier includes email support with 24-hour response time. Professional adds priority support with 4-hour response. Enterprise includes 24/7 support with 1-hour response for critical issues, plus a dedicated technical account manager and quarterly business reviews.
Still have questions?
Our team is ready to help you understand how Serpentine can transform your security operations.