Engagements
Sectum AI ships a free Apache-2.0 core that produces auditor-grade evidence on its own, plus a ladder of scoped engagements, each calibrated to a specific buyer — from an engineer who just wants the OSS managed for them, up to a DPO commissioning a one-time erasure attestation. Each engagement covers only the surfaces agreed as in scope; contact us to scope yours.
The ladder
Engineers — the open-source core
| SKU | What you get |
| --- | --- |
| Open Sectum | The Apache-2.0 OSS core: substrate, attack catalog, adapters, evidence chain, sectum-ai verify. Wire into CI, run locally, free forever. |
Sales engineering / CISO — annual artifacts for security questionnaires and audits
| SKU | What you get |
| --- | --- |
| Trust Evidence Pack | Annual tamper-evident attestation of multi-tenant isolation for your data room. Drop it into every enterprise security questionnaire response for 12 months. |
| SOC 2 Tenant Isolation Evidence Pack | Per-audit-cycle attestation, control-mapped to CC6.1 / CC6.6 / CC6.7. Plugs into a Vanta- or Drata-driven Type II audit. Sold direct or via audit-firm partners. |
DPO / Privacy — event-triggered bespoke
| SKU | What you get |
| --- | --- |
| Erasure Attestation — Standard | A one-time GDPR Article 17 engagement proving a churned tenant's data has left every AI surface; a DPO-ready PDF. Standard scope (2–4 surfaces). |
| Erasure Attestation — Extended | Same deliverable, extended scope: 5+ AI surfaces including fine-tune adapters, search indexes, and full observability backends. |
Continuous Multi-Tenant Verification — ongoing tiers
| SKU | What you get |
| --- | --- |
| Continuous — Starter | Monthly scheduled runs against one stack, dashboard, regression baselines. |
| Continuous — Growth | Up to three stacks, threshold alerting on regressions, quarterly review. |
| Continuous — Scale | Multi-environment continuous verification, on-call threshold support, custom adapter coverage, monthly executive review. |
Same evidence, same verifier
Every paid SKU produces an evidence pack with the same format as the
OSS — an auditor or DPO opens it the same way regardless of how
it was produced, and sectum-ai verify (Apache-2.0) is the
canonical verifier for all of them. By design; see ADR-0002.
Open Sectum vs Sectum Cloud
| | Open Sectum | Sectum Cloud |
| --- | --- | --- |
| License | Apache-2.0 | Commercial |
| Marker substrate, attack catalog, adapters | ✓ | ✓ |
| Evidence chain + independent sectum-ai verify | ✓ | ✓ |
| sectum-ai CLI (init / seed / probe / report / verify / erasure / baseline / adapters) | ✓ | ✓ |
| Continuous scheduled runs against a customer stack | — | ✓ |
| Attestation hosting and managed audit-pack delivery | — | ✓ |
| Dashboard, alerting, and regression baselines across runs | — | ✓ |
| Third-party signed attestation | — | ✓ |
Which SKU is right for you?
- I'm a platform engineer wiring this into CI → the OSS, free, forever.
- I'm answering enterprise security questionnaires that ask about AI isolation → Trust Evidence Pack, an annual artifact.
- I'm prepping for a SOC 2 Type II audit and the auditor wants AI evidence → SOC 2 Tenant Isolation Evidence Pack, scoped per audit cycle.
- I'm a DPO with an active GDPR Article 17 erasure request → Erasure Attestation, scoped per engagement.
- I want ongoing assurance with regression detection across multiple environments → Continuous tier, scoped to the environments in scope.