Testify — Complete Feature Inventory
Version: 1.8.1 | Date: February 16, 2026 | Status: Production (AWS EKS)
Platform Overview
Testify is a multi-tenant GRC (Governance, Risk, and Compliance) platform purpose-built for private equity firms managing cybersecurity posture across portfolio companies. It replaces point-in-time assessment snapshots with a continuously updated security posture that reflects assessments, incidents, remediations, and manual overrides in real time.
1. Multi-Tenant Architecture
| Capability | Detail |
|---|---|
| Tenant hierarchy | Parent-child relationships (PE firm → portfolio companies → subsidiaries) |
| Role-based access | 4-tier RBAC: Portfolio Principal, Admin, Analyst, Viewer |
| Division scoping | Organize companies into logical groups (sector, region, fund); scope visibility per division |
| Division-aware filtering | All portfolio views, analytics, and bulk actions respect the active division selector |
| JWT authentication | Access + refresh token flow with automatic refresh and session management |
| Two-factor authentication | TOTP-based 2FA with setup wizard, QR code provisioning, and recovery codes |
| Password reset | Email-based forgot-password flow via Google Workspace SMTP |
| Inactivity timeout | Configurable session expiry with toast notification and redirect |
2. Compliance & Assessment Engine
| Capability | Detail |
|---|---|
| CIS Controls v8 | Full 153-safeguard library with IG1/IG2/IG3 classification |
| NIST CSF support | Multi-framework architecture — CIS and NIST with crosswalk mapping |
| Custom controls | Organization-specific controls with categories and supplemental questions |
| Assessment workspace | CSAT-methodology workspace with per-safeguard maturity scoring (P/I/A/R dimensions, 0-5 scale) |
| Evidence attachments | Per-safeguard file uploads with evidence tracking |
| Bulk assessment save | Auto-save and bulk submission for efficient assessment completion |
| Assessment validation | Completeness checks before submission with missing-item summary |
| AI document import | Ollama-powered extraction from security documents (pen test reports, EDR coverage, Purple Knight AD assessments, IR reports) |
| Spreadsheet import | Bulk import from Excel/CSV with field mapping |
3. Live Control State
| Capability | Detail |
|---|---|
| Real-time state register | TenantControlState per company per control — always current, not point-in-time |
| Four input sources | Assessments, incidents, remediations, and manual overrides all update state |
| Immutable audit trail | Every state change produces a StateChangeEvent with source, user, timestamp, justification |
| Manual overrides | Analysts can adjust state with required justification — fully audited |
| State timeline | Visual history of all changes per control with source attribution |
| Portfolio summary | Aggregate view of control state across all companies |
4. Health Review Campaigns
| Capability | Detail |
|---|---|
| 8-step campaign wizard | Name, framework, control scope, scoring config, documents, attestations, assignments, review |
| Quick campaign creation | Single-click campaign from treemap or gap analysis — skip the wizard for targeted reviews |
| Control scope flexibility | IG1/IG2/IG3 baselines + individual control additions/exclusions |
| Multi-framework support | CIS Controls and NIST CSF with framework-specific control selection |
| Document requirements | Configurable document types with expiration policies and upload instructions |
| Supplemental questions | PE-defined scoring questions (text, multiple choice, boolean) with categories and weights |
| Policy attestations | Compliance attestation requirements with optional evidence upload |
| Campaign directives | Admin instructions displayed prominently to assigned companies (vendor recommendations, policy mandates) |
| Auto-activation | Create campaigns in draft or immediately activate with webhook notifications |
| Portco self-service | Companies see assigned campaigns, complete assessments, upload documents, and submit |
| Review workflow | PE admin review with approve/reject per submission, gated on completeness |
Campaign Scoring Engine
| Capability | Detail |
|---|---|
| 4-category composite scoring | Controls (live state), supplemental questions, documents, attestations |
| Configurable weights | Default 50/20/15/15 — adjustable per campaign |
| Maturity threshold | Configurable minimum score for a control to count as meeting requirements |
| Campaign scores dashboard | Cross-portfolio view of all company scores with per-category breakdowns |
| Per-assignment scoring | Individual company score detail with requirement-level progress |
5. Incident Response
| Capability | Detail |
|---|---|
| Incident lifecycle | Create, investigate, remediate, close — with status tracking and assignment |
| MITRE ATT&CK mapping | Tactic and technique mapping per incident with auto-suggest |
| Attack chain builder | Interactive step-by-step attack reconstruction with MITRE technique linking |
| Evidence management | File upload with SHA-256 hashing, chain of custody tracking, and download logging |
| IR investigations | 5-phase NIST SP 800-61 / SANS PICERL workflow with 53 questions and conditional follow-ups |
| Root cause analysis | Control failure correlation with at-incident vs. current state comparison |
| Control degradation | Incident creation automatically degrades affected controls via MITRE-to-CIS mapping |
| Portfolio control failures | Cross-company view of which controls fail most often, ranked by frequency and financial impact |
| Bulk import | Import incident records from third-party IR reports |
6. Remediation Management
| Capability | Detail |
|---|---|
| Remediation tracking | Open → In Progress → Resolved → Verified lifecycle with priority and assignment |
| Control gap creation | Create remediations directly from gap analysis, treemap, or assessment results |
| Bulk remediation | Create remediations for all delinquent companies on a control in a single API call |
| Deduplication | Automatically skips companies with existing open/in-progress remediations |
| Technology-based bulk | Create remediations for all companies using a specific vulnerable technology |
| State integration | Completed remediations automatically upgrade control state in live register |
7. Portfolio Analytics & Intelligence
| Capability | Detail |
|---|---|
| Analytics hub | Central dashboard with compliance trends, incident stats, and remediation status |
| Asset exposure treemap | D3.js treemap sized by gap severity, colored by remediation coverage, with per-control detail panel |
| Risk constellation | D3.js force-directed graph visualizing risk clusters and control relationships |
| Dimension radar | P/I/A/R maturity comparison across companies with radar chart visualization |
| Gap cascade (Sankey) | Flow visualization showing how control gaps cascade across the portfolio |
| Maturity heatmap | Grid view of control maturity by company with color-coded cells |
| Maturity trends | Historical trend analysis of maturity scores over time |
| Control gap analysis | Ranked list of weakest controls across portfolio with company breakdown |
| Technology inventory | Cross-portfolio technology deployment tracking with vendor coverage analysis |
| Technology effectiveness | Correlation between technology deployments and control maturity outcomes |
| Company archetypes | Automated detection of company security posture patterns |
8. Bulk Actions System (v1.8.1)
| Capability | Detail |
|---|---|
| Reusable architecture | useBulkActions.js composable + 2 backend endpoints — any view can invoke |
| Bulk remediation from control | Single API call creates remediations for N companies with dedup |
| Quick campaign creation | Focused campaign scoped to specific controls + tenants, bypassing wizard |
| Campaign directives | Actionable instructions (vendor recommendations, mandates) displayed to portcos |
| Treemap integration | Remediate All + Launch Campaign buttons in detail panel |
| Control gap integration | Same actions available from Control Gap Analysis view |
| Division scoping | All bulk actions respect active division filter |
9. Theming & Accessibility
| Capability | Detail |
|---|---|
| Theme system | Light + Midnight, with Auto preference following OS; persisted in localStorage |
| Theme toggle | Sidebar footer three-state segmented control (Light / Midnight / Auto) |
| Theme coverage | Sidebar + login persistent dark zones; first-slice routes use theme tokens; long-tail routes audited progressively (see frontend/STYLE.md) |
| Responsive design | Adaptive layouts for desktop, tablet, and mobile viewports |
10. Platform Administration
| Capability | Detail |
|---|---|
| Organization management | Add companies, set parent-subsidiary hierarchy, create divisions |
| User management | CRUD for users with role assignment and tenant scoping |
| Custom controls library | Organization-specific control definitions with categories |
| Document type management | Configure document types, expiration policies, upload permissions |
| Integration settings | Webhook configuration for external notifications |
| Portco upload settings | Control which companies can upload assessments |
| Feature tour | Interactive onboarding walkthrough for new users |
| Admin guide | In-app documentation with role-specific guidance |
11. Infrastructure & DevOps
| Capability | Detail |
|---|---|
| Docker Compose | Local development with hot-reload (backend + frontend + PostgreSQL + Redis) |
| Kubernetes + Helm | Production deployment with Helm charts and values overlays |
| AWS EKS | Current production cluster (testify-production) |
| ECR container registry | Automated image tagging and push |
| Cross-architecture builds | Images built with --platform linux/amd64 so that images built on M-series (arm64) Macs run on the x86-64 EKS nodes |
| Database migrations | Django migration framework with zero-downtime patterns |
| Celery task queue | Redis-backed async task processing |
| Health check endpoint | Unauthenticated /api/v1/health/ for load balancer probes |
12. API Surface
| Area | Endpoint Count | Auth |
|---|---|---|
| Authentication | 9 endpoints | Mixed (login/reset public, others authenticated) |
| Assessments | 12+ endpoints | Role-based |
| Campaigns | 15+ endpoints | PE admin for management, authenticated for portco |
| Incidents | 10+ endpoints | Role-based |
| Remediations | 5+ endpoints | Role-based |
| Analytics | 8+ endpoints | PE admin |
| Control State | 5 endpoints | Role-based |
| Bulk Operations | 4 endpoints | PE admin |
| Frameworks | 3 endpoints | Authenticated |
| Admin | 6+ endpoints | Admin/Superuser |
13. AI Hygiene Assessment
| Capability | Detail |
|---|---|
| Feature name | AI Hygiene Review |
| Module / app | backend/apps/assessments + backend/apps/frameworks |
| Framework anchored | AI SAFE² v1.0 (Cyber Strategy Institute, MIT + CC-BY-SA) |
| Crosswalks | NIST AI RMF 1.0, ISO/IEC 42001 AIMS, EU AI Act High-Risk Obligations, OWASP LLM Top 10 (2025) |
| Assessment scope | AI in product (customer-facing AI features) — internal tooling and dev assistants are Q0 out-of-scope |
| Three exit paths | Q0 scope-out (no AI in product, signed attestation); Q1 third-party override (upload existing ISO 42001 cert / NIST AI RMF audit / HITRUST AI / Big4 audit / red-team report); full 30-question questionnaire |
| Question bank (Phase 1) | 30 questions across 5 SAFE² pillars: Audit & Inventory (8), Sanitize & Isolate (6), Fail-Safe & Recovery (5), Engage & Monitor (6), Evolve & Educate (5) |
| Response values | Yes / Partial / No / N/A — defined in QUESTION_RESPONSE_VALUES (frontend/src/types/ai_hygiene.js:154) |
| Score computation | Per-pillar mean (Yes=1.0, Partial=0.5, No=0.0, N/A excluded); weighted overall via AI_HYGIENE_DEFAULT_WEIGHTS (audit 0.25 / san 0.20 / fai 0.15 / eng 0.20 / evo 0.20); all-N/A pillars excluded and remaining weights renormalized |
| Q1 accepted score | Fixed 100; provenance label Audited externally — accepted |
| Evidence chain of custody | SHA-256 hash on every upload; re-verified on every download; download-logged |
| AI Hygiene Officer | Named via CampaignPolicyAttestation.policy_type='ai_hygiene_officer' + AttestationResponse.attested_by — identity and attestation text travel with submission |
| New assignment states | not_applicable_attested, submitted_via_third_party_pending, submitted_via_third_party_accepted, submitted_via_third_party_rejected (added in migration 0039) |
| New model fields | DocumentUpload.ai_evidence_type, third_party_assessment_type, validator_status; CampaignPolicyAttestation.policy_type; AttestationResponse.attestation_text (all in migration 0039) |
| Permission gate | IsSubsidiaryOverseerOrPortfolioAdmin throughout — subsidiary overseers have first-class access |
| Parent-side surfaces | Sortable rollup list (AIHygieneList.vue) with score / status / provenance / evidence-backed columns; third-party review queue (ThirdPartyAssessmentReviewQueue.vue) |
| Tenant-side surface | Campaign assignment entry in existing assessments dashboard; Q0 → Q1 → questionnaire flow (AIHygieneAssessment.vue) |
| Phase | 1 (self-attestation + third-party override + scoring + rollup) |
| Roadmap | Phase 2: full 128-control SAFE² set, schema-validated AI BoM / Model Card evidence, crosswalk-based auto-credit, scheduled re-assessment cadence, cross-tenant heatmap. Phase 3: apps/ai_governance/ module, per-tenant AI inventory, EU AI Act exposure scoring, AI sub-score in Exit Readiness, opt-in Cranium connector. |
| Spec | docs/superpowers/specs/2026-04-30-enterprise-ai-assessment-design.md |
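The score computation row above is compact; the following is an added worked example (not Testify's own code) that implements it as stated: per-pillar mean with Yes=1.0, Partial=0.5, No=0.0 and N/A excluded, the default pillar weights from AI_HYGIENE_DEFAULT_WEIGHTS, and renormalization of the remaining weights when an entire pillar is N/A. The pillar keys and weights are taken from the inventory; the sample questionnaire answers are constructed, and the status handling for the Q1 override (fixed score of 100) is the example's own reading of the rows above.

```python
"""AI Hygiene score computation, added as a worked example (not project code).

Weights follow AI_HYGIENE_DEFAULT_WEIGHTS as quoted in the inventory:
audit 0.25 / san 0.20 / fai 0.15 / eng 0.20 / evo 0.20.
The sample answers below are constructed for illustration.
"""
from typing import Dict, Iterable, Optional, Tuple

RESPONSE_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}   # "n/a" carries no score
DEFAULT_WEIGHTS = {"audit": 0.25, "san": 0.20, "fai": 0.15, "eng": 0.20, "evo": 0.20}
THIRD_PARTY_ACCEPTED_SCORE = 100.0  # Q1 accepted override: fixed 100


def pillar_score(responses: Iterable[str]) -> Optional[float]:
    """Mean of the scored answers in one pillar; None when every answer is N/A."""
    scored = []
    for r in responses:
        key = r.strip().lower()
        if key == "n/a":
            continue                       # N/A is excluded, not counted as 0
        if key not in RESPONSE_SCORE:
            raise ValueError(f"unknown response value: {r!r}")
        scored.append(RESPONSE_SCORE[key])
    if not scored:
        return None
    return sum(scored) / len(scored)


def overall_score(pillar_responses: Dict[str, Iterable[str]],
                  weights: Dict[str, float] = DEFAULT_WEIGHTS,
                  ) -> Tuple[Optional[float], Dict[str, Optional[float]]]:
    """Weighted overall score on a 0-100 scale, plus the per-pillar means.

    Pillars whose answers are all N/A are dropped and the remaining weights are
    renormalized, so an inapplicable pillar neither counts as zero nor caps
    the maximum achievable score.
    """
    per_pillar = {p: pillar_score(a) for p, a in pillar_responses.items()}
    active = {p: s for p, s in per_pillar.items() if s is not None}
    if not active:
        return None, per_pillar            # nothing scorable at all
    weight_total = sum(weights[p] for p in active)
    weighted = sum(weights[p] * s for p, s in active.items()) / weight_total
    return round(100 * weighted, 2), per_pillar


def score_for_assignment(status: str,
                         pillar_responses: Optional[Dict[str, Iterable[str]]] = None
                         ) -> Optional[float]:
    """Score for one assignment given its state (assumed mapping of the states
    listed in the inventory: only an accepted third-party override short-circuits
    to 100; pending/rejected overrides and Q0 scope-outs have no numeric score)."""
    if status == "submitted_via_third_party_accepted":
        return THIRD_PARTY_ACCEPTED_SCORE
    if status in ("not_applicable_attested",
                  "submitted_via_third_party_pending",
                  "submitted_via_third_party_rejected"):
        return None
    return overall_score(pillar_responses or {})[0]


# Constructed sample: 30 answers across the five pillars (8/6/5/6/5 questions).
SAMPLE_RESPONSES = {
    "audit": ["Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Partial", "No"],  # 6.5/8 = 0.8125
    "san":   ["Yes", "Yes", "Yes", "Partial", "Partial", "No"],             # 4/6
    "fai":   ["N/A", "N/A", "N/A", "N/A", "N/A"],                           # excluded
    "eng":   ["Yes", "Yes", "Yes", "Yes", "No", "No"],                      # 4/6
    "evo":   ["Yes", "Yes", "Partial", "Partial", "N/A"],                   # 3/4 = 0.75
}

if __name__ == "__main__":
    score, pillars = overall_score(SAMPLE_RESPONSES)
    print(pillars)   # fai -> None
    print(score)     # 72.92 after renormalizing the remaining 0.85 of weight
```

Without the renormalization step the same answers would score 61.98, because the all-N/A Fail-Safe & Recovery pillar would silently contribute 0 against its 0.15 weight; the renormalized 72.92 is what the inventory's rule produces.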
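Both the Incident Response evidence management row (section 5) and the evidence chain of custody row in this section describe the same control: a SHA-256 hash recorded on upload, re-verified on every download, and a log entry for each download. The block below is an added example (not Testify's code) of that pattern with an in-memory store; the class and field names are assumptions made for the illustration, and the evidence bytes are constructed.

```python
"""Evidence chain of custody: hash on upload, re-verify on download, log each
download. Added example, not project code; names are illustrative."""
import hashlib
import hmac
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import BinaryIO, Dict, List

CHUNK = 64 * 1024


class EvidenceIntegrityError(Exception):
    """Stored bytes no longer match the hash recorded at upload time."""


def sha256_of(stream: BinaryIO) -> str:
    """Streaming SHA-256 so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return sha256_of(io.BytesIO(data))


@dataclass
class EvidenceRecord:
    evidence_id: str
    filename: str
    sha256: str            # recorded once, at upload; never rewritten
    uploaded_by: str
    uploaded_at: datetime
    custody_log: List[Dict] = field(default_factory=list)


class EvidenceStore:
    """Minimal in-memory stand-in for an object store plus its metadata table."""

    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}
        self._records: Dict[str, EvidenceRecord] = {}

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def upload(self, evidence_id: str, filename: str, data: bytes, user: str) -> EvidenceRecord:
        digest = sha256_bytes(data)
        rec = EvidenceRecord(evidence_id, filename, digest, user, self._now())
        rec.custody_log.append({"event": "upload", "user": user,
                                "at": rec.uploaded_at, "sha256": digest})
        self._blobs[evidence_id] = data
        self._records[evidence_id] = rec
        return rec

    def download(self, evidence_id: str, user: str) -> bytes:
        """Re-hash the stored bytes before release; refuse and log on mismatch."""
        rec = self._records[evidence_id]
        data = self._blobs[evidence_id]
        actual = sha256_bytes(data)
        now = self._now()
        if not hmac.compare_digest(actual, rec.sha256):
            rec.custody_log.append({"event": "download_blocked", "user": user, "at": now,
                                    "expected": rec.sha256, "actual": actual})
            raise EvidenceIntegrityError(
                f"{evidence_id}: stored hash {rec.sha256} != recomputed {actual}")
        rec.custody_log.append({"event": "download", "user": user, "at": now,
                                "sha256": actual})
        return data

    def record(self, evidence_id: str) -> EvidenceRecord:
        return self._records[evidence_id]


if __name__ == "__main__":
    store = EvidenceStore()
    store.upload("ev-1", "pentest-report.pdf", b"constructed evidence bytes", "analyst")
    store.download("ev-1", "reviewer")
    for entry in store.record("ev-1").custody_log:
        print(entry["event"], entry["user"], entry.get("sha256"))
```

The hash is computed from the bytes actually received and is stored once; a download that fails re-verification is logged as a blocked event rather than silently served, so the custody log shows both the last good download and the point at which the stored object diverged.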
Technology Stack
| Layer | Technology | Purpose |
|---|---|---|
| Backend | Django 5.0 + DRF | REST API, ORM, migrations |
| Frontend | Vue 3 (Composition API) | SPA with reactive UI |
| State Management | Pinia | Frontend stores (auth, theme, UI) |
| Styling | Tailwind CSS | Utility-first CSS framework |
| Visualization | D3.js | Treemap, constellation, radar, Sankey, heatmap |
| Database | PostgreSQL 15 | Primary data store |
| Cache/Queue | Redis 7 | Session cache + Celery broker |
| Task Queue | Celery | Async processing |
| AI/LLM | Ollama (local) | Document parsing and extraction |
| Auth | SimpleJWT + pyotp | JWT tokens + TOTP 2FA |
| Container | Docker | Development and production |
| Orchestration | Kubernetes + Helm | Production deployment |
| Cloud | AWS (EKS, ECR) | Current production environment |
| Email | Google Workspace SMTP | Transactional email (password reset, notifications) |
This document is maintained as the authoritative feature reference for Testify. Last updated: v1.8.1, February 16, 2026.