A governance tool built to bridge PeopleSoft-era systems and AWS-era cloud — without pretending they behave the same.
Most state agencies don't need another cloud-first IGA platform. They need governance that works today on the systems they actually run — PeopleSoft, Oracle EBS, RACF, on-prem AD — without opening firewall ports, without ripping out legacy investments, and without a 3-year transformation project to close a 4-hour revocation gap.
That's exactly what STRATUS was built for.
Across 47 enterprise studies, the average gap between a termination event and full access revocation is 4 hours and 17 minutes. In lab validation, STRATUS closed the revoke loop across AD, Okta, and AWS in 8 seconds — HR event in to sealed evidence pack out. Production timing varies by connector maturity tier, approval policy, target system API rate limits, and workflow-dependent paths. POC-ready without upfront platform replacement.
Methodology: 4h 17m reflects the average termination-to-revocation gap across 47 enterprise studies conducted FY2025 with mixed legacy + cloud environments. 8 seconds is the measured time for STRATUS to fan out a revoke across AD, Okta, and AWS in a lab environment from HR event in to evidence pack sealed. Customer production timing varies by connector maturity tier, approval policy, target system API rate limits, and workflow-dependent paths. Methodology notes available on request as part of a Founding Partner POC.
SailPoint and Saviynt are real platforms with real customers. But their go-to-market and their architecture were both built for cloud-native enterprises with 30-person IAM teams and 18-month transformation budgets. State CIOs running mixed-tier environments under procurement constraints have been an afterthought. STRATUS isn't.
State agencies run a mix of legacy and cloud. We're transparent about which connector tier each of those systems falls into today, not which tier we hope to reach by year-end.
Active Directory · Okta · AWS IAM · Workday · GCP IAM · Salesforce · GitHub · Snowflake
Discover, certify, revoke, evidence — production-ready for Founding Partner POCs.
Microsoft Entra ID · PeopleSoft · Oracle EBS · SAP · ServiceNow
Discover and evidence work today. Certify is partial. Revoke is workflow-driven or partner-dependent depending on your specific configuration — validated together during Days 1-7 of the POC.
RACF / Mainframe Bridge · DSPM
Architecture defined, not production-ready. If your beachhead revoke flow requires RACF on day one, we will say so before the POC.
Full per-system Discover / Certify / Revoke / Evidence breakdown lives in the Connector Maturity Matrix. The 30-day Proof of Revoke explicitly scopes which of your systems land in each tier before kickoff — no surprises mid-POC.
Your network team owns the firewall and treats inbound firewall openings as non-negotiable. We respect that. The Hybrid Connector Gateway dials out from inside your VPC over mutual TLS: no listener, no VPN, no firewall change request. Network security review scope is reduced because there is no inbound listener, VPN, or firewall opening. Reviewers still evaluate egress, mTLS, logging, data flow, and vendor risk, but the surface is smaller.
The systems you can't replace — PeopleSoft HR, Oracle EBS, RACF, on-prem AD, custom apps with read-only LDAP — are governed through the same control plane as your cloud stack. AD and on-prem AD are Available Now. PeopleSoft, Oracle EBS, and SAP flows are in Private Beta (discover and evidence work today; certify is partial; revoke is workflow-driven or partner-dependent depending on configuration — validated together during Days 1-7 of the POC). RACF/mainframe is on the Roadmap with Founding Partner prioritization. The 30-day POC scopes which of your systems land in each tier before kickoff.
Every policy decision is hash-chained, signed, and written to S3 in compliance mode with 7-year retention. Evidence records are written to S3 Object Lock in Compliance Mode with customer-configured retention, so deletion or modification can be prevented within the configured evidence boundary. When the legislative auditor asks for proof, you produce it with math, not policy.
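What a hash-chained, signed decision log lets an auditor check, as an added example that is not STRATUS code: the record layout, the `GENESIS` value, all function names, and the use of HMAC-SHA256 as a stand-in for the signature are assumptions. It also shows the one thing a chain cannot detect on its own, removal of the newest records, which is why the head hash has to be anchored in immutable storage.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed "previous hash" for the first record

def record_digest(prev_hash, decision):
    # Canonical JSON so the same decision always hashes to the same bytes.
    body = json.dumps(decision, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, decision, key):
    # Each record commits to its predecessor's hash and carries a keyed tag.
    prev = chain[-1]["hash"] if chain else GENESIS
    h = record_digest(prev, decision)
    sig = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "decision": decision, "hash": h, "sig": sig})
    return chain

def verify(chain, key, expected_head=None):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        h = record_digest(prev, rec["decision"])
        sig = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or rec["hash"] != h:
            return i  # content or linkage was altered
        if not hmac.compare_digest(rec["sig"], sig):
            return i  # hashes were recomputed without the signing key
        prev = h
    # Dropping the newest records leaves a valid shorter chain; only an
    # independently stored head hash reveals that kind of deletion.
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1

def build_sample(key):
    # Constructed decisions for illustration only.
    chain = []
    for d in [{"subject": "jdoe", "action": "revoke", "target": "AD"},
              {"subject": "jdoe", "action": "revoke", "target": "Okta"},
              {"subject": "jdoe", "action": "revoke", "target": "AWS"}]:
        append(chain, d, key)
    return chain

if __name__ == "__main__":
    k = b"constructed-demo-key"
    print(verify(build_sample(k), k))
```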
No 200-person enterprise sales org. Designed to reduce procurement friction. Founding Partners get direct founder access, lifetime price lock, custom connector priority, and roadmap influence. The team that ships the product is the team that takes your call.
The frameworks state and federal agencies actually have to satisfy.
NIST 800-53 Control Alignment PDF
Technical alignment only. Not certification. Final control satisfaction depends on customer configuration, operating procedures, and shared responsibility.
Plug in our Hybrid Connector Gateway. Within Days 1-7 we discover identities and access across your scoped systems; ghost-account and toxic-access reports follow in the same week. Revoke maturity per connector — discover/certify/revoke today on AD, Okta, AWS, Workday; Private Beta on PeopleSoft, Oracle EBS, SAP; Roadmap on RACF — validated together during scoping, captured in the Evidence Pack. Founding Partners get lifetime price lock and direct founder support.