Kliper
BUILT BY & FOR QSAs

The workspace where
PCI engagements get done.

Scoping, evidence, interviews, gaps, and ROC export — one tenant-isolated workspace, with Cortex drafting every testing procedure from your firm's own past work.

PCI DSS v4.0.1 Audit trail Per-tenant isolation Encrypted in transit & at rest
[Workbench mockup, app.kliper.com/workbench: engagement Acme Fintech, PCI DSS 4.0.1 Level 1 ROC, 74% complete (242 / 268 testing procedures drafted, 94 / 108 evidence items, 14 open gaps, 7 items awaiting the client, 31 days to deadline). A priority queue lists Cortex drafts awaiting review with source counts and confidence scores, client evidence uploads awaiting verification, overdue gaps and evidence requests with owners and ETAs, and client messages awaiting reply. Side panels show the upcoming schedule (client sync, IT Director interview for Requirement 8.3, vuln-scan deadline) and which team members are online and what each is editing.]
§01 SCOPE & SETUP

Every phase of the engagement, in one workspace.

Replace the spreadsheet-plus-Word-plus-SharePoint stack with a system that models the work itself: requirements, evidence, procedures, and the ROC output they feed.

01 · LIFECYCLE

Scoping → ROC, on a single timeline.

Kanban, Gantt, interviews, evidence, gap analysis — every artifact linked back to the testing procedure it satisfies.

[Timeline, W01–W12: Scoping 100% · Evidence 92%, 4 open · Interviews 48% in progress · Gap analysis queued, not started · ROC export pending]
02 · CLIENT PORTAL

Evidence in, not lost in email.

Tenant-isolated portal for your client. Uploads land against the exact requirement.

ACME · INBOUND · 4 new · 18 files received, 14 verified, 4 pending
  • network-diagram-v4.pdf · REQ 1.2.1 · 2h ago · VERIFIED
  • hsm-key-ceremony.mov · REQ 3.6.1 · today · REVIEW
  • Awaiting upload… · REQ 8.3.4 · 6d ago · OVERDUE
03 · GAP & RISK

See the gaps before QA does.

Live heatmap across all 12 requirements. Every gap routes to an owner with a plan and a date.

[Coverage heatmap, 12×16 grid, 93.9% in place; legend: In place · Compensating control · Gap]
04 · ROC EXPORT

Your ROC template, rendered — not reformatted.

Upload your firm's DOCX once. Kliper maps every answered procedure into the exact styling your QA expects.

NORTHBEAM QSA ROC v3.1 · CONFIDENTIAL
PCI DSS v4.0.1 · REPORT ON COMPLIANCE
Requirement 10 · Log and monitor all access
10.2.1.1 Audit logs capture all individual user access to cardholder data.
ASSESSMENT FINDING: IN PLACE

Audit logging is enabled across all in-scope Linux hosts via auditd and forwarded to Splunk under a 12-month retention policy. Cardholder data access on the card_vault schema is captured through Postgres pgaudit. The assessor reviewed configuration and live log samples and confirmed coverage of all administrative and application identities.

EVIDENCE REF
  • EV-014 · auditd.conf (host CDE-01)
  • EV-021 · splunk-retention.png
REQ 10.2.1.1 · Page 142 of 186
  • Template styles preserved — TOC, headings, tables
  • 228 testing procedures mapped automatically
  • Evidence appendix + audit trail auto-generated
  • Redline diff against prior-year ROC
Procedures: 228 mapped · Evidence refs: 94 linked · Pages: 186 generated · Export time: ~12 seconds · Output: Acme-ROC-Q4.docx
§02 DRAFT WITH CORTEX

Grounded in your firm's ROCs.
Not the open web.

Cortex isn't a chat wrapper. It retrieves from your prior ROCs, templates, interview notes, and every piece of evidence already in your tenant.

CAP · 01
Drafts TP responses in your firm's voice

Retrieves phrasing from ROCs your partner already signed off on.

CAP · 02
Cites every sentence

Each claim maps back to a source document, interview, or config snippet.

CAP · 03
Scope-diff against last year

Flags where this year's scoping diverges from last year's, and explains why.

Data stays in your tenant.
Cortex · REQ 8.3.4 · MFA coverage · grounded

Reem (Lead assessor) · 2:14pm: Draft the TP response for 8.3.4. Use last year's ROC and check if Okta coverage changed.

Cortex · 2:14pm: MFA is enforced for all non-console administrative access via Okta + hardware tokens for the CDE. Compared to the 2024 ROC, coverage now extends to 14 additional bastion hosts added in Q2.
  • SRC·01 Acme 2024 ROC · §8.3.4, p.98
  • SRC·02 okta-coverage-export.csv
  • SRC·03 Interview · Priya Shah, IT Director

Reem · 2:16pm: Any compensating controls we missed?

Cortex · 2:16pm: One candidate: the legacy payroll jumpbox jb-payroll-01 still uses password + TOTP. Previous ROC filed this as a compensating control with quarterly log review. Worth confirming the log review is current.
Drafted: 42 / 63 TP · Hours saved: ≈ 4h / TP · Avg citations: 3.2 / response
§03 GAPS & REMEDIATION

The same engagement,
two very different weeks.

Gap tracking and the ROC write-up are where engagements stall. Here's what the last mile looks like on the old stack versus on Kliper.

THE OLD WAY · Spreadsheets + Word + email
  • Gaps tracked in a side spreadsheet: drifts out of sync with the ROC
  • Evidence chased over email threads: no link between a file and the requirement
  • Each TP written from a blank page: copy-paste from last year's Word doc
  • QA re-checks every citation by hand: days of review before sign-off

WITH KLIPER · One Kliper workspace
  • Gaps live on the requirement itself: status rolls up to the ROC automatically
  • Evidence auto-linked on upload: Cortex maps the file to its requirement
  • Cortex drafts each TP from your past work: grounded, in your firm's voice
  • Every sentence pre-cited for QA: review defensibility, not prose
§04 WHO IT'S FOR

Two audiences, one source of truth.

01 · QSA FIRMS

Run every engagement from the same cockpit.

Reuse prior ROCs, templates, and interview banks. Stop reimplementing process for each partner.

  • Firm-wide ROC library + retrieval
  • Partner / manager / assessor roles
  • Your ROC template, not ours
  • Utilization across all engagements
02 · IN-HOUSE

Continuous readiness, not a fire drill.

Mid-to-large merchants running their own PCI program year-round, not just the six weeks before the QSA arrives.

  • Evidence expiry + refresh reminders
  • Route gaps to engineering owners
  • Hand QSA a clean package on day one
  • Jira / ServiceNow / Okta integrations
§05 THE MATH

What a week back per engagement is worth.

Worked with the calculator's default inputs; the estimate assumes Cortex removes roughly 40% of ROC assembly time.

Engagements per year: 12 · Avg hours per ROC today: 120 h
Today ≈ 1,440 h/yr on ROC assembly · with Kliper ≈ 864 h/yr (72 h per ROC)
Hours saved per year: 576 h ≈ 14 weeks reclaimed ≈ capacity for 8 more engagements at 72 h each
§06 INTEGRATIONS

Evidence and project state flow in.

Connect the systems your evidence already lives in — Kliper keeps requirements, tickets, and access in sync.

  • ServiceNow · Ticketing & ITSM · Testing: sync remediation tickets to gaps & findings; status flows both ways.
  • Odoo · Project management · Testing: two-way project-management sync for engagement tasks.
  • Okta · Identity & SSO · Testing: SSO sign-in and automated access-review evidence.
  • Jira · Issue tracking · Live: track gaps as issues your team already works in.
  • Anything else · Request an integration: tell us where your evidence lives and we'll wire it up.
§07 EARLY ACCESS

Be one of the first firms to run an engagement on Kliper.

We’re onboarding a small founding cohort ahead of public launch — from solo and freelance assessors to multi-QSA firms. No customer logos here yet, by design. The people who join now help decide what Kliper becomes.

Shape the roadmap

Your workflow, your ROC quirks, your house style drive what we build next — with a direct line to the people writing the code.

Founder-led onboarding

Solo or a full firm, we migrate your past ROCs and templates with you, hands-on, until Cortex drafts in your own voice.

Founding pricing, locked

Lock early-partner pricing for the life of your account — set before public plans go live, and it doesn’t move.

§08 PLANS

Pricing that scales with your practice.

From solo assessors to mid-size QSA firms — change or cancel anytime via Polar.

FREE · $0/month
Get started with basic compliance tracking.
  • 1 user
  • 1 assessment / client
  • 5 DOCX / assessment / month

SOLO · $49/month
For independent compliance consultants.
  • 1 user
  • 5 assessments / client
  • 10 DOCX / assessment / month
  • 10 Cortex AI summaries / mo
  • Priority support

PRO · $199/month · Popular
For small QSA firms running parallel engagements.
  • 10 users
  • 20 assessments / client
  • 25 DOCX / assessment / month
  • 100 Cortex AI summaries / mo
  • Advanced reporting

TEAM · $499/month
For mid-size QSA firms: no limits on assessments, exports or AI.
  • 25 users
  • Unlimited assessments
  • Unlimited exports & AI
  • White-label reports (coming soon)

ENTERPRISE · Custom · Annual contract
For top-100 QSA firms: unlimited everything with the controls your security team expects.
  • Unlimited users & assessments
  • SSO / SAML (coming soon)
  • Dedicated CSM
  • Custom contract & SLA
  • Audit log export
  • White-label (coming soon)

Checkout and card storage are handled by Polar (Merchant of Record) — card data never touches Kliper. Prices in USD; tax may apply at checkout. See full plan comparison →

§09 QUESTIONS

Asked by every firm we onboard.

Where does our engagement data live?
Each firm runs in its own isolated tenant — separate storage, separate keys, encrypted in transit and at rest. Your ROCs and evidence are never used to train shared models or visible to any other tenant.
Does Cortex make things up?
Cortex drafts only from your firm's own cited past work — every sentence carries a source reference, and anything it can't ground is flagged for the assessor instead of invented. Your QA reviews defensibility, not prose.
Can we keep our own ROC template?
Yes. Kliper exports into your firm's ROC template — formatting, numbering, and house style intact — not a generic layout you have to re-edit.
How do clients get evidence to us?
Through the client portal: you request evidence, the client uploads via a magic link, and Cortex auto-scans each file and suggests which requirement it answers — with a human always in the loop.
What happens when an engagement ends?
The engagement is archived read-only with a complete audit trail, and you can export everything. Retention defaults align with PCI SSC workpaper rules — evidence held a minimum of three years.
§10 GET STARTED

Ship your next ROC
on Kliper.

A 25-minute walkthrough with one of our engineers. Bring your ugliest past engagement.

No credit card · Full product · 14 days