CloudTwyst · Twyst Studio · EU SaaS

Security assessment for regulated EU businesses — in minutes, not months.

Twyst Studio is CloudTwyst's product portfolio, led by CloudTwyst Security Assess: a SaaS platform delivering automated NIS2, DORA, and ISO 27001 compliance assessments to regulated organisations across the EU. Online, subscription-based, and export-oriented. Irish customers are a beachhead, not the market.

  • 01+ products live now
  • 3+ in active development
  • 4 compliance frameworks scored
  • 42 live API routes

CloudTwyst Security Assess

A cloud security assessment platform for organisations that need to understand their security posture across Azure, AWS, and GCP against NIS2, ISO 27001, DORA, and GDPR — with a governed path from gap to remediation to sign-off.

How CloudTwyst Assess works.

Six interconnected capability layers — from data ingestion to sign-off and purge. Each is independently testable; together they form a complete governed assessment pipeline.

01 — Cloud Connector
Read-only Data Ingestion — Azure, AWS & GCP
The connector runs inside the customer's own cloud environment, calls cloud provider APIs locally, and securely submits collected security posture data to CloudTwyst Assess via a single ingest endpoint. CloudTwyst never connects to the customer's cloud directly — no inbound connections, no persistent access.
  • Azure — PowerShell connector with Managed Identity ARM template
  • AWS — lightweight script with read-only IAM role, Security Hub & Config
  • GCP — Service Account with Security Command Center read scope
  • 4-hour short-lived engagement token scopes each submission to one assessment
  • TLS validation + connector version enforcement on every submission
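The ingest-side checks the connector layer describes (a short-lived token bound to one assessment, plus connector version enforcement) can be sketched as follows. This is an added example, not CloudTwyst's code: the token format, claim names, the shared signing secret and the minimum connector version are assumptions for illustration; only the 4-hour lifetime and the one-assessment scoping come from the page.

```python
"""Added example (not CloudTwyst's code): validating an ingest submission with a
4-hour engagement token scoped to one assessment and a minimum connector version.
Token layout, claim names, SECRET and MIN_CONNECTOR_VERSION are assumptions."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-secret"   # assumed per-deployment HMAC key
TOKEN_TTL_SECONDS = 4 * 3600                  # page: 4-hour engagement token
MIN_CONNECTOR_VERSION = (1, 2, 0)             # assumed floor for version enforcement


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(assessment_id: str, issued_at: int) -> bytes:
    """Mint a token bound to one assessment; body is JSON, tag is HMAC-SHA256."""
    claims = {"aid": assessment_id, "iat": issued_at, "exp": issued_at + TOKEN_TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + b"." + _b64(tag)


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def validate_submission(token: bytes, assessment_id: str, connector_version: str, now: int):
    """Return (accepted, reason). Order: signature, expiry, assessment binding, version."""
    try:
        body_b64, tag_b64 = token.split(b".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "token expired"
    if claims["aid"] != assessment_id:
        return False, "token not scoped to this assessment"
    try:
        if parse_version(connector_version) < MIN_CONNECTOR_VERSION:
            return False, "connector version too old"
    except ValueError:
        return False, "malformed connector version"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed issue time
    tok = issue_token("asmt-001", t0)
    print(validate_submission(tok, "asmt-001", "1.2.3", t0 + 60))
    print(validate_submission(tok, "asmt-002", "1.2.3", t0 + 60))
    print(validate_submission(tok, "asmt-001", "1.2.3", t0 + TOKEN_TTL_SECONDS))
```

The signature is checked before any claim is read, so expiry and scope are only ever evaluated on a body the server itself signed; TLS validation is a transport-layer property and is not modelled here.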
02 — Framework Scoring
NIS2, ISO 27001, DORA & GDPR
Ingested data is evaluated against four major compliance frameworks. Per-control gap analysis produces a posture score, findings list, and prioritised remediation backlog.
  • NIS2 Article 21 controls mapped and scored
  • ISO 27001:2022 Annex A control evaluation
  • DORA ICT risk management and resilience controls
  • GDPR technical safeguard assessment
  • Per-framework posture score + gap count
03 — Assessment Lifecycle
State Machine from Draft to Purge
Every assessment follows a governed state machine with clearly defined transitions, sign-off gates, and an automatic or manual purge path at the end of the engagement.
  • States: draft → collecting → assessed → remediating → report_delivered → signed_off → purged
  • Two-step sign-off with out-of-band OTP confirmation
  • 30-day grace period after sign-off (configurable)
  • 90-day hard TTL catches abandoned engagements
  • Manual purge available immediately (right to erasure)
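The lifecycle above, as an added example that is not CloudTwyst's code: a state machine over the seven states the page lists, a two-step sign-off that only completes when an out-of-band OTP is confirmed, and the two automatic purge clocks (30-day grace after sign-off, 90-day hard TTL from creation). The allowed forward transitions, the field names and the OTP handling are assumptions; the states and the two durations come from the page.

```python
"""Added example (not CloudTwyst's code): governed assessment lifecycle with an
OTP-gated sign-off and time-based purge paths. Transition table, field names and
the OTP mechanism are assumptions; states and durations are the page's."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed forward transitions; manual purge is reachable from every live state.
TRANSITIONS = {
    "draft": {"collecting", "purged"},
    "collecting": {"assessed", "purged"},
    "assessed": {"remediating", "report_delivered", "purged"},
    "remediating": {"report_delivered", "purged"},
    "report_delivered": {"signed_off", "purged"},
    "signed_off": {"purged"},
    "purged": set(),
}
DAY = 86400
GRACE_DAYS = 30        # page: 30-day grace period after sign-off
HARD_TTL_DAYS = 90     # page: 90-day hard TTL for abandoned engagements


class TransitionError(Exception):
    pass


def is_allowed(current: str, new: str) -> bool:
    return new in TRANSITIONS[current]


@dataclass
class Assessment:
    created_at: int
    state: str = "draft"
    signed_off_at: Optional[int] = None
    pending_otp: Optional[str] = None      # OTP sent out-of-band, awaiting confirmation
    history: List[tuple] = field(default_factory=list)

    def _move(self, new_state: str, now: int) -> None:
        if not is_allowed(self.state, new_state):
            raise TransitionError(f"{self.state} -> {new_state} not allowed")
        self.history.append((now, self.state, new_state))
        self.state = new_state

    def transition(self, new_state: str, now: int) -> None:
        """Ordinary transitions; sign-off is refused here because it is gated."""
        if new_state == "signed_off":
            raise TransitionError("sign-off requires request_sign_off + confirm_sign_off")
        self._move(new_state, now)

    def request_sign_off(self, otp_sent_out_of_band: str) -> None:
        """Step 1: record the OTP that was delivered on a separate channel."""
        if not is_allowed(self.state, "signed_off"):
            raise TransitionError(f"cannot sign off from {self.state}")
        self.pending_otp = otp_sent_out_of_band

    def confirm_sign_off(self, otp_entered: str, now: int) -> None:
        """Step 2: constant-time OTP check, then the gated transition."""
        if self.pending_otp is None or not hmac.compare_digest(self.pending_otp, otp_entered):
            raise TransitionError("OTP missing or mismatched")
        self.pending_otp = None
        self.signed_off_at = now
        self._move("signed_off", now)

    def purge_due(self, now: int) -> Optional[str]:
        """Which automatic purge clock (if any) has run out at `now`."""
        if self.state == "purged":
            return None
        if self.signed_off_at is not None and now >= self.signed_off_at + GRACE_DAYS * DAY:
            return "grace_expired"
        if now >= self.created_at + HARD_TTL_DAYS * DAY:
            return "hard_ttl"
        return None


def sweep(assessments: List[Assessment], now: int) -> List[str]:
    """Scheduled job: purge every assessment whose retention clock has expired."""
    reasons = []
    for a in assessments:
        reason = a.purge_due(now)
        if reason:
            a._move("purged", now)
            reasons.append(reason)
    return reasons


if __name__ == "__main__":
    a = Assessment(created_at=0)
    for s in ("collecting", "assessed", "report_delivered"):
        a.transition(s, 1)
    a.request_sign_off("482913")            # constructed OTP value
    a.confirm_sign_off("482913", 2 * DAY)
    print(a.state, sweep([a], 2 * DAY + 30 * DAY))
```

The hard TTL is measured from creation rather than from the last activity, so an engagement that stalls in `collecting` is caught by the same sweep that handles post-sign-off grace expiry.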
04 — Report Engine
Word, PowerPoint, CSV & ADO Export
Assessment findings exported as board-ready reports in multiple formats. Azure DevOps work item creation for gap-to-ticket automation at the end of the assessment.
  • Word (.docx) — full findings narrative report
  • PowerPoint (.pptx) — executive presentation deck
  • CSV — raw gap data for tooling import
  • ADO — one work item per gap; PAT never stored
  • Optional: trigger IaC pipeline after work item creation
05 — Enterprise Remediation
Runbook Gallery & Automation Webhooks
For regulated customers, CloudTwyst Assess can trigger remediation entirely inside the customer's own environment — across Azure, AWS, and GCP. CloudTwyst never gains write access to any customer environment.
  • Azure: signed PowerShell runbooks imported to customer's Automation Account
  • AWS: Systems Manager Automation documents in the customer's account
  • GCP: Cloud Run Jobs triggered via customer-provided webhook URL
  • Job outcome (success/fail) received via callback — nothing more
  • Gated behind enterprise licence flag + explicit customer opt-in
06 — Data Custody & Security
Transient Custody, Encryption & Audit
CloudTwyst Security Assess is a transient custodian of customer security metadata: per-assessment encryption keys, crypto-shredding on purge, and a chain-hashed immutable audit log cover the whole engagement lifecycle.
  • Per-assessment Fernet data key (column-level encryption)
  • KMS abstraction: local env var or Azure Key Vault RSA-OAEP
  • Crypto-shredding on purge — encrypted backups become unreadable
  • Append-only, chain-hashed audit log with external sink (Azure Monitor / webhook)
  • Multi-tenant row-level isolation enforced at every endpoint
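The custody model above, as an added example that is not CloudTwyst's code: each assessment gets its own data key, the data key is stored only in wrapped form under a key-encryption key held by a KMS, purge destroys the wrapped key so every copy of the ciphertext (backups included) becomes unreadable, and an append-only audit log chains each entry to the previous one's hash so tampering is detectable. The stream cipher is a stdlib stand-in for Fernet and the in-memory `KMS` class stands in for an environment-variable KEK or Key Vault; both, plus all class and method names, are assumptions.

```python
"""Added example (not CloudTwyst's code): per-assessment data keys wrapped by a
KMS, crypto-shredding on purge, and a chain-hashed append-only audit log.
encrypt/decrypt are a stdlib stand-in for Fernet; KMS stands in for a KEK store."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (illustrative; Fernet uses AES-CBC + HMAC)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KMS:
    """Stand-in for the page's KMS abstraction: wraps/unwraps data keys under a KEK."""
    def __init__(self):
        self.kek = os.urandom(32)

    def wrap(self, data_key: bytes) -> bytes:
        return encrypt(self.kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self.kek, wrapped)


class AuditLog:
    """Append-only; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({"seq": len(self.entries), "prev": prev, "event": event}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        return digest           # what an external sink (Azure Monitor / webhook) would receive

    def verify(self) -> bool:
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            record = json.loads(entry["body"])
            recomputed = hashlib.sha256(entry["body"].encode()).hexdigest()
            if record["seq"] != i or record["prev"] != prev or recomputed != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Custodian:
    def __init__(self, kms: KMS, audit: AuditLog):
        self.kms, self.audit = kms, audit
        self.wrapped_keys = {}   # assessment_id -> wrapped per-assessment data key
        self.rows = {}           # assessment_id -> encrypted column values

    def open_assessment(self, aid: str) -> None:
        self.wrapped_keys[aid] = self.kms.wrap(os.urandom(32))
        self.rows[aid] = []
        self.audit.append({"aid": aid, "action": "assessment_opened"})

    def store(self, aid: str, value: bytes) -> None:
        key = self.kms.unwrap(self.wrapped_keys[aid])
        self.rows[aid].append(encrypt(key, value))
        self.audit.append({"aid": aid, "action": "finding_stored"})

    def read(self, aid: str) -> list:
        key = self.kms.unwrap(self.wrapped_keys[aid])     # KeyError once shredded
        return [decrypt(key, blob) for blob in self.rows[aid]]

    def can_decrypt(self, aid: str) -> bool:
        return aid in self.wrapped_keys

    def purge(self, aid: str) -> None:
        """Crypto-shred: destroy the wrapped key; rows (and backups of them) stay unreadable."""
        del self.wrapped_keys[aid]
        self.audit.append({"aid": aid, "action": "purged"})   # audit stub survives the purge
```

Deleting the wrapped key is enough because the data key never exists in the clear outside a request; a backup taken before the purge still holds ciphertext, but nothing can unwrap it. The audit log keeps the `purged` entry, which is the "audit stub" the page mentions.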

Everything needed for a governed cloud security assessment — from day one.

CloudTwyst Assess ships with all the components required to run a complete, auditable cloud security assessment against four compliance frameworks. No configuration marathon before you can start.

4 compliance frameworks pre-scored
NIS2, ISO 27001, DORA, and GDPR controls mapped to cloud provider security data across Azure, AWS, and GCP — no manual control mapping required at engagement start.
Cloud Connectors — Azure, AWS & GCP
Provider-specific read-only connectors for all three major clouds. No write access, no agents, minimum declared scopes — deployed in minutes.
Word, PowerPoint & CSV report templates
Board-ready executive reports and findings exports generated directly from assessment data — no manual formatting after the engagement.
Enterprise remediation — all three clouds
Azure Automation Runbooks, AWS Systems Manager documents, and GCP Cloud Run Jobs — triggered inside the customer's own environment. CloudTwyst never holds write access.
Complete RBAC model — 5 roles
platform_admin, assessor, customer_admin, customer_viewer, and auditor — JWT-based, enforced at every endpoint. Activate with AUTH_ENABLED=true.
3 data retention paths pre-configured
Sign-off + 30-day grace, 90-day hard TTL for abandoned engagements, and immediate manual purge — all with crypto-shredding and audit stub on purge.

More products in development.

Every Twyst Studio product starts with a real operational problem seen inside delivery environments. Register your interest to be notified when new products launch.

Coming soon
Enterprise Cloud Operations Platform
Continuous cloud operations monitoring across cost, identity, policy, and automation — five integrated modules giving operations, finance, and security teams a single governed control plane. Always-on, not engagement-based.
Tags: Cost Control · Identity Gov. · Policy Engine · Automation
Coming soon
Invoice Management
Cloud-native AP automation — from document intake to ERP posting. OCR extraction, configurable approval workflows, and full audit trail. Designed for finance teams in regulated industries.
Tags: AP Automation · OCR · ERP Integration
Coming soon
Timesheets
Timesheet management, approval routing, and reporting controls for operational teams. Role-based entry, configurable approval chains, and payroll system export — without enterprise-pricing middleware.
Tags: Time Tracking · Approval Flows · Payroll Export

From cloud data — Azure, AWS, or GCP — to NIS2, DORA, and ISO 27001 posture score. In one governed engagement.

Book a demo and we'll walk through a complete CloudTwyst Security Assess engagement — from connector deployment across your cloud estate to final report and purge.
