Self-hosted open-source cybersecurity governance for ISMS, product security, AI governance, and regulatory evidence.
ISCY connects security risks, controls, assets, incidents, evidence, suppliers, product-security data, and AI systems in one auditable platform. It is designed for organizations working with ISO 27001, NIS2, DORA, the Cyber Resilience Act, the EU AI Act, GDPR, and KRITIS.
The application follows a local-first, privacy-conscious approach. Its production runtime is implemented in Rust with Axum and supports NixOS and Docker-based deployments.
Project status: ISCY is actively developed and is in an early community-adoption phase. Interfaces and operational procedures may still evolve.
| Area | Examples |
|---|---|
| ISMS and governance | risks, controls, requirements, assets, processes, evidence, management reviews |
| Incident response | case files, timelines, runbooks, regulatory reporting packages |
| Product security | SBOM, CSAF, SPDX, CycloneDX, VEX, CVE correlation, PSIRT evidence packages |
| Third-party risk | supplier criticality, dependencies, reviews, contracts, evidence |
| AI governance | AI-system inventory, classification, oversight, risks, monitoring plans |
| Zero Trust | endpoint posture, enrollment, policy evaluation, device-bound credentials |
| Operations | audit-ready exports, health endpoints, Prometheus, Grafana, backup and restore checks |
./start.shOpen http://127.0.0.1:9000/login/ and use the development-only demo account:
admin / Admin123!
cp .env.development.example .env
make dev-upFor stage and production deployment, use the dedicated environment examples and complete the documented readiness checks:
cp .env.production.example .env
chmod 600 .env
make prod-readiness
make prod-upDo not use demo credentials or demo seeding in production.
ISCY is a multi-tenant, security-sensitive application. Core security boundaries include:
- server-side authentication and tenant-scoped authorization
- authenticated Evidence downloads with protection-class checks
- no public static delivery of uploaded Evidence
- fail-closed production preflight and explicit proxy trust
- locked Rust builds, advisory scanning, and dependency license/source policy checks
- non-root containers and verified backup/restore procedures
Start with the threat model, authorization model, production hardening guide, and security policy.
ISCY has not undergone an independent penetration test or certification. Regulatory support does not constitute legal advice, certification, conformity assessment, or an audit opinion.
The protected CI workflow checks Rust formatting, Clippy, locked tests, dependency advisories, dependency licenses and sources, HTTP/database smoke tests, Nix execution, Compose configurations, and the hardened Docker image.
Local validation:
cargo test --locked --manifest-path rust/iscy-backend/Cargo.toml
make rust-smoke
make rust-restore-smoke- Handbook
- Strategic roadmap
- GUI screenshots
- Configuration reference
- Operations and monitoring
- Production hardening
- Proxmox production runbook
- Zero-Trust agent
- Release notes
Focused, tested, and documented contributions are welcome. Security-sensitive changes require explicit trust-boundary analysis and negative authorization tests.
Please read CONTRIBUTING.md, AGENTS.md, CODE_OF_CONDUCT.md, and SECURITY.md.
OpenAI Codex has assisted implementation, migration, testing, and review. Human contributors remain responsible for correctness, security, licensing, provenance, and validation.
Copyright (C) 2026 Enrico Wilhelm.
ISCY is licensed under the GNU Affero General Public License v3.0 only (AGPL-3.0-only). See LICENSE for the license text and NOTICE.md for copyright, attribution, third-party, and AI-assistance information.