The company
Andesite's leaders spent decades protecting our nation and large global enterprises against sophisticated adversaries, and are committed to developing products that empower those who protect others. Their proprietary AI technology enables cyber defense teams to assess and determine risk, accelerate time to investigate and respond, and reduce inefficiencies across the security ecosystem.
When Dave Brown, a cybersecurity executive with over 20 years of experience and a published author, joined Andesite in April 2024 as Head of Security & Compliance, the stealth-mode AI platform faced a looming deadline: achieving FedRAMP High readiness by February 2025 to support its commercial launch. With no existing security or compliance framework and a small team, Dave needed to build everything from the ground up. Partnering with TrustCloud, he not only met that aggressive timeline but created a continuous control monitoring and third-party risk program at the scale of a large enterprise, all within a small startup.
The challenge
The team faced a number of key challenges, including building out security processes at a high quality level with limited resources. Below is a list of the top challenges that Andesite experienced in the area of security and compliance:
- Rapid build-out of security and compliance, starting from zero policies or processes
- Aggressive FedRAMP High target to launch general availability by February 2025
- Limited resources meant bootstrapping the entire program on a tight budget
- Managing third-party and AI vendor risk was non-negotiable for an AI company
The Solution
- Framework definition and stakeholder alignment
Dave worked with the board and senior leadership team to map FedRAMP High controls to concrete requirements. They established monthly deliverables to demonstrate progress against business goals.
Buy-in from the executive team from the start was critical to making this endeavor a success and to making progress. Dave added: ‘I’m lucky to have a board and executive team who get it – in other words, they’re willing to make the investments necessary to make cybersecurity a priority in our organization and for the sake of our clients. If you don’t have this at the start, it’s difficult to make progress swiftly.’
Dave provided some tips on how to gain executive buy-in for your security and compliance program:
- Create a plan and showcase the plan
- Communicate early and often – set a cadence of communication; it is better to overcommunicate than to undercommunicate
- Tie the benefits of the program not only to security but to business outcomes and what it means to the future of the business.
- Continuous control monitoring
- Launched TrustCloud’s continuous auditing to programmatically test and validate controls across Google Workspace and core infrastructure daily
- Built nearly 500 controls in the TrustCenter for real-time compliance instead of quarterly assessments
- Robust third-party risk management
- Deployed TrustCloud’s Third-Party Risk module to assess security, privacy, and AI posture of every vendor—automating evidence collection and scoring
- Uses the module for third-party assessments of all connectors (APIs) that connect to the Andesite platform
- Integrated penetration test and AI assessment results directly into Andesite’s risk register
- Culture of security through partnerships
- Hired an IT manager focused on compliance and empowered him with TrustCloud dashboards to reinforce security by design
- Formed reseller and ATO accelerator partnerships, with TrustCloud at the core, to leverage shared expertise and accelerate maturity
Results
- FedRAMP internal readiness achieved ahead of the February 2025 target
- Built a nearly 500-control compliance framework and SOC 2 Type I auditing in under 12 months with a very small team by partnering closely with TrustCloud experts
- External ISO auditors needed just 3.5 hours to review TrustCloud-driven evidence, down from 30 hours in prior engagements – another game changer
- The board and SLT now view security as an enabler that accelerates customer trust and sales cycles, not just as a cost center to the business
Looking Ahead
With a solid continuous compliance foundation, Andesite is now:
- Pursuing SOC 2 Type II, ISO 27001/27701/42001, PCI DSS, HITRUST, and Cloud Security Alliance Level 2 certifications by November 2025
- Expanding third-party risk assessments to cover new AI partners and emerging regulations, especially those driven by the rise of AI
“Continuous auditing and third-party risk management gave us the agility of a startup with the rigor of an enterprise. That’s the competitive edge we didn’t have before TrustCloud.”
– Dave Brown, Head of Security & Compliance, Andesite
