
Citadel

Live host-state evidence for regulated fleets.

Citadel is an osquery fleet manager purpose-built for regulated environments. It deploys, configures, and manages osquery agents across a host fleet and turns their results into a signed, queryable evidence stream — so "what is actually running on every host" becomes a SQL question with a timestamped answer.

The problem

Compliance evidence is a snapshot of a thing that moves.

Traditional endpoint evidence is batch: quarterly scans, occasional CMDB reconciliation, screenshots dropped into a SharePoint folder. Between collections, the boundary drifts — a package gets patched, a config gets tuned, a process starts running — and no one finds out until the next scan or the next audit.

osquery solves the telemetry side of that problem: every host becomes a SQL-queryable surface exposing hundreds of tables of live state. What osquery does not solve is fleet-scale operation — agent deployment, configuration management, query distribution, result aggregation, evidence retention, and the compliance mapping that makes the data useful to an assessor.

Citadel is that layer.

How it works

Four pillars of fleet-scale osquery.

Each pillar produces a concrete artifact the platform generates and retains — not a policy statement, not a workflow diagram.

01

Fleet-scale osquery orchestration

Enroll, version, and configure osquery agents across thousands of hosts — Linux, macOS, Windows, and containers. Configuration is policy-driven, not hand-tuned per host.

02

Compliance-aligned query packs

Curated query packs map to NIST 800-53 control families — CM-6 (configuration settings), CM-8 (component inventory), SI-4 (system monitoring), SI-7 (software integrity), AU-2 (event logging). Evidence is produced as a byproduct of operation.

03

Signed, queryable evidence

Every result is timestamped and signed at the agent. Historical state is retained in an append-only store — so assessors can answer "what did host X look like on date Y" with a SQL query, not a hunt through backups.

04

Air-gap and FIPS-capable

Deploys in air-gapped environments with no outbound dependencies. FIPS 140-3 agent builds, with all cryptography performed by a validated module, are available for regulated workloads.

At a glance

Every host, live.

The fleet overview is the day-to-day operational surface — enrolled hosts, agent version, last check-in, and any current drift state.

citadel / fleet · 247 enrolled
Enrolled 247 · Healthy 246 · Drift 1 · Offline 0

Hostname        Platform      Agent   Labels              Check-in   Status
app-01.prod     Rocky 9.3     5.12.4  prod · app · fips   12s ago    ● healthy
app-02.prod     Rocky 9.3     5.12.4  prod · app · fips    9s ago    ● healthy
app-03.prod     Rocky 9.3     5.12.4  prod · app · fips    4s ago    ● drift · PM-2026-0151
db-01.prod      Rocky 9.3     5.12.4  prod · db · fips    18s ago    ● healthy
edge-01.prod    Ubuntu 24.04  5.12.4  prod · edge          7s ago    ● healthy
ci-runner-04    Ubuntu 24.04  5.12.4  ci · runner         21s ago    ● healthy

filters: env: prod · check-in: < 60s · 6 of 247 shown

Integrations

Feeds your SIEM, your SSP, and your ticket queue.

Citadel is built around the assumption that the data it produces is only useful if it lands in the systems your team already uses for evidence, detection, and remediation.

Query packs & scheduling

Query packs are authored as YAML, reviewed as pull requests, and promoted through environments. Each pack is mapped to the 800-53 controls it produces evidence for — so nothing is orphaned.

  • Git-backed pack repository with signed releases.
  • Ad-hoc queries scoped by host label or policy group.
  • Scheduled packs with per-platform overrides (Linux, macOS, Windows).
  • Curated baselines aligned to CIS, NIST 800-53, and FedRAMP ConMon.
packs/cm8-inventory.yaml
# CM-8 · System Component Inventory
pack: cm8-inventory
controls: [CM-8, CM-8(1), CM-8(3)]
schedule: hourly
queries:
  rpm_packages:
    query: SELECT name, version, release, arch, source FROM rpm_packages;
    platform: linux
  listening_ports:
    query: SELECT pid, port, protocol, family, path FROM listening_ports;
  os_version:
    query: SELECT name, version, build, platform FROM os_version;
signed pack v1.4.2 · deployed to 247 hosts · last refresh 09:14:22Z
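osquery itself does not read a pack in the YAML shape above; its config loader consumes JSON packs whose entries carry `query`, `interval`, `platform` and `description`. The following is an added example, not Citadel's own code: it holds the cm8-inventory pack as a plain dict (mirroring the YAML, so it runs without PyYAML), renders it as an osquery pack, and fails closed on the mistakes that would otherwise produce silent gaps in evidence. The schedule words, the platform allowlist, the control-ID pattern and the choice to carry the control mapping in osquery's real `description` field are this example's assumptions.

```python
import json
import re

# Constructed copy of packs/cm8-inventory.yaml as a dict (no YAML parser needed).
CITADEL_PACK = {
    "pack": "cm8-inventory",
    "controls": ["CM-8", "CM-8(1)", "CM-8(3)"],
    "schedule": "hourly",
    "queries": {
        "rpm_packages": {
            "query": "SELECT name, version, release, arch, source FROM rpm_packages;",
            "platform": "linux",
        },
        "listening_ports": {
            "query": "SELECT pid, port, protocol, family, path FROM listening_ports;",
        },
        "os_version": {
            "query": "SELECT name, version, build, platform FROM os_version;",
        },
    },
}

SCHEDULES = {"hourly": 3600, "daily": 86400, "weekly": 604800}   # assumed vocabulary
PLATFORMS = {"linux", "darwin", "windows", "posix"}              # example allowlist
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")            # 800-53 style, e.g. CM-8(1)


def to_osquery_pack(pack: dict) -> dict:
    """Render a Citadel-style pack as the JSON pack osquery's config loader reads.

    Fails closed: a pack with no valid control mapping, an unknown platform or a
    non-SELECT query would still 'deploy' but produce orphaned or empty evidence.
    """
    controls = pack.get("controls", [])
    bad = [c for c in controls if not CONTROL_ID.match(c)]
    if bad or not controls:
        raise ValueError(f"pack {pack.get('pack')!r}: invalid or missing control IDs {bad}")

    sched = pack.get("schedule", "hourly")
    if isinstance(sched, str):
        if sched not in SCHEDULES:
            raise ValueError(f"unknown schedule {sched!r}")
        interval = SCHEDULES[sched]
    else:
        interval = int(sched)
    if interval <= 0:
        raise ValueError("interval must be positive")

    out = {"queries": {}}
    for name, q in pack["queries"].items():
        sql = q.get("query", "").strip()
        if not sql.upper().startswith("SELECT"):
            raise ValueError(f"{name}: query must be a SELECT statement")
        entry = {
            "query": sql,
            "interval": q.get("interval", interval),   # per-query override allowed
            # osquery has no control field; the mapping rides in the real
            # `description` field so it survives into the scheduled config.
            "description": f"{pack['pack']} | controls={','.join(controls)}",
            # Full row set every run, so point-in-time inventory questions can be
            # answered from a single collection rather than replaying diffs.
            "snapshot": True,
        }
        plat = q.get("platform")
        if plat is not None:
            if plat not in PLATFORMS:
                raise ValueError(f"{name}: unknown platform {plat!r}")
            entry["platform"] = plat
        out["queries"][name] = entry
    return out


def render(pack: dict) -> str:
    return json.dumps(to_osquery_pack(pack), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render(CITADEL_PACK))
```

`snapshot: true` is a deliberate design choice here: drift (the Δ column in the result stream) is then computed server-side by comparing consecutive snapshots, which keeps the per-host evidence self-describing instead of depending on an unbroken chain of differential rows.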

Result stream

Results land in an append-only store and are forwarded to the customer SIEM in real time. Every row is signed by the agent that produced it and linked to the originating pack, query, and host.

  • SIEM targets — Splunk, Elastic, Chronicle, Sentinel, QRadar.
  • Historical SQL interface over the evidence store.
  • Anomaly detection on result deltas with optional ticketing hooks.
  • Native export to the FedRAMP Management Engine as OSCAL origin references.
citadel → siem · pack=cm8-inventory · live

Host           Query             Rows   Δ
app-01.prod    rpm_packages       412   0
app-02.prod    rpm_packages       412   0
app-03.prod    rpm_packages       413  +1
db-01.prod     listening_ports      6   0
edge-01.prod   os_version           1   0

1 drift detected · app-03.prod · new rpm · opened PM-2026-0151
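The two properties the result stream relies on, agent-signed rows and deltas between consecutive runs, are easy to get subtly wrong: a signature over a non-canonical serialization verifies or fails depending on whitespace, and a diff that runs before verification lets a forged snapshot hide a new package. The following added example (mine, not Citadel's) shows both halves together: the agent signs a canonical envelope, the collector verifies it before diffing, and a drift event is emitted only for verified rows. It uses HMAC-SHA256 with a per-host key as a stand-in for the ed25519 signatures the page describes, purely to stay on the standard library; the host names, package rows and timestamps are constructed sample data.

```python
import hashlib
import hmac
import json

# Stand-in for per-agent signing keys. The page describes ed25519 at the agent;
# HMAC is used here only to avoid a third-party dependency. Everything else
# (canonical bytes, verify-before-ingest, diff only verified rows) carries over.
AGENT_KEYS = {
    "app-01.prod": b"constructed-key-app-01",
    "app-03.prod": b"constructed-key-app-03",
}


def canonical(obj) -> bytes:
    """Stable byte form: sorted keys, no whitespace. Sign and verify over this."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_result(host: str, pack: str, query: str, collected: str, rows: list) -> dict:
    """Agent side: wrap one query's full row set in a signed envelope."""
    body = {"host": host, "pack": pack, "query": query, "collected": collected, "rows": rows}
    sig = hmac.new(AGENT_KEYS[host], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify_result(env: dict) -> bool:
    """Collector side: recompute over everything except the signature."""
    key = AGENT_KEYS.get(env.get("host"))
    if key is None:
        return False                      # unknown / unenrolled agent
    body = {k: v for k, v in env.items() if k != "sig"}
    expect = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, env.get("sig", ""))


def row_key(row: dict) -> tuple:
    # Identity of a package row; a version bump appears as one removed + one added.
    return (row["name"], row["version"], row["release"], row["arch"])


def drift(prev: dict, curr: dict):
    """Compare two envelopes for the same host/query. None if nothing changed."""
    if not (verify_result(prev) and verify_result(curr)):
        raise ValueError(f"{curr.get('host')}: signature check failed, refusing to diff")
    if (prev["host"], prev["query"]) != (curr["host"], curr["query"]):
        raise ValueError("snapshots are not from the same host/query")
    before = {row_key(r): r for r in prev["rows"]}
    after = {row_key(r): r for r in curr["rows"]}
    added = [after[k] for k in after.keys() - before.keys()]
    removed = [before[k] for k in before.keys() - after.keys()]
    if not added and not removed:
        return None
    return {"host": curr["host"], "query": curr["query"], "collected": curr["collected"],
            "delta": len(after) - len(before), "added": added, "removed": removed}


# Constructed sample: two hourly runs of cm8-inventory/rpm_packages on app-03.
BASE = [
    {"name": "openssl", "version": "3.0.7", "release": "18.el9_3", "arch": "x86_64"},
    {"name": "bash", "version": "5.1.8", "release": "9.el9", "arch": "x86_64"},
]
T0, T1 = "2026-04-21T08:14:22Z", "2026-04-21T09:14:22Z"
prev_app03 = sign_result("app-03.prod", "cm8-inventory", "rpm_packages", T0, BASE)
curr_app03 = sign_result("app-03.prod", "cm8-inventory", "rpm_packages", T1,
                         BASE + [{"name": "nmap", "version": "7.92", "release": "3.el9", "arch": "x86_64"}])


def tampered(env: dict) -> dict:
    """Someone edits the stored rows after collection to hide the new package."""
    e = json.loads(json.dumps(env))
    e["rows"] = [r for r in e["rows"] if r["name"] != "nmap"]
    return e                              # signature is now over different bytes


if __name__ == "__main__":
    print(json.dumps(drift(prev_app03, curr_app03), indent=2))
    print("tampered copy verifies:", verify_result(tampered(curr_app03)))
```

The ordering matters: `drift` refuses to run on an unverified envelope rather than diffing and then flagging, so a forged "no change" snapshot cannot suppress a drift event.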

Ad-hoc query console

Every osquery table is a live SQL endpoint across the fleet. The console distributes the query to every matching host, aggregates results, and signs the output as an investigative artifact.

  • Scope queries by host label, platform, or policy group.
  • Results retained in the append-only store with the query text.
  • Historical time-travel — rerun the same query against a past snapshot.
citadel / query
sql> SELECT host, name, version
     FROM   rpm_packages
     WHERE  name LIKE 'openssl%'
     AND    host IN (labels = 'prod');

fan-out 247 hosts · 1.8s · signed

Host           Name      Version
app-01.prod    openssl   3.0.7-18.el9_3
app-02.prod    openssl   3.0.7-18.el9_3
app-03.prod    openssl   3.0.7-19.el9_3
db-01.prod     openssl   3.0.7-18.el9_3

247 rows · signed · retained 90d · app-03 version drift flagged
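The two questions the console and the evidence store are built to answer, "what did host X look like on date Y" and "which hosts differ from the fleet right now", come down to point-in-time SQL over an append-only table. The following added example (mine, not Citadel's schema or API) loads a constructed eight-row slice of the openssl results above into an in-memory SQLite table and answers both. The column names, the correlated-subquery approach, and the majority-version outlier rule are this example's assumptions; the same SQL runs unchanged on Postgres.

```python
import sqlite3

# Constructed append-only evidence table: one row per (host, query, collection
# time, result row). Column names are this example's, not Citadel's.
SCHEMA = """
CREATE TABLE evidence (
    host       TEXT NOT NULL,
    pack       TEXT NOT NULL,
    qname      TEXT NOT NULL,
    collected  TEXT NOT NULL,   -- RFC 3339 UTC; same format sorts lexically
    name       TEXT NOT NULL,
    version    TEXT NOT NULL,
    sig        TEXT NOT NULL    -- agent signature over the whole result set
);
CREATE INDEX evidence_lookup ON evidence (host, qname, collected);
"""

# Two hourly collections; app-03 picks up a newer openssl between them.
SAMPLE = [
    # host, collected, name, version
    ("app-01.prod", "2026-04-21T08:14:22Z", "openssl", "3.0.7-18.el9_3"),
    ("app-02.prod", "2026-04-21T08:14:22Z", "openssl", "3.0.7-18.el9_3"),
    ("app-03.prod", "2026-04-21T08:14:22Z", "openssl", "3.0.7-18.el9_3"),
    ("db-01.prod",  "2026-04-21T08:14:22Z", "openssl", "3.0.7-18.el9_3"),
    ("app-01.prod", "2026-04-21T09:14:22Z", "openssl", "3.0.7-18.el9_3"),
    ("app-02.prod", "2026-04-21T09:14:22Z", "openssl", "3.0.7-18.el9_3"),
    ("app-03.prod", "2026-04-21T09:14:22Z", "openssl", "3.0.7-19.el9_3"),
    ("db-01.prod",  "2026-04-21T09:14:22Z", "openssl", "3.0.7-18.el9_3"),
]

# Latest collection per host at or before :asof. A later collection must not
# leak in, and a host that had not reported by then is simply absent.
AS_OF_SQL = """
SELECT e.host, e.name, e.version, e.collected
FROM evidence e
WHERE e.qname = :qname
  AND e.name LIKE :name
  AND e.collected = (
        SELECT MAX(collected) FROM evidence
        WHERE host = e.host AND qname = e.qname AND collected <= :asof)
ORDER BY e.host;
"""

# Hosts whose latest version differs from the fleet's most common version:
# the "version drift flagged" line in the console.
OUTLIER_SQL = """
WITH latest AS (
    SELECT host, name, version FROM evidence e
    WHERE qname = :qname AND name = :name
      AND collected = (SELECT MAX(collected) FROM evidence
                       WHERE host = e.host AND qname = e.qname)
),
majority AS (
    SELECT version FROM latest GROUP BY version ORDER BY COUNT(*) DESC LIMIT 1
)
SELECT host, version FROM latest
WHERE version <> (SELECT version FROM majority)
ORDER BY host;
"""


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO evidence VALUES (?, 'cm8-inventory', 'rpm_packages', ?, ?, ?, 'constructed')",
        SAMPLE)
    return db


def as_of(db: sqlite3.Connection, asof: str, name_pattern: str = "openssl%") -> dict:
    """{host: version} as it stood at `asof`; hosts with no collection yet are omitted."""
    rows = db.execute(AS_OF_SQL, {"qname": "rpm_packages", "name": name_pattern, "asof": asof})
    return {host: version for host, _name, version, _collected in rows.fetchall()}


def outliers(db: sqlite3.Connection) -> list:
    return db.execute(OUTLIER_SQL, {"qname": "rpm_packages", "name": "openssl"}).fetchall()


if __name__ == "__main__":
    db = open_store()
    print("as of 08:30Z:", as_of(db, "2026-04-21T08:30:00Z"))
    print("as of 09:30Z:", as_of(db, "2026-04-21T09:30:00Z"))
    print("outliers now:", outliers(db))
```

Note the `collected <= :asof` bound inside the correlated subquery: without it the "as of" query silently returns the newest row, which is exactly the evidence an assessor must not be shown when the question is about a past date.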

Paired with the platform

Host truth feeds the SSP — and verifies AI work.

Citadel gives the FedRAMP Management Engine a live, signed answer to the question every CM-family control asks: "what is actually on these hosts right now?" And it closes the loop on NAICOM-generated changes by verifying that a commit's intended effect actually landed on every target host.

Queries become evidence

Each Citadel query pack is mapped to the 800-53 controls it produces evidence for. The Engine imports those mappings and writes per-control origin references into the OSCAL SSP — pointing at specific signed results from specific hosts at specific timestamps.

  • Query packs carry their target control IDs as metadata.
  • Results retain host-level attribution in the OSCAL record.
  • Deploy-verification packs re-run after NAICOM-tracked changes land.
  • Drift events open POA&M candidates automatically.
citadel → engine / origin-ref
{
  "source":    "citadel",
  "kind":      "osquery-result",
  "pack":      "cm8-inventory",
  "query":     "rpm_packages",
  "controls":  ["CM-8", "CM-8(1)", "CM-8(3)"],
  "hosts":     247,
  "rows":      101924,
  "drift":     1,
  "collected": "2026-04-21T09:14:22Z",
  "sig":       "ed25519:4b01…"
}
signed · imported to ssp.json §cm-8 · drift opened PM-2026-0151

Inventory from ground truth

CM-8 evidence comes from live osquery results, not a CMDB that drifts. The SSP cites the query, the host set, and the timestamp.

Change verification

After a NAICOM-tracked change lands, a deploy-verification pack re-runs against the target hosts to confirm the expected state.

Drift becomes POA&M

Unexpected deltas in a scheduled pack auto-open POA&M candidates in the Engine — with the host, query, and delta pre-filled.

Continuous ConMon

Replaces quarterly screenshots with a signed event stream that satisfies FedRAMP continuous-monitoring expectations.

Compliance alignment

Control-family evidence produced as a byproduct of operation.

Citadel query packs are authored to produce evidence mapped to specific 800-53 controls. No separate evidence-gathering pass at assessment time.

NIST 800-53 — CM family

Produces CM-2 (baseline configuration), CM-6 (configuration settings), CM-7 (least functionality), and CM-8 (component inventory) evidence on a schedule, live from every enrolled host.

NIST 800-53 — SI family

SI-4 (system monitoring) and SI-7 (software integrity) evidence produced continuously. File-integrity queries, process monitoring, and package-hash verification run as scheduled query packs.

FedRAMP ConMon

Replaces quarterly scan screenshots with a live, queryable evidence stream. Satisfies the continuous-monitoring requirements FedRAMP 20x emphasizes.

Architecture

Control plane inside your boundary. Agents everywhere.

Citadel runs as a self-hosted control plane — agent registry, query distributor, result collector, and evidence store — inside the customer's authorization boundary. Agents are standard osquery builds with a thin Citadel extension for policy-controlled scheduling and signed result emission. An agent signature establishes which enrolled agent produced a result and that it has not been altered since collection; it does not vouch for a host whose agent or kernel has itself been compromised, which is why integrity evidence is still corroborated against the fleet rather than taken from a single host.

Results land in a customer-owned append-only store (Postgres or ClickHouse) and forward to the customer's SIEM over mutually authenticated TLS. The Engine reads from the same store for OSCAL origin references.

Air-gapped deployments are supported natively — the control plane, agents, and evidence store run without any outbound dependency.

Know what's on every host.

Early-access pilots are open to organizations running regulated fleets under FedRAMP, DoD IL, or equivalent continuous-monitoring regimes.
