Wardengate
Audit & Evidence

Evidence auditors can sign off on in one pass

Wardengate produces the artifacts security and compliance teams already need: immutable logs, attributable sessions, approval chains, and framework-ready exports—generated at the point of action, not reconstructed the week before an audit.

Talk to salesSee a sample export
Structured, not scraped

Evidence is produced at the point of action—approvals, sessions, commands—not reconstructed from log fragments after the fact.

Immutable by design

Records are hash-chained and optionally mirrored to WORM storage. Integrity is verifiable on read, not taken on faith.

Framework-ready

Mappings for SOC 2, ISO 27001, PCI DSS, and HIPAA generate the artifacts auditors ask for instead of ad hoc spreadsheets.

Evidence pipeline

One evidence pipeline, every framework

Every brokered session funnels into the gateway, is transformed once into structured, hash-chained evidence, and fans back out mapped to the control catalogs your auditors already read.

Evidence sources

Brokered sessions

ssh · rdp · sql

SSH, RDP, and database sessions arrive identity-attributed with policy version

Approval chains

CC6 · A.9

JIT requests, break-glass, and exceptions with requester, approver, and scope

Policy history

CC8 · A.12

Rule diffs, authors, effective timestamps — diffable at any point in time

Admin events

AU-2 · AU-3

Wardengate admin actions logged to the same stream — no separate blind spot

Produced at the point of action

Evidence is emitted inline with the session or approval — not reconstructed from log fragments the week before an audit.

Framework fan-out

Export ready
Session · ssh-23a…Session · rdp-88b…Session · psql-4f…WARDENGATEevidence planeStructured evidenceSOC 2ISO 27001PCI-DSS 4.0HIPAA
Session records

Each brokered SSH, RDP, or database session arrives identity-attributed.

Evidence plane

Hash-chained, structured records produced at the point of action.

Framework artifacts

Exports shaped to SOC 2, ISO 27001, PCI-DSS, and HIPAA workpapers.

Hash-chained

Per-record integrity with periodic root anchors and continuous verification

Framework exports

SOC 2, ISO 27001, PCI-DSS, HIPAA, and NIST artifacts from one pipeline

GRC-ready APIs

Stable, versioned event stream for your existing compliance tooling

Signed manifests

Export bundles include artifact hashes and build provenance

What gets recorded

Six streams that make a privileged estate reviewable

Auditors rarely ask for more data. They ask for data that ties together. Wardengate writes every record with the same identity, session, and policy anchors so the joins are already done.

01

Approval chains

Every JIT request, break-glass use, and policy exception is recorded with requester, approver, reason, target, and time-to-expiry. The chain reads as a narrative, not a join across five tables.

02

Session artifacts

Each privileged session emits a metadata record: identity, target, protocol, start and end, policy version applied, and a pointer to the recording. That record is the anchor auditors follow.

03

Command and statement logs

Interactive commands and SQL statements are captured at the gateway with arguments. Searchable, exportable, and tied to the session record that authorized them.

04

Policy change history

Who changed what rule, when, with whose approval, and what the rule looked like before. Reviewers can diff policy state at any point in time.

05

Administrative events

Admin actions against Wardengate itself—user provisioning, connector changes, role grants—are logged to the same stream as operator activity. No separate admin blind spot.

06

Access review exports

Periodic review packets list entitlements per user, per target group, with last-used timestamps. Reviewers attest in-product; the attestation is evidence.

Framework mappings

Speak each framework without a translation layer

Wardengate ships with mappings from product evidence to the controls your auditors already care about. You hand over artifacts named the way their workpapers are organized.

SOC 2

CC6, CC7 controls

Logical access, privileged identity, change management, and monitoring. Export artifacts map to common control descriptions used by auditors.

ISO 27001

Annex A.5, A.8, A.9

Access control, operations security, and user access management. Covers policy, enforcement, and review evidence in one export.

PCI DSS

Requirements 7, 8, 10

Restrict access by business need, identify and authenticate users, and log and monitor all access to cardholder data.

HIPAA

Security Rule 164.308 / 164.312

Workforce access authorization, audit controls, and information system activity review. Evidence is attributable to named users.

NIST 800-53

AC, AU, IA families

Access control, audit and accountability, and identification and authentication. Useful for federal and FedRAMP-adjacent programs.

Immutable logs

Integrity that is provable, not promised

Records are hash-chained at write time. Verification can run continuously or on demand, and any break in the chain surfaces as an alert—not as a surprise during an investigation.

Optional mirroring to WORM-compliant object storage keeps a second, write-once copy out of reach of operators—even privileged Wardengate administrators.

Integrity controls in the box

  • Per-record hash chain with periodic root anchors
  • Continuous verification with alerting on divergence
  • WORM-compliant storage targets for regulated estates
  • Role-scoped reviewer access, itself logged
  • Legal-hold markers that override retention sweeps

Chain of custody

Approvals that are themselves part of the audit trail

Every approval—JIT elevation, break-glass, policy exception—is captured with requester, approver, reason, scope, and duration. Auditors trace an action back through the gate that let it happen, not a Slack screenshot.

Step 01

Captured at source

Events are emitted by the gateway in line with the action they describe—not reconstructed by a log shipper later.

Step 02

Signed and chained

Each record is hashed; each hash chains to the previous one. Tampering anywhere in the chain is detectable on verification.

Step 03

Replicated immediately

Records are written to your SIEM and to durable storage as they happen. The gateway is not a single point of evidence failure.

Step 04

Retained and reviewable

Retention is set per record type. Reviewers query with role-scoped access; every view is itself logged to complete the chain.

Structured exports

Evidence packets auditors can open without a walkthrough

Scope an export by framework, period, population, or target. Wardengate assembles the artifacts—entitlement listings, access reviews, session summaries, approval chains, integrity proofs—into a packet that reads cleanly against the control catalog you were asked to evidence.

Prefer to pull raw data into your GRC platform? Every record is available via stable, versioned APIs and a structured event stream.

audit-packet-soc2-q1-2026.zipSigned

  • entitlements-q1-2026.json

    Entitlements

    248 KB

  • access-reviews-attestations.pdf

    Attestations

    1.2 MB

  • session-summaries-mar.zip

    Sessions

    4.8 MB

  • approval-chains-elevations.json

    Approvals

    892 KB

  • integrity-proof-root-anchor.sig

    Integrity

    12 KB

Walk into your next audit

Evidence, collected as the work happens

We will show you a framework-scoped export, verify integrity on the fly, and map every record back to the action that produced it.

Book a walkthroughTalk to sales