← Blog

Engineering

One Connector, One Compliance Test: How We Built 428 Integrations

July 7, 2026 · 5 min read

Most compliance tools treat integrations as a logo wall. We made each connector run a test. Here’s the engineering behind 428 vendor integrations — grounded in exactly what shipped.

Most compliance tools treat “integrations” as a logo wall: connect a vendor, pull some evidence, show a green checkmark. We took a different path. Last week we shipped 428 connectable vendor integrations — and the point of each one isn’t to collect a screenshot. It’s to run a test.

What actually shipped

Over a few days we brought our evidence-vendor catalog to 428 connectable integrations — parity with the 454-integration catalog buyers expect from tools like Vanta — and added first-class connectors across every layer of a modern stack:

  • Identity & access: Auth0 (alongside our existing Okta path)
  • Endpoint / MDM: Jamf Pro, Microsoft Intune, Kandji
  • Cloud & infrastructure: AWS (multi-region), DigitalOcean, Kubernetes, Snowflake
  • Observability & response: Datadog, New Relic, Splunk, Sentry, PagerDuty
  • Security & edge: CrowdStrike Falcon, Cloudflare
  • Dev & change management: Bitbucket, ServiceNow

The engineering idea: a connector lights up a test

In CATAAM, connecting a vendor does one specific thing beyond sync — it activates an automated compliance test against that vendor’s real configuration. A connector isn’t a data pipe; it’s a control check that now runs continuously. A few concrete examples from last week:

  • Snowflake → MFA enforced on database access
  • PagerDuty → on-call / incident-response coverage exists
  • Jamf, Intune, Kandji → disk / device encryption (e.g. FileVault) enforced
  • Kubernetes → RBAC and network-policy isolation
  • CrowdStrike Falcon → endpoint sensor health
  • DigitalOcean → VPC network isolation
  • Datadog, New Relic → monitoring / alert policies configured
  • ServiceNow → change-management process in force

Because the check is tied to the live vendor, this is continuous compliance rather than a point-in-time screenshot: the test re-runs, and if a control drifts the finding surfaces — and via our continuous security testing engine it latches back into the audit as evidence.

Why this is easier for customers

Connect a vendor once and the relevant tests light up automatically — no manual evidence gathering per control. Discovered assets flow into a single source-of-truth inventory, so the same connection feeds both your asset inventory and your control tests.

Honest scope

To be precise: 428 vendors are connectable in the catalog today, and the connectors above ship with live compliance tests now; we’re lighting up tests across the rest of the catalog on a rolling basis. This is an engineering direction we’re proud of, not a finished destination — and we’d rather tell you exactly where the line is.

If you’re evaluating compliance automation, that’s the difference worth testing: not how many logos a tool lists, but how many of them actually check something. See how it maps to a framework in SOC 2 or ISO 27001.

See continuous compliance in action

Explore continuous security testing

Frequently asked questions

How many integrations does CATAAM have?
CATAAM’s evidence-vendor catalog is 428 connectable integrations — parity with the 454-integration catalog buyers expect from tools like Vanta. The difference is what a connection does: each supported connector activates an automated compliance test against the vendor’s live configuration, not just an evidence pull.
What does “a connector lights up a test” mean?
Connecting a vendor activates a specific automated control check tied to that vendor — e.g. Snowflake checks MFA on database access, Jamf/Intune/Kandji check device encryption, Kubernetes checks RBAC and network-policy isolation. The test re-runs continuously, so control drift is caught and latched into the audit as evidence.
Is this continuous compliance or point-in-time?
Continuous. Because each test is tied to the live vendor configuration rather than a one-time screenshot, it re-runs and surfaces findings when a control drifts — turning every connected vendor into an ongoing control check.