The Autonomous Trust Fabric · CloudTrust360 by AIVONS

The Autonomous Trust Fabric for Cloud, Data, and AI.

CloudTrust360 is one trust fabric — cloud security, FinOps, executive reporting, Microsoft 365 governance, and data security on one graph. TrustCloud, TrustFinOps, TrustIQ, TrustM365, and TrustData ship today; TrustOps, TrustIdentity, and TrustAI plug into the same graph and TAU pricing model. AI-Native by design. Outcome-priced. Read-only on day one.

Start with a six-month pilot where CloudTrust360 only earns from verified savings. Then scale with transparent TAU pricing for security, compliance, and executive reporting outcomes.

Read-only access · no agents
AWS · Azure · GCP
14-day TAU dispute window
BYO LLM keys · zero AI training on your data
CloudTrust360 multi-cloud dashboard showing AWS, Azure, and GCP rollups side by side — $1,209 in total spend, 38 findings (10 critical), $43 in savings opportunities, 51% compliance score, plus a 30-day cost trend chart and findings-by-severity donut
AI-Native, in production

Always-on product expertise

Get real-time help from an AI assistant that understands CloudTrust360 in depth — setup, sync, permissions, billing, remediation.
Why CloudTrust360

Aligned incentives, by design.

Most cloud platforms charge for access. We charge for results. Your bill grows only as we produce more verified outcomes — across cloud security, cost, and compliance.

One platform, three domains

TrustCloud, TrustFinOps, and TrustIQ — security posture, cost intelligence, and executive narrative — in one trust graph. No swivel-chair between Wiz, Cloudability, and Drata for a board-ready story.

Pay-for-outcomes pricing

Trust Action Units convert each finding resolved, dollar saved, and summary delivered into a transparent line item. Every charge traces to a specific event you can audit. We only win when you win.

Read-only, AES-256-GCM encrypted

IAM roles for AWS, service principals for Azure, Workload Identity Federation for GCP — no static service account keys. Credentials encrypted at rest. Per-tenant Row-Level Security. Zero changes to your infrastructure.

The model

One trust graph. Every domain. Every outcome.

Live cloud, cost, compliance, identity, data, and AI signals feed one shared trust graph. AI reasons over it to produce verifiable outcomes — and every outcome is a TAU you can audit.

[Diagram: Cloud, Cost, Compliance, Identity, Data, and AI Governance signals feed the Trust Graph, which produces TrustIQ Narratives (board-ready, source-backed) and TAU Outcomes (every charge auditable).]

Solid lines = shipping today (TrustCloud, TrustFinOps, TrustIQ, TrustM365, TrustData). Dashed = arriving into the same platform (TrustOps, TrustIdentity, TrustAI) on the roadmap.

AI-Native operational support

AI-Native support, built into the platform.

CloudTrust360 includes a product-aware Support Expert that understands the platform, your setup flow, sync failures, permissions, billing, RBAC, and remediation workflows.

Teams can ask questions, paste errors, attach files, and get immediate guidance — without waiting for a first-line ticket response.

  • Resolve common issues instantly. Escalate only when human support is needed.
  • Product-aware, not generic. Knows your modules, your sync history, your active errors.
  • Generates verification scripts for permissions, IAM policies, and connection tests — read-only, you run them.
  • Approval required for any production action. The Support Expert recommends; humans decide.
CloudTrust360 in-product Support Expert: an AI-native assistant helping a user troubleshoot a sync failure with step-by-step guidance, attached file context, and a verification script generated for the customer's specific environment.
Integrations & connectors

Plugs into the stack your team already runs.

Read-only cloud connections, Kubernetes API access, your existing alerting tools, and your own AI provider keys. No new platforms to adopt.

  • Alerts & notifications: Slack, Microsoft Teams, generic webhook
  • Cloud & SaaS providers: AWS, Microsoft Azure, Google Cloud, Microsoft 365 / Entra
  • Kubernetes: Amazon EKS, Azure AKS, Google GKE
  • AI providers (BYO keys): Anthropic Claude, OpenAI

All cloud connections are read-only via IAM roles (AWS), service principals (Azure), Workload Identity Federation (GCP), and Microsoft Graph application permissions (Microsoft 365). Kubernetes access uses provider-native RBAC view roles. Your LLM provider keys stay yours.

Multi-cloud, agentless, ready in minutes

The Platform

One trust graph. Multiple modules.

Five modules ship today. More on the roadmap. Every module plugs into the same TAU pricing model — no contract renegotiation when new capabilities arrive.

● Shipping
Cloud Security Posture

TrustCloud

Continuous multi-cloud security posture across AWS, Azure, GCP — plus EKS, AKS, and GKE. 25+ detectors with auto-resolve on re-sync. Blast Radius impact analysis for critical findings. Network flow inference for east-west exposure. CIS framework scoring per provider.

  • 16 AWS · 5 Azure · 4 GCP security detectors + Kubernetes workload findings
  • Blast Radius — resource impact analysis for triage
  • Flow inference — network exposure across VPCs & subnets
  • Slack, Microsoft Teams & webhook alerting with smart dedup
● Shipping
FinOps & Cost Intelligence

TrustFinOps

Cost ingestion, forecasting, and anomaly detection across all three clouds. 28 savings detectors. Commitment management for AWS RIs & Savings Plans, Azure RIs, and GCP CUDs. Per-account and per-department budgets with multi-state pacing alerts.

  • End-of-month forecast with backtest accuracy
  • Anomaly detection: sudden-spike & new-service triggers
  • Commitments — AWS RI+SP, Azure RI, GCP CUD coverage & recs
  • Department budgets with pacing pills + Teams alerts
  • Cost allocation by tag with untagged-spend triage
● Shipping
Executive Trust Reporting

TrustIQ

The board-ready narrative your CFO actually reads. Live data becomes the executive summary, the compliance evidence, and the cross-domain story. Monthly Exec Summary, Cost Variance, and Open Findings Aging reports run on demand or save to your history.

  • Command Center cross-domain executive view
  • AI executive summaries with source-backed evidence
  • Reports — Monthly Exec, Cost Variance, Findings Aging
  • SOC 2 · HIPAA · PCI DSS · ISO 27001 · NIST CSF · CIS
  • BYO LLM keys (Claude, OpenAI) with smart caching
● Shipping
Microsoft 365 Posture & Savings

TrustM365

Microsoft 365 security posture, License Governance with role-based E5→E3 right-sizing, SharePoint exposure, and Copilot adoption — from one read-only Graph API connection. Five product views with per-tab AI executive summaries.

  • Secure Score posture: MFA gaps, legacy auth, conditional access
  • License Governance — role-segment posture surfaces E5→E3 downgrade savings and under-licensed compliance risk
  • License utilization — inactive seats, recoverable spend with owner & department evidence
  • SharePoint & OneDrive exposure, ownership gaps, archive savings
  • Copilot adoption — inactive seats & reclaimable spend
● Shipping
Data Security Posture & Flow

TrustData

Metadata-first data security posture across AWS S3, Azure Blob, and GCP Cloud Storage — encryption, public access, versioning, logging. Per-asset detail with classification & encryption pills. Flow page traces data movement across services.

  • S3 buckets · Azure Blob containers · GCS buckets in one inventory
  • 12+ posture detectors (public access, encryption, logging, versioning)
  • Exposure classification per asset (private · restricted · public · critical)
  • Flow inference — runtime data movement across services
  • Reuses existing cloud accounts — no new IAM setup

On the roadmap — same trust graph, same TAU pricing, no contract changes

  • TrustAI (next major direction): AI system inventory, shadow-AI detection, AI-to-data lineage, agent governance, and NIST AI RMF / EU AI Act evidence — the next major direction for CloudTrust360.
  • TrustOps: Supervised remediation with approvals, simulation, and rollback
  • TrustIdentity: Identity graph, privilege paths, AI agent identity governance
platform context

Built for the gap between security, cost, and compliance platforms.

Wiz, Orca, Defender, Cloudability, and Drata are strong in their domains. CloudTrust360 connects the context between them — so one finding ties to its cost impact, its failing control, and its board-level narrative without the swivel-chair.

Best-in-class for…

Wiz · Orca · Defender for Cloud

  • Strength: Deepest cloud security detector libraries · runtime CWPP · code-to-cloud coverage
  • Buyer: Enterprise security teams with six-figure budgets and weeks of implementation runway
  • Gap: No FinOps. No executive narrative tying findings to spend and compliance.

CloudTrust360

One trust graph across security, cost, and compliance

  • Strength: Cross-domain context · outcome-based pricing · mid-market accessible
  • Buyer: CISO, CFO, and audit committee — reading the same screen, not three different tools
  • Time-to-value: Hours to first insight · same-day pilot · no professional-services dependency

Best-in-class for…

Cloudability · Flexera · Drata

  • Strength: RI / SP optimization automation · audit-prep workflow · evidence collection at scale
  • Buyer: Dedicated FinOps team or compliance lead with a single-domain mandate
  • Gap: Each lives in its own tool. No cross-domain link to security context or board narrative.

Where customers need depth in any single domain, we integrate, not compete. Where they need cross-domain context — a finding that ties to a cost driver that ties to a failing control that ties to a board narrative — that's our wedge, not theirs.

See it in action

This is what your team actually sees.

Click through the modules. Real product screenshots from the running platform — no mockups, no roadmap-ware on the live tabs.

Module · TrustCloud

One pane of glass across AWS, Azure, and GCP.

The home dashboard rolls up active accounts, monthly spend, open findings by severity, and compliance posture across every connected cloud. The change feed shows what moved in the last 24 hours. Sync failures are flagged with an investigate link. Drill into any cloud, finding, or cost bucket in one click.

  • Per-cloud rollup (AWS / Azure / GCP)
  • 24h change feed (new / resolved / cost delta)
  • Findings by severity (donut)
  • Sync failure alerts with deep-link
  • Cost trend (30 days)
CloudTrust360 Multi-Cloud Dashboard showing AWS, Azure, and GCP rollups side by side with monthly spend ($1.2K, $0.0K, $0.0K), findings count (18, 10, 2), and critical-severity counts (8, 0, 2); below that a 'What's new in the last 24h' change feed with 2 new critical findings, 8 findings resolved, cost down 100%; a sync failures alert; total spend $1,209.72, 38 findings, $43 savings, 51% compliance; cost trend line chart, and findings-by-severity donut chart
Built on: Real-time queries against Supabase with per-tenant Row-Level Security · No data leaves your tenant.
Module · TrustCloud + CT360 Copilot

Every finding ships with a structured AI remediation plan.

Open any finding and you get the full AI Analysis: executive summary, why it matters, the attack scenario, and a step-by-step remediation runbook with verify commands you can paste into a terminal. Severity-aware confidence. Model name and version stamped on every output — no anonymous AI.

  • Executive summary
  • Why this matters
  • Attack scenario
  • 5-step remediation runbook
  • Verify commands
  • Model attribution shown
Security Finding Details modal in CloudTrust360 showing a 5-step GCP firewall remediation runbook, AI Analysis section attributed to claude-haiku-4-5, Fix Immediately priority block, executive summary, why-it-matters narrative, and attack scenario explanation
BYO LLM: Bring your Anthropic or OpenAI key. Your data never trains a model · 7-day cache reduces token spend.
Module · TrustIQ

The board-ready narrative your CFO will actually read.

One click generates an Executive Summary: top risks ranked, blast radius for each, the "do this first" call-out with estimated time-to-fix and risk reduction, plus cost overview and compliance notes. Generated from live data — not a snapshot from last Tuesday.

  • Top risks (1-2-3 ranked)
  • Blast radius per risk
  • "Do this first" priority action
  • Cost overview
  • Compliance notes
  • 1-hour smart cache
CloudTrust360 AI Executive Summary panel generated by claude-haiku-4-5, showing top risks for Tara Corp — RDS instance publicly accessible, S3 bucket admin.tara-tok.com publicly accessible, root account access keys — with blast radius for each, a 'Do This First' priority action with ~15 minute fix estimate and ~45% risk reduction, plus cost overview
Earns its TAUs: Each delivered summary = 25 TAUs · Cached 1 hour · Smart-invalidated by the change feed.
Module · TrustFinOps

Cost intelligence with verifiable, ROI-ranked actions.

Spend rollups by cloud. Optimization opportunities ranked by ROI, with effort and confidence on each. The AI Cost Summary opens a panel that grades the account, explains the math behind it, and tells you what to do this week vs this quarter. 28 savings detectors across AWS, Azure, and GCP.

  • ROI-ranked recommendations
  • Effort + confidence on every action
  • AI Cost Summary with letter grade
  • 28 savings detectors
  • 30-day persistence validation
  • Tag-based cost allocation
CloudTrust360 Cost Analysis page showing $1,209.72 rolling 30-day total spend across AWS Azure GCP, $43/month in optimization opportunities including bursty EC2 rightsizing and RDS Reserved Instances, plus an AI Cost Summary panel with a B-grade rating, top actions ranked by ROI, and 'do this week' recommendation list
Persistence-validated: Provisional savings only become billable TAUs after 30 days of real cost reduction at ≥ 90% of predicted amount.
Module · TrustM365

Microsoft 365 posture, License Governance, SharePoint exposure, Copilot adoption — one connection.

One read-only Graph API connection unlocks five product views: Secure Score posture (MFA gaps, legacy auth, conditional access), License Governance with role-segment E5→E3 right-sizing, license utilization with per-seat owner & department evidence, SharePoint & OneDrive exposure with ownership coverage, and Copilot adoption tracking. Each tab has its own AI Executive Summary on demand.

  • Secure Score & identity findings
  • License Governance — E5→E3 by role-segment posture
  • 7 role segments · 11 SKUs mapped
  • License waste with owner & department
  • SharePoint & OneDrive exposure
  • Copilot adoption & reclaimable spend
  • Per-tab AI Executive Summary
  • Read-only Microsoft Graph permissions
CloudTrust360 Microsoft 365 page showing Secure Score posture, License Governance with role-segment analysis surfacing E5 to E3 downgrade savings and under-licensed risk, license utilization with owner and department evidence, SharePoint and OneDrive exposure tracking, and Copilot adoption metrics — five tabs spanning posture and reclaimable license spend, all from one read-only Microsoft Graph API connection
Honest by design: License Governance compares assigned capabilities against role policy — not per-user premium-feature telemetry, which Graph doesn't expose. Under-licensed findings ship as compliance risk; over-licensed as billable savings. No silent overclaiming.
Module · TrustIQ

Compliance scoring auditors recognize, against your real findings.

Real-time scoring against SOC 2, ISO 27001, PCI DSS, HIPAA, NIST 800-53, and CIS benchmarks for each cloud. Every failing control links to the exact open finding causing it, so a failed score isn't a mystery — it's a to-do list. Live data, no periodic snapshots.

  • SOC 2 · ISO 27001 · PCI DSS · HIPAA
  • NIST 800-53 · CIS AWS / Azure / GCP
  • Control → finding traceability
  • Per-framework passing / failing counts
  • Live data, real-time scoring
CloudTrust360 Compliance Dashboard showing real-time scoring across SOC 2 (0%), ISO 27001 (55%), PCI DSS (50%), HIPAA (25%), CIS AWS (50%), CIS Azure (86%), CIS GCP (71%), and NIST 800-53 (67%) with passing and failing control counts per framework, and a Live data badge at the top right
Auditor-friendly: Activity log captures every control state change with attribution · Exportable on request.
Platform · Trust audit trail

Every sync. Every change. Every TAU. Logged.

The sync history page shows the last 50 sync attempts across every connected cloud account — manual runs and the 6-hourly auto-sync. Per-pipeline status (cost / security / savings), duration, trigger, and outcome on each row. Pair it with the activity log and every TAU on your invoice traces back to a specific event.

  • Per-account, per-pipeline sync log
  • Success / Partial / Failed filtering
  • Manual + auto-sync (6-hour cron)
  • Duration timing on every run
  • 14-day in-app dispute window
CloudTrust360 Sync History page showing the last 50 sync attempts across connected cloud accounts including GCP_TEST, Tara-AWS, Azure-Test, with columns for account name, time, trigger (manual or auto), per-pipeline status icons for cost/security/savings, duration in seconds, and Success/Partial/Failed status badges; filter buttons at top for All, Success, Partial, Failed
Auditor-grade: Per-tenant Row-Level Security · CSV export · Activity-log retention scales with your tier.
AI posture

AI you can actually show your CISO.

We use AI where it helps you decide faster — and nowhere it could decide for you. Every claim here is true today, in shipping code, not on a roadmap.

● Shipping

Source-backed, not hallucinated

Every AI claim links to its evidence. Executive summaries, finding analyses, and recommendation write-ups all cite the specific data they came from — finding IDs, cost rows, compliance gaps. If we can't show the source, the AI doesn't make the claim.

  • Activity log captures every AI call with inputs & outputs
  • Strict JSON-mode prompts with data-integrity rules
  • You can rebuild any AI conclusion in 5 minutes
● Shipping

Bring your own LLM keys

Your data never trains anyone's model. Connect your own Anthropic or OpenAI API key. Prompts and responses flow directly between your account and your chosen provider — under their zero-retention terms, not ours. We store the result; we don't see the round trip.

  • Anthropic Claude · OpenAI · provider choice is yours
  • Per-org token budget controls runaway costs
  • 7-day per-row cache · 1-hour summary cache
● Shipping

AI assists, humans decide

The platform never acts on your cloud. CloudTrust360 is read-only by design. AI ranks, drafts, and explains — you approve before anything moves. No autonomous remediation, no agentic loops touching your production. The activity log is your audit trail.

  • Zero write permissions on AWS · Azure · GCP
  • AI generates recommendations; you mark them implemented
  • Role-based controls on who can act on AI output
On the roadmap

TrustAI — governance for the AI systems, copilots, and agents running in your environment. AI inventory, shadow-AI detection, AI-to-data lineage, NIST AI RMF and EU AI Act evidence mapping. Talk to us about the design partner program.

Why it works

Three things this product does that nobody else does in one place.

Cross-domain context. Verified outcomes. AI that's source-backed, not hallucinated.

One trust graph

Security, cost, and compliance — in the same conversation.

Wiz tells you about security findings. Cloudability tells you about cost. Drata tells you about compliance. Every one of those tools lives on a different dashboard with a different mental model. CloudTrust360 puts all three on the same screen — because the decisions your board cares about cross all three.

  • Severity, spend, and compliance score for every connected cloud, side by side.
  • Findings link to the resource, the spend, and the failing control — no swivel-chair.
  • One activity log captures it all — sync runs, AI calls, state changes, team actions.
CloudTrust360 dashboard with cross-domain rollup — AWS, Azure, and GCP each showing monthly spend, findings count, and critical-severity count side by side; below that, total spend ($1,209.72), open findings (38), savings opportunities ($43), and compliance percentage (51%) in a single row of stat tiles
CT360 Copilot

Every AI answer cites its source — and shows the model that wrote it.

When the AI says "this is critical," it shows you the exact rule, resource, attack path, and remediation steps that justify the claim. The model name and version are stamped on every output (you'll see claude-haiku-4-5 in our screenshots — that's BYO LLM in action). No hallucinated severity. No mystery confidence.

  • Executive summary, attack scenario, why-it-matters — all four sections, always.
  • 5-step remediation runbook with verify commands — copy-paste into your terminal.
  • Severity-aware confidence + model attribution stamped on every output.
  • 7-day cache — pay for the analysis once, not every time someone opens the modal.
CloudTrust360 Security Finding Details modal showing AI Analysis section attributed to claude-haiku-4-5, structured into a Fix Immediately priority block, Executive Summary, Why This Matters narrative, and a 5-step remediation runbook with verification commands for a GCP firewall rule allowing SSH from 0.0.0.0/0
TrustIQ · Board-ready

The narrative your CISO sends to the audit committee — generated, not written.

One click produces an Executive Summary that ranks your top risks with blast radius for each, surfaces the "do this first" action with estimated risk reduction and time-to-fix, and folds in cost overview and compliance notes. The CISO emails it. The CFO actually reads it. The audit committee sees it instead of a 30-page deck.

  • Top risks ranked with blast radius (data exfiltration, lateral movement, credential compromise).
  • "Do this first" callout with estimated time and risk reduction (e.g. ~15 min → ~45% risk reduction).
  • Cost overview + compliance notes woven in — one document, three perspectives.
  • 1-hour smart cache with change-feed invalidation — fresh when it matters, free when it doesn't.
CloudTrust360 AI Executive Summary panel for Tara Corp generated by claude-haiku-4-5, listing top risks numbered 1-3 (publicly accessible RDS instance, publicly accessible S3 bucket admin.tara-tok.com, root account access keys) each with blast radius, plus a 'Do This First' priority action card with ~15 minutes estimated fix time and ~45% risk reduction, followed by Cost Overview and Compliance Notes sections
How It Works

From connection to verified outcome.

Four steps. Read-only at every stage. You always approve before anything happens.

1. Connect (5 minutes)

Grant read-only access via IAM role (AWS), service principal (Azure), or Workload Identity Federation (GCP). No keys to manage, no agents to install.

2. Analyze (Hours)

CloudTrust360 runs the first sync across security, cost, and compliance. AI analysis surfaces the issues that matter and the savings worth chasing.

3. Act (Your pace)

Implement recommendations on your terms. Each resolution writes to your activity log. Savings start provisional until verified in your real cost data.

4. Settle (Monthly)

Monthly Stripe invoice itemized by TAU category. 14 days to dispute. No long-term lock-in on Pilot or monthly Growth.

Trust Action Units

One TAU pool. Every module. Every outcome.

TAUs are verified outcomes — drawn from one shared pool across every module you use. A resolved finding, a validated saving, a maintained control, an executive summary: each becomes a transparent billable unit at the same TAU rate, whether it came from TrustCloud, TrustFinOps, TrustIQ, or any future module. Nothing is hidden. Nothing is bundled obscurely. No per-module surcharges.

| Outcome | TAU | Module |
| --- | --- | --- |
| Each $1 of verified, persisted savings | 1 | TrustFinOps |
| Critical-severity finding resolved | 75 | TrustCloud |
| High-severity finding resolved | 50 | TrustCloud |
| Medium-severity finding resolved | 15 | TrustCloud |
| Low-severity finding resolved | 5 | TrustCloud |
| Compliance control maintained (per framework, per month) | 2 | TrustIQ |
| Executive AI summary delivered | 25 | TrustIQ |
| AI-recommended remediation auto-executed | 100 | TrustOps |
| Identity privilege path remediated | 40 | TrustIdentity |

How TAU verification works

Not every detected opportunity bills. Outcomes are verified before they're billed, and you have a window to dispute every charge.

  • 30-day savings persistence. Cost savings start provisional. They convert to billable TAUs only after 30 days of real cost reduction with at least 90% of the predicted amount observed.
  • 14-day dispute window. Every TAU on your invoice can be challenged in-app. The dispute UI shows exactly which event generated the charge.
  • Full audit trail. Every TAU traces back to an entry in your activity log. You can rebuild any invoice line by yourself.
  • One unified TAU pool. Use any module — TrustCloud, TrustFinOps, TrustIQ, and future modules — from a single TAU pool at your tier rate. No per-feature licensing, no module-by-module billing surprises. Bring-your-own LLM keys mean AI inference cost stays between you and your provider.
Sample pricing

One unified TAU pool. Shaped to your scale.

Every plan starts with a six-month savings-share pilot — we earn only from verified cloud savings during this window. From month 7 onward, your one shared TAU pool covers any module you use at a single per-TAU rate tied to your tier. The savings share is permanent for the contract lifetime. Per-TAU rates and annual commitments are tailored to your engagement shape — talk to sales or work with your MSP/reseller for the rate that fits.

Trust Pilot
Test it on one cloud account. Pay only after results.
For small teams & pilots
6-month savings-share pilot · no minimum to start
  • Up to 3 cloud accounts
  • All shipping modules — one TAU pool
  • Bring your own LLM keys
  • Email support & Support Expert
  • Pay-as-you-go after pilot
Trust Enterprise
For organizations with serious cloud spend and compliance scope.
For large enterprises
Talk to sales for your TAU rate · multi-year discount available
  • Unlimited cloud accounts
  • All modules — one TAU pool, enterprise rate
  • Custom soft ceiling negotiated
  • SSO, audit log export, RBAC
  • Named CSM, quarterly reviews
Trust Fabric Suite
Every module, every TAU type, lowest per-TAU rate.
For global & regulated programs
Talk to sales for your TAU rate · annual or multi-year
  • Unlimited everything
  • All modules — one TAU pool, lowest rate
  • Future-module TAUs included as shipped
  • Custom integrations & SLAs
  • Design partner advisory access

Design partner pricing is available for early customers willing to provide product feedback — talk to sales. All tiers include read-only multi-cloud access, the activity log, the 14-day dispute window, and BYO LLM keys with zero AI training on your data.

Sample monthly invoice ranges

What a typical CloudTrust360 monthly invoice looks like at different scales — after the six-month savings-share pilot completes. Actual TAU rate is set in your contract.

  • Small Pilot: $0 — $1,500 · 1–2 cloud accounts · Trust Pilot tier
  • Growth Customer: $2,500 — $8,000 · Mid-market · 5–15 accounts · Trust Growth tier
  • Enterprise: Custom · 25+ accounts · multi-year · Trust Enterprise tier
  • Verified Savings Share: Permanent · Share % rate-locked for your contract lifetime

During the six-month savings-share pilot, the only invoice line is your verified-savings share. TAU charges for any module's outcomes begin in month 7 — drawn from one shared pool.

Security & Compliance

Built to be trusted with the most sensitive systems.

CloudTrust360 is read-only by design and helps you measure against the frameworks your auditors care about.

The architecture, in plain terms

Every credential we hold is encrypted at rest with AES-256-GCM. Every database read goes through Postgres Row-Level Security scoped per tenant. Service-role keys never leave our backend.

  • Read-only at every layer. No write access to your cloud, period. The platform recommends; you execute.
  • Workload Identity Federation for GCP. No static service account keys. Works in locked-down GCP orgs that prohibit key downloads.
  • Role-based access control. Owner, Admin, Security Analyst, DevOps Engineer, and Viewer roles. Enforced at UI, backend, and database.
  • Bring your own LLM keys. Use your Anthropic or OpenAI account for AI features. We never train on your data.
  • SOC 2: Framework mapping
  • HIPAA: Healthcare
  • PCI DSS: Payment Card
  • ISO 27001: Information Security
  • NIST CSF: Cybersecurity
  • CIS Benchmarks: AWS · Azure · GCP
Frequently Asked

Questions, answered.

The questions buyers usually ask in the first call.

What is the "Trust Fabric" — and why call it that?

A trust fabric is one platform that puts cloud security, FinOps, executive reporting, Microsoft 365 governance, and data security on the same graph — so a finding, a cost driver, a license-waste opportunity, and a compliance control all map to the same business risk. Most teams today buy five point tools (Wiz, Cloudability, Varonis, Drata, Microsoft tooling) that don't share context. CloudTrust360 is built for the buyer who's done with that. "Autonomous" is the direction: the roadmap (TrustOps, TrustIdentity, TrustAI) layers supervised remediation, identity context, and AI governance onto the same graph without a new contract.

How exactly does TAU pricing differ from per-seat or per-account SaaS?

Traditional SaaS charges for access — a flat fee per seat or per cloud account, billed whether the platform produced value that month or not. CloudTrust360 charges for outcomes the platform actually produces. Verified savings, resolved findings, controls maintained, license waste recovered, AI summaries delivered: each converts to TAUs at a published rate. Your tier sets the per-TAU price. Your usage sets the volume. Your activity log shows you exactly what drove the bill. One unified TAU pool covers every module — TrustCloud, TrustFinOps, TrustIQ, TrustM365, TrustData — at a single rate. No per-module surcharges.

What stops you from inflating TAU counts to drive up bills?

Three protections. One: every TAU traces to a specific event in your activity log — if it isn't there, it isn't billable. Two: savings TAUs require 30-day persistence at 90%+ of predicted amount, observed in your actual cost data. Three: you have a 14-day dispute window in-app where you can challenge any line. The dispute UI shows the source event for each TAU. We can't fabricate outcomes you didn't agree happened.

Which modules ship today and which are roadmap?

Five modules ship today:

  • TrustCloud — multi-cloud security posture across AWS, Azure, GCP plus EKS, AKS, and GKE; 25+ detectors with Blast Radius and Flow inference.
  • TrustFinOps — cost intelligence with 28 savings detectors, commitment management (RIs, Savings Plans, CUDs), per-department budgets, and tag-based cost allocation.
  • TrustIQ — executive AI summaries, Reports (Monthly Exec, Cost Variance, Findings Aging), and compliance scoring across six frameworks.
  • TrustM365 — Microsoft 365 posture, License Governance, SharePoint & OneDrive exposure, Copilot adoption.
  • TrustData — metadata-first data security posture across S3, Azure Blob, and GCS plus runtime Flow inference.

On the roadmap: TrustOps (supervised remediation with approvals and rollback), TrustIdentity (privilege graph and AI agent identity), TrustAI (AI system inventory, shadow-AI detection, NIST AI RMF / EU AI Act evidence). They ship into the same TAU pricing model — no contract renegotiation when they arrive.

How do you compare to Wiz, Cloudability, Drata, and Microsoft-native tooling?

Wiz, Cloudability, Drata, and Microsoft Purview / Entra are strong in their domains. Wiz leads on cloud security detection breadth. Cloudability leads on RI/SP automation. Drata leads on audit-packet workflow. Microsoft tooling is deep within the M365 estate. We're built for the gap between them.

CloudTrust360 connects cross-domain context in one product — a single trust graph where a cloud finding, a cost driver, an M365 license-waste opportunity, and a compliance control map to the same business risk. Mid-market pricing. Time-to-value measured in hours. Where customers need depth in any single domain, we integrate with the incumbent rather than compete.

Does CloudTrust360 cover Microsoft 365 — and what is License Governance?

Yes. TrustM365 is a shipping module that connects to your tenant via a read-only Microsoft Graph application registration. Five product views: Secure Score posture (MFA gaps, legacy auth, conditional access), License Governance, license utilization, SharePoint & OneDrive exposure, and Copilot adoption. Each tab has its own AI Executive Summary on demand.

License Governance is our role-segment posture engine. It maps 11 Microsoft 365 SKUs to a structured capability vocabulary (office apps, baseline DLP, audit premium, eDiscovery premium, insider risk, Purview suite, advanced threat, Copilot, etc.), derives a role segment for every user from job title and department across 7 segments (standard knowledge worker, security admin, legal, executive, compliance officer, contractor, frontline worker), then classifies each user as correctly / over / under-licensed by comparing assigned capabilities against role policy. Over-licensed users surface as E5→E3 downgrade savings (billable); under-licensed users surface as compliance / security risk (never bills). Honest by design: the comparison is policy-vs-assignment, not per-user premium-feature telemetry — Microsoft Graph does not expose Purview / eDiscovery / Insider-Risk usage per user, so we don't claim it.

Does CloudTrust360 cover Kubernetes?

Yes. CloudTrust360 discovers and analyses Amazon EKS, Azure AKS, and Google GKE clusters using provider-native RBAC view roles — no agent deployment, no kubectl tokens to manage. Workload-level findings (HPA gaps, VPA opportunities, cost-inefficient workloads, security misconfigurations) flow into the same TrustCloud findings stream as your VPC, IAM, and storage findings. You see your Kubernetes posture alongside the cloud account that runs it, in the same Blast Radius and Flow inference graph as the rest of your infrastructure.

What does the cloud connection actually look like?

All connections are read-only. AWS: you create an IAM role with read-only scopes; we use a stable external ID for assume-role. Azure: a service principal with Reader plus Cost Management Reader. GCP: Workload Identity Federation against our OIDC issuer — no static service account keys downloaded. Microsoft 365: a wizard-generated PowerShell script creates the Entra app registration, requests the right Microsoft Graph application permissions, and ships a one-click admin consent link. Kubernetes: provider-native RBAC view roles bound to the cloud connector identity — no separate cluster credentials. Each connection takes ~5 minutes via the in-app wizard.
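One way to check the AWS side of the connection described above before handing over a role ARN, as an added example that is not CloudTrust360's own code or policy. The account ID, external ID, sample policies, and the list of read-only action prefixes are constructed assumptions.

```python
# Constructed sample values: the principal ARN and external ID are placeholders.
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
VENDOR_PRINCIPAL = "arn:aws:iam::111122223333:root"
READ_PREFIXES = ("Get", "List", "Describe")  # assumption: what counts as read-only

def trust(condition):
    """Build a sample role trust policy, with or without a Condition block."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": VENDOR_PRINCIPAL},
            "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

GOOD_TRUST = trust({"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = trust(None)
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "ce:GetCostAndUsage"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:PassRole", "s3:*"]}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_issues(policy, expected_external_id):
    """Flag AssumeRole grants that are not pinned to exactly one external ID."""
    issues = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            issues.append(f"statement {i}: wildcard principal")
        pinned = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if as_list(pinned) != [expected_external_id]:
            issues.append(f"statement {i}: sts:ExternalId not pinned to expected value")
    return issues

def write_actions(permission_policy):
    """Return allowed actions whose name is not a Get/List/Describe call."""
    flagged = []
    for st in as_list(permission_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged
```

The prefix check is a coarse filter: it does not evaluate `NotAction`, and some `Get*` calls return sensitive data, so review anything it passes against the scopes you intended to grant.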

What about data residency and procurement requirements?

Data lives in Supabase (Postgres) regions we deploy to; you can request a specific region. AES-256-GCM credential encryption, Row-Level Security per tenant, and a fully audit-ready activity log are in place today. AI features use your own LLM provider keys (Anthropic or OpenAI) under their zero-retention terms — your prompts and responses don't pass through our infrastructure as cleartext. SOC 2 Type II audit and external penetration testing are on our near-term roadmap — happy to share the current security questionnaire on request via support@aivons.com.

Is there a free trial or pilot?

Yes. Trust Pilot gives you a six-month savings-share pilot — we earn only from your verified cloud savings during this window, and everything else (security findings, compliance scoring, executive summaries, License Governance, data posture) is fully free. From month 7 onward, your one shared TAU pool covers any module you use at the Trust Pilot tier's per-TAU rate (pay-as-you-go, no annual minimum). The savings share is permanent for the contract lifetime — it never converts to a different model. Typically the savings-share pilot window is enough to fully evaluate the platform on one or two cloud accounts before any TAU charges begin.

Who owns the data and the analyses CloudTrust360 produces?

You do. We process your cloud metadata to produce findings, recommendations, and summaries. Those outputs belong to your organization. We don't train models on your data, and the AI features use your own LLM provider keys (Anthropic or OpenAI) — so inference cost and data residency stay between you and your provider. The platform is read-only by design: AI ranks, drafts, and explains; humans approve before anything moves. The activity log is your audit trail.

See what your invoice would actually look like.

30-minute pilot conversation. We walk through your environment, connect a single cloud account, and show you the exact TAUs your usage would generate before you commit to anything.

First 6 months on savings share · Read-only access · 14-day dispute window · No credit card to start