Model your program
Define the objects and relationships that reflect how your organisation actually operates. Extend the schema with custom fields; add the labels and taxonomies you need. You own the model.
GRC engineering treats compliance as a system to design, test, and iterate on — not paperwork to maintain. Kordon gives you the primitives: addressable objects, a model you control, and integration surfaces that connect to the tools you already use.
You decide what to automate, what to keep manual, and how the pieces fit. Kordon is the substrate — the shape of the system is up to you.
Sync assets from cloud providers. Feed findings from scanners. Pull evidence from ticket systems. Kordon's API and n8n node make it straightforward to connect the tools already in your environment.
Recurring tasks with automatic evidence collection. Findings that open Jira tickets and close them when resolved. Vendor reviews that trigger off contract expiry. Build the pipelines; Kordon runs the state.
Ship changes to your control set, measure what works, refactor what doesn't. Your compliance program becomes a codebase your team maintains — not a binder you dust off before audits.
Every GRC program is different. Engineers who take compliance seriously don't want another tool dictating how they work — they want primitives they can compose into exactly the system their organisation needs.
Every object, every field, every connection, every state transition is available over REST. What you can do in the UI, you can do in code. Nothing is locked behind a premium tier or a vendor ticket.
Extend any object with typed custom fields that behave exactly like built-ins. Add labels, your own taxonomies, and metadata your program actually needs — no waiting on a vendor to ship it for you.
Use the official n8n node when you want a wired-up workflow you can see. Drop into the raw API when you want full control. Both paths expose the same complete object model.
Risks, controls, requirements, assets, vendors, business processes, findings — all connected, all traversable. Write queries that follow the mesh: 'show me every risk affecting this business process through this vendor.'
Pull asset data from your cloud accounts. Pipe scanner findings in as Kordon findings. Push overdue tasks to Jira or Slack. Kordon sits in the middle of your stack, not at the edge.
Every automated action leaves the same attributable, timestamped trail as manual work. Your automation is auditable because the platform underneath it is — not because you built a second system to track what your first system did.