Overview
Sightline is a fully hosted, professionally managed compliance platform — we run the
infrastructure, you prove your posture. It connects the tools you already run, maps the evidence to the frameworks
you carry (NIST CSF, HIPAA, SOC 2, FERPA, PCI DSS, ISO/IEC 27001, CMMC, and international frameworks like Cyber
Essentials, Essential Eight, NIS2, and more), translates the result into plain English, and keeps your posture
current.
To get started, jump to Getting started below, or
contact us for a guided onboarding — see
pricing. Use the menu on the left to jump to a topic.
Getting started
Sightline is fully managed — there's nothing to install or host. The steps below take you from
first contact to a live dashboard.
- Get access. Contact us for hosted access; we provision your
organization and send a sign-in link at your subdomain (e.g.
your-org.sightline.app) or your
custom domain.
- Sign in. Use a passkey or your existing identity provider (Google, Microsoft, Okta). Admin accounts
must have MFA enabled.
- Connect your first source. Start with identity (Microsoft 365 / Entra, Google Workspace, or Okta) —
it covers the broadest set of controls.
- Wait for the first sync. Within a few minutes you'll have a posture verdict, coverage, and your top
actions on the Overview.
- Invite your team. Add users and assign roles (see Users & roles).
Time to first value: usually under 10 minutes from sign-in to a meaningful dashboard.
Using the dashboard
The dashboard opens on the Overview and drills down from there:
- Overview — your posture band (On Track / Needs Attention / At Risk), coverage, gaps, vulnerabilities,
and the top three actions. Click Expand full summary for the complete prioritized gap list.
- Findings — every observation, filterable by severity. Each has a detail page: what we checked, why it
matters to you, what to do, the evidence, and the frameworks it maps to.
- Vulnerabilities — the high/critical security weaknesses to fix first.
- Frameworks — per-framework control detail and crosswalk-derived coverage across every supported
framework. Click a framework for control-level breakdown and its GRC review status.
- Integrations — connect and manage your sources; each shows last-sync time.
- GRC Review — track licensed-professional sign-off; the "indicative" caveat clears per framework as it's reviewed.
Reading your posture: the score is computed only over controls actually evaluated, and
coverage is always shown — a thin scan never masquerades as "half compliant."
Framework coverage
One assessment maps to every framework you carry. Coverage for overlay frameworks is
crosswalk-derived from the NIST CSF spine using published mappings, and is marked indicative until a
compliance professional signs off (see GRC review).
Supported: NIST CSF 2.0 (spine), HIPAA, SOC 2, FERPA, PCI DSS 4.0, ISO/IEC 27001:2022,
CMMC 2.0, plus international: Cyber Essentials (UK), Essential Eight (Australia), NIS2 (EU), NZISM (NZ), ITSG-33
(Canada), DPDP (India), and PDPA (Malaysia). New frameworks are added regularly.
Setting up integrations
Every connector uses read-only access and syncs on a schedule. Recommended order:
identity → cloud → devices → vertical (e.g. EMR/EHR for healthcare).
By category:
- Identity & SSO: Microsoft 365 / Entra ID, Google Workspace, Okta, JumpCloud, Duo, 1Password.
- Cloud: AWS, Azure, Google Cloud, Cloudflare, Snowflake, Vercel.
- Devices (MDM): JAMF Pro, Microsoft Intune.
- EMR/EHR (healthcare): OpenEMR, athenahealth, DrChrono, Epic (FHIR), Oracle Health (Cerner),
eClinicalWorks, NextGen.
- Education: Canvas LMS, PowerSchool, Clever.
- Source & supply chain: GitHub, GitLab, Chainguard.
- Work & docs: ServiceNow, Jira, Asana, Trello, Confluence, Notion, Salesforce, Box, Dropbox, pCloud, Zoom.
- HR / AI / monitoring: Workday, OpenRouter, Datadog, Slack.
To connect a tool: open Integrations, pick the tool, and follow the in-app steps — it
lists the exact read-only scopes and where to generate the credential. Paste it, click Test connection, then
Enable. Credentials are encrypted and never stored in plaintext.
Maintaining your environment
- Keep connectors healthy. The Integrations tab shows last-sync time and flags any connector that needs
re-authorization (e.g. a rotated token).
- Work the gaps. The Overview's top actions are prioritized; close them and watch coverage rise.
- Run the GRC review. Have your compliance professional sign off per framework; the "indicative" caveat
clears as they do.
- Review users quarterly. Remove stale accounts and re-check role assignments.
Monitoring & alerting
Sightline re-syncs on a schedule so your posture stays current without manual work. When a
control drifts out of compliance or a new critical gap appears, route an alert to Slack (or your channel of choice)
via the Slack integration. Monitoring tools like Datadog feed detection coverage back into the dashboard, so
"are we watching?" is itself a tracked control. (Continuous monitoring and scheduled executive digests are part of
the roadmap.)
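The drift-and-new-gap logic above, as an added illustration (not Sightline's code): it compares two constructed sync snapshots keyed by NIST CSF subcategory, emits an alert only for a control that went from passing to failing or for a critical gap seen for the first time, and stays silent on a gap that was already known, so a re-sync does not re-page the channel. The snapshot shape and the Slack text payload are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed snapshots: control id -> (status, severity), as two consecutive syncs might report.
PREVIOUS_SYNC: Dict[str, Tuple[str, str]] = {
    "PR.AA-01": ("pass", "high"),
    "PR.AA-03": ("pass", "critical"),
    "DE.CM-01": ("fail", "medium"),
}
CURRENT_SYNC: Dict[str, Tuple[str, str]] = {
    "PR.AA-01": ("pass", "high"),
    "PR.AA-03": ("fail", "critical"),  # drift: was passing, now failing
    "DE.CM-01": ("fail", "medium"),    # already failing last sync: known gap, no new alert
    "PR.PS-01": ("fail", "critical"),  # not evaluated before and critical: new critical gap
}

def diff_syncs(previous: Dict[str, Tuple[str, str]],
               current: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return alert events for controls that drifted out of compliance or are new critical gaps."""
    alerts = []
    for control, (status, severity) in sorted(current.items()):
        if status != "fail":
            continue  # passing controls never alert
        prev_status = previous.get(control, (None, None))[0]
        if prev_status == "pass":
            alerts.append({"type": "drift", "control": control, "severity": severity})
        elif prev_status is None and severity == "critical":
            alerts.append({"type": "new_critical_gap", "control": control, "severity": severity})
        # prev_status == "fail": still open, already alerted on an earlier sync; stay quiet
    return alerts

def format_slack_message(alerts: List[dict]) -> Optional[dict]:
    """Render alert events as a simple Slack-style text payload; None when there is nothing to send."""
    if not alerts:
        return None
    lines = [f"Posture change: {len(alerts)} alert(s)"]
    for a in alerts:
        lines.append(f"- [{a['severity'].upper()}] {a['control']}: {a['type'].replace('_', ' ')}")
    return {"text": "\n".join(lines)}

if __name__ == "__main__":
    print(format_slack_message(diff_syncs(PREVIOUS_SYNC, CURRENT_SYNC)))
```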
Users, roles & permissions
User management is granular: capability-based permissions grouped into roles, assigned
via groups, optionally scoped to specific frameworks or integrations.
Default roles: Owner (everything, including billing and domain settings), Admin, Compliance Manager,
GRC Reviewer, IT Operator, Auditor (read-only), Viewer. Roles are customizable, and every privileged action is
recorded in an immutable audit log.
Scoping example: "IT Operator, but only the AWS integration" or "Compliance Manager for
HIPAA and FERPA only." Enforced on every request (deny by default).
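The scoping model above, as an added example rather than Sightline's own code: capabilities grouped into roles, roles assigned through groups, each assignment optionally scoped to frameworks or integrations, and every check failing closed. Role names, capability strings, groups and users are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical role -> capability sets (constructed; not Sightline's real role definitions).
ROLE_CAPABILITIES = {
    "Auditor": {"findings:read", "frameworks:read", "evidence:read"},
    "IT Operator": {"findings:read", "integrations:read", "integrations:write"},
    "Compliance Manager": {"findings:read", "frameworks:read", "frameworks:write", "grc:read"},
}

@dataclass(frozen=True)
class Assignment:
    role: str
    frameworks: FrozenSet[str] = frozenset()    # empty = unscoped (any framework)
    integrations: FrozenSet[str] = frozenset()  # empty = unscoped (any integration)

@dataclass(frozen=True)
class Request:
    user: str
    capability: str
    framework: Optional[str] = None
    integration: Optional[str] = None

GROUP_ASSIGNMENTS = {  # constructed: "IT Operator, but only the AWS integration", etc.
    "cloud-ops": [Assignment("IT Operator", integrations=frozenset({"aws"}))],
    "health-compliance": [Assignment("Compliance Manager", frameworks=frozenset({"HIPAA", "FERPA"}))],
    "external-audit": [Assignment("Auditor")],
}
USER_GROUPS = {"alice": {"cloud-ops"}, "bob": {"health-compliance"}, "eve": {"external-audit"}}

def scope_allows(a: Assignment, req: Request) -> bool:
    # A scoped assignment matches only a request that names a resource inside that scope;
    # a request that names no resource cannot ride on a scoped grant.
    if a.frameworks and req.framework not in a.frameworks:
        return False
    if a.integrations and req.integration not in a.integrations:
        return False
    return True

def is_allowed(req: Request) -> bool:
    """Allow only if some assignment grants the capability within scope; otherwise deny."""
    for group in USER_GROUPS.get(req.user, ()):
        for a in GROUP_ASSIGNMENTS.get(group, ()):
            if req.capability in ROLE_CAPABILITIES.get(a.role, set()) and scope_allows(a, req):
                return True
    return False  # deny by default: unknown user, role, capability, or out-of-scope resource
```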
Custom domains
On paid tiers you can serve the dashboard at your own domain (e.g.
compliance.your-org.com) with automatically issued and renewed TLS. Add a CNAME to our SaaS origin,
register the hostname in the admin portal under Domain settings, and you're live.
Security & data handling
We sell to security buyers, so we hold ourselves to the standards we measure:
- All integration credentials are encrypted and never stored in plaintext; least-privilege read-only scopes only.
- Per-tenant isolation; full audit logging; MFA required for admins.
- Regional data residency is available for international customers (EU/AU/etc.).
- We run Sightline on Sightline and intend to publish our own posture.
Troubleshooting
- A connector shows an error. The token likely expired or lost a scope — re-generate it per the in-app
steps and reconnect.
- Coverage looks low. Connect more sources. Many controls (e.g. governance/policy) need an evidence
source like Confluence or Notion, or a manual attestation.
- A framework says "indicative." That's by design until a compliance professional signs it off in GRC
Review.
- Still stuck? Contact us — we respond fast.
Reports & deliverables
Sightline turns your live posture into the artifacts auditors, boards, and customers ask for —
generated and kept current for you in the hosted dashboard:
- Posture dashboard — your verdict, coverage, findings, and top actions, refreshed on every sync.
- Audit-ready evidence binder — the mapped evidence for each framework, ready to hand to an auditor.
- Risk in dollars — open gaps quantified so you can prioritize and justify spend.
- Board-ready executive summary — a plain-English digest for leadership.
- Framework-aligned policy drafts — starting policies generated from your actual posture.
- Trust Center — a public, shareable posture page on your own domain.
- GRC sign-off records — track licensed-professional review per framework.
By industry
How Sightline fits your sector — the gaps that matter, the frameworks you carry, and the
fastest path to a green dashboard:
Support
Stuck, or want to talk through your setup? Here's how to reach us:
- Support requests. Open a request through our contact form and a
human comes back fast. All customers get email support (and, on higher tiers, chat).
- Bugs & feature requests. Send them through the
contact form and we'll log it with our team.
- Consultants & MSPs. Ask about multi-organization management and partner pricing when you reach out.