EquanimGRC is set up to start without a sales call. You build a plan, create a workspace, turn on the frameworks you need, and bring your team and evidence in. This page is the orientation — each step links to the reference for that part of the product.
1. Build a plan and sign up
Pricing is assembled in the open with the plan builder on the marketing site: you start from a base and add the capabilities you need. There are no tier walls and no quote-gating — the price you build is the price you pay. Signing up creates your account in the control plane; you confirm your email, and the control plane provisions your workspace.
2. Create your workspace
Each customer gets an isolated tenant. The control plane issues a signed token that hands you into the data-plane application, where every record — policies, controls, evidence, vendors — is scoped to your tenant and never visible across tenant boundaries. You can run on a shared database with row-level isolation or, where required, a dedicated database; the application behaves identically either way.
3. Activate your frameworks
A short onboarding wizard asks a few questions about your organization and recommends the frameworks that fit. You activate the ones you need — SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, or NIST CSF — and EquanimGRC loads their control libraries and seeds the work those controls imply. A control that maps across several frameworks is satisfied once, not once per framework. See Frameworks & controls.
4. Invite your team
Invite the people who own compliance, security, and the systems evidence comes from. Each member gets a role — admin, manager, editor,viewer, or auditor — that determines what they can see and change. The auditor role is read-only and scoped for external assessors, so you can give an auditor direct access without exporting your workspace.
5. Bring in evidence
Evidence is what proves a control is real. You can upload documents and screenshots by hand, push files through the document ingestion pipeline, or let machine agents submit evidence directly. Each item maps to the controls it supports, so coverage builds up as evidence arrives. See Evidence, andEvidence-as-code for the agent path.
6. Connect an agent (optional)
EquanimGRC exposes a first-class agentic interface over the Model Context Protocol. Point Claude or any MCP client at your workspace and it can read your posture and collect evidence on the access rules you define. See Connect via MCP andTools & scopes.
7. Draft your first policies
With frameworks active and evidence mapped, Posturizer drafts policy candidates grounded in your own controls and source material — with citations, and with any claim it cannot support flagged for review. A person reviews, edits, and approves; nothing is published on your behalf. See Policies.
Where to go next
- Frameworks & controls — the control library and cross-framework coverage.
- Policies — authoring, versions, branching, and approval.
- Evidence — collecting and mapping evidence to controls.
- Vendor risk — assessing vendors and answering security questionnaires.
- Audit & reporting — the audit trail and assessment packages.