What Vigilia is
Vigilia analyses your own security control stack to find structural coverage gaps — the gaps that exist between controls, not within any single control, and that single-point audit tools cannot detect. The engine examines how your rules compose as a system, and surfaces combinations where the rule set does not collectively prevent an outcome you would want it to prevent.
Concretely: Vigilia analyses your security control stack (for example, your NIST 800-53, ISO 27001, or CIS Controls implementation) and identifies coverage gaps that emerge from how controls interact. It is a defender-side structural audit tool for internal security teams. Every finding is paired with a remediation — the purpose is to close the gap, not to take advantage of it.
What Vigilia is not
To prevent misunderstanding:
- Vigilia is not a penetration testing tool. It does not probe running systems, execute against live infrastructure, or conduct adversarial testing of third-party services.
- It is not an attack-planning tool. Findings are coverage-gap reports framed for remediation, not action sequences framed for execution against a target.
- It is not a due-diligence tool for external parties. It is not designed for, and must not be used for, analysing the security posture of entities the user does not own, operate, or have express written authorisation to assess.
- It is not a substitute for legal, regulatory, or compliance advice. Findings are structural observations about the rule set as submitted. Decisions about remediation, disclosure, and regulatory engagement remain the responsibility of the customer and the customer's qualified advisors.
Who is authorised to use Vigilia
Vigilia is licensed for use by the internal security, compliance, or GRC team of the Customer organisation (as defined in the Terms of Service), and by authorised individuals (employees, contractors, secondees, agency workers) acting on the Customer's behalf.
Vigilia is not authorised for use by:
- External parties analysing third-party systems without express written authorisation from the system owner (for example: penetration-testing firms acting on a client engagement, external auditors analysing an audit target, due-diligence providers analysing targets, consultancies analysing entities outside a written mandate);
- Parties conducting competitive intelligence against entities they do not own or operate;
- Parties conducting analysis of rule sets, controls, or frameworks the Customer does not own or have express authorisation to assess.
Customers acting as consultancies or advisors may use Vigilia on behalf of their own clients only where they have express written authorisation from the client to perform structural analysis of the client's own rule set, and that authorisation is available on request.
Prohibited uses
Use of Vigilia for any of the following is prohibited and constitutes a material breach of the Terms of Service:
- Unauthorised third-party analysis. Submitting, for structural analysis, rule sets, controls, or frameworks that the Customer does not own, operate, or have express written authorisation to assess.
- Facilitation of regulatory offences. Using Findings to plan, prepare, or facilitate any act that would constitute an offence under applicable law — including, without limitation: breach of sanctions administered by OFSI or equivalent authorities, export control offences, money laundering, terrorist financing, tax offences, market abuse, or any breach of a regulatory regime applicable to the Customer.
- Competitive intelligence. Using Vigilia to derive structural understanding of a competitor's, supplier's, or counterparty's security posture for commercial advantage, except where the Customer owns or operates the relevant rule set or has express authorisation to assess it.
- Preparation of third-party system circumvention. Using Vigilia, or information derived from Vigilia, to identify coverage gaps in third-party systems with the intent of exploiting, circumventing, or otherwise taking advantage of those gaps.
- Circumventing Vigilia's authorisation controls. Sharing credentials, bypassing the authorisation attestation at rule-set ingestion, creating accounts under false organisational identity, or otherwise defeating the product's identity and scope controls.
- Resale or sublicensing. Making Vigilia, its Findings, or information derived from Vigilia available to any third party outside the terms of the Customer's licence.
Alignment with established norms
This policy is drafted to align with widely recognised norms for responsible use of security-research tooling. Readers are referred to the following for the underlying principles:
These references are not incorporated into this policy by reference — this policy stands on its own terms — but they inform the frame within which Vigilia is intended to be used. Where this policy is silent on a specific situation, customers should err on the side of consistency with the principles above, and should contact Ianura at legal@ianura.com where uncertainty persists.
Misuse reporting
If you believe that a Vigilia user is using the product in breach of this policy or the Terms of Service, or if you are a third party affected by such use, please report the concern to:
security@ianura.com
Please include, so far as you are able:
- a description of the conduct you believe to be in breach;
- any evidence available (screenshots, timestamps, account identifiers);
- the context in which you became aware of the conduct (for example, as a party affected by it, as an observer of public information, or through another route);
- your identity and contact details (where you are content to provide them), or an indication that you wish to report anonymously.
Response timeline
Ianura commits to the following response timeline for misuse reports:
- Within five (5) business days of receipt: acknowledge the report, confirm the channel of further correspondence, and indicate whether further information is required to proceed.
- Investigation: Ianura will investigate the report in good faith, proportionate to the seriousness of the allegation. The investigation may involve account review, usage-log inspection, and direct correspondence with the reported party.
- Within thirty (30) business days of receipt: respond to the reporter with the outcome of the investigation, including (to the extent consistent with law and with the privacy of the reported party) what action has been taken.
Where the report concerns conduct that may constitute a criminal offence or a serious regulatory breach, Ianura may extend the investigation timeline where necessary, and may notify the relevant competent authority, in each case consistent with the reporting-rights provisions of the Terms of Service.
Consequences of confirmed misuse
Where Ianura confirms that a customer has used Vigilia in breach of this policy or the Terms of Service, Ianura may, depending on the seriousness of the breach:
- issue a written warning requiring remediation within a specified period;
- suspend the customer's access pending remediation;
- revoke the customer's licence and terminate the subscription (in accordance with the Terms of Service); and
- where the breach involves unlawful activity, notify the relevant competent authority in accordance with the Terms of Service.
Repeat or serious breaches result in immediate licence revocation without refund.
Updates to this policy
This policy may be updated from time to time. The version published on this site at any given time is the operative version. Material updates will be notified to customers by email, in accordance with the variation procedure in the Terms of Service.
A version history of material changes to this policy is maintained at /acceptable-use/history. Previous versions are archived and accessible.
Contact