Fig maps those solutions to 65+ compliance frameworks across Discover, Protect, Respond, Prove, and Insure. From asset discovery to insurance-ready reporting, the platform helps teams work from the same current picture.
The lifecycle
Five connected phases. Evidence captured in one feeds the next, so teams work from a single current picture rather than five disconnected tools.
Phase 01
Identify your assets, data, and configurations.
Phase 02
Manage vulnerabilities and threats.
Phase 03
Handle incidents with structure and confidence.
Phase 04
Demonstrate compliance and control effectiveness.
Phase 05
Turn data into better insurance outcomes.
Catalogue
Every Fig solution, grouped by lifecycle phase. Each one is part of the same governance-first platform - evidence and workflows connect across phases.
Phase
Build a governed asset register with automated discovery, ownership tracking, and audit-ready evidence.
Locate, classify, and monitor sensitive data across endpoints, cloud, and storage.
Track configuration baselines, detect drift, and maintain audit-ready documentation.
Phase
Consolidate scanner output, prioritise by exploit likelihood, and track remediation.
Contextual threat feeds mapped to your asset inventory and risk register.
Continuous third-party monitoring with control assessments and risk scoring.
Model aggregate risk exposure and scenario impact across your portfolio.
7-state change workflow with AI-assisted risk scoring, approval gates, and policy compliance checks.
Business impact analysis, service dependency mapping, and DR exercise management.
Joiner-mover-leaver automation with HRIS sync, access provisioning, and secure offboarding.
Phase
Structured incident workflows with evidence capture and regulatory notification tracking.
Policy-governed remediation that closes the gap between detection and resolution automatically.
Public intake, safe harbour enforcement, and 9-state governance for responsible disclosure.
Phase
Map controls to 65+ frameworks. Collect evidence automatically. Stay audit-ready.
Automate policy lifecycle from drafting through approval, distribution, and attestation.
Plan, execute, and report on audits with structured evidence packs and findings tracking.
Assign, track, and evidence compliance training across your workforce.
ROPA, DPIA, DSAR, consent management, breach notification, and Privacy by Design.
ISO 9001 QMS with CAPA, process mapping, internal audits, and management review.
Built for both
Fig scales with MSPs, corporates, and teams of every size - same operating model, audience-tuned packaging.
For MSPs
Add resilience reviews, evidence collection, vulnerability management, and client reporting to your managed services. Deliver more value to SMB clients without replacing the tools your engineers already use.
For corporates
Get a clearer view of security posture, supplier risk, resilience work, and assurance evidence. Reduce tool sprawl, improve visibility, and show auditors, customers, and boards what has actually been done.
Common questions
Fig replaces fragmented combinations of evidence folders, spreadsheet trackers, point compliance tools, vulnerability scanners, policy libraries, risk registers, and board reporting packs. It connects those workflows in one operating model rather than forcing teams to stitch outputs together manually.
Asset discovery feeds risk scoring, security telemetry feeds resilience work, policy controls drive remediation workflows, and the same operational data supports insurance and board reporting. That means evidence collected once can support multiple use cases.
No. Fig connects to the systems you already use across cloud, security, IT operations, identity, and service management so you can keep your current stack while adding clearer workflows and consolidated evidence.
MSPs use Fig to deliver security, resilience, and assurance services across client portfolios, while corporate teams use it for direct governance, third-party oversight, and audit readiness. The platform supports both independent and shared-control operating models.
Most customers are operational within 48 hours. Once integrations are connected, Fig begins collecting evidence, evaluating controls, and surfacing governance tasks immediately, so the platform becomes useful long before a traditional GRC rollout would finish.
Next step
MSPs and corporate risk teams are consolidating their tools with Fig.
We only load non-essential analytics and advertising tags after explicit consent. You can review our cookie register in the cookie policy section and update your choice at any time via “Cookie settings” in the footer.