JupiterOne is a graph-native security platform that gives organizations a single, continuously updated view of every asset in their environment - cloud, code, identity, SaaS, and now AI - and automates the evidence-gathering work that compliance teams used to do by hand. Instead of stitching together spreadsheets, scanners, and screenshots, security teams query one connected graph to see what exists, how it's exposed, and whether their controls are actually working.
Founded in 2018 by former LifeOmic CISO Erkang Zheng, JupiterOne set out to solve a problem every security leader recognizes: infrastructure changes faster than anyone can track it by hand, and "we don't fully know what we have" is a dangerous place to run a business from. That premise has only gotten more urgent as AI agents, SaaS sprawl, and multicloud footprints have made enterprise environments harder to see all at once, according to JupiterOne's own platform overview.
What JupiterOne Actually Does
At the core of the platform is a graph-based configuration management database (CMDB). Rather than storing assets as flat lists, JupiterOne maps every asset - servers, code repositories, cloud resources, identities, SaaS apps, and AI agents - as nodes connected by their real relationships. That structure lets security teams ask questions in plain English or JupiterOne's own query language (J1QL) and get answers that reflect the full picture, not just one tool's slice of it.
Three capabilities drive most of the automation, as detailed on JupiterOne's Cyber Asset Attack Surface Management page:
- Automated discovery. JupiterOne connects to 200+ existing tools across IT, DevOps, security, and HR to continuously pull in asset data, so nothing has to be manually inventoried or kept up to date by a person.
- Relationship mapping. Because assets are graphed rather than listed, teams can trace blast radius - for example, which S3 buckets are public, which identities can reach a critical database, or how a vulnerability chains into a business-critical system.
- Continuous compliance evidence. Controls are mapped once and evaluated against live technical data, automatically generating audit-ready evidence for frameworks like SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST, and DORA - instead of teams manually assembling proof once a year.
For growing product teams considering how their own offshore or distributed engineering setup holds up to the same compliance frameworks, InApps has covered why ISO 27001 and CMMI Level 3 certifications matter for offshore development centers.
Customers including Reddit, Databricks, HashiCorp, and Robinhood have used the platform to answer the kind of questions auditors and security teams ask daily, without spending hours pulling data from disconnected dashboards.
The 2026 Platform: Built for the AI Agent Era
JupiterOne has evolved significantly since its early CAASM (Cyber Asset Attack Surface Management) roots. In May 2026, the company rebranded around a broader mission, the AI Risk Management Platform, and launched two new products directly addressing a problem most security teams are only starting to grapple with: AI agents and copilots now touch nearly every system in the enterprise, often invisibly.
- AI Attack Surface Management (AI ASM) - Maps every AI tool, agent, and copilot in the environment, showing what they can read, write, or touch - including attack paths that weren't previously visible
- Unified Vulnerability Management (UVM) - Prioritizes vulnerabilities by actual attack-chain context and business impact, not raw CVSS scores, and routes fixes to the right owner
- Continuous Controls Monitoring (CCM), launched June 2026 - Tests whether security and compliance controls are actually enforced against live asset data - not just documented on paper - flagging control drift the moment it happens
JupiterOne's Chief Product Officer, Kevin Tonkin, has described the core problem the newer tools solve as security teams being overwhelmed by the volume of vulnerabilities and a lack of context to prioritize them effectively. The company has raised $119 million across four funding rounds, with backing from Bain Capital Ventures, Cisco Investments, and Splunk Ventures - signaling real enterprise demand for this shift toward relationship-aware, AI-inclusive asset management.
Why This Matters Beyond the Security Team
The pattern behind JupiterOne's growth is one that shows up across every fast-moving software organization, not just security departments: visibility problems compound as systems scale faster than anyone can manually track. That's true for cyber assets, and it's equally true for the codebases, cloud infrastructure, and AI agents that engineering teams ship every sprint.
As more companies move from experimenting with AI to deploying AI agents in production, where agents read data, call APIs, and take actions on their own, the attack surface and technical debt grow together. Teams that scale their AI and cloud footprint without also scaling visibility into what they've built tend to pay for it later, in security incidents, failed audits, or code nobody fully understands anymore. We've written before about how AI agents are transforming offshore development centers; the same sprawl JupiterOne's AI ASM is built to map is already showing up inside engineering teams, not just security teams.
This is where engineering partners matter as much as security tooling. At InApps Technology, this is the exact gap we help clients close on the build side:
- AI Agent Development: we build production AI agents with clear data boundaries and access scoping from day one, so the "what can this agent actually touch" question JupiterOne's AI ASM answers has a clean answer to begin with.
- Managed Services: for teams whose infrastructure has outgrown their internal bandwidth, our managed engineering support keeps systems documented, maintained, and audit-ready instead of accumulating silent technical debt.
- Offshore Development Center / Custom App Development: when we architect a product or extend a team through an ODC, we build with compliance-friendly, well-documented infrastructure in mind, so tools like JupiterOne have something clean to map in the first place.
- Tech Audit & Remediation: if visibility gaps and undocumented infrastructure are already a problem, this is the service that maps and cleans it up before a compliance tool like JupiterOne ever gets connected.
Good asset visibility tools can't fix a codebase or cloud environment that was never built to be legible. That part is an engineering problem - and it's the one InApps solves for growing product and platform teams.
Building the AI agents, cloud infrastructure, or product foundation that tools like JupiterOne need to secure? Talk to InApps Technology about AI Agent development, Managed Services, or ODC partnerships.