FAQS

Frequently Asked Questions

Everything customers ask us about the TigerGate platform — from deployment and data handling to compliance, integrations, and pricing. Can't find your answer? Contact us.

Platform & Products

TigerGate is a code-to-cloud security platform (CNAPP) that combines application security testing — SAST, SCA, secrets, IaC, DAST, API and AI security — with cloud posture management and eBPF-powered runtime protection, all in a single dashboard.
Most customers consolidate 4-8 point tools: a SAST scanner, an SCA/dependency scanner, a secrets scanner, a CSPM tool, a container image scanner, a DAST tool, and a runtime security agent. Because all findings share one data model, you also get correlation and prioritization that separate tools cannot provide.
Runtime context from eBPF. Most platforms scan configurations and code; TigerGate also watches what actually executes in production — process activity, file access, and network connections at the kernel level. This lets us confirm which vulnerabilities are actually reachable and enforce policy in real time, not just report findings.
No. Every capability works standalone — you can start with just CSPM or just code scanning and enable more modules when ready. Pricing is modular, and there is no penalty for starting small.
Yes. TigerGate scans AI agent workflows (OpenAI Agents, LangChain, CrewAI, LangGraph, n8n, Autogen) for prompt injection, PII leakage, and OWASP LLM Top 10 risks, discovers shadow AI usage, and can enforce policy on LLM API traffic at runtime through the eBPF agent.
Yes — TigerGate MDR adds a 24/7 SOC team that monitors your environment, hunts threats, triages alerts, and responds to incidents on your behalf, with sub-15-minute response times for critical threats.

Deployment & the eBPF Agent

Only the lightweight eBPF agent — and only if you use runtime monitoring. All scanners (code, cloud, container, DAST, API, AI) run in TigerGate's cloud and connect outward to your repositories and cloud accounts with credentials you provide. No scanner code executes in your infrastructure.
Linux kernel 4.15+ for monitoring and 5.7+ for active enforcement (LSM BPF). The agent runs on Kubernetes, Docker, AWS ECS, and bare metal/VMs, requires no kernel modules, and typically consumes under 3% CPU.
Cloud scanning starts within minutes of connecting a cloud account (read-only role). Code scanning starts as soon as you authorize your GitHub, GitLab, or Bitbucket organization. The eBPF agent deploys via Helm chart, kubectl manifest, ECS task definition, or systemd service — most teams are fully onboarded in under a day.
Both. Each policy runs in audit mode (log only) or enforce mode (block). In enforce mode the agent uses LSM BPF to stop violations in real time — unauthorized binary execution, critical file tampering, or unexpected network egress — before they complete.
eBPF programs run in a kernel sandbox with strict limits, so overhead stays under 3% CPU in typical workloads. There are no sidecars, no traffic proxying, and no code instrumentation — your application is never modified.
The standard offering is SaaS. For regulated environments with strict data residency or air-gap requirements, contact us about enterprise deployment options.

Scanning & Coverage

AWS (576+ checks), Azure (162+ checks), GCP (79+ checks), Oracle Cloud (51+ checks), and Kubernetes (83+ checks) — all mapped to CIS Benchmarks and 38+ compliance frameworks. Multi-account scanning via AWS Organizations, Azure Management Groups, and GCP Organizations is supported, including cross-account role assumption.
SAST covers all major languages including JavaScript/TypeScript, Python, Go, Java, C#, Ruby, PHP, and more. SCA covers every major package ecosystem (npm, PyPI, Go modules, Maven, NuGet, RubyGems, Composer). IaC scanning covers Terraform, CloudFormation, Kubernetes manifests, Helm, and Dockerfiles.
On every push and pull request for code, on your schedule for cloud and DAST scans (with continuous monitoring every 15 minutes available), and in real time for runtime events. Asset discovery runs every 6 hours.
Three ways: runtime reachability analysis suppresses vulnerabilities in code that never executes; AI-assisted triage learns from your dismissals; and suppressions sync everywhere — dismiss a finding once and it stays dismissed across IDE, CI/CD, and dashboard.
Yes. Custom SAST rules (Semgrep-compatible), custom cloud compliance rules, custom runtime policies, and custom admission control policies are all supported in YAML. You can also tune severity and scope per organization or per project.
Yes — images are scanned for CVEs, malware, embedded secrets, and misconfigurations, with SBOM generation in SPDX and CycloneDX formats. A Kubernetes admission controller can block non-compliant images before they deploy.

Data Security & Privacy

No. Repositories are cloned into ephemeral, isolated scan workspaces, analyzed, and deleted immediately after the scan completes. Only findings metadata (file path, line number, snippet of the affected line) is retained.
Credentials are encrypted at rest with AES-256 using per-organization keys and never logged. For AWS we strongly recommend cross-account IAM roles with external IDs instead of static keys, so no long-lived secret ever leaves your account.
Security event metadata only: process names and arguments, file paths, network destinations, and privilege changes — enriched with platform metadata (pod, namespace, cluster). It does not capture packet payloads, application data, or file contents.
Data is stored in encrypted PostgreSQL and ClickHouse clusters. Enterprise plans support region selection for data residency requirements. All data is encrypted in transit (TLS 1.2+) and at rest.
Yes — we maintain SOC 2 Type II, run continuous penetration testing, and operate a responsible disclosure program. Details and reports are available on our security page.

Compliance

38+ frameworks including SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR, NIST 800-53, NIST CSF, FedRAMP, CIS Benchmarks for every major cloud, AWS Well-Architected, FFIEC, GLBA, ENS, RBI, and APRA. Every finding maps to the controls it affects.
The eBPF agent collects evidence directly from the kernel — actual process executions, file integrity events, and access patterns — rather than screenshots or config snapshots. Each control gets continuous pass/fail status with raw event evidence attached, which auditors can verify.
Yes — evidence flows to Vanta and Drata automatically, so runtime controls that normally require manual evidence collection stay continuously satisfied.
TigerGate covers the technical controls: change management evidence, vulnerability management, access monitoring, file integrity, and incident detection. Combined with a compliance automation platform for policy and HR controls, most customers reach audit-readiness significantly faster.

Integrations & CI/CD

GitHub, GitLab, Bitbucket, Azure DevOps, and Team Foundation Server (TFS) — including PR/MR comments with inline findings, status checks that can block merges, and automatic scanning on push.
Yes — native integrations for GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, and a CLI that runs anywhere. Pipelines can fail builds on policy violations (e.g., critical CVEs or leaked secrets) with configurable thresholds.
Yes — extensions for VS Code and JetBrains IDEs (IntelliJ, WebStorm, PyCharm, GoLand, Rider) provide real-time SAST, SCA, and secrets scanning with inline highlights, quick fixes, and scan-on-save.
Slack, Microsoft Teams, email, PagerDuty, Jira (with two-way sync), ServiceNow, and generic webhooks. Events can also stream to your SIEM. Routing rules let you send the right findings to the right team automatically.
Yes — a full REST API covers everything the dashboard does: triggering scans, retrieving findings, managing policies, and exporting reports. All scanner services expose consistent, documented endpoints.

Pricing, Trials & Support

Pricing is modular and scales with usage — typically by repositories, cloud accounts, and monitored workloads. You only pay for the modules you enable. Contact us for a quote tailored to your environment.
Yes — a 14-day free trial with full platform access, no credit card required. Most teams see their first real findings within the first hour of connecting a repository or cloud account.
Yes. For enterprise evaluations we run structured PoCs with your own repositories and cloud accounts, success criteria agreed up front, and a dedicated engineer throughout.
All plans include documentation, email support, and community access. Paid plans add Slack Connect channels and guaranteed response SLAs. Enterprise and MDR plans include a dedicated technical account manager and 24/7 support.
Yes — we regularly migrate teams from Snyk, Wiz, Prisma Cloud, SonarQube, and others. Existing suppressions and policies can usually be imported, and our comparison pages detail feature-by-feature differences.
Monthly and annual billing are both available; annual plans are discounted. MDR engagements have no long-term lock-in requirement.

Still have questions?

Talk to our team about your environment, or start a free trial and see the platform for yourself.