Two products. One discipline.
We build software that reads the cloud's authorization surface at the source. Our current portfolio: one product in private beta with first pilot operators, one in early design partnership.
→ whocan — prag-01, private beta
→ preview program — prag-02, 2026
→ roadmap — next 18 months
→ pricing & deployment
Ingested from cloud provider updates.
We track each cloud's authoritative source — service models, action catalogs, IAM releases — and re-evaluate the same day they ship. Not benchmarks. Not community wikis. New actions surface before attackers can use them, not weeks after.
All six decision layers, weighted together.
SCPs, RCPs, identity, permission boundaries, resource policies, and 50+ condition keys — evaluated the way AWS itself computes access.
A query language written for this problem.
Not YAML, not dashboards. A small, focused language that reads like who-can(action, resource) and returns reality.
Counterfactual analysis, not just current state.
"What would happen if this role was compromised?" Simulated principals walk the chain and surface blast radius before the attacker exists.
Changes, not scans. Diffs, not snapshots.
Continuous re-evaluation: when a policy edits, a role is added, or AWS ships a new action — the answer updates. No "quarterly review."
SaaS, customer-managed, or on-prem.
Hosting follows the workload — EU or US residency, self-hosted in your own VPC, or fully on-prem and air-gapped. SecNumCloud-ready packaging for institutions that can't put IAM data in any cloud.
A second authorization product.
In closed preview.
Same discipline, orthogonal surface. We're working with a small group of design partners through 2026. Public disclosure planned for Q4. If you operate a regulated cloud environment and want to shape what we build next — join the preview list.
Join the design-partner list.
Tell us, in one paragraph, the regulated cloud environment you operate and the authorization problem you'd want to shape with us. We read every email.
sales[at]pragmable[dot]comWhere we're heading.
Whocan beta — depth on AWS
- Full six-layer chain coverage
- Condition-key surface expansion
- RQL stabilization
- SSO with OIDC connectors
Multi-cloud & PRAG-02
- GCP IAM full-chain evaluation
- Azure RBAC + ABAC ingest
- RQL cross-cloud queries
- PRAG-02 closed preview opens
Sovereign & on-prem
- Air-gapped deployment
- SecNumCloud-ready packaging
- HDS-compatible hosting
- PRAG-02 public disclosure
Research → product
- Agent behavioral profiles
- Kubernetes authorization graph
- Supply-chain IAM analysis
- Formal verification for policy
Deployment & commercial.
Pragmable sells to regulated operators through direct contract. No self-serve enterprise. Pilots start with a 30-day scoped engagement; pricing is flat by account-count, not per-seat.
Community
Single account, capped history, no SLA. For learning RQL and small environments.
Professional
Multi-account, longer history, email support. For security teams running real environments.
Enterprise
Unlimited accounts, self-hosted or on-prem, DPA, audit paperwork.