Most of marfi.io is deliberately jargon-free, because most people don't want to think about NIST control families or FIPS modules; they want to win the contract, pass the audit, and sleep at night. This page is the exception. It's for the people who do want the details: the CISO doing diligence, the security team reviewing a vendor, the defense contractor checking whether our enclave is real. Here's exactly what's under the hood: the frameworks we operate against, the architecture behind each product, and the proof points, stated plainly and without hand-waving. If you'd rather skip all this and just talk to a human, that's completely fine: book a call and we'll walk you through whatever matters to you.
A quick orientation before you dive in. We split our attestation language carefully, and we'd rather you hold us to the precise version than an inflated one. Three tiers of compliance language appear below, and they mean different things:
- Attested / certified: independently examined and held today (e.g. SOC 2 Type II).
- In progress: actively being pursued, not yet awarded (e.g. ISO 27001).
- Aligned / operated against: we configure, enforce, document, and evidence the controls of a framework, and keep that evidence current, but the formal certificate is issued by a third party, not by us (e.g. CMMC, which only a C3PAO can certify).
We will never blur those lines to sound more certified than we are. Where a number could read two ways, we keep it in its correct context.
Launchpad is our managed IT, security, and compliance platform: one US-based team running your entire environment, with AI-native monitoring 24/7 and all stack licensing included. Because it's AI-native, 80%+ of issues are resolved automatically before you ever notice them, and a US-based analyst owns whatever's left. It's SOC 2 and HIPAA aligned out of the box, because our delivery platform itself is SOC 2-certified, so onboarding clients inherit a baseline of controls and begin continuous evidence collection from day one rather than starting from zero. The whole point is replacing a stack of finger-pointing vendors with one accountable team, one bill, and a result somebody actually owns.
This is the layer where most breaches actually start: a stolen password, an unmanaged laptop, a user with more access than they need. We close those doors by default rather than as an upsell. Identity is built on phishing-resistant MFA (FIDO2 security keys, not just SMS codes that can be phished out of a user), single sign-on so there aren't dozens of passwords to leak, conditional access that only admits trusted devices and locations, and least privilege so a single compromised account can't reach everything. Endpoints run managed EDR, with data encrypted in transit and at rest and DLP guardrails so sensitive data doesn't walk out the door.
Protection is layered on purpose, defense in depth, so that when any one control is bypassed, the next one still stops the threat. Our model runs five layers deep, monitored around the clock by AI, with US-based analysts on escalations during business hours. The last layer matters most when everything else fails: immutable backups that an attacker can't erase or tamper with, plus a tested disaster-recovery path. That's the line that turns a ransomware event from a catastrophe into an afternoon.
Launchpad DIB is Launchpad, rebuilt to the standard defense contractors are actually held to. If you handle CUI (Controlled Unclassified Information), usually because a prime flowed CMMC down to you, commercial Microsoft 365 isn't authorized for it. Launchpad DIB stands up a real, sovereign CUI enclave on GCC High and AWS GovCloud, so your controlled data never mingles with commercial cloud. ITAR/EAR-controlled data stays on US soil, in US hands. The architecture is four concentric layers wrapped around your CUI core, and we operate, monitor, and evidence all of it. Importantly: MARFI is not your assessor. Your formal certification is performed by an independent, government-authorized C3PAO. We get you ready and stand beside you through it, in partnership with Secureframe, a CMMC RPO (Registered Provider Organization). Note that here 'RPO' means Registered Provider Organization, the CMMC readiness role, not Recovery Point Objective.
Raptor is our AI-native penetration-testing platform: a 24-agent pipeline that moves the way a real adversary would, across five phases. The difference from a scanner is the whole point: a scanner flags possible issues and leaves your team triaging false positives for days. Raptor proves each finding by safely, non-destructively validating it into a confirmed, reproducible exploit, then chains individual bugs into real vertical-escalation breach paths (the kind that turn two 'low-severity' bugs into a full account takeover). Every finding ships with proof, an instant replay, CVE mapping, and automatic framework mapping. It runs strictly within the rules of engagement you authorize, only against assets you own, and it's AI-native but expert-reviewed, with a human in the loop before any report reaches you. Built by two Doctors of Engineering in Cybersecurity Analytics from George Washington University.
Sometimes what you need isn't another tool, it's a seasoned operator in the room when the stakes outgrow the org chart: a fundraise, an enterprise security review, entering a regulated market. Advisory gives you that leadership part-time, all senior people who've actually held the title, 100% US-based. Engagements run on a retainer, project, fractional, or outcome-driven basis, and pair naturally with Launchpad and Launchpad DIB. A typical engagement: discovery call, scope, a 90-day prioritized roadmap with owners and milestones, then execute and report to your board or customers.
Network-as-a-utility: your entire network designed, installed, and run by MARFI for one monthly fee, powered by Meter, managed by us. Flip the switch and it just works, like the lights. The hardware (enterprise access points, switches, firewalls/gateways) is specified per space and fully included, with zero capex, no big upfront equipment purchase, just a predictable monthly fee and one consolidated bill across every site. We handle the full lifecycle: site survey and design for coverage, capacity, and redundancy; procurement; cabling, mounting, and configuration; then 24/7 monitoring, patching, upgrades, and hardware replacement when anything fails.
Most companies experience compliance as an annual fire drill: scramble for evidence, scrape through the audit, exhale, repeat. We invert that. We engineered our control library around NIST 800-53, NIST 800-171, and SOC 2 back in 2022 and have collected control evidence continuously ever since, so compliance becomes something our clients simply have rather than something they chase. That means audit-ready, every day: an assessment becomes a quick confirmation instead of a months-long ordeal. The written practices an auditor looks for (data classification, a tested incident response plan, vendor risk assessments, change management, input validation, data subject access / consent / retention) are set up and kept current as part of the operating model, not bolted on at audit time. A note on SOC 2 for buyers doing diligence: SOC 2 is an AICPA framework built on five Trust Service Criteria (Security is always required; Availability, Processing Integrity, Confidentiality, and Privacy are chosen per customer requirement). Type I is a point-in-time snapshot; Type II observes controls operating over a 3-12 month period, which is what enterprises typically require. Realistic Type II readiness runs 3-6 months depending on your starting maturity. Our SOC 2 Type II covers Security, Availability, and Confidentiality; the report is available under NDA.
The differentiators that don't fit neatly in any one product, but underpin all of them. We're 100% US-based with zero offshore personnel, a line drawn on day one (Aug 20, 2020) and never moved. The people who touch your environment are on-shore, accountable, and reachable. For verification, our Trust Center is live and public.
That's the depth. If you're the kind of person who wanted to see the control families, the enclave architecture, and which clouds the CUI actually lives on, now you have it, and we're happy to go deeper on any of it. And if you're everyone else, the part that matters is simpler: this is all handled, by one accountable US-based team, so you don't have to think about it. Either way, the next step is the same. Book a call and we'll scope it to your environment, no acronyms required.