The AI agent that runs your audit.
Tessero tests every control against your evidence and cites the exact proof behind every finding. You review results, not chase documents.
› scanning 41 evidence files…
AM-03 testing “MFA enforced for remote & admin access”
exception
Policy states MFA is optional — not enforced.
↳ Access_Control_Policy.pdf · “authentication is left to user discretion”
OR-11 backups run nightly, restore tested 2026-03-15
pass
↳ Backup_Log.xlsx · row 3 “full · success · restore passed”
› 258 controls · 21 pass · 27 exception · queued for review
An auditor that works at the speed of software
Tessero runs the engagement end to end — scope, test, cite — and hands you a reviewable result.
Scope the engagement
Walk Tess through your environment in plain language. It reads the framework taxonomy and builds the in-scope control set — no spreadsheets.
Tess tests every control
For each control, the agent finds the right evidence in your documents, reads it in full, and concludes pass, exception, or open — at the pace of software, not staffing.
Every conclusion is cited
Nothing passes on faith. Each verdict links to the exact file and passage it rests on, queued for your review. Audit you can defend, line by line.
No conclusion without evidence.
Every pass and every exception cites the precise document and passage it rests on. Open the original from any finding. It's an audit trail your reviewers — and your regulators — can follow line by line.
- ✓ File + exact excerpt on every verdict
- ✓ Originals retained and re-openable
- ✓ A senior-reviewer pass flags anything not yet defensible
Multi-factor authentication (MFA)
Access Management · operating effectiveness
Tess concluded
The access policy states multi-factor authentication is optional and left to user discretion — it does not enforce MFA for remote or administrative access.
One agent, every framework
ITGC and Cloud Security are live today — more are on the way. Frameworks are data, not code, so each new one ships fast.
ITGC
IT General Controls · SOX
Access, change, IT operations & resilience, incident & security monitoring, data protection, third-party.
Cloud Security
AWS · Azure · OCI
IAM, logging, networking, data protection, key management — with a read-only command per test.
SOC 2
Trust Services Criteria
Security, availability, processing integrity, confidentiality, privacy.
ISO 27001
Annex A controls
Information-security management system controls and evidence.
PCI DSS
Cardholder data
Payment-card security requirements.
NIST CSF
Govern · Identify · Protect
The cybersecurity framework core functions.
Built for the people who get audited — and the ones who do the auditing.
Cloud-first, on-prem optional
Hosted in our managed cloud and isolated per tenant. Need data residency or air-gap? Deploy on-prem or in your private cloud and bring your own model.
Strict workspace isolation
Object-level authorization on every request — engagements are sealed from one another, by design.
Evidence stays the source of truth
Originals are retained and re-openable from any citation. Every conclusion traces to a real document.
Reviewer in the loop
The agent proposes; the auditor disposes. Accept, override, or send back — with a full audit trail.
Tess
Your Audit Agent
Meet Tess
Tess is the agent that does the work — gathers evidence, tests each control, and lays every verified tile in place. Ask it what's still missing, point it at new evidence, or have it re-test a control. It never puts a tile down without the proof to back it.
“Tess found 4 deficiencies and cited every one.”
See Tessero run a real audit.
Bring a framework and a folder of evidence. We'll show you the cited findings in minutes.
Cloud-hosted by default · on-prem available · every tenant isolated.