Free CLI · No signup · AWS + GCP

Know exactly where your
PCI evidence stands.

Three weeks before a QSA assessment, most teams can't say if they're 60% done or 95%. Ankos is a free CLI — scan your AWS or GCP account and map real evidence to 60+ PCI DSS requirements in 5 minutes. No demo call. No signup.

$ curl -sSL https://get.ankos.dev | sh

See sample output View documentation

AWS + GCP

Cloud providers

Full

Category Coverage

v4.0.1

PCI DSS Coverage

< 5m

To First Evidence

What you get

One command. Real evidence, in your terminal.

Here's an actual scan against an AWS account. 50+ collectors run in parallel, each pulling structured evidence mapped to specific PCI DSS requirements. Output is signed with a SHA-256 integrity manifest you can verify offline.

~/pci-prep

$ ankos scan

✓ AWS credentials verified
  Account:  123456789012
  Identity: arn:aws:iam::123456789012:user/devops-lead

Starting PCI evidence collection...
Scan ID:     a3f8e2c4-7b91-4d15-8e2a-f0c9b3d56e8a
Region:      us-east-1
Collectors:  iam, vpc, kms, s3, cloudtrail, guardduty, +47 more

  [iam] OK
  [vpc] OK
  [kms] OK
  [s3] OK
  [cloudtrail] OK
  [guardduty] OK
  [securityhub] OK
  [inspector] OK
  [rds] OK
  [config] OK
  ... 43 more

✓ Evidence collection complete in 7.229s
  Successful: 53/53 collector runs
  Output:     ankos-evidence-20260526-174646/
  Manifest:   ankos-evidence-20260526-174646/manifest.json
  SHA-256:    4e8c1a9f73d2b5e6...

Roughly half of PCI's requirements have automatable evidence — the CLI handles those. The other half are manual: narratives, sign-offs, policy documents, training records. That's what the Ankos Ledger handles →

And what your QSA opens

A self-contained HTML report. No install required.

One more command turns the scan into a branded report your QSA can open in any browser — PCI score, severity-graded findings, the actual AWS CLI command to fix each one. Same data also available as JSON for pipelines or CSV for non-engineering stakeholders.

file:///pci-report.html

Ankos

PCI DSS 4.0.1 Evidence Readiness Report

PCI Score

Total Checks

Ready

Action Needed

Review

Account: 123456789012 Region: us-east-1 Collected: 2026-05-26 20:21 UTC

✗ Requirement 3: Protect stored account data

ACTION NEEDED CRITICAL S3 public access blocked 4 bucket(s) without public access block 1.3.2, 7.2.1

ACTION NEEDED HIGH KMS key rotation enabled 1 customer-managed key(s) without rotation 3.7.4

READY HIGH S3 buckets encrypted at rest 3.4.1

REVIEW MEDIUM S3 versioning enabled 1/19 bucket(s) have versioning enabled 3.4.1

View the full sample report ↗ Real ankos report output, sanitized — opens in a new tab

Sound familiar?

You've been in this room before.

Team turnover

The person who managed last year's PCI evidence just gave notice. Their Drive folder is shared with four people; nobody's sure which version of the DRL spreadsheet is current; the sign-offs they wrote are buried in a Slack DM no one can find.

Annual rebuild

It's PCI season again. The same Document Request List spreadsheet goes out. Engineering looks at row 47 — "didn't we do this last cycle?" — and nobody can answer.

Three weeks out

Your QSA assessment starts in 21 days. You have a Drive folder, a Jira board, and a half-filled spreadsheet. You don't know if you're 60% done or 95%. There's no way to tell.

This is the moment Ankos was built to make impossible.

After the scan

The CLI is half the battle. What about the other half?

The scan covers IAM, encryption, logging, networking — roughly half of PCI's requirements. The other half is manual: policy documents, training records, incident-response runbooks, sign-offs from the people who own the work. Without a system for that half, it lives in spreadsheets, shared drives, and Jira tickets — and your QSA waits.

Manual evidence today

Document Request List spreadsheet as the index
Evidence files scattered across Drive or SharePoint
Task tracking in Jira or email threads
Screenshots pasted into Google Docs
Weeks of "did we upload that?" before each cycle
No audit trail when team members change

Manual evidence in the Ankos Ledger

One ledger — every requirement pre-populated by category
CLI scan results land here automatically with --upload
Plain-English guidance per entry — what to upload, why
Sign-offs anchored to immutable user IDs (survives turnover)
Carry-forward when nothing changed, with a verifiable citation
One-click export or hosted QSA portal share

First Time Through PCI?

No prior PCI experience? No problem.

Ankos is built for teams going through PCI DSS for the first time. It walks you from "what is PCI?" to "here's my evidence package" — so your QSA can spend their time assessing, not chasing down missing artifacts.

Scoped to your situation

Answer 6 quick questions about your company — entity type, how customers pay you, where your infrastructure runs, when your assessment is. Ankos configures your ledger for your specific situation.

Plain English, no jargon

Every entry leads with a plain-English title and a one-line summary of what it actually means — "who can touch the firewall configs", "the coffee-shop laptop problem". The PCI requirement number sits in a small footnote where it belongs. Items that don't apply to your business can be marked N/A with the right justification.

A personalized roadmap

Based on your answers, Ankos surfaces your top 3 priorities, suggested owners across your team, and a realistic timeline for your target assessment date.

Want to see how it works? Try the onboarding walkthrough →

The Full Stack

One CLI. One ledger. One package.

The CLI scans your cloud and pulls real evidence. The ledger holds everything — automated scans, manual uploads, narratives, sign-offs. Together: a complete PCI assessment package, signed off by your team, ready for your QSA.

Compliance Ledger

Every PCI DSS requirement pre-populated and organized by category.

Automated Collection

One CLI command to scan your AWS infrastructure. IAM, S3, KMS, VPC, CloudTrail, GuardDuty.

Evidence Guidance

Every entry tells you exactly what the QSA expects. No guessing, no spec hunting.

Readiness Dashboard

Track progress by category, owner, and status. See what's ready for QSA review at a glance.

Quarterly Carry-Forward

Stable controls — policies, training, infrastructure baselines — carry forward with one-click attestation citing the prior cycle. Each year's ledger compounds on the last.

QSA Evidence Export

Export organized by category with consistent file naming. Ready for assessor review.

Team Collaboration

Invite your team. Assign ownership by category. DevOps, Security, HR — everyone in sync.

Human-Readable Evidence

Scan results processed into clear summaries with findings and guidance, not raw JSON.

Pre-flight Check

Before you send to your QSA, Ankos reviews the package and flags weak narratives, placeholder-looking filenames, and entries that look unfinished. Catch issues before your assessor does.

Built to last

A ledger that compounds.

Each cycle's evidence, sign-offs, and narratives stay in the ledger. Year 2 is easier than year 1; year 5, you can show your QSA five cycles of unbroken history without opening any old folder.

Three years of PCI history in one place is insurance against the rebuild.

Multi-year history, in one place

Every cycle's evidence stays in the ledger, fully searchable. Open a 2024 cycle next to a 2026 one and see exactly what changed — and what stayed exactly the same.

Audit trail survives team changes

Sign-offs are anchored to immutable user IDs, not display names. People come and go; the chain of custody doesn't. A 2024 attestation by someone who's since left the company stays valid.

Carry-forward as proof, not shortcut

When a control genuinely hasn't changed, one click attests it — citing the exact prior cycle and entry. Not a free pass; a verifiable continuity claim your QSA can trace back.

The Workflow

From one command to QSA-ready

Start with the CLI. Sign up when you need more than a scan.

Install and scan — no signup

Install the CLI with one command. Run ankos scan against your AWS or GCP account using your local read-only credentials. In about 5 minutes you have structured evidence for ~50 PCI requirement areas plus an integrity-verifiable manifest. The output is yours, locally; nothing is transmitted to Ankos.

$ curl -sSL https://get.ankos.dev | sh
$ ankos scan

Sign up — Ankos scopes the ledger to you

When you're ready for the rest of the assessment, sign up. A 6-question wizard configures your ledger for your specific situation — entity type, payment flow, infrastructure, team — scoping out what doesn't apply and pre-assigning owners. First-time teams get a "start here" roadmap with top priorities. Re-run the scan with --upload and the automated evidence lands in the right entries.

Fill the gaps with your team

The ledger has the manual entries the CLI can't reach — policy documents, training records, runbooks, sign-offs. Each entry has plain-English guidance on exactly what to upload. Assign owners by category; track readiness on the dashboard; carry forward unchanged controls with a verifiable citation to the prior cycle.

Hand it to your QSA

Pre-flight check catches weak narratives and placeholder filenames before you ship. Export a complete package — by-category folders, summary PDF, integrity manifest — or share a hosted read-only portal link (optionally email-gated) so your QSA browses in-browser. Ankos prepares the case; your QSA is the judge.

Pricing

Simple, predictable pricing

Start free with Ankos CLI. Upgrade to Ankos Ledger when you're ready for the rest of the assessment.

Free CLI

Scanning and local reporting

forever

Unlimited AWS scans
Terminal & JSON output
Remediation guidance
No signup required
CI/CD pipeline friendly

Install CLI

Team

Teams going through PCI

$299/mo

60-day free trial · Think of it as PCI insurance

Compliance Ledger with every PCI DSS requirement
Auto-populated scan evidence
Manual evidence upload with sign-off
Quarterly carry-forward
Pre-flight check before export
Evidence readiness dashboard
QSA evidence package export
Team collaboration with roles
12-month rolling history

Start Free Trial

Enterprise

Level 1 merchants & multi-entity orgs

Custom

annual contract

Everything in Team
White-label QSA share on your subdomain
SSO / SAML
Multi-entity org & consolidated dashboards
Audit log export to your SIEM
Unlimited team members
Dedicated CSM, SLA-backed support

Talk to sales

FAQ

Frequently asked questions

What is Ankos?

Ankos is two things. Ankos CLI, a free binary that runs locally against your AWS or GCP account and pulls real evidence for ~50 PCI requirement areas — IAM, encryption, logging, networking, segmentation, more. Ankos Ledger, the paid SaaS that holds everything in one place — automated scan results, manual evidence uploads, narratives, sign-offs — ready to hand to your QSA. The CLI works standalone, no signup required. The ledger is what you upgrade to when you're ready to manage the full assessment lifecycle with your team.

Ankos is not a QSA. We help your team gather, organize, and present evidence — we never declare that evidence "passes" or "fails" any requirement. That determination is made by a Qualified Security Assessor at the end of your assessment. Ankos prepares the case; your QSA is the judge.

What does the free CLI actually do?

The CLI runs locally with your AWS or GCP credentials (read-only IAM). It collects evidence for around 50 PCI requirement areas — IAM users + MFA, KMS keys + rotation, S3 encryption + public-access, VPC + security groups, CloudTrail + log validation, GuardDuty + Inspector findings, RDS encryption, ELB TLS policies, ECR scan findings, EKS cluster config, and dozens more. Output is structured JSON per collector plus a SHA-256 manifest you can verify offline. No data leaves your machine. No account. Use it standalone for a quick PCI gap-check, or run --upload to push results into your Ankos Ledger.

Can I use the CLI in CI/CD?

Yes — the CLI is designed for it. --format json emits structured output for piping into other tools; --dry-run validates configuration without making API calls; --fail-on exit-codes let you fail a build when something drifts. Common pattern: a scheduled GitHub Actions or GitLab CI job that scans your AWS environment weekly and alerts when a public S3 bucket or missing CloudTrail appears between assessments. Catch drift before your next QSA visit, not during it.

Is this our first PCI assessment — can Ankos help?

Yes — first-time PCI teams are who benefit most from Ankos. When you sign up, a 6-question onboarding wizard configures your ledger for your specific company: it scopes out items that don't apply to you, suggests ownership across your team, and gives you a personalized "start here" roadmap. Every entry includes plain-English guidance explaining what the QSA expects. The CLI automates a significant share of evidence collection from AWS. For manual items, the guidance tells you exactly what to screenshot or upload. You can go from "what is PCI?" to "here's my evidence package" without prior assessment experience.

Does Ankos replace my QSA?

No — and it's not trying to. Your team uses Ankos between cycles to gather and organize evidence. Your QSA performs the formal assessment, reviews the package you export, and makes the final compliance determination. The stronger your case, the faster the assessment — that's what Ankos optimizes for.

Which cloud providers are supported?

The CLI supports AWS (53 collectors: IAM, S3, KMS, VPC, CloudTrail, GuardDuty, Inspector, SecurityHub, RDS, EKS, ECS, Lambda, WAF, Shield, Config, Macie, and more) and GCP (14 collectors: IAM, KMS, GCS, Cloud SQL, GKE, Cloud Run, Cloud Functions, Cloud Armor, Compute, Logging, Security Command Center, and more). Use --provider gcp --gcp-project <id> for GCP scans. The compliance ledger works with any cloud provider — you can always upload evidence manually for things the CLI doesn't reach.

How does the evidence export work?

When your evidence is ready, click "Export Evidence Package" and Ankos generates a ZIP file containing a summary PDF, evidence files organized by category with standard naming conventions, and an integrity manifest. Your QSA can cross-reference the export directly against their Document Request List.

What happens to my compliance data over the years?

Your ledger persists across cycles indefinitely on the Team and Enterprise plans. Every entry, every piece of evidence, every sign-off, and every carry-forward attestation stays as a permanent record of how you achieved compliance in each cycle. You can open a 2024 cycle alongside a 2026 cycle to compare exactly what changed, and export individual cycles or your full history as portable packages anytime. The chain of custody survives team turnover — sign-offs are anchored to immutable user IDs, so a 2024 attestation by someone who's since left the company remains a valid audit-trail entry your QSA can verify.

That's why teams describe Ankos as "PCI insurance" — the monthly cost is small; the cost of not having it the day your compliance lead resigns is a quarter of someone's life.

How does Ankos help me catch issues before my QSA does?

Ankos runs a pre-flight check across your cycle before you export — flagging narratives that are too short to defend, evidence with placeholder-looking filenames, N/A entries without proper justification, sign-offs over open findings without context, and other issues a QSA would call out. You see them first; you fix them first. Pre-flight is advisory rather than blocking — you can still export with open warnings, but most teams clear the flags first.

How is Ankos different from broad GRC platforms?

Most compliance platforms cover 20+ frameworks at $10,000–35,000/year. PCI is one checkbox on their feature list. Ankos is PCI-only at $3,588/year — with deeper PCI-specific features: category-organized evidence, plain-English evidence guidance, PCI requirement mapping, and structured evidence export. If you need many frameworks, use a broad platform. If you need PCI done right, use Ankos.

Your next QSA assessment starts here.

Install the CLI, scan your cloud, see what's there. No account required.