We build software that reads the cloud's authorization surface at the source. Our current portfolio: one product in private beta with first pilot operators, one in early design partnership.
We track each cloud's authoritative source — service models, action catalogs, IAM releases — and re-evaluate the same day they ship. Not benchmarks. Not community wikis. New actions surface before attackers can use them, not weeks after.
SCPs, RCPs, identity, permission boundaries, resource policies, and 50+ condition keys — evaluated deterministically, the way AWS itself computes access.
Not YAML, not dashboards. A small, focused language that reads like who-can(action, resource) and returns reality.
"What would happen if this role was compromised?" Simulated principals walk the chain and surface blast radius before the attacker exists.
Continuous re-evaluation: when a policy edits, a role is added, or AWS ships a new action — the answer updates. No "quarterly review."
Hosting follows the workload — EU or US residency, self-hosted in your own VPC, or fully on-prem and air-gapped. SecNumCloud-ready packaging for institutions that can't put IAM data in any cloud.
Same discipline, orthogonal surface. We're working with a small group of design partners through 2026. Public disclosure planned for Q4. If you operate a regulated cloud environment and want to shape what we build next — join the preview list.
Tell us, in one paragraph, the regulated cloud environment you operate and the authorization problem you'd want to shape with us. We read every email.
sales>pragmable.comwhocan is a product, open to any team running on AWS — it's in private beta today. Start with a 30-day scoped pilot; pricing is flat by account count, not per-seat, so cost tracks the size of your cloud, not your headcount.
Single account, capped history, no SLA. The way to learn RQL and try whocan on a real environment.
request access →Multiple accounts, extended history, email support. For security teams running whocan across a live AWS estate.
request pricing →Unlimited accounts, self-hosted or on-prem. DPA, audit support, and a direct line to the team.
talk to us →