IT-Grundschutz · NIS2 · Knowledge Graph

Grundschutz compliance in weeks, not months.

Drop in the documentation you already have. OrbisGraph reads Visio diagrams, CMDB exports and policies, resolves the inconsistencies, and turns months of manual work into a security concept an auditor can walk through.

[Figure: From scattered documentation to a live knowledge graph. Unstructured sources (CMDB.xlsx, Visio.vsdx, policy.docx) flow into a live knowledge graph, where each ingested document materialises as a new graph fact.]

02 / The new reality

NIS2 changed the scope. Audit expectations changed with it.

Three shifts are landing at once, on teams that were never staffed for an ISMS build this size.

01 · Newly in scope

You may never have needed an ISMS before. You need one now.

NIS2 pulled roughly 29,500 German organisations into scope, up from 4,500. Manufacturers, utilities, healthcare, logistics, critical suppliers. Most have no in-house ISMS team, and the clock is already running.

02 · Supply chain cascade

Your customers' auditors are now your auditors.

Enterprise and public-sector customers pass NIS2 obligations down the chain. Supplier questionnaires, contract clauses, renewed framework agreements. A missing Nachweis now costs tenders, not only audit findings.

03 · Enforcement is next

Grace periods end. Fines and personal liability begin.

Management liability under NIS2 is personal. Fines scale to group turnover. The companies still treating this as a 2027 problem are the ones that will meet their auditor first.

03 / The platform

OrbisGraph. A security concept that keeps up with your IT, not one that ages between audits.

OrbisGraph follows BSI 200-2 and 200-3. Specialised AI agents handle each phase, then your team approves before it lands in the graph. The timings below are measured against the manual baseline on the same project.

A1 · BSI 200-2

Strukturanalyse.

Ingests your documentation: organisational descriptions, network diagrams, asset inventories. Builds the graph. Every extracted entity links back to the sentence that produced it.

Measured on the same project

Manual: 4–6 weeks
OrbisGraph: hours
[Figure: OrbisGraph Strukturanalyse view. Extracted entities with typed relationships. Each node links back to the source document that produced it.]

Quality

Every AI output carries a confidence score and requires sign-off before it lands in the graph. Nothing enters the graph without human approval.

Security baseline
  • Single-tenant isolation of your Workspace data
  • SSO and SAML for identity federation
  • Encryption at rest and in transit
  • Full audit log of every user action

04 / Deployment

Where OrbisGraph runs is your decision. Three ways to deploy.

Same graph engine, same approval contract, deployed to match your risk posture.

SaaS on Deutsche Telekom Cloud (Default)

Where most organisations start. Sovereign German infrastructure, German data residency, no transatlantic path for the graph or for inference.

Hybrid

SaaS orchestration on Deutsche Telekom Cloud, inference endpoints inside your perimeter. Your documents never leave your network; only graph operations cross the boundary.

On-Prem

Graph, weights, and inference on your infrastructure. Terraform-based redeployment, air-gap capable, BYOK. For KRITIS operators and security-sensitive enterprise.

05 / Frameworks

One graph. Every framework.

Most organisations don't stay single-framework for long. OrbisGraph is live on BSI IT-Grundschutz today, built for what comes next.

IT-Grundschutz

Live · GS++ ready

The current BSI Kompendium, end to end. Modellierung, Anforderungen, Umsetzungstexte, Grundschutz-Check export.

ISO 27001

On the roadmap

ISO 27001 and 27002 on the same graph. Controls, Statement of Applicability, evidence mapping. For organisations whose primary path is ISO.

Existing Grundschutz · NIS2 newcomer

Both paths end in the same place. Your Sicherheitskonzept should be ready for it.

Whether you're carrying an existing Grundschutz footprint forward or building your first ISMS under NIS2, OrbisGraph holds your security concept as structured data. When the BSI switches the underlying format, there is no rewrite.


08 / From the field

What early testers noticed first.

Voices from live engagements: consultants running BSI IT-Grundschutz implementations for company clients, and a defence-IT provider piloting OrbisGraph in production.

"This is the first time I see somebody turning this honestly big piece of gold that's just so overwhelming that nobody can practically use it into something that actually does make sense."
Managing Director · Boutique Cybersecurity Consultancy · Fortune-500 clients

"A major unlock, freeing up capacity for the things people actually enjoy and where they're adding real value, versus just feeding some compliance machine."
Partner · DACH Cybersecurity Consultancy · Mittelstand NIS2 engagements

"Using the graph for establishing the ground truth, getting out of the tacit knowledge trap, and then scaling it. Once you have this, you can really increase speed. And you keep it consistent."
Defence IT Provider · 7,000+ employees

"If you're able to do that at that quality level, the extractions, and being able to say this is not just what you have but the preparation of what's missing, that has massive value."
CEO · DACH Cybersecurity Consultancy · 100+ employees

For regulated organisations

KRITIS, telecom, public sector, insurance. OrbisGraph on your own infrastructure, when the data cannot leave it.


Show us your use case. We'll show you the knowledge graph.

Schedule a call and we'll walk through OrbisGraph on a realistic sample dossier. We answer the integration and data-residency questions your IT and legal teams will ask, and talk through onboarding routes, consultant-led or direct.