OrbisGraph: The Platform

The knowledge graph
that makes IT-Grundschutz auditable.

OrbisGraph turns your IT security concept into a structured knowledge graph. Every claim is traceable to source. Every key decision needs human sign-off. Every AI inference is measured against a benchmark.

Figure: from Word and Excel to a knowledge graph. Three stacked Sicherheitskonzept documents on the left flow through dashed arrows into a knowledge graph on the right, with nodes for Process, Application, System, Baustein APP.2.1, Evidence and Measure connected by labeled edges such as has_Baustein and evidenced_by.

02 / The thesis

A security concept is a structure, not a stack of templates.

For thirty years, IT-Grundschutz has lived in Word and Excel. OrbisGraph moves it into a structure a machine can read.

Processes, applications, systems, networks, rooms, and buildings become nodes on a graph. BSI Bausteine attach to the nodes they apply to. Evidence attaches to the Bausteine.

Specialised AI models build the graph and query it. Your team signs off on key decisions. The auditor reads the trail back.

Figure: six layers of the OrbisGraph (Processes, Applications, Systems, Networks, Rooms, Buildings). One highlighted trace runs from a business process (Payroll run) to the building it ultimately depends on (Building A). When the graph exists, “which controls are affected if Building A loses power” is a query, not a workshop.
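The query described above, as an added example that is not OrbisGraph's own code or data model: a constructed six-layer graph with downward depends_on edges and Bausteine attached to nodes, and a reverse traversal that answers "which controls are affected if Building A fails". APP.2.1 is taken from the page; the other Baustein identifiers are illustrative sample values.

```python
from collections import defaultdict, deque

# Constructed sample graph (not OrbisGraph's data model). Node -> layer.
NODES = {
    "Payroll run": "Process",
    "HR suite": "Application",
    "DB server 1": "System",
    "Office LAN": "Network",
    "Server room 1": "Room",
    "Building A": "Building",
    "Website": "Application",
    "Web server": "System",
    "Building B": "Building",
}
# depends_on edges point downward through the layers: (dependent, dependency).
DEPENDS_ON = [
    ("Payroll run", "HR suite"),
    ("HR suite", "DB server 1"),
    ("DB server 1", "Office LAN"),
    ("DB server 1", "Server room 1"),
    ("Office LAN", "Building A"),
    ("Server room 1", "Building A"),
    ("Website", "Web server"),
    ("Web server", "Building B"),
]
# Bausteine attached to the node they apply to (sample identifiers; APP.2.1 is from the page).
HAS_BAUSTEIN = {
    "HR suite": ["APP.2.1"],
    "DB server 1": ["SYS.1.1"],
    "Office LAN": ["NET.1.1"],
    "Server room 1": ["INF.2"],
    "Building A": ["INF.1"],
    "Web server": ["SYS.1.1"],
    "Building B": ["INF.1"],
}

def dependents_of(node, edges=DEPENDS_ON):
    """Everything that transitively depends on `node` (reverse BFS), plus the node itself."""
    reverse = defaultdict(list)
    for dependent, dependency in edges:
        reverse[dependency].append(dependent)
    seen, queue = {node}, deque([node])
    while queue:
        for parent in reverse[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def affected_controls(failed_node, edges=DEPENDS_ON, bausteine=HAS_BAUSTEIN):
    """Answer 'which controls are affected if <failed_node> fails' as (node, Baustein) pairs."""
    return sorted((n, b) for n in dependents_of(failed_node, edges) for b in bausteine.get(n, []))
```

Building B and the Website stack are untouched by a Building A outage, which is exactly the separation the result preserves by returning node/Baustein pairs rather than bare Baustein identifiers.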

03 / In production

Live for IT-Grundschutz. Ready for Grundschutz++. Deployed on German infrastructure.

Deployment

Four ways to run OrbisGraph.

SaaS on Deutsche Telekom Cloud (default)

Where most customers start. Sovereign German infrastructure, German data residency, no transatlantic path for the graph or for inference.

Hybrid

SaaS orchestration on Deutsche Telekom Cloud. Inference endpoints inside your perimeter. Your documents never leave your network; only graph operations cross the boundary.

On-Prem

Graph, weights, and inference on your infrastructure. Terraform-based redeployment, air-gap capable, BYOK. Designed for KRITIS, telecom under §109 TKG, and public-sector clients.

White-Label

Operated under a large consultancy's brand. Separate namespace, same graph engine, same approval contract.

Who uses it

Consultants and security teams who answer to auditors.

  • Consultancies
  • SME
  • Enterprise
  • KRITIS
  • Telecom · §109 TKG
  • Public sector

04 / The workflow

Five BSI phases, one Sicherheitskonzept.

OrbisGraph follows BSI 200-2 and 200-3. Each phase is handled by specialised AI agents, then approved by your team before it lands in the graph. The numbers below are measured against the manual baseline on the same project.

A1 · BSI 200-2

Strukturanalyse.

Ingests your documentation: organisational descriptions, network diagrams, asset inventories. Builds the graph. Every extracted entity links back to the sentence that produced it.

Measured on the same project:

  • Manual: 4–6 weeks
  • OrbisGraph: hours

Figure: Strukturanalyse view showing extracted entities with typed relationships. Each node links back to the sentence in the source document that produced it.

05 / Quality assurance

Conservative on principle. Every output measured.

The failure mode of AI in compliance is not that it can't write a control text. It's that it writes one that reads as plausible but is wrong. We built the system against exactly that.

01

Evidence-linked.

Every Umsetzungstext links to its source passage with a SHA-256 hash. If the source changes, the hash breaks and the linked text gets flagged for review. Provenance is the default state.
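The hash-linked provenance described above, as an added example (not OrbisGraph's own code or storage format): each Umsetzungstext records the SHA-256 of its source passage at drafting time, and revalidation recomputes the hash and flags the text for review on mismatch. The sample passages are constructed; whitespace normalisation before hashing is an assumption of this example, so that re-flowing a paragraph does not count as a content change while any wording change does.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample passages: version 1 of a backup policy and a later edit of it.
SOURCE_V1 = "Backups of the HR database are written nightly to the tape library in server room 1."
SOURCE_V2 = "Backups of the HR database are written weekly to the tape library in server room 1."

def passage_hash(passage: str) -> str:
    """SHA-256 over the passage with whitespace collapsed (normalisation is an assumption here)."""
    normalised = " ".join(passage.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()

@dataclass
class EvidenceLink:
    umsetzungstext: str      # drafted control text
    source_doc: str          # document the supporting passage lives in
    source_hash: str         # SHA-256 of that passage when the text was drafted
    status: str = "current"  # becomes "review" once the source no longer matches

def link_evidence(umsetzungstext: str, source_doc: str, passage: str) -> EvidenceLink:
    """Create the link at drafting time, pinning the passage by hash."""
    return EvidenceLink(umsetzungstext, source_doc, passage_hash(passage))

def revalidate(link: EvidenceLink, current_passage: str) -> EvidenceLink:
    """Recompute the hash against the current source text and flag on mismatch."""
    link.status = "current" if passage_hash(current_passage) == link.source_hash else "review"
    return link

def flagged_links(links, current_sources):
    """Revalidate a whole concept; current_sources maps document name -> current passage.
    A missing document also flags the link, since its evidence can no longer be located."""
    flagged = []
    for link in links:
        passage = current_sources.get(link.source_doc)
        if passage is None or revalidate(link, passage).status == "review":
            link.status = "review"
            flagged.append(link)
    return flagged
```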

02

Human in the loop.

Every AI output carries a confidence score. Low-confidence outputs are flagged, not silently accepted. Approval is required at every phase boundary. Nothing advances on inference alone.

03

Externally benchmarked.

Extraction quality is independently validated by cybersecurity researchers at Freie Universität Berlin, measured on real Grundschutz corpora.

  • 97.68% entity extraction F1
  • 83.46% relationship mapping F1

Where the model is uncertain, it flags; it does not guess. Both numbers improve with every model iteration.

06 / AI architecture

An orchestrator, two knowledge experts, an ensemble of agents per phase.

An IT security concept pulls from two kinds of knowledge. The BSI side: Bausteine, requirements, the 200-2 / 200-3 methodology. Your side: processes, applications, systems, policies, people.

OrbisGraph keeps each side in its own AI expert. The orchestrator routes work to the BSI phase that owns it; inside each phase, a specialised ensemble classifies, parses, extracts, and validates. Every agent sees only what it needs, and nothing commits without human approval.

The architecture is HybridRAG: retrieval-augmented generation runs against a structured knowledge graph for deterministic data representation.

Figure: three-tier AI architecture. One orchestrator (Tier 1, routing and Freigabe) routes requests to two knowledge experts (Tier 2: the IT-Grundschutz Expert for BSI methodology, the Enterprise Expert for your organisation) and five workflow phases A1 through A5 (Tier 3: Strukturanalyse, Schutzbedarf, Modellierung, GS-Check, Risikoanalyse), each backed by a specialised ensemble of agents. Three tiers, three roles. Nothing lands without approval.
Tier 1 · Orchestration

Orchestrator.

Takes a request, breaks it into sub-tasks, routes each one to the right experts and agents. Tracks approval across phases. Handles concurrent writes.

It does not draft, score, or decide. It coordinates.

Tier 2 · Knowledge

Two knowledge experts.

The IT-Grundschutz Expert holds the BSI Compendium, Bausteine, requirements, and the 200-2 / 200-3 methodology. The Enterprise Expert models your organisation: documents, entities, approved policies. Every agent in every phase consults both before writing.

Tier 3 · Execution

Five phases, one ensemble each.

A1 to A5: Strukturanalyse, Schutzbedarfsfeststellung, Modellierung, Grundschutz-Check, Risikoanalyse. Each phase runs its own ensemble of specialised agents — classifiers, extractors, validators — sized to the phase. Strukturanalyse and Grundschutz-Check, the most demanding, run the deepest ensembles.

Nothing lands in the graph without approval.

See the architecture run on your own Sicherheitskonzept.

Book a demo

07 / Grundschutz++ readiness

The BSI is moving the IT-Grundschutz to a machine-readable format. Your Sicherheitskonzept should be ready for it.

Grundschutz++ replaces document-centric compliance with machine-readable, structured data. OrbisGraph is architecturally native to this direction. Concepts built today convert when the new format ships, no restart required. The same graph-native structure makes ISO 27001 a serialisation exercise, not a rebuild.

Read the briefing

09 / Funded by

Funded by the German federal government.

A funding line for innovation with national economic relevance.

The OrbisGraph IT-Grundschutz module is built with support from the Innovation Programme for Business Models and Pioneering Solutions (IGP) of the German Federal Ministry for Economic Affairs and Energy, a funding line for innovation with national economic relevance.

Supported by the German Federal Ministry for Economic Affairs and Energy on the basis of a decision by the German Bundestag

Project reference available on request · Contact →

Show us your use case. We'll show you the knowledge graph.

Schedule a call to explore how OrbisGraph can accelerate your compliance efforts.