We built Kyudo because the dominant model was broken.
Regulated organizations deserve a governance platform that runs inside their boundary, reasons over their data with explainable AI, and maintains readiness as a permanent condition — not a seasonal project.
The way of the bow
Kyudo (弓道) is the Japanese martial art of archery. But unlike Western archery, kyudo is not primarily about hitting the target. It's about the discipline of the archer — the precision, focus, and continuous refinement of form that naturally leads to accuracy.
We chose this name because it reflects our philosophy of compliance. True security posture isn't achieved through checkbox exercises or last-minute audit scrambles. It emerges from disciplined processes, continuous evidence, and a commitment to excellence in the fundamentals.
Like the kyudo archer, organizations that master the discipline of GRC find that the outcomes — audit readiness, customer trust, regulatory compliance — follow naturally.
Our story
Kyudo was born from a simple observation: organizations in regulated industries face an impossible choice. They can use SaaS compliance tools that require sending sensitive data to third parties, or they can build expensive in-house solutions that lack automation.
We believed there had to be a better way.
Our founding team spent years working in Microsoft Security, enterprise GRC, and regulated industries. We saw firsthand how compliance teams struggled with manual evidence collection, spreadsheet tracking, and the constant tension between security requirements and operational efficiency.
We built Kyudo to solve this problem definitively: an AI-native GRC platform that deploys entirely within your Azure tenant, integrates natively with your Microsoft security stack, and automates the compliance workflows that consume your team's time.
Our mission
To make world-class GRC accessible to every organization that handles sensitive data, without compromising on security, sovereignty, or operational efficiency.
Precision over promises
We build products that work as documented. Every feature, integration, and workflow is tested rigorously. We don’t ship vaporware or make claims we can’t back up with evidence.
Sovereignty as standard
Data sovereignty isn’t a premium feature—it’s a fundamental right. We designed Kyudo from day one to deploy within customer environments, not around them.
Transparency in everything
Our AI explains its reasoning. Our architecture is documented. Our pricing is clear. We believe trust is earned through transparency, not demanded through contracts.
Customer success first
We succeed when our customers pass audits, close deals, and reduce compliance burden. Every product decision is evaluated against real customer outcomes.
Engineering excellence
We hire exceptional engineers and give them the autonomy to solve hard problems well. Quality architecture enables quality outcomes.
Continuous improvement
Like the kyudo archer, we refine our craft daily. We listen to customers, measure outcomes, and iterate relentlessly toward better solutions.
Founded by practitioners, not theorists.
John Haifa
15+ years in Microsoft Security, enterprise compliance, and cloud architecture. Built Kyudo after watching regulated organizations choose between SaaS vendors that extract their data and consulting firms that charge by the hour. Neither option was good enough.
Why we built Kyudo differently
Every architectural decision reflects our commitment to customer sovereignty and security.
Customer-hosted by design
While other GRC vendors treat data sovereignty as an afterthought or premium add-on, we built Kyudo from the ground up to deploy within your Azure tenant. Your data never leaves your control. This isn’t a configuration option—it’s our architecture.
Microsoft-native integration
Instead of building shallow API wrappers, we invested deeply in Microsoft Graph, Defender APIs, and Azure services. Kyudo speaks the native language of your Microsoft security stack, enabling evidence collection and control mapping that surface-level integrations can’t match.
Compliance Graph foundation
We chose to build on Compliance Graph technology because compliance relationships are inherently graph-shaped. Controls map to frameworks. Evidence supports controls. Risks relate to assets. This structure enables intelligent querying and explainable AI.
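The following is an added illustration of why those relationships fit a graph: a small in-memory graph of frameworks, controls, evidence, risks and assets, with the queries a compliance team typically needs (evidence gaps per framework, risks no control mitigates, and a "why" chain for one control). It is not Kyudo's code and assumes nothing about the product's schema; the node names, the edge types (MAPS_TO, SUPPORTS, AFFECTS, MITIGATES) and the sample data are all constructed for the example.

```python
"""Constructed compliance-graph example (not Kyudo's code or schema)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ComplianceGraph:
    # node_id -> node kind: "framework", "control", "evidence", "risk", "asset"
    nodes: dict = field(default_factory=dict)
    # edge type -> source node -> set of target nodes (directed, labelled edges)
    edges: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(set)))

    def add_node(self, node_id: str, kind: str) -> None:
        self.nodes[node_id] = kind

    def add_edge(self, src: str, rel: str, dst: str) -> None:
        # Reject dangling references so a query can never silently miss a node.
        for n in (src, dst):
            if n not in self.nodes:
                raise KeyError(f"unknown node {n!r}")
        self.edges[rel][src].add(dst)

    def incoming(self, dst: str, rel: str) -> set:
        """All sources with an edge of type `rel` pointing at `dst`."""
        return {s for s, targets in self.edges[rel].items() if dst in targets}

    def outgoing(self, src: str, rel: str) -> set:
        return set(self.edges[rel].get(src, set()))

    # --- queries a compliance team actually runs --------------------------

    def controls_for(self, framework: str) -> set:
        """Controls that map to a framework (control -MAPS_TO-> framework)."""
        return self.incoming(framework, "MAPS_TO")

    def evidence_gaps(self, framework: str) -> list:
        """Controls in the framework with no supporting evidence (evidence -SUPPORTS-> control)."""
        return sorted(c for c in self.controls_for(framework) if not self.incoming(c, "SUPPORTS"))

    def unmitigated_risks(self) -> list:
        """Risks with no mitigating control (control -MITIGATES-> risk; edge type is an assumption)."""
        return sorted(r for r, k in self.nodes.items() if k == "risk" and not self.incoming(r, "MITIGATES"))

    def exposed_assets(self) -> list:
        """Assets related to an unmitigated risk (risk -AFFECTS-> asset)."""
        exposed = set()
        for r in self.unmitigated_risks():
            exposed |= self.outgoing(r, "AFFECTS")
        return sorted(exposed)

    def explain(self, control: str) -> dict:
        """The attribution chain an auditor would ask for: why this control matters and what backs it."""
        return {
            "frameworks": sorted(self.outgoing(control, "MAPS_TO")),
            "evidence": sorted(self.incoming(control, "SUPPORTS")),
            "risks_mitigated": sorted(self.outgoing(control, "MITIGATES")),
        }


def build_sample_graph() -> ComplianceGraph:
    """Constructed sample data: two frameworks, three controls, partial evidence."""
    g = ComplianceGraph()
    for node_id, kind in [
        ("ISO27001", "framework"), ("SOC2", "framework"),
        ("C-MFA", "control"), ("C-LOGGING", "control"), ("C-BACKUP", "control"),
        ("E-mfa-policy-export", "evidence"), ("E-siem-retention-config", "evidence"),
        ("R-credential-theft", "risk"), ("R-data-loss", "risk"),
        ("A-email-tenant", "asset"), ("A-file-share", "asset"),
    ]:
        g.add_node(node_id, kind)
    for src, rel, dst in [
        ("C-MFA", "MAPS_TO", "ISO27001"), ("C-MFA", "MAPS_TO", "SOC2"),
        ("C-LOGGING", "MAPS_TO", "SOC2"), ("C-BACKUP", "MAPS_TO", "ISO27001"),
        ("E-mfa-policy-export", "SUPPORTS", "C-MFA"),
        ("E-siem-retention-config", "SUPPORTS", "C-LOGGING"),
        # C-BACKUP deliberately has no evidence: it should show up as a gap.
        ("R-credential-theft", "AFFECTS", "A-email-tenant"),
        ("R-data-loss", "AFFECTS", "A-file-share"),
        ("C-MFA", "MITIGATES", "R-credential-theft"),
        # R-data-loss deliberately has no mitigating control.
    ]:
        g.add_edge(src, rel, dst)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for fw in ("ISO27001", "SOC2"):
        print(f"{fw}: evidence gaps = {g.evidence_gaps(fw)}")
    print("unmitigated risks:", g.unmitigated_risks())
    print("exposed assets:", g.exposed_assets())
    print("why C-MFA:", g.explain("C-MFA"))
```

Each answer is a path through typed edges rather than a lookup in a flat table, which is what makes the result attributable: the gap report for ISO27001 names C-BACKUP because no SUPPORTS edge reaches it, and the explanation for C-MFA lists exactly the framework, evidence and risk nodes it is connected to.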
Explainable AI as a requirement
Every AI-generated recommendation in Kyudo includes confidence scoring and source attribution. When an auditor asks “why did you make this decision?”, your team has a defensible answer. Black-box compliance automation isn’t compliance—it’s liability.
Strategic partnerships
Working with industry leaders to deliver enterprise-grade GRC.
Join the team
We're building the future of GRC and looking for exceptional people who share our commitment to precision, transparency, and customer success.