Understanding MA-S2
Continuous Vulnerability Discovery, Attack Path Analysis, Runtime Inventory, and Automated Remediation

Executive summary
MA-S2 is best understood not as a software product but as a proposed mission-assurance security standard and attestation framework, published in version 1.0 in May 2026. It defines four control domains: continuous AI-augmented vulnerability scanning, attack-path modeling and AI-assisted adversarial simulation, real-time software inventory, and autonomous remediation orchestration. It is intended to apply across public cloud, private cloud, on-premises, and air-gapped environments, and it explicitly requires evidence suitable for independent assessment rather than unsupported self-attestation. [1]
On public documentation, Kodem maps strongly to the first three MA-S2 domains. Its published capabilities include runtime-powered SCA and SAST, attack-path analysis, runtime bill-of-materials generation, function-level execution evidence, EPSS-aware workflow conditions, public REST APIs, webhooks, CI/SCM integrations, Jira integration, and application detection and response (ADR) functions such as auto-generated WAF rules and runtime guards. These capabilities align with MA-S2’s requirements for contextual prioritization, attack-path-aware triage, and runtime-aware inventory. [2]
The principal gap is MA-S2’s orchestration domain. MA-S2 requires automated patch deployment, fleet-wide remediation from a single control plane, compliance-aware change management, and auditable suppression/authorization workflows. Kodem’s public materials show remediation guidance, developer workflow integration, issue lifecycle evidence, virtual patching, and event-driven automation, but they do not publicly demonstrate Kodem itself as a full deployment control plane for coordinated rollout, rollback, or one-action fleet recall across customer environments. For MA-S2 conformance, Kodem should therefore be positioned as the detection, evidence, prioritization, and trigger layer, integrated with CI/CD, GitOps, ITSM, WAF, and change-management systems for full autonomous remediation orchestration (ARO) coverage. [3]
Geographically, the target region is not specified, and Kodem’s reviewed public documents do not publish a data-residency matrix. Kodem does publish support for Kubernetes, containers, VMs, hypervisors, GKE Autopilot, and air-gapped environments; however, its public privacy policy states that personal data may be processed in Israel and/or abroad and that hosting or processing may occur outside the user’s country or the EEA. For GEO-sensitive MA-S2 deployments, contractual confirmation of regional hosting, sovereign options, offline synchronization behaviour, and localization support is therefore necessary before claiming geographic compliance. [4]
MA-S2 in technical terms
MA-S2 organizes secure software operations around a closed loop: continuous discovery of known and novel weaknesses; contextual triage using exploitability, attack paths, and threat intelligence; real-time inventory and reconciliation of what is actually deployed and running; and finally, autonomous remediation and auditable closure. Its control text is explicit that raw CVSS alone is insufficient, that runtime reachability matters, and that evidence must be machine-readable or telemetry-backed wherever possible. [5]
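To make the triage rule above concrete, here is an added example (not code from MA-S2 or from Kodem) of a contextual prioritization routine. It scores constructed findings on CVSS, EPSS, CISA KEV membership, runtime load and execution evidence, attack-path exposure and a time-bounded suppression with an expiry date, and contrasts the result with a CVSS-only ordering. The field names, thresholds, identifiers and dates are assumptions chosen for illustration, not Kodem’s schema or MA-S2 control values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# All identifiers, scores and dates below are constructed for this example; the field
# names are this example's own, not Kodem's API schema or MA-S2 control identifiers.


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    cvss: float                              # CVSS base score, 0-10
    epss: float                              # EPSS probability of exploitation, 0-1
    in_kev: bool                             # listed in CISA's Known Exploited Vulnerabilities catalog
    loaded_at_runtime: bool                  # vulnerable package observed loaded in a running process
    function_executed: bool                  # vulnerable function observed executing in production
    internet_exposed: bool                   # workload reachable from untrusted networks per attack-path model
    suppressed_until: Optional[date] = None  # time-bounded suppression; None means not suppressed


# Triage outcomes, most urgent first.
ACTION_ORDER = ["remediate-now", "remediate-sprint", "plan", "backlog", "suppressed"]


def suppression_active(f: Finding, today: date) -> bool:
    """A suppression is honoured only until its expiry; afterwards the finding re-enters triage."""
    return f.suppressed_until is not None and today < f.suppressed_until


def triage(f: Finding, today: date) -> str:
    """Contextual decision: runtime reachability and exploitation evidence outrank raw CVSS."""
    if suppression_active(f, today):
        return "suppressed"
    if not f.loaded_at_runtime:
        return "backlog"                     # shipped in the artifact but never loaded: no runtime exposure
    if f.in_kev or (f.function_executed and f.internet_exposed):
        return "remediate-now"               # known exploited, or executed code on an exposed path
    if f.function_executed or f.epss >= 0.10:
        return "remediate-sprint"
    if f.cvss >= 7.0:
        return "plan"
    return "backlog"


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Naive ordering by CVSS base score alone."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_contextual(findings: List[Finding], today: date) -> List[str]:
    """Order by triage outcome, then EPSS, then CVSS as the final tie-breaker."""
    def key(f: Finding):
        return (ACTION_ORDER.index(triage(f, today)), -f.epss, -f.cvss)
    return [f.vuln_id for f in sorted(findings, key=key)]


# Constructed sample: five findings in one workload.
SAMPLE = [
    Finding("VULN-A", "dev-tooling-lib", 9.8, 0.02, False, loaded_at_runtime=False, function_executed=False, internet_exposed=False),
    Finding("VULN-B", "http-parser",     6.5, 0.45, True,  loaded_at_runtime=True,  function_executed=True,  internet_exposed=True),
    Finding("VULN-C", "json-codec",      7.5, 0.05, False, loaded_at_runtime=True,  function_executed=True,  internet_exposed=False),
    Finding("VULN-D", "xml-utils",       8.1, 0.01, False, loaded_at_runtime=True,  function_executed=False, internet_exposed=False),
    Finding("VULN-E", "tls-lib",         9.1, 0.30, False, loaded_at_runtime=True,  function_executed=True,  internet_exposed=True,
            suppressed_until=date(2026, 6, 30)),
]
TRIAGE_DATE = date(2026, 5, 15)       # suppression on VULN-E still active
POST_EXPIRY_DATE = date(2026, 7, 1)   # suppression on VULN-E has lapsed

if __name__ == "__main__":
    print("CVSS-only:  ", rank_by_cvss(SAMPLE))
    print("contextual: ", rank_contextual(SAMPLE, TRIAGE_DATE))
    print("post-expiry:", rank_contextual(SAMPLE, POST_EXPIRY_DATE))
```

The CVSS-only list puts the never-loaded 9.8 at the top; the contextual list puts the 6.5 KEV-listed finding with executed code on an exposed path first and drops the never-loaded finding to the backlog. The suppressed finding stays out of the queue only until its expiry, which is the auditable, time-bounded behaviour the standard expects rather than a permanent mute.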
Concise mapping tear sheet
Kodem architecture and data flows
Kodem’s public technical model is organized as Collect, Correlate, Confirm. In the collection phase, it integrates with SCM systems for static analysis, dependency mapping, and function-level reachability; inspects container registries for binary/base-image risk; and observes runtime environments using eBPF plus memory analysis, OS-level events, file activity, and network events. In the correlation phase it unifies runtime signals, maps repositories to images, and analyzes runtime behavior. In the confirmation phase it validates whether vulnerabilities are actually exploitable, maps attack chains to MITRE ATT&CK, and produces remediation plans tied to source files, dependencies, and runtime evidence. [18]
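As an added example of the correlation step (not Kodem’s code, and independent of whatever export format the platform actually uses), the following Python reconciles a constructed build-time CycloneDX-style SBOM against constructed runtime load events and buckets each component by whether it was loaded, executed, missing from the SBOM, or running at a different version than declared. The CycloneDX shape, the event fields and the package versions are assumptions for illustration.

```python
import json
from typing import Dict, List

# Constructed build-time SBOM in a minimal CycloneDX-style JSON shape. This is an assumption
# for the example: Kodem's public sources do not specify an export format, and only the
# name and version fields are used here.
BUILD_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "payments-api", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "libssl",           "version": "3.0.9"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2"},
        {"type": "library", "name": "log4j-core",       "version": "2.20.0"},
        {"type": "library", "name": "junit",            "version": "4.13.2"},
    ],
})

# Constructed runtime observations, one record per library load seen by a sensor; the
# field names are this example's own, not a documented Kodem event schema.
RUNTIME_EVENTS = [
    {"workload": "payments-api-7c9d", "name": "libssl",           "version": "3.0.8",  "executed": True},
    {"workload": "payments-api-7c9d", "name": "jackson-databind", "version": "2.15.2", "executed": True},
    {"workload": "payments-api-7c9d", "name": "log4j-core",       "version": "2.20.0", "executed": False},
    {"workload": "payments-api-7c9d", "name": "curl",             "version": "8.1.2",  "executed": True},
    {"workload": "payments-api-7c9d", "name": "libssl",           "version": "3.0.8",  "executed": True},  # repeat load
]


def parse_cyclonedx(text: str) -> Dict[str, str]:
    """Return {component name: declared version} from a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def observed_inventory(events: List[dict]) -> Dict[str, dict]:
    """Collapse per-load events into {name: {"versions": set, "executed": bool}}."""
    inv: Dict[str, dict] = {}
    for e in events:
        rec = inv.setdefault(e["name"], {"versions": set(), "executed": False})
        rec["versions"].add(e["version"])
        rec["executed"] = rec["executed"] or e["executed"]
    return inv


def reconcile(declared: Dict[str, str], observed: Dict[str, dict]) -> Dict[str, list]:
    """Compare the declared SBOM with what actually ran and bucket every component."""
    report = {
        "loaded_executed": [],      # declared, loaded, and code executed: real exposure
        "loaded_idle": [],          # declared and loaded but never executed: lower priority
        "declared_not_loaded": [],  # in the artifact, never seen at runtime (e.g. build/test-only)
        "undeclared_loaded": [],    # running but absent from the SBOM: inventory gap
        "version_drift": [],        # declared version differs from the observed one
    }
    for name, version in sorted(declared.items()):
        obs = observed.get(name)
        if obs is None:
            report["declared_not_loaded"].append(name)
            continue
        if version not in obs["versions"]:
            report["version_drift"].append((name, version, sorted(obs["versions"])))
        bucket = "loaded_executed" if obs["executed"] else "loaded_idle"
        report[bucket].append(name)
    for name in sorted(observed):
        if name not in declared:
            report["undeclared_loaded"].append(name)
    return report


def runtime_bom(observed: Dict[str, dict]) -> List[dict]:
    """Runtime bill of materials: what was actually loaded, with the observed versions."""
    return [{"name": n, "versions": sorted(r["versions"]), "executed": r["executed"]}
            for n, r in sorted(observed.items())]


def run_example() -> Dict[str, list]:
    return reconcile(parse_cyclonedx(BUILD_SBOM_JSON), observed_inventory(RUNTIME_EVENTS))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

On the constructed input the report flags junit as declared but never loaded, log4j-core as loaded but idle, curl as running without an SBOM entry, and libssl as executing at a version other than the declared one. The last two buckets are the ones an assessor cares about most: an undeclared running component means the inventory is incomplete, and version drift means the SBOM no longer describes the deployed artifact, so vulnerability matching against it is unreliable until the inventory is regenerated from runtime.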
The public integration surface is broader than a scanner alone. Kodem publishes a RESTful public API with versioning, exposes Packages/SBOM, Issues, and Webhook payloads through that API layer, supports workflows with event-driven triggers and webhook notifications, and integrates with Jira, Jenkins, GitHub Actions, GitHub/GitLab comments and policies, Azure Repos, VS Code, and local CLI workflows. This is important for MA-S2 because the standard expects inventory and remediation evidence to flow into systems of record rather than remain trapped in a dashboard. [19]
Kodem also publishes several security-relevant design properties: eBPF-based collection is described as sandboxed and low-overhead; ADR is described as out-of-band rather than inline, with no application restarts; Kai (Kodem’s AI assistant) runs in an isolated cloud environment within the caller’s access scope, and the company states that customer prompts, findings, and conversations are not used to train public AI models. These properties matter for MA-S2 because they ease deployment in latency-sensitive environments and support basic tenant-isolation expectations, although the API authentication mechanisms and the full control-plane security architecture are not specified in the reviewed public sources. [20]
The synthesized architecture below reflects the closed-loop flow described in the MA-S2 text and in Kodem’s official materials. [21]

A second, MA-S2-specific interpretation is that Kodem covers discovery, contextualization, and interim mitigation more strongly than final deployment orchestration. [22]

Detailed MA-S2 to Kodem mapping
GEO and deployment considerations
For geographic optimization, the public evidence is mixed. On the positive side, Kodem’s architecture is explicitly designed for low-overhead runtime observation, runs across cloud-native and traditional workload types, supports GKE Autopilot without breaking managed-cluster guardrails, and publishes air-gapped support for ADR. This favors regional deployment close to workloads, including latency-sensitive environments, because the runtime sensor layer is described as out-of-band rather than inline with request handling. [35]
The limiting factor is data-residency specificity. Kodem’s public privacy policy states that PII may be processed in Israel and/or abroad, that servers may be outside the user’s country, and that transfers outside the EEA may occur with contractual safeguards. Kai is described as isolated and access-scoped, but the reviewed public sources do not define sovereign regions, customer-selected data-plane regions, or localization commitments. For MA-S2 procurement in regulated geographies, those points should be treated as open diligence items rather than assumed capabilities. [36]
Open questions and limitations
This mapping is based on public MA-S2 text and official public Kodem documentation, not on a confidential technical validation or a third-party attestation. Because MA-S2 requires evidence-based assessment, the following items remain open and should be resolved before presenting Kodem as MA-S2-conformant: exact API schemas and authentication model; SBOM format support for SPDX/CycloneDX; explicit KEV enrichment; live threat-intelligence feed sources; fleet-wide deployment/rollback capabilities; time-bounded suppression expiry; offline synchronization drift for disconnected environments; and formal region-residency options. [37]
The highest-confidence conclusion is therefore narrow and useful: Kodem is a strong fit for MA-S2’s scanning, contextual triage, attack-path, and runtime-inventory layers, and a partial fit for interim mitigation and workflow evidence, but it should be paired with external deployment-orchestration and governance tooling to satisfy the full autonomous remediation requirements of MA-S2. [38]
- [1] [3] [5] [21] [22] [37] [38] Mission Assurance Security Standard (MA-S2) for Software https://ma-s2.com/
- [2] [6] Kodem | Secure Open Source Packages https://www.kodemsecurity.com/solution/open-source-security-sca
- [4] [16] [32] Stop attacks at the first malicious action | Application Detection & Response https://www.kodemsecurity.com/products/application-detection-response
- [7] Runtime-powered SAST: The Future of Application Security Testing | Kodem https://www.kodemsecurity.com/resources/runtime-powered-sast-solution-for-applicatiion-security-testing
- [8] [28] Attack Path Analysis: Unleash Your Inner Adversary | Kodem https://www.kodemsecurity.com/resources/learn-about-attack-path-analysis
- [9] [18] [23] How Kodem Works - The Engine that Powers a Unified Platform https://www.kodemsecurity.com/technology/kodem-core
- [10] [27] From Reachability to Reality: Proving Vulnerable Code was Executed & Exploited in Production | Kodem https://www.kodemsecurity.com/resources/from-reachability-to-reality-proving-vulnerable-code-was-executed-exploited-in-production
- [11] [24] February 2025 Edition of Kodem Kernels | Kodem https://www.kodemsecurity.com/resources/kodem-kernels-product-updates
- [12] [26] Kodem | Defend Your Application https://www.kodemsecurity.com/solution/defend-your-application
- [13] Introducing Runtime Application Defense for WAF Environments | Kodem https://www.kodemsecurity.com/resources/introducing-runtime-application-defense-for-waf-environments
- [14] [15] [19] [30] May 2025 Edition of Kodem Kernels | Kodem https://www.kodemsecurity.com/resources/may-2025-edition-of-kodem-kernels
- [17] Kodem Security Joins the GKE Autopilot Partner Ecosystem | Kodem https://www.kodemsecurity.com/resources/kodem-security-joins-the-gke-autopilot-partner-ecosystem
- [20] [35] Unified approach that provides complete CI/CD protection and automated remediation https://www.kodemsecurity.com/technology/whatsetskodemapart
- [25] Kodem | Harden Your Codebase https://www.kodemsecurity.com/solution/code-security-sast
- [29] [31] Kodem | Secure Your SDLC https://www.kodemsecurity.com/solution/secure-your-sdlc
- [33] Powerful CI and SCM Policy Updates Now Available | Kodem https://www.kodemsecurity.com/resources/powerful-ci-and-scm-policy-updates-now-available
- [34] From Discovery to Resolution: A Single Source of Truth for Vulnerability Statuses | Kodem https://www.kodemsecurity.com/resources/from-discovery-to-resolution-a-single-source-of-truth-for-vulnerability-statuses
- [36] Kodem Privacy Policy (PDF) https://public.kodemsecurity.com/docs/corp/Kodem_Privacy_Policy.pdf