Roadmap

What's coming, and when?!

Your architecture assessment platform is constantly evolving. Here’s what’s coming next.


What’s Available Today

Cloud Platforms

  • Azure architecture assessments aligned with Microsoft Well-Architected Framework
  • Azure resource scanning and compliance monitoring
  • Drift detection and monitoring

AI-Powered Analysis

  • 34 specialized AI agents (Cloud Architect, Security, Cost Optimization, and more)
  • Real-time chat-based architecture consultations
  • Automated finding generation and remediation guidance

WAF Pillar Health Scoring

  • Per-pillar health scores (0-100) for Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency
  • Weighted scoring with logarithmic diminishing returns
  • Overall architecture health score with trend tracking
  • Drill-down from pillar scores to individual findings

Azure Health Checks & Governance

  • Resource health monitoring - real-time availability status for every Azure resource
  • Orphaned resource detection - find unattached disks, unused public IPs, and idle resources costing you money
  • Tag compliance auditing - ensure every resource has required tags for cost allocation and governance
  • Encryption & HTTPS enforcement checks - verify storage accounts, disks, App Services, and SQL databases
  • ARM limits & capacity planning - proactive alerts when approaching subscription limits for role assignments, resource groups, and policies
  • Storage security analysis - detect anonymous blob access, shared key access, public network exposure, and outdated TLS
  • Resource locks coverage - find critical resources without CanNotDelete or ReadOnly locks
  • CAF naming convention validation - check resource names against Cloud Adoption Framework naming patterns
  • Azure Service Health integration - surface active incidents, planned maintenance, and health advisories per subscription
  • Management Group hierarchy visualization - interactive tree with policy, RBAC, and subscription counts per node
  • Diagnostic settings audit - identify resources without logging or metrics across all resource types
  • Identity & RBAC audit - 18 security checks for over-privileged identities, orphaned roles, SP credential expiry, guest risks, and PIM eligibility
  • Network security & topology audit - NSG rule analysis, subnet IP capacity monitoring, private endpoint coverage gaps
  • Azure governance change tracking - policy and RBAC change audit trail with identity resolution and configurable time windows
  • Policy governance deep dive - orphaned policies, deprecated policy detection, DINE effect tracking, exemption expiry monitoring
  • Azure Landing Zone validation - compare deployed policies against ALZ archetype definitions with version drift detection
  • Configuration drift detection - compare deployed resources against IaC definitions (Bicep, Terraform, ARM, Pulumi) with severity classification

Compliance Framework Mapping

  • Azure Policy-to-framework mapping database linking policies to ISO 27001, NIS2, SOC 2, and GDPR controls
  • DB-backed control catalog with real control IDs, names, descriptions, and sections from authoritative framework definitions
  • Per-control and per-policy mapping queries with confidence levels (Verified, Inferred, Partial)
  • Mapping statistics and admin verification API endpoints
  • Replaces AI-inferred compliance mappings with deterministic, audit-ready relationships
  • Foundation for SOC 2, ISO 27001, and regional compliance assessment templates

Professional Reports & Exports

  • PDF assessment reports with tenant branding, cover pages, WAF scores, compliance mapping, and remediation guidance
  • PowerPoint exports with executive summary slides, WAF radar charts, top findings, and recommendations
  • AI-generated executive summaries for C-level stakeholders in any supported language
  • Secure assessment sharing via time-limited links for external stakeholders

Workflow Integrations

  • Jira integration - create issues from findings with severity-to-priority mapping and bidirectional status sync
  • ServiceNow integration - generate incidents and change requests from findings with custom field mapping
  • Webhook events for assessment completion, finding creation/resolution, and document generation with delivery log and retry

Collaboration

  • Comments and annotations on findings and assessments with threaded replies and @mention notifications
  • Finding assignment and ownership with due dates, bulk assignment, and “my assignments” view

Assessment Quality & Trust

High-confidence findings you can act on — every recommendation comes with evidence of why it matters and rigorous internal challenge before it reaches you.

  • Devil’s Advocate Reasoning — Before surfacing any High or Critical finding, agents must argue “why might this NOT be a genuine gap?” Findings that survive scrutiny are marked Confirmed; those that don’t are downgraded
  • Confidence Levels — Every finding carries a Confirmed / Likely / Possible confidence badge based on the quality of evidence (direct observation, strong inference, or hypothetical)
  • Source Attribution — Each finding identifies which agent detected it and which resources or documents it was derived from
  • 3-Pass Adversarial Review — After an assessment completes, three independent challenger passes (Security, Cost, Resilience) re-examine all findings in parallel. You see the challenge results and acknowledge them before the assessment is finalized
  • AI Output Quality Monitoring — Thumbs-up/down feedback on every AI response drives continuous quality tracking and improvement

Architecture Decision Records (ADRs)

  • Automatically generate MADR-format ADRs from High and Critical assessment findings via the ADR agent
  • Export individual ADRs as Markdown or download all as a ZIP bundle
  • ADRs stored alongside the assessment and linked to the originating finding

Tenant Shared Memory

The platform learns from every assessment you run.

  • Persistent Architecture Memory — Key patterns, recurring issues, and successful remediations are remembered across sessions and automatically injected as context into future assessments
  • Recurrence Tracking — When the same finding appears across multiple assessments, its recurrence count and confidence score increase automatically, surfacing your most persistent risks
  • Memory Dashboard — Browse, search, and manage your tenant’s architecture memory, with “Most Recurring” sorting to prioritize what needs attention

Resilient AI Workflows

Never lose progress on complex assessments.

  • Three-Level Failure Recovery — Automatic retries with accumulated context (inner loop), LLM-powered workflow adaptation (middle loop), and structural replanning (outer loop). Assessments always produce output, even when parts encounter errors
  • Transparent Gap Tracking — When an assessment can’t fully evaluate something (missing permissions, timeout, scope reduction), the gap is explicitly documented — not hidden. You’ll know exactly what was and wasn’t assessed
  • Resume from Checkpoint — Long-running assessments checkpoint progress. If something fails mid-assessment, resume from where you left off instead of starting over
  • Parallel Assessment Phases — Independent analysis phases (identity, network, compute, storage) run in parallel using a dependency graph, completing faster without sacrificing coverage

Multi-Language Support

  • Generate documents and executive summaries in English, German, French, and Dutch
  • Per-tenant language preference with per-document language override

Microsoft 365 Assessments

  • M365 Architect agent evaluating security, compliance, identity, and collaboration configurations
  • M365 Security Baseline questionnaire (26 questions across 6 categories)
  • M365 Governance questionnaire (15 questions across 6 categories)
  • 4-agent assessment pipeline: M365 Architect → Security & Compliance → Identity Governance → Remediation
  • Works independently of Azure subscriptions
  • Microsoft Graph data collector — connect your customer’s M365 tenant via Service Principal to collect Entra ID, Intune, Defender, and M365 service configuration data for AI-powered assessments
  • Credential validation with granted/missing permission detection
  • Snapshot-based collection history with 90-day retention

M365 Automated Security Scanning

Move beyond questionnaire-based assessments to automated, evidence-based validation against industry benchmarks.

  • CIS M365 Benchmark Compliance - 93 automated checks against CIS Microsoft 365 Foundations Benchmark v6.0.0 covering identity, data management, email security, applications, auditing, storage, and devices
  • CISA SCuBA Baseline Validation - 77 checks validating M365 configuration against CISA’s Secure Cloud Business Applications baseline across Entra ID, Exchange Online, Defender for Office 365, SharePoint, Teams, and Power Platform
  • Entra ID Security Config Analysis (EIDSCA) - 44 automated checks on Entra ID configuration covering authorization policies, conditional access, authentication methods, and admin consent
  • Community Security Checks - 71 community-driven checks across Conditional Access, Identity, Privileged Access, and Applications
  • M365 Security Trend Dashboard - Track your M365 security posture over time with per-framework compliance scores, trend charts, scan comparisons, and time-to-remediate metrics

Cloud Sovereignty & Digital Independence

  • Sovereignty assessment agent scoring workloads against EUCS, BSI C5, and SecNumCloud frameworks
  • Sovereignty readiness questionnaire capturing drivers, constraints, and three sovereignty dimensions
  • Cloud exit strategy planner with portability scoring, lock-in identification, and phased migration timelines
  • European provider knowledge base mapping Azure/AWS services to OVHcloud, Hetzner, IONOS, Scaleway, and more
  • Sovereignty compliance dashboard with jurisdiction risk indicators and trend tracking
  • Migration playbook generator for VMs, Kubernetes, databases, storage, identity, and monitoring workloads
  • Data flow and jurisdiction mapping with cross-border transfer discovery and Schrems II risk flagging
  • European compliance framework controls: EUCS, BSI C5, SecNumCloud, Gaia-X, TISAX, ENS

Zero Trust Assessment

  • Zero Trust Check Engine with 14 deterministic checks across Identity, Devices, Data, and Security Operations pillars
  • Per-pillar and overall Zero Trust posture score (0-100) with configurable pillar weights
  • Severity-weighted scoring with logarithmic diminishing returns
  • YAML-based check definitions for extensibility
  • Checks evaluate Microsoft Graph data snapshots collected via the M365 data collector
  • Zero Trust assessment workflow with dedicated agent pipeline
  • 3 AI agent tools for running checks, retrieving results, and listing definitions
  • Automatic conversion of ZT findings to tracked findings with WAF and compliance mapping
  • Zero Trust Dashboard with score cards, trend charts, and pillar drill-downs
  • Scheduled recurring assessments with trend analysis over time
  • AI-generated remediation playbooks with PowerShell scripts and rollback procedures
  • PDF/PPTX export with ZT-specific layouts and radar charts
  • Hybrid assessment combining Azure infrastructure + Zero Trust tenant checks

Identity & Security Scanning

Go beyond resource configuration — scan the identity plane where the most dangerous attacks originate. Informed by real-world offensive security techniques used by red teams.

  • Service Principal Credential Audit - Detect expired credentials, approaching expiry, and credential sprawl across Entra ID
  • Privileged Service Principal Detection - Identify SPs with dangerous Graph API permissions using 4-tier criticality classification
  • Federated Identity Credential Audit - Detect unauthorized trust relationships on managed identities including GitHub Actions federation
  • Application Registration Security - Find rogue app registrations, credential injection patterns, external owners, and multi-tenant exposure
  • Managed Identity Permission Audit - Check MIs for over-privileged RBAC roles and unusual Graph API permissions
  • Key Vault Security Posture - 8 hardening checks: soft-delete, purge protection, RBAC mode, network access, private endpoints
  • Public Resource Exposure - Audit 12+ Azure resource types for public endpoint exposure
  • Diagnostic Settings Integrity - Detect stealth log tampering (logs disabled but metrics enabled)
  • Guest User Risk Detection - Privileged guest accounts and stale guest users
  • SP Credential Expiry Tracking - Service principal credential lifecycle monitoring

Collaboration & Security

  • Multi-tenant workspaces with role-based access
  • GitHub document synchronization
  • Audit logging and GDPR compliance
  • SSO via Microsoft Entra ID

Visual Architecture Design

Design your architecture visually and let AI validate and generate code from your diagrams.

  • Interactive Diagram Editor - Drag-and-drop Azure services onto a Cytoscape-powered canvas to design your architecture visually. Create nodes, connect them with labeled edges, and organize resources into clusters (VNets, subnets, resource groups). Features grid snapping, auto-layout, zoom/pan, and real-time spec synchronization
  • AI Architecture Critic - Get a second opinion on your visual designs with adversarial AI validation. The Design Critic agent analyzes diagrams for security gaps, reliability concerns, cost inefficiencies, and WAF alignment issues with actionable recommendations
  • One-Click Auto-Fix - Automatically remediate identified issues with a single click. The Auto-Fix agent proposes spec changes that resolve findings, explaining each modification before you apply it
  • Diagram Export - Export your visual architectures to PNG or SVG format for documentation and presentations
  • Available on Team plans (€499/month) and above

AVM-First Infrastructure as Code

Generated Bicep and Terraform always start with official, community-backed modules.

  • Azure Verified Modules (AVM) — All IaC generation prioritizes AVM registry modules (br/public:avm/res/...) before falling back to raw resource definitions. 45 modules catalogued across Compute, Storage, Networking, Database, Identity, Security, and more
  • AI Provenance in Exports — Every generated IaC file, PDF, ADR, SVG, and ZIP export carries machine-readable AI provenance metadata (header comments, XMP, frontmatter), satisfying EU AI Act Art. 50 transparency requirements for automated artifact traceability

Governance Constraint Discovery

Understand the guardrails in place before generating or deploying any code.

  • Azure Policy Constraint Analysis — Discover active governance constraints (allowed locations, allowed SKUs, required tags, naming patterns, network isolation, encryption requirements, deny policies) directly from your Azure Policy configuration
  • Constraint-Aware Generation — IaC Engineer and Architecture Review agents check discovered constraints before generating recommendations, ensuring output complies with your organizational guardrails out of the box

AI Transparency & EU AI Act Compliance

PAA is fully compliant with EU AI Act transparency obligations. Every interaction with AI is clearly identified, every AI-generated output is labeled, and customers have formal channels to report concerns.

  • AI Interaction Disclosure — Clear banners on all AI-powered screens inform users they are interacting with an AI system, before the first interaction
  • AI-Generated Content Labels — Visual badges on every chat message, assessment finding, generated IaC file, and exported document clearly mark AI-generated content
  • Machine-Readable AI Provenance — Exported artifacts (IaC, PDF, ADR, SVG, ZIP) carry machine-readable provenance metadata parseable by standard tools — satisfying Art. 50 beyond visual-only labeling
  • Customer AI Incident Reporting — In-app “Report AI Issue” button with structured intake, severity classification (Critical → 24h response, High → 72h), and full audit trail
  • AI Help Documentation — Dedicated help resources explaining AI capabilities, limitations, and appropriate use for every agent in the platform
  • AI Literacy Program — Formal literacy materials for internal staff and customers (EU AI Act Art. 4 + Art. 25)

Subscription Tiers

  • Free, Team, Business, and Enterprise plans
  • MSP Partner program for managed service providers
  • Fractional Architect tier with human expert consultations
  • Token overage pricing - Never be cut off; pay €0.024/1K tokens for usage beyond your monthly limit

Usage Dashboard

  • AI token usage tracking - See your current token consumption, % of monthly limit, and input/output breakdown in real time
  • Daily usage trend charts - Visualise token consumption and estimated cost over 7, 30, or 90-day windows
  • 80% usage warnings - In-app alerts when approaching your monthly token allocation
  • Budget visibility - Projected end-of-period spend and budget status at a glance
  • Available from Settings → Usage (Team plan and above)

Specialized Architects

Purpose-built AI agents for deep technical domains beyond general cloud architecture.

  • Security Architect - Deep-dive security assessments with OWASP, NIST, and CIS benchmark analysis, threat modeling, and security posture scoring
  • Kubernetes Architect - AKS/EKS/GKE architecture reviews, pod security policies, service mesh assessment, and container hardening guidance
  • Data Platform Architect - Data lakehouse, ETL/ELT pipelines, governance frameworks, and ML platform architecture assessment
  • Disaster Recovery Planner - DR/BC strategy development, RTO/RPO analysis, failover architecture design, and recovery playbook generation

Guided Onboarding

Get up and running quickly with a personalized onboarding experience tailored to your role and subscription tier.

  • Multi-step wizard - Step-by-step guidance through workspace setup, Azure connection, team invitations, and feature discovery
  • Role-based paths - Owners get workspace configuration, admins get team management, members get feature tours
  • Tier-aware features - See features relevant to your subscription tier (Business+ sees Azure integration, MSP sees client management)
  • Progress tracking - Resume where you left off, skip optional steps, and see your completion percentage
  • Dashboard integration - Continue onboarding from the dashboard or dismiss and explore on your own

Now Building

Billing & Usage Transparency

  • Overage Billing - Automatic invoicing for token usage beyond your monthly limit at €0.024/1K tokens
  • 80% Usage Alerts - Email notifications when you reach 80% of your monthly token allocation
  • Budget Controls - Optional hard cap setting to prevent overage charges

On the Horizon

AWS & Multi-Cloud Support

Extend your architecture governance across all your clouds.

  • AWS Cloud Architect - Assessments aligned with AWS Well-Architected Framework
  • AWS Resource Scanning - Automated discovery and analysis of your AWS infrastructure
  • AWS Assessment Templates - Pre-built questionnaires for common AWS architectures

Smart Automation

Let the platform do the heavy lifting with intelligent automation features.

  • Requirements Autopilot - Describe what you need in plain language and get a structured architecture proposal to review
  • Compliance Auto-Detection - Automatically detect which compliance frameworks apply based on your resources and regions
  • IaC Validation - Generated code is validated against live provider schemas before you deploy

Zero Trust Assessment — Expanding

The Phase 1 Zero Trust Check Engine is live with scheduling, trend analysis, AI remediation, and hybrid assessments. We’re now expanding the check library.

  • 415+ Deterministic Security Checks - Expanding from 14 Phase 1 checks to 415+ across all 7 Zero Trust pillars (adding Network, Infrastructure, and DevSecOps) queried directly from Microsoft Graph API
  • Radar Chart Visualization - Interactive in-app radar chart showing per-pillar Zero Trust scores with drill-down to individual findings

M365 Automated Scanning — Coming Soon

CIS, SCuBA, EIDSCA, and Community security checks (285 total) are live. The following are coming next:

  • Automated Scheduled Scans - Run M365 security scans on a schedule (daily, weekly, monthly) with alerts on new failures or score regression
  • Unified Compliance View - M365 security findings mapped to ISO 27001, NIS2, GDPR, and SOC 2 alongside your Azure infrastructure compliance

GRC Module (Governance, Risk & Compliance)

Transform PAA from a technical assessment platform into a complete GRC solution. Bridge the gap between automated security scanning and organizational governance, inspired by open-source GRC leaders like Eramba and CISO Assistant.

  • Risk Register - Document, assess, and track organizational risks with configurable 5×5 risk matrices, likelihood/impact scoring, and treatment workflows (Accept, Mitigate, Transfer, Avoid)
  • AI-Powered Risk Identification - Automatically identify and categorize risks from assessment findings using AI agents, with suggested risk ratings and treatment recommendations
  • Policy Lifecycle Management - Create, version, approve, and publish policies with full audit trail. Track employee acknowledgments and schedule automated review reminders
  • Control Testing & Evidence - Schedule control testing cycles, record effectiveness scores, and collect evidence attachments for audit readiness
  • Internal Audit Management - Plan audit programs, execute fieldwork, track findings with CAPA workflows, and monitor remediation to closure
  • Vendor Risk Management (TPRM) - Maintain a vendor registry with risk tiering, conduct security assessments using standardized questionnaires, track contract renewals and compliance certifications
  • Incident Tracking - Document security incidents with structured timelines, root cause analysis, lessons learned, and link to failed controls for continuous improvement
  • Exception Management - Formal exception request and approval workflows with expiry dates, compensating control documentation, and renewal tracking
  • GRC Executive Dashboard - Unified view across all GRC modules: risk heatmap, policy compliance, control effectiveness, open audit findings, and exception status

Combines process-oriented GRC (like Eramba) with automated technical compliance (PAA’s unique strength) — no other platform offers both.


Additional Workflow Integrations

Bring findings into even more tools and processes.

  • Terraform Cloud - Analyze your IaC state for drift and architecture compliance

Enterprise AI Options

Choose the AI provider that meets your security and compliance requirements.

  • Azure OpenAI Service - Use your own Azure OpenAI deployment for data sovereignty
  • Additional Providers - Support for Mistral AI and other leading models
  • Local AI Option - Run assessments with self-hosted models for maximum privacy


Future Plans

Expanded Cloud Coverage

  • Google Cloud Platform - GCP Architecture Framework assessments
  • Vendor Dependency Analysis - Deep supply chain analysis mapping sub-processors and CLOUD Act exposure across your cloud stack
  • Sovereign Architecture Templates - Pre-built reference architectures for European providers and hybrid on-premises configurations

Enterprise Features

  • Universal SSO - SAML and OIDC support for any identity provider
  • White-Label - Custom branding for MSP partners
  • Public API - Build custom integrations with our documented API
  • Compliance Templates - SOC 2, ISO 27001, and regional framework assessment templates (built on the policy-to-framework mapping database)

Global Platform

  • Localized Interface - Platform UI in multiple languages
  • Regional Compliance - Templates for GDPR, NIS2, BSI C5, and more
  • Data Residency - Choose where your data is stored

How We Prioritize

Our roadmap is driven by customer feedback. We prioritize features based on:

  • Customer demand - What you tell us you need most
  • Market reach - Features that benefit the most users
  • Strategic value - Capabilities that differentiate PAA
  • Technical foundation - Building blocks for future innovation

Share Your Feedback

Your input shapes our roadmap. Tell us what features matter most to you:

  • Email: [email protected]
  • In-app feedback: Use the feedback button in the platform
  • Customer success: Talk to your account manager

Feature Requests

Have an idea that’s not on our roadmap? We’d love to hear it. Submit feature requests through our feedback portal and vote on ideas from other customers.


Roadmap Updates

This roadmap is updated quarterly. Last update: March, 2026

Note: This roadmap represents our current plans and is subject to change. Features and timelines may be adjusted based on customer feedback, technical considerations, and market conditions. Items listed do not represent commitments or guarantees.


Building the future of architecture assessment, together.