adamant – Efficient IT Security and Compliance

adamant is an open source tool for the management of security requirements. It allows your organization to utilize a continuous approach to ensure compliance with security standards and best practices.

  • enables systematic documentation of security requirements from different sources
  • establishes traceable links between security requirements and the actual IT landscape
  • provides real-time compliance information
  • enhances the automation degree in security requirements surveillance
  • ensures definition of high-quality and non-conflicting security requirements


By using adamant in your organization you can:

  • establish efficient IT security management
  • ensure compliance with high-level business security goals
  • increase the quality and effectiveness of security audits
  • accelerate certification processes
  • benefit from automated security workflows and reporting facilities
  • reduce security risks

security requirements connected with your IT landscape

adamant uses a dedicated model to store security requirements and link them with artifacts of the IT landscape. Thereby each security requirement is put in context of the actual IT landscape of your enterprise.

You can use adamant to easily identify requirements defined to protect certain asset or identify assets that are not considered by your IT security initiative.

systematic documentation of security requirements across their complete lifecycle

adamant distinguishes three lifecycle phases for security requirements – Definition, Monitoring and Disposal. During each phase adamant ensures quality constraints and uses customizable state machines to realize appropriate workflows. adamant stores every alteration made to security requirements and provides full traceability.

You will always know why certain requirements are fulfilled and who confirmed their fulfillment.

intuitive stakeholder-centric visualizations

adamant is designed to foster high participation of diverse stakeholder groups. Interactive and customizable visualizations ensure that the correct mental model is established and stakeholders always receive information in an understandable und intuitive fashion.

support for customizable rule-based workflows

Your enterprise will evolve and thus your security requirements will have to change as well. adamant provides rule-based workflows to automatically react to changes of your IT landscape and ensure compliance even in agile settings. Utilizing rules, adamant will create appropriate security requirements for new elements of your IT landscape (such as IT services, applications or servers) and will ensure that responsible stakeholders take immediate action.

high degree of automation across technical or organizational boundaries

Apart from automated workflows adamant can harness the power of established security tools or external sensory information. Configure adamant to periodically call external tools (e.g., reactive password checker, port scanner) and change requirement states according to their output.

template system for reoccurring requirements and standards

adamant provides a fully customizable template system to define blueprints for security requirements. Stakeholders may use these blueprints to quickly define new requirements in accordance with your enterprise demands.

Templates greatly reduce the effort to define new requirements and help to raise the quality of requirements. adamant’s template system has been tested with the Payment Card Industry Data Security Standard (PCI DSS) and the IT Baseline Protection Catalogues.

automated conflict detection

Enterprises working with security requirements from different sources and operating in different legal settings will highly appreciate the automated conflict detection offered by adamant. Conflicting requirements are safely identified and acted upon resulting in fast resolution of conflicts.

import of landscape models from different sources

adamant fully integrates with existing IT landscape documentation initiatives through customizable import modules. Instead of reproducing relevant parts of your IT landscape documentation in adamant, you let adamant import data from your existing sources.

open source and extensible

We licensed adamant under the Eclipse Public License V1.0. You are free to download the source code and extend adamant according to our needs. The underlying architecture is well documented and offers distinct extension points as well as a plug-in-system to enhance adamant’s feature set.

live demo

We offer a live demo for adamant. Let us know, if you are interested in testing adamant first hand. Fill out the form below and we will send your personal credentials and instructions for the adamant live demo.


adamant has been successfully evaluated by business partners. Here is what they have to say:

  • Security Manager: "Usually, I would send an email to the auditee and they will send me the documents [..] the tool removes this step."
  • Internal Auditor: "This tool makes many manual tasks obsolete"
  • Security Manager: "The template engine saves us a couple of hours [..] when implementing new Security Requirements"
  • Security Manager: "The time to identify conflicting Security Requirements for a new customer could be brought down from several hours to mere minutes"


Ing. Michael Brunner, MSc.
Phone: + 43 512 507-53324
Mag. Christian Sillaber, MSc., MSc.
Phone: + 43 512 507-53296

Research Group Quality Engineering
Institute of Computer Science
Technikerstraße 21a
6020 Innsbruck

source code

You may download the source-code of adamant via this link. Instruction to build, deploy and configure adamant are provided with the source code.

Please contact us if you wish to participate in the development of adamant.


Offenlegung nach § 25 MedienG

Medieninhaber und Herausgeber (inhaltliche und redaktionelle Verantwortung):
Quality Engineering
Institut für Informatik
Universität Innsbruck
Technikerstr. 21 a
A – 6020 Innsbruck

fax: +43 (0) 512 / 507 – 987
mail: ruth.breu(at)

Institut für Informatik:

Die Inhalte dieser Webseiten werden mit Sorgfalt bearbeitet. Dessen ungeachtet kann keine Garantie für die Richtigkeit, Vollständigkeit und Aktualität der Angabn übernommen werden. Eine Haftung des Instituts für Informatik wird daher ausgeschlossen.

Das Copyright für veröffentlichte, vom Herausgeber selbst erstellte Inhalte und Objekte bleibt allein beim Herausgeber der Seiten. Eine Vervielfältigung, Verarbeitung, Einspeicherung oder Verwendung solcher Grafiken, Ton- und Videodokumente sowie Texte in anderen elektronischen oder gedruckten Publikationen ist ohne ausdrückliche Zustimmung des Autors nicht gestattet. Unberührt davon bleibt das Kopieren und Herunterladen für den privaten, wissenschaftlichen und nicht kommerziellen Gebrauch.

Die Links zu anderen Websites wurden sorgfältig ausgewählt. Da Quality Engineering auf deren Inhalte keinen Einfluss hat, übernimmt es dafür keine Verantwortung.

Consulting, Corporate Identity, Design and Logo: Stefan Gerstorfer and Ruth Stubenvoll