Fortreum acquires Reston-based cybersecurity firm

Kovr.ai emerged from stealth last year

Josh Janney //April 24, 2026//

SUMMARY:

  • acquired , combining AI compliance tools with cybersecurity auditing.
  • Kovr automates complex compliance processes like FedRAMP and CMMC.
  • startup founded by former AWS execs, emerged from stealth in 2025


-based cybersecurity assessment firm Fortreum last week announced it had acquired Reston-based AI compliance startup Kovr.ai, less than a year after the company emerged from stealth.

The deal brings together Kovr’s AI-driven compliance platform with Fortreum’s role as an independent cybersecurity assessor, expanding its ability to support organizations from compliance preparation to formal certification.

Terms of the transaction were not disclosed.

Tackling a costly compliance bottleneck

Kovr launched publicly in May 2025 with $3.6 million in seed funding. At the time, it positioned itself as an “AI-native” platform designed to automate cybersecurity compliance processes for government contractors and highly regulated industries. Many of those compliance requirements, including the Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC), are needed to win certain federal contracts or work with defense contractors.

The compliance processes, however, are notoriously burdensome.

“If you’re going to go for like a FedRAMP type of standard, the general rule of thumb is two years and $2 million,” Kovr CEO and co-founder Andrew Black said in an interview. “It’s a lot of time, it’s a lot of work, and it’s typically 2,000-3000 hours of work for that process to be accomplished. It is an enormous burden.”

Traditionally, companies must document hundreds of security controls, often manually in spreadsheets, while reviewing thousands of pages of technical evidence, pulling engineers away from actually securing systems.

Kovr’s platform aims to automate much of that effort by connecting to a company’s cloud systems, internal documents and security tools, then using AI to analyze the data against compliance requirements.

“We provide an assistant, basically, to people to do that [work] faster and better,” Black said.

According to Black, the platform gives companies real-time feedback on whether they meet compliance standards.

“We’ve never had this before,” he said. “So, imagine taking a test for which there is no rubric on whether or not you ever pass. Now you have the ability to know in real time whether or not you are passing that test.”

Kovr was co-founded in October 2024 by Black and Sri Iyer, both former Amazon Web Services executives, and grew quickly after its public launch, reaching seven-figure revenue and doubling quarterly, according to Black. Its customers ranged from to large enterprises and federal users, including deployments with the U.S. Air Force and Space Force and partnerships with companies such as Accenture Federal Services.

Why Fortreum?

Black said the company was not initially seeking a sale.

“We were not planning on selling the business,” he said. “That was absolutely not in the cards. But it’s always nice to be wanted, right?”

Nevertheless, Black said the company drew strong interest from investors and industry players as it demonstrated it could automate compliance work without lowering the standards required by auditors. He said Fortreum stood out for its reputation and deep bench of compliance expertise.

Fortreum, backed by Gryphon Investors, is known for conducting independent cybersecurity assessments, including for certification programs like FedRAMP and CMMC.

The acquisition allows the combined company to offer both compliance readiness and automation through Kovr and an independent audit through Fortreum. However, Black said the two companies plan to maintain strict separation between those functions to avoid conflicts of interest, even as they operate under the same umbrella.

“You can’t be on both sides,” Black said. “You can’t do the readiness side of helping someone get ready for an audit and then audit them, right? You can’t grade your own homework, basically.”

Kovr will continue as a distinct brand within Fortreum, and all employees are being retained, with some receiving promotions, he said.

Black declined to reveal the headcount of Kovr, the customer count and the exact acquisition timeline.

Modernizing compliance

A central component of the Kovr platform is “Agent Artemis,” an AI system that provides a unified interface for compliance data across cloud environments, security tools and documentation.

Fortreum emphasized that the system operates within a FedRAMP-authorized environment and includes a governance framework to ensure that AI-generated outputs are auditable and reviewed by human experts.

“This acquisition is about doing AI right — making our assessments better, not just faster,” Fortreum CEO James Leach said in a statement.

Launched in 2021, Fortreum announced in 2023 it would establish its headquarters in , moving from a co-working space in Ashburn.
