Concrete CMS

Concrete CMS models content through page attributes (text, textarea, boolean, image/file, address, date, number, URL, email, rating, select, topics, etc.) and the Express system for custom relational data objects. ~12–15 built-in attribute types cover most use cases but there is no repeater/matrix field equivalent for page attributes. No schema-as-code option. Custom attribute types require PHP development.

Express supports associations (one-to-many and many-to-many) between Express objects, with traversal available through the PHP API. Page-to-page relationships exist via the Page Selector attribute and page alias system. Relationships are functional but not graph-native; there is no bidirectional query API or reverse-lookup shorthand comparable to Craft or Hygraph.

Block-based page composition is Concrete CMS's core paradigm — content areas hold multiple block types that can be reordered. Express blocks allow embedding structured data objects inside pages. However, there is no matrix/nested-block field for deeply composing structured components within a single entry; nesting is limited to the page-level block stack.

Each attribute type includes standard validation rules: required, text min/max length, file type and size restrictions for image/file attributes, date range constraints. Unique constraint support for Express attributes was added in 9.1.0. Custom validation is achievable via PHP event hooks pre-save. No cross-field validation GUI or rule-engine builder.

Page versioning is a core Concrete CMS feature: every edit creates a new version, full version history is viewable, rollback is one click. The 9.1.0 release added HTML diff comparison between arbitrary page versions. Scheduled publishing is natively supported. No content branching or diff UI for non-page content (Express objects, files).

In-page visual editing is Concrete CMS's founding differentiator. Editors click any content area on the live page, add blocks, and drag-and-drop to rearrange — no form-based panel required. Non-technical users can reorganize page layouts entirely within the front-end. This is genuine in-page visual editing comparable to best-in-class, making it one of the strongest scorers on this criterion among traditional CMSes.

Concrete CMS 8+ uses CKEditor as the standard rich text editor, providing solid formatting, embedded images/files, and paste handling. Output is HTML blob stored in the database. No portable AST format; custom node types require CKEditor plugin development. Adequate for web-first publishing but not channel-agnostic.

Concrete CMS includes a file manager with folder organization, search, metadata fields (custom attributes on files), and basic in-browser image editing. No documented native image transform system with focal point or WebP/AVIF output. CDN integration is available via external configuration (CloudFront, Azure Blob Storage) but not built in. Below average for modern media handling.

No evidence of real-time co-editing in Concrete CMS. The version/approval workflow model is sequential — editors create a draft that routes through approvers. Last-write-wins behavior applies when multiple users edit concurrently without locking. No presence indicators or conflict resolution documented.

Workflow is a native Concrete CMS feature. Editors can attach multi-stage approval workflows to any page or page type via permissions. Role-based stage transitions, notification emails, and audit trail via version history are supported. Scheduled publishing integrates with workflows. More capable than a basic draft/published toggle and does not require a plugin.

A built-in REST API with OAuth2 and OpenID Connect authentication is available since Concrete 9.2+. Documented endpoints cover pages, files, Express objects, and more. No GraphQL API — the 2022 proposal noted GraphQL work had 'not yet been started' and there is no evidence it has shipped as of 2025/2026. REST API is functional for headless use but not built with headless-first filtering/sorting depth.

Concrete CMS is primarily self-hosted open source with no built-in CDN. CDN integration requires external configuration (CloudFront, Azure CDN) following community tutorials. The official enterprise hosting from the Concrete CMS team includes managed infrastructure but is not a globally distributed CDN with sub-second cache purge. Score reflects the majority self-hosted deployment pattern.

Concrete CMS has an internal PHP application events system (on_page_version_approve, etc.) but no native HTTP webhook delivery layer. Outbound webhooks are not a documented built-in feature; the marketplace may have add-ons. No HMAC payload signing, retry logic, delivery logs, or per-event filtering documented in core.

Concrete CMS is a traditional coupled CMS with a REST API added as a secondary capability. Rich text output is raw HTML, not a channel-agnostic AST. There are no official SDKs for JavaScript, Swift, Kotlin, or other non-PHP runtimes. The platform can serve as a headless backend via REST but was designed for web-first Twig templating and does not match the multi-channel output quality of purpose-built headless platforms.

Concrete CMS has a native user group and user attribute system that drives block-level content visibility rules — basic rule-based segmentation for logged-in users. No CDP integration or real-time behavioral segmentation engine exists. Functional for gated/role-based content but well short of modern marketing segmentation.

Block-level show/hide based on user group membership is the extent of native personalization — no content variant system, no in-editor audience preview, and no external decision engine bridge. Adequate for access-controlled content but not for marketing personalization scenarios.

No native A/B testing exists in Concrete CMS core or as an official first-party marketplace add-on. Any experimentation requires fully external tooling. Score reflects complete absence of built-in experimentation.

No built-in algorithmic recommendation engine exists in Concrete CMS. Content discovery relies entirely on manual editorial curation (related pages blocks, manual linking). No ML-based or collaborative filtering capability found in core or marketplace.

Concrete CMS ships with full-text search backed by MySQL FULLTEXT indexing, covering page name, description, and text content fields. Faceting, typo tolerance, and advanced relevance tuning are absent. Adequate for small-to-mid sites but lacking enterprise search features.

No official Algolia or Elasticsearch marketplace add-on exists for Concrete CMS. Community Packagist packages for Algolia are minimal and unsupported. Custom webhook-based indexing is possible but requires full custom development with no supported patterns.

The Community Store is a widely adopted, actively maintained free add-on providing a full e-commerce stack (product catalog, cart, checkout, shipping modules, payment integrations) within Concrete CMS. It receives active 2025–2026 development. Not as high as true core commerce because it is add-on dependent, but it is the de facto standard.

Two Shopify integration add-ons exist on the marketplace (eCommerce with Shopify, Hutman Shopify Integration), providing product embed and checkout bridging at the product picker / embed level. No deep bidirectional sync or live product federation. No commercetools, BigCommerce, or SFCC connectors found.

Community Store provides product-specific field patterns (name, description, attributes, images, SKUs) within Concrete CMS's content model. Editorial product management is functional but relies on generic content types repurposed with product structure — not as sophisticated as purpose-built PIM tools.

Concrete CMS provides built-in page-view statistics, download statistics, form results tracking, and featured Matomo integration. An Extended GA dashboard add-on surfaces GA data in the CMS UI. Goes beyond operational metrics but lacks deep engagement analytics.

Google Analytics tracking code injection is natively supported via Dashboard → System & Settings → Tracking Codes. Matomo is a featured first-party integration. Extended GA add-on provides OAuth2-based GA data in-CMS. No documented Segment or Amplitude connectors, keeping this below the 65+ tier.

Concrete CMS has a well-established native multi-site architecture where a single installation hosts multiple language/locale site trees with shared components and block types. Dashboard-level management is centralized. Governance tools are basic but multi-site capability is a known platform strength.

Document-level localization via separate page trees per locale with built-in copy-locale functionality and locale associations. RTL language support is native. Field-level localization is not available — content changes require page-level duplication. Solid for mid-market multilingual use cases.

A Translations Manager add-on and translate.concretecms.org exist for UI/interface string translation. No official integrations with enterprise TMS platforms (Phrase, Smartling, Lokalise, Crowdin) were found. Page content translation is primarily manual, placing this at the webhook-only / manual tier.

User group permissions and multi-site trees can approximate brand separation but no dedicated cross-brand governance tools, shared component libraries with policy enforcement, or global style/approval workflow controls exist. Multi-site is present but governance is basic permissions only.

Concrete CMS has a capable file manager with custom metadata attributes (the docs explicitly describe building a DAM system via attributes), folder structure, asset versioning with rollback, usage tracking across pages, per-file permissions, and download statistics. Missing: rights/expiry management, no built-in CDN on self-hosted, and no AI tagging for self-hosted tier. Solid for a traditional CMS but not a purpose-built DAM.

CDN delivery on self-hosted requires third-party add-ons (Use CDN, Amazon S3, Azure Blob + CDN); built-in CDN only on SaaS tiers. Thumbnail generation with configurable dimensions is native but WebP requires a $20 marketplace add-on and AVIF is unsupported. Basic image crop/resize via built-in editor. Not qualifying for 40+ without native CDN and WebP.

No native video hosting, transcoding, or adaptive bitrate delivery in Concrete CMS. Video files can be stored in the file manager as static assets but there is no thumbnail generation, caption management, or streaming capability. Video presentation relies on embedding external services (YouTube, Vimeo).

In-context drag-and-drop editing is the defining identity of Concrete CMS since its concrete5 era. Editors toggle Edit Mode to drag blocks into areas on the live page, seeing exactly what visitors see. Layout blocks support multi-column structures. Component library of 20+ native block types plus marketplace extensions. One of the strongest traditional CMS visual editing experiences.

Two built-in workflow types: Basic (single-step) and Enterprise (multi-step, role-based routing). Enterprise Workflow assigns different decision-makers at each stage, includes email notifications, a full audit trail of approvals/rejections, and a 'Waiting for Me' approval inbox. Approval batches allow bulk section launches. No visual workflow state machine builder — routing follows a sequential model only.

Scheduled publishing with FROM and TO date/time fields is natively supported on pages — content goes live at FROM and auto-unpublishes at TO. Workflows and scheduling can be combined. A Production Mode feature (since 9.2.0) distinguishes dev/staging/live environments. No full editorial content calendar UI; release bundles are not a documented feature.

No real-time simultaneous editing, presence indicators, or inline commenting found in Concrete CMS. Collaboration is entirely workflow-based and asynchronous — editors submit, reviewers approve/comment via the workflow system. Version history with author attribution exists but there is no conflict-free collaborative editing implementation.

Native drag-and-drop form builder supports CAPTCHA (SecurImage + reCAPTCHA), submission storage in DB with CSV export, email notifications, and multiple field types. Conditional field logic is absent natively; multi-step forms require the Form Reform marketplace add-on. Solid basic form builder without progressive profiling.

No native email campaign capability. Only a community Mailchimp add-on (JeRo's) exists, providing a subscribe form block with API v3 integration and Ajax submission — subscriber list sync only, no content push or triggered sends. No HubSpot, Salesforce Marketing Cloud, Brevo, or other ESP connectors found.

No native marketing automation capability exists in Concrete CMS — no behavioral triggers from CMS events, no drip campaign orchestration, no lead scoring. No tight integration with an automation platform found in the marketplace. Concrete CMS is not positioned as a marketing automation platform.

No native CDP capability and no Segment, mParticle, Tealium, or other CDP connectors found in the marketplace. Google Tag Manager can be injected via tracking codes to route events to a CDP indirectly, but this is not a supported integration. CDP integration is fully DIY.

The relaunched market.concretecms.com (2024) offers add-ons across categories (Navigation, Media, SEO, Social, Accessibility, Ecommerce, Storage, Members). Notable integrations include Shopify, Snipcart, Mailchimp, Stripe, Amazon S3, and Azure CDN. The catalog is likely in the low hundreds — substantially smaller than WordPress or Drupal. Quality guidelines added in the 2024 relaunch.

No native outgoing webhook system exists in Concrete CMS — no UI to configure endpoints, event triggers, retry logic, or signed payloads. The PHP application event system fires internal events (on_user_add, page events, file events) that developers can hook into with custom code. Outgoing HTTP webhooks require custom development with no supported patterns.

Concrete CMS is fundamentally a coupled CMS — headless delivery is not a positioning. The REST API (OAuth2, covering Pages, Files, Users, etc.) was designed for management operations, not content delivery. Draft versions are viewable by logged-in users with permissions but there are no shareable external preview links. Production Mode (since 9.2.0) distinguishes dev/staging/live environments at the server level.

Concrete CMS has a notably granular permission architecture: custom role creation, group-based assignments, content-level ACL per page/section, time-based permissions (restrict by timeframe), and permission exclusions for individual users. No field-level attribute permissions documented. SSO/SAML is absent natively; a limited LDAP add-on exists but community forums confirm it requires custom server configuration and lacks true SSO.

Concrete CMS ships a built-in REST API since 9.2+ with OAuth2 and OpenID Connect authentication; a community API Proposal package (9.1.1+) adds more endpoints documented via Swagger UI. No GraphQL API exists — the 2022 proposal explicitly stated 'GraphQL work has not yet been started' and no evidence of delivery by 2026 was found. Filtering and sorting depth is limited compared to headless-first platforms.

Concrete CMS is a self-hosted PHP platform with no built-in CDN or documented API rate limits. CDN integration requires external configuration via CloudFront or Azure CDN tutorials. No published throughput benchmarks or pagination ceiling documentation for the REST API. The official enterprise hosting does not publish CDN-backed API delivery specs.

No official SDKs are published for JavaScript, TypeScript, Python, Ruby, Java, .NET, or mobile. The platform is PHP-native and the PHP application framework is the primary developer surface. Community packages exist on Packagist and the Concrete Marketplace for PHP, but no multi-language official SDK ecosystem has been established.

The Concrete CMS Marketplace lists thousands of add-ons and themes spanning SEO, forms, e-commerce, analytics, translation, and authentication. 2025 updates include Macareux SAML Authentication (SSO), email campaign tools, and gallery/layout add-ons. Breadth is solid for a tier-2 traditional CMS, though the marketplace skews PHP-commercial and many integrations are narrow single-purpose add-ons rather than platform-grade integrations.

Concrete CMS provides a mature PHP extensibility model: custom block types (UI and rendering), custom packages (multi-feature bundles), custom attribute types, custom single pages, custom themes, and a PHP event/hook system throughout the core (on_page_version_approve, etc.). Developers have full server-side access with framework-level hooks. No headless App Framework for cloud-hosted JavaScript extensions exists, but for a self-hosted PHP CMS the extensibility depth is strong.

OAuth2 and OpenID Connect are built into the Concrete CMS REST API core for API token management. SAML 2.0 SSO is available via a marketplace add-on (Macareux SAML Authentication added 2025) rather than in core, creating procurement friction. MFA support exists via PHP-based extensions. SSO requiring a third-party add-on rather than being core functionality scores below the 78+ threshold for mid-tier inclusion.

Concrete CMS has a sophisticated RBAC system: group-based user management, granular page/page-type-level permissions, time-based access control (restrict editing to business hours, grant temporary access), permission exclusions for rule exceptions, and custom single-page permissions. This exceeds predefined-roles-only. No field-level permissions are documented, and content-instance access control (see only your own entries) is not a core GUI feature.

No public documentation of SOC 2 Type 2, ISO 27001, or HIPAA BAA was found for PortlandLabs or the official Concrete CMS hosting product. As an open-source self-hosted platform, compliance posture depends entirely on the customer's infrastructure provider. GDPR-relevant features (data consent, privacy) are available but no formal DPA or certification by the vendor was found.

Concrete CMS operates a responsible disclosure program via HackerOne, with a public CVE tracker and disclosures at concretecms.org/security. Most disclosed CVEs are low-to-medium severity stored XSS vulnerabilities requiring rogue administrator access. January 2025 saw a batch of CVEs upgraded to 'Medium' via CVSS 4.0 recalibration. No evidence of major data breaches, critical RCE, or supply-chain compromise was found. Disclosure quality is good relative to the open-source CMS peer group.

Concrete CMS is available as self-hosted open source (PHP/MySQL on any LAMP/LEMP stack) and via official enterprise hosting from PortlandLabs with GitLab deployment, managed PHP/MySQL, and direct core-team support. The dual model provides flexibility for regulated industries (self-hosted) and managed convenience. No VPC or private cloud option is documented for the managed offering.

The Standard Hosting SLA page states that PortlandLabs 'makes no guarantees on uptime availability' under the standard agreement. Custom SLAs are noted for larger packages but no published uptime percentage was found. Self-hosted installations carry no vendor SLA by definition. No public status page was found for the official Concrete CMS hosted offering. This places Concrete CMS firmly in the no-formal-SLA tier.

Concrete CMS uses a standard PHP/MySQL architecture with no built-in horizontal scaling, auto-scaling, or CDN delivery. Scalability is entirely dependent on the operator's infrastructure choices (load balancers, Redis caching, CDN). No documented enterprise-scale references or published API throughput benchmarks were found. Adequate for mid-market self-hosted deployments but not enterprise-proven at scale.

The official enterprise hosting includes automated backups and managed infrastructure, but no published RTO/RPO documentation, retention policies, or multi-region failover specification was found. For self-hosted deployments, backup and DR responsibility falls entirely to the operator. Content export via database dump is possible but no built-in export tooling comparable to headless platforms was documented.

Concrete CMS is a PHP application that runs fully on a local LAMP/LEMP/MAMP stack, DDEV, Docker Compose, or any PHP 8.x environment. The Virtuozzo platform documents a one-click Concrete CMS deployment. The GitHub repository is Composer-managed, enabling standard PHP local setup. The `concrete/bin/concrete5` CLI handles cache clearing, migrations, and other tasks. No official DDEV quickstart comparable to Craft's, but local development is well-supported.

The official enterprise hosting uses GitLab deployment pipelines. Concrete CMS does not have a schema-as-code system comparable to Craft's Project Config — content model configuration is stored in the database, not version-controlled YAML. Environment management (dev/staging/prod) exists in the hosted offering but no branch-per-PR content environment support was documented. Standard PHP deployment patterns (Deployer, Capistrano) apply for self-hosted.

Official developer documentation at documentation.concretecms.org covers the 9.x REST API, block/package/attribute development, permissions, and the PHP API namespace reference. User guides cover the full editorial experience. Documentation is functional but reflects a PHP-era development style with fewer framework-specific integration guides or interactive playgrounds compared to modern headless CMS documentation. No video learning platform or dedicated tutorial ecosystem was found.

Concrete CMS is a PHP-native platform with no official TypeScript SDK, no type generation from the content model, and no published npm packages. The REST API returns JSON that consumers can type manually, but there is no official @concretecms npm package, no codegen tooling, and no IDE type integration documented. PHP is the primary and nearly exclusive development language for the platform.

Concrete CMS ships roughly monthly patch releases: September, October, November, December 2025, and March 2026 are all confirmed. The 9.5.0 RC cycle (RC1 with Twig support, RC2 with PHP 8.5 readiness) is active. Cadence is consistent but incremental rather than high-velocity feature shipping.

GitHub releases provide per-version notes and the concretecms.org archive lists tagged versions. Monthly blog round-ups supplement the technical changelog. However, breaking change callouts and migration guides are not prominently structured — documentation lags behind the code by the project's own admission.

A public roadmap exists at concretecms.org/roadmap, and the community forum has a dedicated proposals-to-roadmap thread. Monthly town halls communicate near-term direction. The roadmap is public but lacks a voting/prioritization mechanism (no Canny or GitHub Discussions upvotes), making it moderately transparent.

The project uses semver-compatible versioning on the 9.x line and has formally dropped security patches for v8, indicating a structured LTS approach. No automated codemods or formal deprecation-window policy was found in documentation. Transition handling is present but not enterprise-grade.

The main GitHub repository has modest star counts (sub-1K based on search results showing the split repo at 19 stars). LinkedIn shows only 7 active job postings. Wikipedia cites 258+ contributors as of 2023. The platform has an active but small community — larger than a hobby project but well below mainstream open-source CMS platforms.

Monthly town halls, active community forums, and named GitHub contributors (mlocati, hissy, gutig, ahukkanen and others) signal real engagement. The community round-ups highlight individual contributor work publicly. Engagement is genuine but constrained by community size; response times and issue resolution are not enterprise-fast.

Concrete CMS has a formal certified services partner program with a certification test and partner directory. AWS partnership exists. However, the certified partner list is small (regional agencies, no Tier-1 SIs such as Accenture or Deloitte), limiting enterprise delivery capacity. The program is legitimate but thin.

Third-party content exists — agency blog posts, community forum tutorials, and some YouTube content — but there are no notable Udemy or Pluralsight courses found, and conference talk presence is minimal. The content ecosystem supports getting started but does not validate broad market adoption.

Only 7 active LinkedIn job postings in the US for Concrete CMS. Upwork lists freelancers, and the platform maintains a jobs forum, but demand is thin. No certification program tied to major learning platforms, and the platform is absent from Stack Overflow Developer Survey recognition. Talent supply is restricted to a small niche pool.

PortlandLabs won the SourceForge Fall 2025 and Winter 2026 Leader Awards in Web Content Management, indicating an active user base submitting reviews. Monthly releases signal ongoing development. However, no major enterprise logo announcements or notable case study publications were found, and the platform appears stable rather than growing.

PortlandLabs is a small, privately held company with no disclosed funding rounds. The platform has operated continuously since 2008 and shows no signs of distress (no layoffs found, ongoing releases, active AWS partnership). Stability is credible for a self-sustaining bootstrapped open-source company, but the lack of growth capital caps long-term velocity.

Concrete CMS targets SMBs and government/military websites with a focus on inline editing and permissions. The platform has a clear niche but lacks analyst recognition (absent from Gartner MQ and Forrester Wave) and is not well-differentiated against Drupal or WordPress in broader market perception. Government focus is a defensible vertical but limits total addressable market.

G2 rating is 4.5/5 stars — strong quality signal — but with only 66 reviews, volume is well below the 200+ threshold for top-tier scoring. Positive themes: editor ease, extensibility, developer flexibility. Negative themes: documentation gaps, occasional UX complexity. The high rating with thin review volume maps to the 45–60 range per formula, trending toward the top given the rating quality.

Concrete CMS publishes managed hosting tiers openly: Starter at $4.99/mo and Business at $19/mo (both billed annually). Enterprise/custom SLA pricing is sales-gated. The core software is free and open source (MIT), so the most common deployment path has zero licensing cost. Deducted for annual-billing-only managed plans and sales-gated Enterprise.

Self-hosted (the primary deployment path) has zero license cost — completely flat and predictable. Managed hosting uses simple flat-fee tiers with clear page-view and editor-seat limits. No API metering or bandwidth overages in managed tiers. The only friction is the lack of a monthly billing option on managed plans.

All core CMS features are fully available in the free open-source self-hosted version — no functional capability is locked behind a paid tier. Managed hosting tiers gate on operational features (page views, storage, editor seats) rather than CMS functionality. The marketplace has some paid add-ons for extended features, with user reports of arbitrary pricing on a limited add-on selection.

Managed hosting is annual-only with no clearly published monthly option. However, the self-hosted path has no contract or lock-in whatsoever. No evidence of startup discounts, nonprofit pricing, or education programs was found on the pricing page. The annual-only managed billing is a mild friction point for teams evaluating commitment.

The full CMS software is free forever under the MIT license and can be self-hosted on any PHP host. This is a genuine, permanent, commercially permissive free path rather than a trial. However, users still need to provision and pay for their own PHP hosting, so it is not a zero-cost managed free tier. No managed free tier exists.

Concrete CMS runs on standard PHP and can be installed on shared hosting in minutes using standard tooling. The inline page-editing model means content editors can be productive quickly. User reviews note end-users can be trained 'in minutes instead of hours or days.' Setup is slightly more involved than a pure SaaS product but comparable to Craft CMS or Joomla.

Community reviews consistently describe fast deployments for typical marketing sites, with one review noting 'development time and cost is nearly cut in half.' The inline visual editing model reduces back-and-forth with content teams. Complex enterprise builds require more custom theme and add-on work but no evidence of consistently longer-than-expected timelines.

Concrete CMS is PHP-based using mainstream web skills, keeping the specialist premium lower than proprietary Java or .NET DXPs. However, its talent pool is significantly smaller than WordPress, meaning hiring a developer with specific Concrete CMS experience commands a moderate premium. PHP generalists can ramp up reasonably quickly.

Self-hosted deployments run on commodity PHP/MySQL hosting from ~$5–15/month, making it one of the cheapest operational options in this dataset. Official managed hosting starts at $4.99/month (Starter) or $19/month (Business), which is very affordable. Enterprise managed deployments add cost for staging, CDN, and custom infrastructure but still benefit from low base infra overhead.

Self-hosted deployments require routine PHP server maintenance, CMS core updates, and plugin patching — typical of any traditional CMS. Official managed hosting handles upgrades automatically, reducing ops burden significantly for that path. Most production deployments will be self-hosted, meaning moderate ops overhead is the realistic norm.

As MIT-licensed open source software with a standard MySQL/PostgreSQL database, Concrete CMS has low exit cost. Content and data are stored in standard relational DB tables and file system assets — both exportable with standard tooling. Moving from managed hosting to self-hosted or a different provider is straightforward since the platform is portable. Proprietary add-ons from the marketplace could add minor migration complexity.

Concrete CMS introduces a substantial proprietary vocabulary: Pages, Areas, Blocks, Stacks, Themes, Express (a bespoke no-code relational data system), Attributes, Single Pages, Asset Groups, and Packages. The Page/Area/Block hierarchy and the Express data model have no equivalents in mainstream PHP or JavaScript frameworks. Complexity is comparable to Drupal in breadth but without Drupal's industry recognition.

Official docs exist at documentation.concretecms.org with a developer guide, user guide, and API reference, plus a YouTube series and a certification program at training.concretecms.com. However, there is no interactive sandbox, no structured learning path, no headless quick-start guide, and the REST API docs are thin. A 'How to Learn Concrete CMS' document existing as an explicit page signals the onboarding journey is not self-evident.

Concrete CMS uses a custom PHP MVC framework — not Symfony, not Laravel — with server-rendered PHP templates. There are no official npm packages, no React/Vue/Next.js SDK, and no first-class headless frontend integration path. Developers from modern JS ecosystems or mainstream PHP frameworks find almost nothing that transfers directly. The REST API was added in v8.5 but remains nascent.

No official Next.js, Nuxt, Astro, or React starter template exists. No CLI scaffolding tool. The only package boilerplate is a community-maintained third-party repo (MacareuxDigital/v9_package_boilerplate on GitHub). Marketplace themes are paid commercial products, not development starting points. This is a meaningful gap relative to modern headless platforms and even Joomla.

Installation via Composer + interactive CLI or zip upload is straightforward for PHP developers, with standard PHP/MySQL requirements. However there is no config-as-code, no official Docker dev environment, and no environment variable management pattern. REST API must be explicitly enabled via Dashboard UI. Production hardening requires a separate 'Configuration Best Practices' doc, which adds manual steps not needed on modern SaaS platforms.

Content modeling uses Attributes (typed metadata) and Express (a proprietary relational object builder). There is no migration tooling for schema evolution, no TypeScript type generation, and no schema-as-code workflow. Express relationships are managed entirely within Concrete's proprietary system and do not map naturally to REST API output without additional wiring. Structural changes (reorganizing Express associations, changing attribute types) carry risk on live content.

In-context WYSIWYG editing is a core Concrete CMS strength — editors click directly on page elements in Edit Mode with full draft/version management and built-in workflow approvals. For the coupled architecture, preview fidelity is excellent. The significant penalty: for headless/decoupled setups there is no draft preview API, no webhook-based preview trigger, and no Next.js draft mode integration, making this capability entirely server-side only.

Building custom Blocks requires learning Concrete's proprietary controller/view/form structure. Extending the REST API requires platform-specific service provider and routing patterns. The certification program exists but is Concrete-specific and not a portable credential. The developer talent pool is small (GitHub ~2.6k stars), making staffing harder than for Drupal, WordPress, or modern headless platforms. Standard React or Laravel knowledge does not transfer.

A solo PHP developer can build and deploy a traditional Concrete CMS site; a 2-person team (developer + content strategist) is viable for moderate complexity. Self-hosted deployments require ops/sysadmin capability unless using managed hosting. For headless usage the team expands to include a separate frontend developer since the REST API is immature and the skill sets do not overlap. Leaner than DXP platforms, but heavier than SaaS headless CMS for decoupled use cases.

The in-context editing model allows content editors to work directly on live pages without developer involvement for routine content updates. 30+ built-in block types cover common content needs, and the built-in approval workflow reduces governance overhead. Penalties: adding new content types (custom blocks, Express objects) requires PHP development; configuring permissions and ACLs requires developer involvement; the admin dashboard can overwhelm non-technical users. Ongoing ops friction is lower than Drupal but higher than WordPress or modern SaaS CMS.

Concrete CMS upgrades are self-hosted and require database migrations applied on first page visit after file replacement; no downgrade path exists — only backup restore. The v8→v9 migration is documented as 'a large one' with potential browser timeout issues requiring CLI fallback. Biannual minor releases and monthly patches mean reasonably frequent upgrade events.

Concrete maintains an active security program via HackerOne with a 5-day acknowledgment SLA and monthly patch releases. However, patches are only guaranteed in the next release cycle — no immediate out-of-band patches — and the platform had multiple CVEs in early 2026 (XSS, CSRF fixed in 9.4.8). Self-hosted teams must manually apply each release to benefit from fixes.

As an open-source platform, Concrete CMS imposes no vendor-controlled forced migrations; teams upgrade on their own schedule. The ESM (Expanded Security Maintenance) model provides at least 3 years of critical security updates on the last minor of each major version, giving reasonable runway. The v8→v9 shift was significant but voluntary.

Concrete CMS runs on a standard LAMP stack (PHP 8.x, MySQL/MariaDB, Apache or Nginx) with no mandatory external services — a relatively contained dependency graph. PHP version tracking is required as the platform advances (PHP 8.4/8.5 compatibility work noted for 9.5). No complex microservices or managed search/CDN dependencies.

Concrete CMS provides no native APM, usage dashboards, or built-in status observability. Self-hosted teams must set up all web server, PHP-FPM, database, and application-layer monitoring independently. The WebOps tutorial references cron jobs and CLI operations but no monitoring tooling.

Concrete CMS offers a traditional page/block editing model with no documented automated content hygiene tooling — no orphan detection, broken link alerts, or content expiry workflows built in. Content governance relies on manual editorial discipline. The Marketplace has some add-ons but no native automation.

Performance is entirely customer-managed for self-hosted deployments: cache configuration, database query tuning, CDN selection, and PHP memory settings all require explicit setup. Slow admin page rendering on older hardware is noted in reviews. The hosted/cloud offering reduces some burden but is not the default mode.

Formal paid support is available primarily through the managed hosting offering; the open-source community edition relies on forums and community channels. G2 profile noted as inactive for over a year and developer documentation described as lacking, making it harder to self-serve. Reasonable for a tier-2 open-source CMS but not enterprise-grade support.

Concrete CMS has an active and described-as-passionate community, with forums and community channels providing reasonable coverage for common issues. It is smaller than WordPress and Joomla, with documentation gaps that frustrate developers on edge cases. Core team participation exists but the community is niche.

Monthly patch releases with an active HackerOne security program and 5-day acknowledgment SLA demonstrate reasonable velocity for a community-driven platform. Multiple CVEs were identified and patched within the monthly cycle. General bug resolution follows community contribution cadence, which is slower than a fully staffed vendor.

Concrete CMS has a native drag-and-drop block editor where marketers can add layout columns and drop content blocks without writing code. Page types for ad landing pages can be excluded from navigation. Scores 66 rather than higher because the block-area model is less WYSIWYG than modern page builders like Elementor and requires some setup for custom layouts.

Concrete CMS has scheduled publishing and integrations with Mailchimp, Constant Contact, and Mautic via add-ons, but no native campaign management, content calendar, or multi-channel campaign coordination. Marketers must rely entirely on external tools for campaign lifecycle. Score reflects the typical range for traditional CMS platforms without dedicated campaign tooling.

Concrete CMS includes built-in SEO controls: meta title/description/keywords per page, a Bulk SEO Updater for site-wide meta management, custom URL slugs, automatic XML sitemap generation, and redirect management. The official SEO feature page details these capabilities. Missing Schema.org structured data automation keeps it below 75.

A native form builder (drag-and-drop, no code) is included for lead capture. Integration with external marketing automation (Mailchimp, Mautic) is available but no built-in conversion tracking, UTM parameter management, or CTA analytics. Score reflects solid form handling with minimal native conversion tooling.

Concrete CMS supports user-group-based content visibility — pages and blocks can be shown or hidden based on authenticated user groups — providing basic rule-based targeting. However, there is no native behavioral targeting, geo-targeting, or AI-driven personalization engine. The marketplace does not list a dedicated personalization add-on. This places it in the 15–35 range for limited native personalization with third-party dependency.

No native A/B testing or experimentation capability is present in Concrete CMS core or the marketplace. Teams would need to integrate Google Optimize (deprecated), VWO, or Optimizely via external script injection, with no tight CMS-level integration. Scores at the floor of the scale for this item.

Inline editing directly on the front-end is a core differentiator for Concrete CMS — editors click any block to edit in place without navigating to a dashboard. Page types serve as templates for fast new-page creation. Block library enables drag-and-drop reuse without developer involvement. Bulk operations (bulk SEO Updater, bulk attribute editing) reduce cycle time. Scores 62 rather than 70+ because complex multi-region layouts still benefit from developer setup, and there is no AI-assisted content drafting.

Concrete CMS is primarily a web-delivery CMS. A REST API proposal was made for 9.2+ (github.com/concretecms/concrete_api_proposal_2022) but the platform is not headless-native and lacks structured content models designed for multi-channel delivery. No email, push, social, or in-app channel delivery is built in. Score reflects single-channel web delivery with limited API-based headless potential.

Concrete CMS supports Google Analytics and similar tag-based integrations through the dashboard's tracking code injection and via add-ons in the marketplace. There are no native content performance dashboards or engagement metrics within the CMS itself. The official features page mentions 'consolidated reporting' but this refers to form/data reporting rather than marketing analytics. Score reflects standard tag integration with external analytics tools.

Concrete CMS has a Style Editor that allows administrators to define brand-level typography, colors, and layout tokens applied across the site. Page types and block templates enforce structural consistency. However, there is no hard lock-down mechanism preventing editors from overriding brand tokens on individual blocks, and there is no design token system comparable to modern component libraries. Score reflects component-based consistency without enforcement.

The built-in SEO block manages Open Graph and Twitter Card meta tags for social preview cards. Social sharing widgets are available as marketplace add-ons. There is no native push-to-social scheduling or UGC embed tooling. Scores in the 30–50 range for basic OG meta tag management plus marketplace-available sharing widgets.

Concrete CMS has a built-in File Manager that handles image uploads, auto-generates thumbnails at configurable sizes, supports file tagging and folder organization, and provides a usage tracker to see where assets are used. This is functional for moderate marketing volumes but lacks rights management, video hosting, advanced image transforms (beyond thumbnail presets), and DAM-grade search. Scores in the 35–55 range for basic media library with some transforms.

Concrete CMS has built-in multilingual support with separate page trees per language, synchronized content relationships, and a dashboard translation interface. This supports generic localization of marketing content including locale-specific page variants. However, there are no marketing-specific transcreation workflows, locale-level campaign scheduling, or regional compliance tools (cookie consent, legal disclaimers) beyond what can be manually built. Score reflects generic localization applied to marketing content.

Concrete CMS has documented integrations with Mailchimp, Constant Contact, and Mautic (email/MAP category) via marketplace add-ons. The marketplace also lists HubSpot and Salesforce integrations. However, these represent shallow embed or form-sync integrations rather than deep API-level event triggers or CDP connectivity. No pre-built ad platform or bidirectional CRM connectors were found. Score reflects some integrations plus generic webhook/API capability.

The Community Store add-on enables basic product content: images, variants (size/color) with distinct pricing, stock tracking, and product grids. However, it is a community-maintained add-on, not a core feature, and is not purpose-built for rich editorial product content at scale. Community Store remains actively maintained (updated January 2026) but reviews note limited ecommerce maturity versus dedicated platforms.

Community Store includes basic discount codes and automatic discounts but has no cross-sell/upsell content management, category search merchandising, or promotional content scheduling tools. This is typical for CMS-based community add-ons; Concrete CMS is not a commerce-first platform.

A Shopify Integration add-on on the Concrete CMS Marketplace allows Shopify products and checkout to be embedded in pages, and Ecwid also offers a shopping cart add-on. These represent basic embed/product-picker integrations rather than deep API federation or real-time content+product co-authoring. No documented integration with commercetools, SFCC, or BigCommerce.

Concrete CMS pages can embed Community Store product blocks alongside editorial content blocks, enabling basic product-in-context layouts. However, shoppable content, buying guide templates, or lookbook authoring patterns are not first-class features — they require manual assembly from generic blocks. No native inline product reference with purchase CTA tooling. Score reflects product embeds possible but not a purpose-built editorial commerce pattern.

Community Store has a single-page checkout flow (billing, shipping, payment) but this is rendered by the add-on, not the CMS content editor. There is no mechanism to inject CMS-managed trust badges, upsell banners, or post-add modals into the checkout flow without template modification. Scores near the floor as checkout content is fully in the Community Store template.

Community Store supports automatic digital product downloads after purchase, providing a minimal post-purchase CMS content experience. Order confirmation emails are template-based within Community Store, not CMS-managed pages. No delivery tracking pages, loyalty program content, or review solicitation content sequences managed from the CMS. Scores near the floor.

Concrete CMS's granular user-group permissions can gate product documentation or catalog pages to authenticated B2B users, providing basic access-controlled content. However, there are no B2B-specific features: no customer-specific pricing display, no quote-request workflow, no account-based catalog segmentation. Score reflects basic access control applicable to B2B without purpose-built B2B commerce content features.

Concrete CMS has a built-in site search (using PHP/MySQL full-text or Solr integration for larger deployments). Community Store products appear in site search. However, there is no faceted search enrichment, no search landing page tooling, and no blended content-product search result management. Score reflects basic search with minimal content-side enrichment for commerce.

Scheduled publishing in Concrete CMS core allows time-limited promotional banners to be activated and deactivated without developer involvement. Community Store supports discount codes with time limits. However, there are no countdown timers, promo code messaging blocks, or channel-specific promotional targeting natively. Score reflects basic scheduled banners slightly above the floor.

The multi-site architecture can serve multiple storefronts from one installation, each with its own content tree, theme, and user base. Shared block/template components reduce duplication. However, product content between storefronts is not natively federated — each site manages its own product pages via Community Store instances, creating some duplication. Score reflects multi-storefront possible with partial content sharing.

Community Store supports multiple product images with lightbox display. The file manager auto-generates thumbnails. Video embeds via YouTube/Vimeo blocks are possible on product pages. However, there are no 360-degree view capabilities, AR/3D model references, or image hotspot tooling natively. Score reflects basic image galleries and video embeds without advanced visual commerce features.

Community Store is a single-vendor storefront add-on with no multi-vendor marketplace capability. There are no seller profile pages, seller-contributed product descriptions, or content quality moderation at multi-vendor scale in either core Concrete CMS or Community Store. This is beyond the platform's intended scope.

The built-in multilingual system with separate page trees can be applied to product pages managed via Community Store, enabling locale-specific product descriptions. However, there is no currency-aware content block system, no regional regulatory content automation (EU labels, Prop 65), and no market-specific promo calendar. Score reflects generic localization applied to product content without commerce-specific locale tooling.

Google Analytics and GA4 can be integrated via script injection to track commerce events from Community Store checkouts, but this requires manual configuration and analysis happens entirely in GA4. There is no native content-to-revenue attribution within the CMS, no content-assisted conversion tracking dashboard. Score reflects basic analytics integration with conversion data in fully external tools.

Concrete CMS has a well-documented granular permissions system: permissions can be set at page, page type, or area level, inherited by child pages, and scoped to user groups, individual users, or custom roles. SSO integration is supported and used in production (BASF enterprise intranet case study). ISO 27001/SOC 2/HIPAA certification confirms enterprise-grade security posture. Score stops short of 75 because field-level sensitivity is not a native feature.

Concrete CMS supports version history, approval workflows, and content moderation which covers basic knowledge article lifecycle. There is no native knowledge taxonomy, content expiry/review scheduling, or internal search tuning beyond site search defaults. Functional for moderate intranet needs but lacks dedicated knowledge management tooling.

Concrete CMS actively markets HR portal and internal communications solutions with configurable news feeds, team pages, and SSO-backed access — a step above most generic CMS platforms for intranet use. However, it lacks native employee directory integration, social features (likes/comments), or a mobile app, keeping it in the low-50s rather than 60+. The intranet blog and dedicated HR portal application page confirm ongoing investment but stop short of purpose-built employee experience tooling.

Concrete CMS supports targeted news publishing by user group, enabling department-specific announcements. The HR portal and internal communications solution page highlights news feeds and workflow-backed approvals. However, there are no read receipts, acknowledgment tracking, or mandatory-read workflows in core or the marketplace. Score is in the 30–50 range for basic news publishing with audience targeting.

Concrete CMS has no native employee directory or org chart visualization. User profiles exist in the system but are minimal (name, email, groups). A directory could be custom-built using page types and the member list block, but this requires developer effort and is not a configurable out-of-the-box feature. No HR system integration (Workday, BambooHR) is documented. Score reflects basic directory buildable with custom development.

Concrete CMS provides version history (full page version control), multi-level approval workflows, and content expiration — covering the basics of policy document lifecycle. There is no mandatory acknowledgment tracking, no automated review expiry reminders for policy authors, and no audit trail viewer beyond version history. Score reflects basic document publishing with version control above the floor.

The HR portal application page references onboarding workflows and structured content for new hires, enabled by Concrete CMS's page-type system and access control. However, there are no structured onboarding journeys with progressive disclosure over 30/60/90 days, role-specific content paths, or task checklists that activate automatically from an HR event. What exists is the ability to build onboarding pages rather than a purpose-built onboarding delivery system.

Concrete CMS has built-in site search based on MySQL full-text indexing for smaller deployments, with a Solr/Elasticsearch add-on available for larger installations. Search covers pages, files, and user-submitted content. There is no federated search across external systems (SharePoint, Confluence), no AI-powered relevance ranking, and limited faceted filtering. Score reflects adequate internal search with basic faceting capability.

Concrete CMS front-end themes are responsive and render on mobile browsers. The inline editing interface is available on mobile browsers but is not optimized for touchscreen use. There is no native mobile app, no offline support, no push notifications, and no low-bandwidth mode or kiosk/shared-device configuration. Score reflects responsive web access without native mobile app support.

Concrete CMS can host training content as standard web pages or documents accessible to specific user groups. The HR portal page mentions training materials. However, there is no LMS integration (Cornerstone, Workday Learning), no course assignment, completion tracking, or certification management in core or the marketplace. Score reflects basic learning content hosting without any tracking or LMS connectivity.

Concrete CMS HR portal and intranet marketing reference employee recognition tools and engagement surveys, but evidence for native social features is thin. The Conversation block provides threaded discussion on pages. There are no reactions, polls, community spaces by department/interest, or peer recognition workflows in core. The Conversation block and community forum usage suggest limited social capability rather than a full social layer.

No documented integration with Microsoft 365/Teams, Google Workspace, or Slack was found in the Concrete CMS marketplace or official documentation. SSO can authenticate against Azure AD (Microsoft) or Google via third-party add-ons, but that does not constitute embedded content cards or bot-driven notifications in workplace tools. Score reflects no meaningful workplace tool integration.

Concrete CMS has content expiration dates in core — pages can be set to expire automatically on a future date. Version history enables rollback. Approval workflows provide a structured review cycle. However, there is no automated stale content flagging based on age, no ownership assignment for review reminders, and no formal archival workflow. Score reflects basic content expiry and manual review above the floor.

Concrete CMS HR portal marketing references analytics and reporting for employee engagement. However, no native department-level page view analytics, failed search term dashboards, or intranet adoption dashboards exist in the platform. Analytics relies on GA4 or similar external tools injected via script. Score reflects basic page view analytics available externally without intranet-specific engagement measurement.

Concrete CMS supports multi-site architecture from a single installation with separate content trees, separate user bases, and configurable permission isolation per site. The IMCOM case study (hundreds of garrison websites on one install with compliance controls) validates silo-based isolation at scale. This is not a true multi-tenant SaaS architecture with independent environments, but provides meaningful silo-based separation.

Multi-site installs in Concrete CMS share a single codebase, theme, and block library, allowing centrally maintained templates and blocks to be reused across all sites while permitting local overrides. Branding consistency is a stated feature of the multi-site product. Not a federated content API model but provides shared component infrastructure through the install architecture.

The IMCOM deployment demonstrates centralized compliance and security controls across hundreds of sites, with thousands of individual content managers operating within enforced governance. Concrete CMS provides multi-level approval workflows, page-level and block-level access controls, content expiration, and centralized user management across the multi-site network. Cross-brand approval workflows are limited to within-site workflows rather than a true cross-brand governance console.

Concrete CMS is open source (free community edition), so adding sites does not incur per-brand licensing fees — only infrastructure and managed hosting costs scale. The multi-site architecture runs many sites on one install, reducing server overhead versus separate deployments. Commercial support packages exist but are not required per-site.

Each site in a Concrete CMS multi-site installation can have its own theme, color palette, typography, and style settings via the Style Editor. Per-site theme assignment and style customization are straightforward. However, this is CSS/configuration-level theming rather than a design token system with inheritance from a central brand library. Score reflects basic CSS/config theming per brand with shared component structures.

The multilingual system combined with multi-site architecture allows per-brand, per-locale content trees. Each brand/site can have its own translation workflow via the dashboard. However, there is no governance layer for brand-aware translation approvals, no differentiation between shared vs. isolated translation workflows at the brand level, and no regional legal content governance per brand. Score reflects basic per-brand localization with shared workflows.

No cross-brand analytics dashboard exists in Concrete CMS. Each site's analytics relies on separately configured external tools (GA4, etc.), and there is no aggregated portfolio view of content performance across sites. A multi-site admin can navigate between sites but sees no unified metrics. Score reflects no cross-brand analytics with manual aggregation required.

Approval workflows in Concrete CMS can be configured per page type and per site, giving individual brand sites some control over their publishing workflow stages and approvers. The multi-site admin can see and manage all sites but workflow configuration is per-site. There is no central workflow audit console spanning all brands. Score reflects some workflow variants per brand without central audit trail across brands.

In a multi-site Concrete CMS installation, globally shared blocks, templates, and page types cascade to all sites from the central codebase. However, there is no CMS-level mechanism to push a specific piece of content (e.g., a press release or legal disclaimer) from a corporate parent site to child brand sites with controlled override points. Content syndication requires developer-built solutions. Score reflects basic content sharing through architecture with no native push-syndication workflow.

Concrete CMS has ISO 27001/SOC 2/HIPAA certifications and per-site configuration options allowing compliance settings (cookie consent, legal page content) to be managed per brand. Cookie consent add-ons are available in the marketplace. However, there are no automated publishing guardrails preventing non-compliant content, no per-brand accessibility enforcement, and no data residency configuration per tenant. Score reflects basic compliance settings available per brand without automated guardrails.

The shared codebase in a Concrete CMS multi-site installation provides a centrally maintained block and template library that all sites inherit. Individual sites can override theme styles. However, there is no formal design system versioning, no component versioning with update propagation, and no brand-level extension model beyond CSS overrides. Score reflects shared components with some brand override but no formal design system management.

In a Concrete CMS multi-site installation, a super-admin can manage users, groups, and permissions across all sites from the main dashboard. SSO via SAML is supported and can span all sites. Individual brand teams can be granted autonomous admin rights within their site. This provides meaningful central oversight with brand team autonomy, though there is no SCIM provisioning or true cross-brand contributor role that spans sites without super-admin privileges.

All sites in a Concrete CMS multi-site installation share the same block types and page type templates from the central codebase. Per-brand content type extensions require code changes rather than configuration, meaning adding brand-specific fields involves developer work and risks diverging the codebase. There is no interface for per-brand content model extension without forking. Score reflects basic shared types with limited no-code customization per brand.

There is no executive portfolio reporting dashboard across the Concrete CMS multi-site network. A super-admin navigates to individual sites and views their own content/form reports. Content freshness, publishing SLA adherence, and capacity metrics across the portfolio are not aggregated anywhere in the platform. Manual aggregation from external analytics tools would be required. Score reflects no portfolio reporting capability.

The privacy policy references the invalidated EU-US Privacy Shield framework (struck down 2020) with no mention of SCCs or the EU-US Data Privacy Framework. No DPA is listed on the legal pages, no sub-processor list is published, and EU data residency options are not documented. The policy scope explicitly excludes websites built on or hosted by Concrete CMS, directing GDPR questions elsewhere.

PortlandLabs hosting undergoes external HIPAA/HITECH audit validation and the compliance page confirms hosting satisfies HIPAA controls. However, no explicit BAA is published or advertised as available, and there is no healthcare-specific documentation in the open-source project. For managed hosting customers, HIPAA alignment exists but BAA availability is not confirmed publicly.

PortlandLabs hosting meets FedRAMP Moderate (DoD Impact Level 2) with continuous monitoring — a significant differentiator at this tier. HIPAA/HITECH and PCI-DSS are validated through external audits. The privacy policy explicitly states CCPA does not apply to Concrete CMS's own business. UK GDPR, LGPD, PIPEDA, and other regional frameworks are not addressed.

SOC 2 Type 2 is confirmed for both hosting services and open-source development activities, covering Security and Availability Trust Service Criteria. The report is available upon request. Supply chain SOC 2 reports (AWS, Atlassian, Google Cloud, New Relic) are also reviewed. This is managed hosting scope; the open-source software itself does not carry a SOC 2 attestation.

PortlandLabs holds ISO 27001 certification, described as proving 'a robust security and risk management program.' Certificates are available upon request. No ISO 27018 (cloud PII processing) is mentioned. The certification scope appears to cover the hosting and development operations, not the open-source software package independently.

Beyond SOC 2 and ISO 27001, PortlandLabs holds FedRAMP Moderate (DoD IL2) and has PCI-DSS and HIPAA/HITECH external audit validation. The platform participates in HackerOne for vulnerability disclosure with monthly security patches and CVE tracking. AWS CIS benchmark alignment and FIPS 140-2 MFA for infrastructure access add depth. This is an unusually strong certification portfolio for a Tier 2 CMS.

Hosting infrastructure is AWS US-based. The FedRAMP environment is inherently US-only. No EU or APAC data residency options are documented. No contractual data residency guarantees are mentioned outside the FedRAMP-specific context. Self-hosted deployments can choose any region but without vendor contractual guarantees. This is a significant gap for EU-based customers.

A 'Personal Information Deletion' page is listed in the legal index, indicating some process exists for data deletion requests. For the open-source platform, full database export is inherently available. However, no documented self-service data export portal for hosted customers was found, post-termination retention periods are not published, and the page itself returned 404. The hosting privacy policy page also returned 404.

Concrete CMS lists 'audit trails' as a platform feature alongside login history and content approval workflows. The framework documentation references 'auditive logging' for operations like page deletion and email sends. However, no SIEM integration, configurable log retention periods, or log export APIs are documented. The feature is basic — present but not enterprise-grade.

No formal WCAG 2.1 AA conformance documentation for the Concrete CMS authoring interface was found. The platform makes no documented ATAG 2.0 commitment. There is no accessibility conformance page for the CMS editor. The platform is used by US government agencies, which implies some Section 508 attention, but no formal statement or conformance report is published.

No VPAT or ACR (Accessibility Conformance Report) was found on concretecms.com or in the documentation. No Section 508 formal conformance statement is published. Given the platform's use by the U.S. Army and federal agencies, a VPAT likely exists internally or upon request, but it is not publicly accessible for procurement purposes.

The 'AI Integration' marketplace add-on delivers GPT-4 Turbo-powered content drafting and meta description generation within the editor. No native AI writing assistance exists in the core CMS (v9.x). No brand voice controls, custom prompt templates, or bulk generation — functionality is basic and entirely third-party.

The Brand Central DAM add-on uses AI to auto-tag uploaded media files with relevant metadata, improving searchability. No smart focal crop, no native auto alt-text generation, and no AI image generation are documented in core or marketplace. Auto-tagging is the only confirmed AI media feature.

No native machine translation in Concrete CMS core. Linguise (third-party SaaS) can integrate via script injection and API key, using Google Cloud Neural MT and a proprietary LLM model, but this is a fully external cloud service. No core changelog entries reference MT features.

The 'AI Integration' marketplace add-on generates SEO meta titles and descriptions via GPT-4 Turbo without leaving the editor. Additionally, the 'Large Language Models Generator' add-on (De Webmakers, Sept 2025, updated Feb 2026) generates an /llms.txt file — a structured AI-discoverable inventory of site pages. Neither is core functionality.

AI-powered metadata auto-tagging on media upload is the only confirmed AI workflow automation via the Brand Central DAM add-on. Official blog posts describe AI scheduling and content lifecycle automation aspirationally, but no marketplace listing or changelog entry documents these features as shipping.

No agentic products exist in the Concrete CMS ecosystem. The March 2026 community roundup discusses AI solely in the context of helping developers use external coding assistants with Concrete — not autonomous content automation. No named agent suite, no multi-step pipeline products.

No content intelligence features exist. The blog post mentions AI could 'identify stale, duplicated, or outdated pages' but frames this as general guidance for external tools, not as a Concrete CMS feature. No marketplace add-on delivers content gap analysis, topic clustering, or AI editorial recommendations.

No AI auditing tool exists in core or marketplace. The 'Smart Ways to Integrate AI' blog post lists editorial QA and tone checking as recommended external AI use cases, but no Concrete CMS add-on implements these. A third-party accessibility widget (Skynet Technologies) is not AI-driven.

Concrete CMS uses standard full-text search with no vector or semantic search capability. No marketplace add-on or core feature provides AI-enhanced relevance ranking, embedding generation, or RAG-ready content indexing. Custom external integration would require substantial developer work from scratch.

No native ML personalization engine. The 'Poper Widgets Popups Embeds Powered by AI' marketplace add-on is an external SaaS JavaScript embed that adapts CTAs based on visitor context, but it operates outside the CMS layer. No predictive audience segmentation, no behavioral ML, no native A/B testing with AI.

A community-built TypeScript MCP server — concretecms-mcp-server by MacareuxDigital — was published November 2025 and updated February 2026. It supports system info, content read/write, user access, file upload, custom OpenAPI specs, and uses OAuth2 auth. It is published on npm and confirmed compatible with Claude Desktop. However, it is not officially endorsed by Concrete CMS and has minimal adoption (1 star, 2 installs as of research date).

The 'AI Integration' marketplace add-on is consistent with a user-supplied OpenAI API key pattern, which is standard for such marketplace extensions. However, no official Concrete CMS BYOM/BYOK framework is documented. No support for Anthropic, Azure OpenAI, or Google Gemini endpoints, and no model switcher UI in core.

Concrete CMS is open-source (MIT, PHP) with a REST API that is usable for AI consumption, as demonstrated by the community MCP server. No official AI SDK, no LangChain/LlamaIndex connectors, and no LLM-friendly content API exist. The March 2026 community initiative to build 'skills files' for coding LLMs highlights that AI tooling for Concrete is underrepresented and developer-DIY.

Concrete CMS has mature general-purpose governance — content approval workflows requiring human review before publish, comprehensive audit trail, ISO 27001, SOC 2, HIPAA compliance, and role-based permissions. These serve as de facto AI safety layers. However, no AI-specific output logging, no AI decision audit trail, and no prompt template governance exist.

No AI usage dashboards, token consumption tracking, model performance monitoring, or AI observability tooling exists in Concrete CMS core or marketplace. AI usage through third-party add-ons (AI Integration) is entirely opaque to CMS administrators — monitoring would rely on the external provider's dashboard.