15+ frameworks. Mapped automatically.

The de facto trust standard for SaaS. Customers ask for it before they sign, auditors test it annually, and it's the gateway to selling enterprise.

• IAM access reviews and SSO logs
• Vulnerability scanner output (Nessus, Qualys, Tenable)
• Cloud configuration snapshots (AWS Config, GCP, Azure)
• Cross-mapped to ISO 27001, HIPAA, NIST CSF + 1 more

The international standard for information security management systems. Required for many enterprise deals — especially in Europe and APAC — and a strong signal of mature security operations.

• ISMS documentation and policy versions
• Statement of Applicability with control justifications
• Risk treatment plans and residual risk records
• Cross-mapped to SOC 2, HIPAA, GDPR + 1 more

The most widely adopted cybersecurity framework in the United States. Voluntary but increasingly expected by regulators, partners, and insurance carriers.

• Asset inventory with criticality ratings
• Vulnerability scan output and remediation tickets
• Identity and access management logs
• Cross-mapped to CIS Controls, ISO 27001, SOC 2 + 1 more

The federal law governing protected health information in the United States. Covered entities and business associates must implement administrative, physical, and technical safeguards — and can be fined per violation.

• Workforce training completion records
• Access reviews on systems handling PHI
• Encryption status of data at rest and in transit
• Cross-mapped to SOC 2, ISO 27001, NIST 800-66 + 1 more

The mandatory security standard for any organization that stores, processes, or transmits cardholder data. PCI DSS v4 added 64 new requirements that go fully effective in 2025.

• Network segmentation diagrams and validation tests
• Vulnerability scan output (ASV and internal)
• Penetration test reports with remediation status
• Cross-mapped to SOC 2, ISO 27001, NIST CSF

The certification framework defense contractors must meet to bid on DoD contracts. Level 2 requires third-party assessment; Level 3 requires DIBCAC assessment.

• System Security Plan (SSP) with control implementation statements
• Plan of Action and Milestones (POA&M) for any unmet controls
• CUI inventory and handling procedures
• Cross-mapped to NIST 800-171, NIST 800-172, NIST CSF

The federal government's standardized program for cloud security authorization. Required to sell cloud services to most US federal agencies.

• System Security Plan (SSP) sections aligned to NIST 800-53 Rev 5
• Continuous monitoring (ConMon) deliverables
• Vulnerability scan output (DHS-approved scanner outputs)
• Cross-mapped to NIST 800-53 Rev 5, FISMA, NIST CSF + 1 more

The European Union's data-protection regulation. Applies to any organization processing the personal data of EU residents — regardless of where the organization is based. Fines up to 4% of global annual revenue.

• Records of Processing Activities (RoPA) per Article 30
• Data Subject Access Request (DSAR) handling logs
• Lawful basis records and consent capture
• Cross-mapped to ISO 27001, ISO 27701, SOC 2 + 1 more

The IT general controls (ITGC) framework that public companies — and companies preparing to go public — must demonstrate to their external auditors annually under Sarbanes-Oxley.

• Privileged access reviews on financial systems
• Change management approvals for production deployments
• Segregation of duties matrices
• Cross-mapped to COSO, COBIT, NIST 800-53 + 1 more

The Federal Financial Institutions Examination Council's IT examination guidance. Examiners use it as the basis for IT exams of US banks, credit unions, and supervised entities.

• Cybersecurity Assessment Tool (CAT) responses with maturity progression
• Wire and ACH controls and segregation of duties
• Vendor management documentation per FIL-44-2008
• Cross-mapped to FFIEC CAT, NIST CSF, PCI DSS + 1 more

The pragmatic, prioritized cybersecurity controls developed by a global community of practitioners. Implementation Group tiers (IG1, IG2, IG3) let smaller organizations start where they are.

• Asset inventory (hardware and software)
• Vulnerability scan and patching cadence
• Account and access management logs
• Cross-mapped to NIST CSF, ISO 27001, PCI DSS + 1 more

The Cloud Security Alliance's structured controls catalog for AI systems — covering data, model, governance, and deployment dimensions. The most prescriptive AI controls framework available.

• Training data classification and provenance
• Model evaluation and red-team results
• Prompt-injection and jailbreak testing logs
• Cross-mapped to NIST AI RMF, ISO 42001, SOC 2 + 1 more

The voluntary framework for AI risk management — covering governance, risk identification, mitigation, and continuous evaluation. Increasingly cited by regulators and required by enterprise AI buyers.

• Model cards and system cards
• Training data lineage and provenance records
• Bias testing and fairness evaluation results
• Cross-mapped to CSA AI CM, ISO 42001, EU AI Act + 1 more

The NIST guide for conducting risk assessments. The reference methodology for nearly every regulatory and audit context that asks for a 'documented risk assessment.'

• Threat sources catalog with capability ratings
• Vulnerability inventory with severity
• Likelihood × impact assessments per asset
• Cross-mapped to NIST CSF, ISO 27001, HIPAA + 1 more

The SEC's cybersecurity disclosure rule requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days, and to describe their cybersecurity risk management and governance in 10-K filings.

• Materiality assessments for cybersecurity incidents
• Incident timeline reconstruction with forensic linkage
• Form 8-K Item 1.05 disclosure drafts
• Cross-mapped to NIST CSF, ISO 27001, SOX