Honest scoring
Every control, honestly scored
No control turns green on a hunch. Each one carries an evidence type that says exactly how it is backed — so the report reflects what you can actually prove, not what you hope is true.
Automated
The scanner, internal agent or cloud connector produced live evidence. Technical controls are proven from real findings — and a control the scanner is actively failing stays red no matter what else claims otherwise.
Attested
A person answered the control's questions and attached the artifacts an auditor would ask for. An attestation is a signed record — who confirmed it, when, and the evidence behind it.
Undocumented
Neither. The policy-shaped controls a scanner can't see — training records, incident-response plans, governance — start here, flipped from aspirationally passing to a clear action item.
An AI-generated questionnaire for the gaps
For the controls a scan can't reach, the platform generates a targeted questionnaire aimed only at the undocumented gaps — never the ones already proven. Send it as a no-login link to whoever owns the answer; each response writes an attestation back automatically.
Evidence that stays honest
Connected tools — security-awareness training, backup, PSA and HR systems — can post evidence automatically as an integration source. Live findings always take precedence: an outside signal can add a citation but never overturn a control the scanner is failing.