All features Compliance

Ten frameworks, mapped from a single scan

SOC 2, HIPAA, PCI DSS v4, NIST CSF 2.0, CMMC, ISO 27001, CIS v8, FTC Safeguards, Cyber Essentials and CIS Controls — control coverage updated on every scan.

Get started Run a free scan
10frameworks
Automapped
2-yearretention
10-framework-compliance 10
AUTOAuto-mappedPASS
LIVELive coverageCHECK
EVIDEvidence vaultFAIL
WHITWhite-label PDFPASS
One evidence base

Ten frameworks, one evidence base

Evidence you scan or enter once is scored against every framework you pursue. Each maps to its own control catalog, versioned to the authority that publishes it.

SOC 2

AICPA Trust Services Criteria.

HIPAA Security Rule

45 CFR Part 164, Subpart C.

PCI DSS v4.0

Payment Card Industry Data Security Standard.

NIST CSF 2.0

Cybersecurity Framework, February 2024.

NIST CSF 1.1

Cybersecurity Framework, April 2018.

CMMC 2.0

Built on NIST SP 800-171 Rev 2.

CIS Controls v8

Center for Internet Security.

ISO/IEC 27001:2022

Annex A controls.

FTC Safeguards Rule

16 CFR Part 314 (2023).

Cyber Essentials

UK NCSC certification scheme.

Honest scoring

Every control, honestly scored

No control turns green on a hunch. Each one carries an evidence type that says exactly how it is backed — so the report reflects what you can actually prove, not what you hope is true.

Automated

The scanner, internal agent or cloud connector produced live evidence. Technical controls are proven from real findings — and a control the scanner is actively failing stays red no matter what else claims otherwise.

Attested

A person answered the control's questions and attached the artifacts an auditor would ask for. An attestation is a signed record — who confirmed it, when, and the evidence behind it.

Undocumented

Neither. The policy-shaped controls a scanner can't see — training records, incident-response plans, governance — start here, flipped from aspirationally passing to a clear action item.

An AI-generated questionnaire for the gaps

For the controls a scan can't reach, the platform generates a targeted questionnaire aimed only at the undocumented gaps — never the ones already proven. Send it as a no-login link to whoever owns the answer; each response writes an attestation back automatically.

Evidence that stays honest

Connected tools — security-awareness training, backup, PSA and HR systems — can post evidence automatically as an integration source. Live findings always take precedence: an outside signal can add a citation but never overturn a control the scanner is failing.

Answer once

Enter evidence once, cover many frameworks

Most controls are the same control wearing ten different names. Prove it in one framework and that work reaches the others — so a second or third framework is mostly already done.

One concept, many controls

Curated concept families link the controls that mean the same thing across frameworks. Evidence attached to one propagates to its empty siblings — encryption-at-rest proven for SOC 2 also answers ISO 27001, PCI DSS, HIPAA and more.

AI-suggested reach

Beyond the curated families, the platform reviews the documents already attached to a control and suggests which other controls, across any framework, the same evidence plausibly supports. Suggestions only — a person vouches before anything is claimed.

Crosswalk gap report

Pick a target framework and see it split three ways: already evidenced, reachable via crosswalk from work you've done elsewhere — claim it in one click — and the true gaps covered nowhere yet.

Audit-ready

Built for the audit, not just the dashboard

The whole point is the moment an auditor, a client or a cyber-insurer asks you to prove it — and everything is already assembled.

Evidence vault & freshness

Every artifact and scan record lives in a per-client evidence vault, ready for auditor review. Continuous freshness monitoring flags evidence that has gone stale and controls due for their next review before they lapse.

Versioned, audit-ready reports

Generate a white-label PDF for any framework, with per-control status and citations. Every generation is retained as a version, so you can hand over exactly what the posture looked like on any prior date.

CMMC SPRS, SSP & POA&M

For defense-supply-chain clients, estimate a SPRS score across all 110 NIST SP 800-171 Rev 2 requirements and generate the System Security Plan and POA&M from the same evidence — clearly marked as a self-assessment estimate to validate before submission.

Part of one platform

One finding, one fix, one report

10-Framework Compliance is one piece of SBCMSP’s unified loop — every finding is prioritized by real-world risk, paired with AI remediation guidance, mapped to your frameworks and re-verified on the next scan.

  • KEV / EPSS-ranked severity
  • AI remediation guidance
  • Mapped to 10 frameworks
  • White-label client reporting
See the full platform
82
+27 pts
projected after top fixes

Run your first scan free

See a client’s real posture in minutes — then unlock all 1,658 checks.