Compliance Frameworks
Cybrium maps every finding it produces to one or more compliance frameworks so that the same data that drives remediation also drives audit readiness. Seven frameworks ship out of the box, and each tenant can enable, disable, or extend them independently.

Supported Frameworks
- CIS Benchmarks — configuration hardening baselines for operating systems, containers, Kubernetes, and the major cloud providers.
- HIPAA — the Security Rule's administrative, physical, and technical safeguards, aligned to §164.308 through §164.312.
- PCI-DSS v4.0 — the twelve requirements, with explicit coverage for network segmentation, cardholder-data encryption, access control, and logging.
- SOC 2 Type II — the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Because a Type II report attests to operating effectiveness over a period rather than at a point in time, the per-control evidence dates matter as much as the pass/fail state.
- OWASP Top 10 — the current (2021) list, plus the API Top 10 for API-specific scans.
- NIST CSF 2.0 — the six functions (Govern, Identify, Protect, Detect, Respond, Recover) and their subcategories.
- ISO/IEC 27001:2022 — the Annex A controls.

How Findings Map to Controls
Every scanner and adversary technique in Cybrium carries metadata declaring which controls it is capable of evidencing. When a finding is produced, the platform consults that metadata and attaches the affected controls to the finding record. Controls can be attached automatically (by rule), manually (by the auditor), or via custom mapping tables uploaded by the tenant.
A single finding commonly maps to several controls at once — an unencrypted S3 bucket, for example, lights up PCI-DSS 3.5, SOC 2 CC6.1, CIS AWS 2.1.1, and NIST CSF 2.0 PR.DS-01 simultaneously (CSF 2.0 uses two-digit subcategory numbers; PR.DS-1 is the 1.1 spelling of the same control). Cybrium keeps the mapping many-to-many and does not deduplicate across frameworks, so each audit sees its own complete picture. One caveat when writing custom mapping tables: CIS section numbers move between benchmark versions, so a CIS control reference is only meaningful together with the benchmark version it was written against.

Compliance Tab View
The Compliance tab is framework-first. Pick a framework from the switcher and the view reorganizes itself into the framework's native structure — CIS sections, HIPAA safeguards, SOC 2 criteria. For every control, you see the current coverage status (covered, partially covered, not covered, not applicable), the findings attached to it, and the last-evidenced date.
Export to PDF or Excel produces an auditor-ready document with evidence references per control. Continuous monitoring runs recompute the view nightly; a control that was covered in the previous run and is no longer covered (or has dropped to partially covered) raises a compliance alert, so drift is caught before the next audit cycle rather than during it.
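The mapping mechanism described under "How Findings Map to Controls" and the per-control status and drift logic of the Compliance tab fit together in a few dozen lines. The following is an added example written for this page, not Cybrium's code: it assumes a rule-metadata layout, a tenant mapping-table layout, a manual-attachment list keyed by result id, and specific status rules (all attached results pass: covered; some pass: partially covered; none pass or no evidence: not covered; a tenant-marked pair: not applicable), none of which the page specifies. The S3 rule carries the four control ids quoted above; every other control id and all sample results are constructed for the example.

```python
"""Many-to-many finding-to-control mapping, per-framework coverage status, and drift (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Rule metadata: each check declares the controls it can evidence, per framework.
# The S3 rule carries the four ids quoted in the text; every other control id in
# this file is a constructed placeholder, not checked against the published frameworks.
RULE_CONTROLS = {
    "aws.s3.encryption_at_rest": {"PCI-DSS": {"3.5"}, "SOC2": {"CC6.1"},
                                  "CIS-AWS": {"2.1.1"}, "NIST-CSF": {"PR.DS-01"}},
    "example.logging.enabled": {"ISO27001": {"A.8.15"}},
}

@dataclass(frozen=True)
class CheckResult:
    """One rule evaluated against one resource; a failing result is a finding."""
    result_id: str
    rule_id: str
    resource: str
    passed: bool
    observed: date

def controls_for(result, custom_table, manual):
    """Union of rule metadata, tenant mapping table and manual attachments,
    as {framework: {control_id}}; many-to-many, never collapsed across frameworks."""
    attached = defaultdict(set)
    for source in (RULE_CONTROLS.get(result.rule_id, {}), custom_table.get(result.rule_id, {})):
        for framework, controls in source.items():
            attached[framework].update(controls)
    for framework, control in manual.get(result.result_id, ()):
        attached[framework].add(control)
    return dict(attached)

def coverage_view(results, custom_table=None, manual=None, catalog=None, not_applicable=frozenset()):
    """Build {framework: {control: {"status", "findings", "last_evidenced"}}}. Assumed status rules:
    all results pass -> covered; some -> partially covered; none or no evidence -> not covered;
    a (framework, control) pair listed in not_applicable overrides the rest."""
    custom_table, manual, catalog = custom_table or {}, manual or {}, catalog or {}
    evidence = defaultdict(lambda: defaultdict(list))
    for r in results:
        for framework, controls in controls_for(r, custom_table, manual).items():
            for control in controls:
                evidence[framework][control].append(r)
    for framework, controls in catalog.items():  # catalogued controls with no evidence yet
        for control in controls:
            evidence[framework].setdefault(control, [])
    view = {}
    for framework, controls in evidence.items():
        view[framework] = {}
        for control, rs in controls.items():
            if (framework, control) in not_applicable:
                status = "not applicable"
            elif rs and all(r.passed for r in rs):
                status = "covered"
            elif any(r.passed for r in rs):
                status = "partially covered"
            else:
                status = "not covered"
            view[framework][control] = {
                "status": status,
                "findings": sorted(r.result_id for r in rs if not r.passed),
                "last_evidenced": max((r.observed for r in rs), default=None),
            }
    return view

def drift(previous, current):
    """Controls that were 'covered' in the previous run and are not now, one alert each."""
    alerts = []
    for framework, controls in previous.items():
        for control, entry in controls.items():
            now = current.get(framework, {}).get(control, {"status": "not covered"})
            if entry["status"] == "covered" and now["status"] != "covered":
                alerts.append((framework, control, now["status"]))
    return sorted(alerts)

# Constructed sample: a tenant mapping table, one manual attachment, a partial catalog,
# and two nightly runs in which one bucket loses its encryption overnight.
CUSTOM_TABLE = {"aws.s3.encryption_at_rest": {"ISO27001": {"A.8.24"}}}
MANUAL = {"r2": [("HIPAA", "164.312(a)(2)(iv)")]}
CATALOG = {"PCI-DSS": {"3.5", "12.10"}}
NOT_APPLICABLE = frozenset({("PCI-DSS", "12.10")})

def nightly_run(day, logs_bucket_encrypted):
    return [CheckResult("r1", "aws.s3.encryption_at_rest", "s3://cardholder-exports", True, day),
            CheckResult("r2", "aws.s3.encryption_at_rest", "s3://app-logs", logs_bucket_encrypted, day),
            CheckResult("r3", "example.logging.enabled", "account/123456789012", True, day)]

NIGHT_1 = nightly_run(date(2024, 5, 1), logs_bucket_encrypted=True)
NIGHT_2 = nightly_run(date(2024, 5, 2), logs_bucket_encrypted=False)

def nightly_drift():
    """Recompute the view for both nights and return the compliance alerts for the second."""
    before = coverage_view(NIGHT_1, CUSTOM_TABLE, MANUAL, CATALOG, NOT_APPLICABLE)
    after = coverage_view(NIGHT_2, CUSTOM_TABLE, MANUAL, CATALOG, NOT_APPLICABLE)
    return drift(before, after)
```

Running `nightly_drift()` yields six alerts: the one failing S3 result is attached to five framework controls through rule metadata and the tenant table, and to a sixth (HIPAA) through the manual attachment, and every one of them leaves the covered state independently. That is the practical consequence of not deduplicating across frameworks: one remediation ticket, but one alert per audit view.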