Pencheff

Risk, reporting, and compliance · Company

Our auditors

Guidance for readers validating scope, evidence, and compliance output.

Reporting turns raw scanner output into evidence-backed decisions: executive posture, technical dossiers, compliance mappings, retest history, threat models, and clear remediation ownership.

Deliverable previewaudit-ready
8coverage areas
5operator steps
4evidence fields
A–FLetter grade
Coverage8
Execution5
Evidence4
Controls4
DOCXPDFSARIFSPDXCycloneDX

Letter grade, compliance mappings, and exports recompute deterministically from finding state.

ScopeOur Practice
SectionCompany
MethodDeterministic-first
OutputUnified evidence
ProfileRisk, reporting, and compliance
01

Coverage

What does Our auditors test?

  • Guidance for readers validating scope, evidence, and compliance output.
  • This page is part of Company under Our Practice.
  • It links back into the broader the practice behind the platform experience.
  • Executive dashboard, letter grade, risk trends, severity rollups, and portfolio posture.
  • Technical dossier with findings, reproduction, affected components, remediation, evidence, and re-examination state.
  • Compliance mapping for OWASP, PCI DSS, SOC 2, NIST, ISO 27001, HIPAA, OWASP LLM, MITRE ATLAS, NIST AI RMF, EU AI Act, and GDPR.
  • Threat modeling with STRIDE, DREAD, attack trees, abuse cases, mitigations, and scan context.
  • Unified findings stream, AI triage, advisory enrichment, comments, suppressions, and audit appendices.
02

Execution

How does Pencheff run this?

  • Collect findings from runtime, repo, supply chain, infrastructure, AI, and manual sources.
  • Normalize severity, confidence, category, exploitability, reachability, and owner state.
  • Generate executive, engineering, compliance, or retest views from the same source record.
  • Track suppression, comments, fixes, re-examinations, and residual risk across scan history.
  • Export reports and feed integrations without losing the underlying evidence chain.
03

Evidence

What evidence does this produce?

  • Executive summaries, trend charts, severity counts, grade drivers, and business impact language.
  • Technical evidence, scanner provenance, reproduction steps, remediation, and references.
  • Framework control mappings and audit appendix entries tied to actual findings.
  • Retest and verification history for closure and residual risk decisions.
04

Controls

How is this kept safe to run?

  • Compliance rollups are deterministic and recomputed from finding state.
  • Triage output distinguishes verified facts from advisory context.
  • Reports inherit the same authorization and workspace boundaries as scans.
  • Executives and auditors can read summaries while engineers keep deep evidence.
01

From the Pencheff docs

Compliance overview

Every finding Pencheff produces is automatically mapped to up to ten compliance frameworks so that a single scan becomes a single piece of audit evidence across your entire security programme.

Web / cloud / data frameworks

FrameworkScopeControls covered
OWASP Top 10 (2021)Web / APIA01–A10
PCI-DSS 4.0Card data environments2.2, 4.1, 6.2, 6.5.x, 7.x, 8.x
NIST 800-53 Rev 5US federal / FedRAMPAC, AU, CM, IA, SC, SI
SOC 2Service orgsCC6.x, CC7.x, A1.x
ISO 27001:2022International ISMSAnnex A.5.x, A.8.x
HIPAAHealthcare (US)164.308, 164.312
OWASP Mobile Top 10 (2024)Mobile appsM1–M10

AI / LLM frameworks

LLM red-team findings automatically attach mappings for the AI-specific governance frameworks. Each finding's compliance.MITRE ATLAS / NIST AI RMF / EU AI Act keys map the underlying OWASP LLM category onto the relevant controls.

FrameworkScopeMapping
OWASP LLM Top 10 (2025)LLM applicationsLLM01–LLM10
MITRE ATLASAdversarial ML threat modelAML.T0010–AML.T0058
NIST AI Risk Management FrameworkUS guidanceMAP / MEASURE / MANAGE functions
EU AI ActEU regulationArticles 10, 13, 14, 15, 17, 50, 55

Example LLM01 finding (prompt injection) maps to:

{
  "owasp": "LLM01: Prompt Injection",
  "compliance": {
    "OWASP":      ["LLM01: Prompt Injection"],
    "MITRE ATLAS": ["AML.T0051", "AML.T0054"],
    "NIST AI RMF": ["MAP 1.5", "MEASURE 2.7", "MANAGE 2.3"],
    "EU AI Act":   ["Article 15", "Article 55"]
  }
}

How the mapping works

Each finding carries a category (e.g. injection, auth, crypto, components) and an owasp_category. The reporting layer in reporting/compliance.py maps those onto control identifiers for every framework.

Example (a SQL injection finding):

{
  "owasp": "A03: Injection",
  "compliance": {
    "OWASP":      ["A03: Injection"],
    "PCI-DSS":    ["6.5.1"],
    "NIST-800-53": ["SI-10", "SI-16"],
    "SOC2":       ["CC6.1", "CC6.6"],
    "ISO27001":   ["A.8.24", "A.8.28"],
    "HIPAA":      ["164.312(a)(2)(iv)", "164.312(c)(1)"]
  }
}

Focused profiles

Use targeted profiles when an audit asks for a specific framework:

  • compliance — 5-framework breadth, OWASP-first
  • compliance-full — every module + SCA + IaC, all six frameworks
  • pci-dss / soc2 — single-framework policy YAML

Report exports

Compliance mappings appear in:

  • DOCX reports — per-finding table + framework summary appendices
  • JSON exportscompliance: { FRAMEWORK: [controls] } on every finding
  • CSV exports — one column per framework, comma-separated controls
  • SBOMs — declared license + PURL for A06 (Vulnerable Components) support

Custom mappings

Add additional frameworks (e.g. CIS Controls, NERC-CIP) by extending the maps in plugins/pencheff/pencheff/config.py — PRs welcome.

02

From the Pencheff docs

SOC 2

Pencheff maps findings to SOC 2 Trust Services Criteria (primarily Security / Common Criteria CC6–CC7 and Availability A1).

TSCExample controlsCoverage
CC6.1 — Logical access controlsCC6.1, CC6.2, CC6.3scan_auth, scan_authz, scan_oauth, scan_mfa_bypass
CC6.6 — Boundary protectionCC6.6CORS, SSRF, clickjacking, WebSocket security
CC6.7 — EncryptionCC6.7scan_infrastructure (TLS)
CC7.1 — Detection / monitoringCC7.1Passive scanner, change detection via ASM
CC7.2 / CC7.3 — Anomaly handlingCC7.2, CC7.3Continuous profile + retest automation
CC8.1 — Change managementCC8.1SBOM + dep scan in CI/CD gate
A1.1 — Availability / capacityA1.1scan_business_logic (rate limiting, race), cloud misconfig

Policy example

apiVersion: pencheff/v1
kind: ScanPolicy
metadata: { name: soc2 }
spec:
  targets: [{ url: "${TARGET_URL}" }]
  modules:
    - { name: scan_infrastructure, depth: standard }
    - { name: scan_auth,           depth: standard }
    - { name: scan_authz,          depth: standard }
    - { name: scan_cloud,          depth: standard }
    - { name: scan_dependencies,   params: { path: "./" } }
    - { name: generate_sbom,       params: { path: "./", format: spdx } }
  thresholds: { fail_on: high }
  reports:
    - { format: docx, path: "./reports/soc2/" }

Evidence packet

The DOCX report has a SOC 2 Control Mapping appendix with one row per CC control, showing findings and remediation status — suitable for submission to your auditor as Type II evidence.

03

From the Pencheff docs

PCI-DSS 4.0

Pencheff covers the PCI-DSS v4.0 technical requirements most commonly exercised by external auditors. Use the pci-dss or compliance-full profile.

Requirements covered

RequirementMeaningPencheff module
2.2Secure configurationscan_infrastructure, scan_dockerfile, scan_kubernetes
4.1Strong cryptographyscan_infrastructure (SSL/TLS)
6.2Bespoke / custom software secure developmentSCA + IaC + DAST
6.5.1Injection flawsscan_injection
6.5.7Cross-site scriptingscan_client_side, scan_dom_xss
6.5.8Broken access controlscan_authz
6.5.10Broken authentication / session mgmtscan_auth, scan_oauth, scan_advanced
6.6Web application firewall or code reviewscan_waf
7.1 / 7.2Access controlscan_authz
8.1 / 8.2 / 8.3Strong authentication + MFAscan_auth, scan_mfa_bypass
11.3Internal + external vuln scansscan_host_vulns, scan_network_misconfig

Report

pencheff run-policy policies/examples/pci_dss.yaml

The resulting DOCX includes a PCI-DSS 4.0 mapping table listing every requirement touched by the scan, and the findings that hit each.

?

FAQ

Common questions

Who are the security practitioners behind Pencheff?
Pencheff is built by practitioners with hands-on experience in application penetration testing, red team engagements, and compliance assessment. The platform encodes the same techniques, evidence standards, and reporting rigour used in institutional-grade manual assessments.
Can Pencheff reports serve as a substitute for manual penetration testing?
Pencheff produces audit-grade reports that satisfy the evidence requirements for SOC 2, PCI-DSS, ISO 27001, and HIPAA assessments. For programmes requiring a named human penetration tester or a CREST/OSCP-certified assessor signature, Pencheff can be combined with a human review engagement.
How does Pencheff maintain assessment quality at scale?
Every finding promotion requires re-verification with a confirmatory payload. Findings that cannot be reproduced are automatically discarded. The methodology is versioned (currently v4.2) and the compliance mapping is updated with each framework revision — so report quality is consistent regardless of scan volume.