Pencheff

Company overview

Pencheff is built around the principle that evidence-backed, adversarial testing should be as rigorous as a formal audit — readable by engineers, executives, and compliance teams on the same page.

Reporting turns raw scanner output into evidence-backed decisions: executive posture, technical dossiers, compliance mappings, retest history, threat models, and clear remediation ownership.


  • Scope: About Pencheff
  • Section: Company
  • Method: Deterministic-first
  • Output: Unified evidence
  • Profile: Risk, reporting, and compliance
01 · Coverage

What does the Company overview cover?

  • Executive dashboard, letter grade, risk trends, severity rollups, and portfolio posture.
  • Technical dossier with findings, reproduction, affected components, remediation, evidence, and re-examination state.
  • Compliance mapping for OWASP, PCI DSS, SOC 2, NIST, ISO 27001, HIPAA, OWASP LLM, MITRE ATLAS, NIST AI RMF, EU AI Act, and GDPR.
  • Threat modeling with STRIDE, DREAD, attack trees, abuse cases, mitigations, and scan context.
  • Unified findings stream, AI triage, advisory enrichment, comments, suppressions, and audit appendices.
02 · Execution

How does Pencheff run this?

  • Collect findings from runtime, repo, supply chain, infrastructure, AI, and manual sources.
  • Normalize severity, confidence, category, exploitability, reachability, and owner state.
  • Generate executive, engineering, compliance, or retest views from the same source record.
  • Track suppression, comments, fixes, re-examinations, and residual risk across scan history.
  • Export reports and feed integrations without losing the underlying evidence chain.
03 · Evidence

What evidence does this produce?

  • Executive summaries, trend charts, severity counts, grade drivers, and business impact language.
  • Technical evidence, scanner provenance, reproduction steps, remediation, and references.
  • Framework control mappings and audit appendix entries tied to actual findings.
  • Retest and verification history for closure and residual risk decisions.
04 · Controls

How is this kept safe to run?

  • Compliance rollups are deterministic and recomputed from finding state.
  • Triage output distinguishes verified facts from advisory context.
  • Reports inherit the same authorization and workspace boundaries as scans.
  • Executives and auditors can read summaries while engineers keep deep evidence.