Pencheff

Risk, reporting, and compliance

Audit and compliance

Evidence packs mapped to OWASP, PCI DSS, SOC 2, ISO 27001, HIPAA, NIST, and GDPR.

Scope: Operational Core

Run web, API, code, dependency, cloud, AI, and internal-network assessments from one queue with unified findings, evidence, remediation, and audit output.

Output: Unified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

Method: Deterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

Coverage

What does Audit and compliance test?

  • Executive dashboard, letter grade, risk trends, severity rollups, and portfolio posture.
  • Technical dossier with findings, reproduction, affected components, remediation, evidence, and re-examination state.
  • Compliance mapping for OWASP, PCI DSS, SOC 2, NIST, ISO 27001, HIPAA, OWASP LLM, MITRE ATLAS, NIST AI RMF, EU AI Act, and GDPR.
  • Threat modeling with STRIDE, DREAD, attack trees, abuse cases, mitigations, and scan context.
  • Unified findings stream, AI triage, advisory enrichment, comments, suppressions, and audit appendices.

Execution

How does Pencheff run this?

  • Collect findings from runtime, repo, supply chain, infrastructure, AI, and manual sources.
  • Normalize severity, confidence, category, exploitability, reachability, and owner state.
  • Generate executive, engineering, compliance, or retest views from the same source record.
  • Track suppression, comments, fixes, re-examinations, and residual risk across scan history.
  • Export reports and feed integrations without losing the underlying evidence chain.

Evidence

What evidence does this produce?

  • Executive summaries, trend charts, severity counts, grade drivers, and business impact language.
  • Technical evidence, scanner provenance, reproduction steps, remediation, and references.
  • Framework control mappings and audit appendix entries tied to actual findings.
  • Retest and verification history for closure and residual risk decisions.

Controls

How is this kept safe to run?

  • Compliance rollups are deterministic and recomputed from finding state.
  • Triage output distinguishes verified facts from advisory context.
  • Reports inherit the same authorization and workspace boundaries as scans.
  • Executives and auditors can read summaries while engineers keep deep evidence.
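The Execution and Controls lists above describe a pipeline: heterogeneous scanner output is normalized onto one record, the same issue is tracked across scans, and compliance rollups are recomputed from current finding state instead of being stored in the report. The following is an added example of that pattern, not Pencheff's own code; the scanner names, field names, record shape, and the CWE-to-control map are assumptions chosen for illustration.

```python
"""Added example (not Pencheff code): normalize findings from several
scanner sources into one record, dedupe them across scans, and recompute
compliance rollups from finding state so suppressions and fixes change
the numbers without anyone editing the report.
Scanner names, field names and CONTROL_MAP are assumptions."""
import hashlib
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SEVERITY_ALIASES = {"crit": "critical", "moderate": "medium", "informational": "info"}

# Illustrative CWE -> framework control map (assumed, not the product's table).
CONTROL_MAP = {
    "CWE-89":   ["OWASP:A03", "PCI-DSS:6.2.4", "SOC2:CC7.1"],
    "CWE-798":  ["OWASP:A07", "PCI-DSS:8.3.2", "SOC2:CC6.1"],
    "CWE-1104": ["OWASP:A06", "SOC2:CC7.1"],
}


def normalize(raw):
    """Map one scanner-specific dict onto the shared record shape.
    The fingerprint is derived from stable fields (CWE + location), so the
    same issue reported by a later scan lands on the same record."""
    sev = str(raw.get("severity", raw.get("level", "info"))).lower()
    sev = SEVERITY_ALIASES.get(sev, sev)
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {sev!r} from {raw.get('tool')}")
    cwe = raw.get("cwe") or raw.get("rule_cwe") or "CWE-unknown"
    location = raw.get("url") or raw.get("file") or raw.get("package") or ""
    fp = hashlib.sha256(f"{cwe}|{location}".encode()).hexdigest()[:16]
    return {
        "fingerprint": fp,
        "source": raw["tool"],
        "severity": sev,
        "cwe": cwe,
        "location": location,
        "state": raw.get("state", "open"),             # open | fixed | suppressed
        "verified": bool(raw.get("verified", False)),  # confirmed by a deterministic check
        "advisory": raw.get("advisory", ""),           # enrichment context, never a counted fact
        "scan": raw["scan"],
    }


def merge(records):
    """Keep one record per fingerprint; the most recent scan decides its state."""
    latest = {}
    for r in sorted(records, key=lambda r: r["scan"]):
        latest[r["fingerprint"]] = r
    return list(latest.values())


def rollup(records):
    """Recompute per-control counts from state on every call. Only open,
    verified findings count; suppressed, fixed and advisory-only entries do not."""
    out = defaultdict(lambda: {"open": 0, "max_severity": "info"})
    for r in records:
        if r["state"] != "open" or not r["verified"]:
            continue
        for control in CONTROL_MAP.get(r["cwe"], []):
            entry = out[control]
            entry["open"] += 1
            if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[entry["max_severity"]]:
                entry["max_severity"] = r["severity"]
    return dict(sorted(out.items()))


# Constructed sample input: three tools with different field names, two scans.
RAW_FINDINGS = [
    {"tool": "dast", "scan": 1, "severity": "crit", "cwe": "CWE-89",
     "url": "/api/search", "verified": True},
    {"tool": "sast", "scan": 1, "level": "High", "rule_cwe": "CWE-798",
     "file": "config.py", "verified": True},
    {"tool": "sca", "scan": 1, "severity": "moderate", "cwe": "CWE-1104",
     "package": "lodash@4.17.15", "verified": False,
     "advisory": "likely unreachable from the request path"},
    # Scan 2: the SQL injection was fixed; the hard-coded secret was suppressed.
    {"tool": "dast", "scan": 2, "severity": "crit", "cwe": "CWE-89",
     "url": "/api/search", "verified": True, "state": "fixed"},
    {"tool": "sast", "scan": 2, "level": "High", "rule_cwe": "CWE-798",
     "file": "config.py", "verified": True, "state": "suppressed"},
]


def report(raw=RAW_FINDINGS, upto_scan=None):
    """Compliance rollup as of a given scan, derived purely from record state."""
    recs = [normalize(r) for r in raw if upto_scan is None or r["scan"] <= upto_scan]
    return rollup(merge(recs))


if __name__ == "__main__":
    print("after scan 1:", report(upto_scan=1))
    print("after scan 2:", report())
```

After scan 1 the rollup shows one critical open finding under OWASP:A03, PCI-DSS:6.2.4 and SOC2:CC7.1 and one high under OWASP:A07, PCI-DSS:8.3.2 and SOC2:CC6.1; the unverified dependency finding contributes nothing even though it carries advisory text. After scan 2 the same computation returns an empty rollup, because the fix and the suppression are recorded on the finding and the report reads from there rather than from a stored count.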

FAQ

Common questions

Which compliance frameworks does Pencheff support?
Pencheff maps every finding to OWASP Top 10 (2021), PCI DSS 4.0, NIST SP 800-53, SOC 2 Trust Services Criteria (CC6/CC7), ISO 27001:2022, HIPAA Security Rule, and OWASP LLM Top 10. AI security findings additionally map to MITRE ATLAS.
How do I use Pencheff evidence in a SOC 2 audit?
Run an assessment, export the report as PDF or DOCX, and submit it as evidence for CC6.1 (logical access) and CC7.1 (vulnerability management) controls. The report includes finding severity, CWE references, request/response excerpts, and a compliance appendix.
Can Pencheff schedule recurring assessments for continuous compliance?
Yes. Pencheff supports scheduled assessments — daily, weekly, or monthly — so you maintain a continuous evidence record rather than a point-in-time snapshot. Findings are tracked across scans to show remediation progress.
Does Pencheff produce a re-test certificate after remediation?
Yes. After you remediate a finding, Pencheff can re-run the specific test to confirm the fix, and the resulting re-examination report serves as a formal closure certificate for audit evidence packages.
