Zypheron
Engineering · June 15, 2026 · 7 min read

Map Pentest Findings to SOC 2, HIPAA, PCI, and NIST — Automatically

The gap between "we ran a scan" and "here is what it means for our SOC 2 audit" usually gets bridged by hand, in a spreadsheet, the week before the assessor arrives. The new Compliance Dashboard in Zypheron Desktop closes that gap as the findings land.

A vulnerability scanner tells you what is broken. An auditor asks a different question: which control does this break, and how much of the framework do you actually cover? Translating one into the other is tedious, error-prone work that nobody enjoys and most teams put off until it is urgent. The Compliance Dashboard does that translation for you, against the frameworks your auditors actually use.

Seven frameworks, one view

The dashboard ships with seven control frameworks built in, each with its real control structure rather than a token sample:

  • NIST SP 800-53 Rev 5 — Access Control, Audit & Accountability, Configuration Management, System & Communications Protection, and more.
  • CIS Controls v8 — asset and software inventory, data protection, secure configuration, vulnerability management, audit logs, network defenses.
  • OWASP Top 10 (2021) — the full ten categories, from Broken Access Control to SSRF.
  • PCI DSS v4.0 — network security, cardholder data protection, encryption, access control, logging, security testing.
  • ISO/IEC 27001:2022 Annex A — organizational, people, physical, and technological controls.
  • HIPAA Security Rule (45 CFR §164) — administrative, physical, and technical safeguards.
  • SOC 2 Trust Services Criteria — logical and physical access, system operations, change management, availability, confidentiality.

Switch frameworks with a tab. You are not re-running anything — the same body of findings is re-projected onto whichever control set you are being assessed against this quarter.

How findings reach controls

When a finding lands in a workspace, the dashboard matches it to relevant controls using the finding's CWE identifiers plus keyword patterns against control descriptions. A finding tagged with a CWE for missing encryption, for example, lights up the encryption controls across PCI, HIPAA, and ISO at once. You can also promote a vulnerability from your findings directly into the dashboard when you want a specific result counted.

Honest scope: the dashboard is an assessment tool, not an auto-remediation tool. It tells you where you stand against each control — Pass, Fail, Partial, or Not Assessed — so you can prioritize and produce evidence. Fixing the control is still your call.

Coverage and pass-rate, not vibes

Two numbers sit at the top of every framework view. Coverage is how many controls you have actually assessed versus the total in the framework — it stops a green dashboard from hiding the controls you never tested. Pass rate is how many of the assessed controls are passing. Below them, a status breakdown splits everything into pass, fail, partial, and not-assessed, and you can filter by control category to zero in on, say, just the Access Control family before a review.
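To make the two mechanisms above concrete, here is an added example that is not Zypheron's code: it matches findings to controls by shared CWE identifier or by a keyword pattern that appears in both the finding title and the control description (the "How findings reach controls" section), and then computes the coverage and pass-rate numbers this section describes. The control catalog, the findings, the severity-to-status rule (high/critical marks a control Fail, lower severities Partial) and the choice to count Partial as not passing are all constructed assumptions for the illustration, not the product's documented behaviour.

```python
"""Added example (not Zypheron's code): map findings to controls via CWE ids plus
keyword patterns, then compute per-framework coverage and pass rate."""
from dataclasses import dataclass
import re


@dataclass
class Control:
    id: str
    framework: str
    description: str
    cwes: frozenset          # CWE ids this control is taken to address (constructed)
    status: str = "Not Assessed"


@dataclass(frozen=True)
class Finding:
    title: str
    cwes: frozenset
    severity: str            # "critical" | "high" | "medium" | "low"


# A finding can only worsen a control's status; Pass is recorded by a tester.
STATUS_RANK = {"Not Assessed": 0, "Pass": 1, "Partial": 2, "Fail": 3}

# Keyword patterns must match both the finding title and the control text.
# Word boundaries matter: a bare "log" would also hit "Login" and wrongly
# drag an authentication finding onto the audit-logging control.
KEYWORD_PATTERNS = [
    re.compile(r"\bencrypt", re.I),
    re.compile(r"\bauthenticat", re.I),
    re.compile(r"\blog(s|ging)?\b", re.I),
]


def build_catalog():
    """Constructed, abbreviated control catalog spanning three frameworks."""
    return [
        Control("PCI-3.5", "PCI DSS v4.0", "Stored account data is protected with strong encryption",
                frozenset({"CWE-311", "CWE-312"})),
        Control("PCI-8.3", "PCI DSS v4.0", "Strong authentication for users and administrators",
                frozenset({"CWE-287"})),
        Control("PCI-10.2", "PCI DSS v4.0", "Audit logs capture all access to system components",
                frozenset({"CWE-778"})),
        Control("PCI-11.3", "PCI DSS v4.0", "Internal and external vulnerability scans are performed",
                frozenset()),
        Control("HIPAA-164.312(a)(2)(iv)", "HIPAA Security Rule", "Encryption and decryption of ePHI",
                frozenset({"CWE-311"})),
        Control("ISO-A.8.24", "ISO/IEC 27001:2022", "Use of cryptography",
                frozenset({"CWE-311", "CWE-327"})),
    ]


def match_controls(finding, catalog):
    """Controls relevant to a finding: a shared CWE id, or a keyword pattern
    present in both the finding title and the control description."""
    hits = []
    for ctrl in catalog:
        if finding.cwes & ctrl.cwes:
            hits.append(ctrl)
            continue
        if any(p.search(finding.title) and p.search(ctrl.description) for p in KEYWORD_PATTERNS):
            hits.append(ctrl)
    return hits


def apply_finding(finding, catalog):
    """Downgrade every matched control; never improve one from a finding."""
    new = "Fail" if finding.severity in ("critical", "high") else "Partial"
    for ctrl in match_controls(finding, catalog):
        if STATUS_RANK[new] > STATUS_RANK[ctrl.status]:
            ctrl.status = new


def mark_pass(control_id, catalog):
    """Record that a tester assessed a control clean; only valid if untouched."""
    for ctrl in catalog:
        if ctrl.id == control_id and ctrl.status == "Not Assessed":
            ctrl.status = "Pass"


def framework_summary(framework, catalog):
    """Coverage = assessed / total; pass rate = passing / assessed (Partial is not a pass)."""
    ctrls = [c for c in catalog if c.framework == framework]
    assessed = [c for c in ctrls if c.status != "Not Assessed"]
    passing = [c for c in assessed if c.status == "Pass"]
    return {
        "total": len(ctrls),
        "coverage": len(assessed) / len(ctrls) if ctrls else 0.0,
        "pass_rate": len(passing) / len(assessed) if assessed else 0.0,
        "breakdown": {s: sum(1 for c in ctrls if c.status == s) for s in STATUS_RANK},
    }


def run_demo():
    """Run two constructed findings through the catalog and summarise each framework."""
    catalog = build_catalog()
    findings = [  # constructed sample findings
        Finding("Cardholder data stored without encryption", frozenset({"CWE-311"}), "high"),
        Finding("Login form accepts weak authentication", frozenset({"CWE-521"}), "medium"),
    ]
    for f in findings:
        apply_finding(f, catalog)
    mark_pass("PCI-10.2", catalog)   # tester recorded the logging control as clean
    return {fw: framework_summary(fw, catalog) for fw in sorted({c.framework for c in catalog})}


if __name__ == "__main__":
    for fw, s in run_demo().items():
        print(f"{fw}: coverage {s['coverage']:.0%}, pass rate {s['pass_rate']:.0%}, {s['breakdown']}")
```

The one encryption finding (CWE-311) lands on the PCI, HIPAA and ISO encryption controls at once, which is the cross-framework re-projection the post describes; the authentication finding has no CWE in the catalog and reaches PCI 8.3 through the keyword path only. In the PCI view the unassessed 11.3 control keeps coverage at 75% even though nothing "failed" it, which is exactly what the coverage number is there to expose.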

From dashboard to deliverable

The dashboard is not a dead end. Once your findings are mapped, the Reports page can generate a Compliance report that carries the control mapping into a document your stakeholders and assessors can read. That is the whole point: the scan, the mapping, and the evidence live in one workspace instead of three tools and a spreadsheet. We walk through the report side in the companion post below.

If your next audit is a SOC 2 Type II or a PCI v4 assessment, this turns a multi-day spreadsheet exercise into a tab you check as you work. Open the desktop, run your scans, and watch the controls fill in.
