What auditors are really asking for
Compliance frameworks are lists of controls — discrete statements like "encrypt cardholder data in transit" or "review access rights periodically." An assessor's job is to decide, control by control, whether you meet it and whether you can prove it. That second half is where most teams lose time. The scan output exists, the fix exists, but the line connecting "finding #14" to "PCI DSS Requirement 4" lives only in someone's head. Evidence is that line, written down and dated.
From finding to control, automatically
The Compliance Dashboard draws that line for you. When a finding enters a workspace, it is matched to relevant controls using its CWE identifiers plus keyword patterns against each control's description. A weak-TLS finding does not just sit in a list — it attaches to the encryption controls in PCI, HIPAA, and ISO simultaneously. You can also promote a specific vulnerability into the dashboard when you want it explicitly counted against a control.
The result is the artifact an auditor wants: a control, a status, and the finding that justifies it.
The frameworks built in
- SOC 2 Trust Services Criteria — the one most SaaS vendors face first.
- PCI DSS v4.0 — for anyone touching cardholder data.
- ISO/IEC 27001:2022 Annex A — the international ISMS standard.
- NIST SP 800-53 Rev 5 — the control catalog behind much of US federal security.
- HIPAA Security Rule — administrative, physical, and technical safeguards for health data.
- CIS Controls v8 — a pragmatic, prioritized baseline.
- OWASP Top 10 (2021) — for application-layer coverage.
Coverage vs pass rate: the number that keeps you honest
A dashboard that is all green can still be lying — if you only assessed three of forty controls. That is why the Compliance Dashboard separates two metrics. Coverage is the share of a framework you have actually assessed. Pass rate is the share of assessed controls that pass. A mature evidence story has high coverage and an honest pass rate; a weak one has a great pass rate over a tiny slice of the framework. Showing both is what makes the evidence defensible when the assessor probes it.
Each control carries one of four statuses — Pass, Fail, Partial, or Not Assessed. "Not Assessed" is a feature: it tells you and the auditor exactly where you have not looked yet, instead of pretending silence is success.
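As an added illustration (not the Compliance Dashboard's own code), the following Python walks through both ideas above: a finding attaches to a control by CWE overlap or a keyword hit, each control derives a Pass, Fail, Partial or Not Assessed status from what is attached, and coverage and pass rate are computed separately per framework. The control catalog, CWE sets, keyword patterns, status rule and findings are all constructed for this example; the keyword rule matches a per-control pattern against the finding title, a simplified stand-in for matching against control descriptions.

```python
import re
from collections import defaultdict

# Constructed catalog: ids, CWE sets and keyword patterns are sample values,
# not the frameworks' authoritative mappings.
TLS_KW = r"\b(tls|ssl|cleartext|in transit)\b"
CONTROLS = [
    {"fw": "PCI DSS", "id": "Req 4", "cwes": {319, 326, 327}, "kw": TLS_KW},
    {"fw": "PCI DSS", "id": "Req 7", "cwes": {284}, "kw": r"\baccess rights?\b"},
    {"fw": "PCI DSS", "id": "Req 8", "cwes": {287, 798}, "kw": r"\bcredentials?\b"},
    {"fw": "PCI DSS", "id": "Req 12", "cwes": set(), "kw": r"\bsecurity policy\b"},
    {"fw": "HIPAA", "id": "164.312(e)", "cwes": {319, 326, 327}, "kw": TLS_KW},
    {"fw": "HIPAA", "id": "164.308(a)(1)", "cwes": set(), "kw": r"\brisk analysis\b"},
]
# Constructed scan findings; "open" is False once the fix has been verified.
FINDINGS = [
    {"id": 14, "title": "Weak TLS: TLS 1.0 enabled on payment gateway", "cwes": {326}, "open": True},
    {"id": 15, "title": "Stale access rights: 3 departed users still active", "cwes": set(), "open": False},
    {"id": 16, "title": "Default credentials on admin console", "cwes": {798}, "open": True},
    {"id": 17, "title": "Cleartext HTTP on patient portal", "cwes": {319}, "open": False},
]

def matches(finding, control):
    """A finding attaches to a control on CWE overlap or a keyword hit in its title."""
    return bool(finding["cwes"] & control["cwes"]) or bool(
        re.search(control["kw"], finding["title"], re.IGNORECASE))

def map_findings(findings=FINDINGS, controls=CONTROLS):
    """Return {(framework, control id): [finding ids]} for every control."""
    return {(c["fw"], c["id"]): [f["id"] for f in findings if matches(f, c)]
            for c in controls}

def control_status(finding_ids, findings=FINDINGS):
    """Pass / Fail / Partial / Not Assessed, derived from the attached findings."""
    open_flags = [f["open"] for f in findings if f["id"] in finding_ids]
    if not open_flags:
        return "Not Assessed"
    return "Fail" if all(open_flags) else "Pass" if not any(open_flags) else "Partial"

def framework_metrics(findings=FINDINGS, controls=CONTROLS):
    """Per framework: coverage = assessed/total, pass rate = pass/assessed."""
    stats = defaultdict(lambda: {"total": 0, "assessed": 0, "pass": 0})
    for (fw, _), ids in map_findings(findings, controls).items():
        status = control_status(ids, findings)
        stats[fw]["total"] += 1
        stats[fw]["assessed"] += status != "Not Assessed"
        stats[fw]["pass"] += status == "Pass"
    return {fw: {"coverage": s["assessed"] / s["total"],
                 "pass_rate": s["pass"] / s["assessed"] if s["assessed"] else None}
            for fw, s in stats.items()}
```

With these inputs, framework_metrics() reports PCI DSS at 75% coverage with a one-in-three pass rate and HIPAA at 50% coverage with a 0% pass rate, which is the two-number picture this section argues for.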
Packaging it for the auditor
Once findings are mapped, the Reports page generates a Compliance report that carries the control mapping into a document — PDF for the formal deliverable, or HTML, Markdown, or JSON if the recipient wants something else. The assessor gets controls, statuses, and the findings behind them in one file, instead of a scan export plus a verbal explanation. The same evidence is already on disk from your scans, so the report is assembled from real results rather than retyped from memory.
An honest boundary
This is assessment and evidence generation, not automatic remediation, and not a substitute for a formal audit. The dashboard tells you where you stand and hands you the proof; closing a failing control and passing the actual assessment is still your team's work. What it removes is the spreadsheet archaeology between testing and proving — which, in practice, is where compliance prep goes to die.
Frequently asked questions
Does a vulnerability scan count as compliance evidence?
Not by itself. It becomes evidence once each finding is tied to a specific control with a status and a date — which is exactly the mapping the Compliance Dashboard performs.
Which frameworks does the desktop support?
NIST 800-53 Rev 5, CIS Controls v8, OWASP Top 10 (2021), PCI DSS v4.0, ISO 27001:2022, the HIPAA Security Rule, and SOC 2 Trust Services Criteria.
What is the difference between coverage and pass rate?
Coverage is how much of the framework you assessed; pass rate is how much of what you assessed passed. The dashboard shows both so the picture stays honest.
If you are heading into a SOC 2 or PCI assessment, stop building the evidence by hand. Run your scans, let the mapping happen, and export the report.
