When a security scanner hands you a list of findings, you have done about 10% of what an audit actually needs. An auditor does not want "you have 3 medium issues." They want: which control does this map to, what is the evidence it is satisfied or not, and as of when? That gap — between a vulnerability list and control-mapped evidence — is what a compliance readiness pack closes, and it is what NANOTESTING produces on every scan.
A finding is not evidence. A mapping is.
Every NANOTESTING finding, and every positive proof point, is mapped to the control IDs your framework cares about. Not a vague "this helps with security" — the specific control. When the scan confirms HSTS with a one-year max-age, or that TLS 1.0/1.1 are disabled, or that DNSSEC validates to the root, those become evidence rows tagged with the exact ISO 27001:2022 Annex A control, SOC 2 Trust Services Criterion, and OWASP category they satisfy.
We map seven frameworks today:
- ISO 27001:2022 — Annex A controls
- SOC 2 — Trust Services Criteria
- HIPAA — Security Rule safeguards
- PCI DSS 4.0 — requirement mappings
- NIST CSF 2.0 — function / category mappings
- CIS Controls v8 — safeguard mappings
- OWASP Top 10 2021 — category mappings
That is 93 controls and 223 signal mappings living in the database — so adding an eighth framework needs no code change.
What is actually in the pack
- Dual view per control. The Compliance dashboard shows BOTH what is broken (findings) AND what is verified satisfied (evidence), with green / red / grey coding. A reviewer sees at a glance what passes, what fails, and what was not exercised this scan.
- Per-scan immutable snapshot. Generated when each scan completes. You can show "as of this scan date, controls X, Y, Z were satisfied with this evidence" — and that record stays stable even after the next scan, so an audit window has a fixed reference point.
- Per-framework export. One-click PDF, CSV, or JSON per framework. Hand the SOC 2 pack to your SOC 2 auditor without exposing the other six frameworks they have no business seeing.
- Drill-through from control to finding. Click any control row and land on the exact set of findings that contributed to its tally. No more hunting for "where are the 3 mediums on PCI 6.2."
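The mechanism described above, a data-driven signal-to-control table, a dual pass / fail / not-exercised view per control, a sealed per-scan snapshot, and a per-framework export, as an added Python sketch. This is not NANOTESTING's code, and the control IDs in the table are illustrative picks from the public frameworks, not the product's actual 223 mappings.

```python
import hashlib
import json
from datetime import date

# Constructed signal-to-control table (illustrative, not NANOTESTING's real mappings).
# Held as data, so adding a framework is a new row, not a code change.
MAPPINGS = [  # (signal_id, framework, control_id)
    ("hsts_one_year_max_age", "ISO 27001:2022", "A.8.24"),
    ("hsts_one_year_max_age", "OWASP Top 10 2021", "A02:2021"),
    ("tls_1_0_1_1_disabled", "ISO 27001:2022", "A.8.24"),
    ("tls_1_0_1_1_disabled", "SOC 2", "CC6.7"),
    ("tls_1_0_1_1_disabled", "PCI DSS 4.0", "4.2.1"),
    ("dnssec_validates_to_root", "ISO 27001:2022", "A.8.20"),
    ("dnssec_validates_to_root", "NIST CSF 2.0", "PR.DS"),
]

def build_snapshot(scan_date, signals):
    """signals: {signal_id: True (confirmed satisfied) | False (finding)};
    a signal absent from the dict was not exercised by this scan."""
    rows = {}
    for signal, framework, control in MAPPINGS:
        row = rows.setdefault((framework, control), {"framework": framework,
                              "control": control, "evidence": [], "findings": []})
        if signal in signals:
            row["evidence" if signals[signal] else "findings"].append(signal)
    for row in rows.values():
        # Dual view: a finding fails the control (red), evidence alone passes it
        # (green), neither means it was not exercised this scan (grey).
        row["status"] = ("fail" if row["findings"] else
                         "pass" if row["evidence"] else "not_exercised")
    ordered = sorted(rows.values(), key=lambda r: (r["framework"], r["control"]))
    return {"scan_date": scan_date.isoformat(), "rows": ordered}

def seal(snapshot):
    """Freeze the snapshot as canonical JSON plus its SHA-256: a fixed
    reference point for the audit window that later scans do not change."""
    body = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return body, hashlib.sha256(body.encode()).hexdigest()

def export_framework(snapshot, framework):
    """Per-framework pack: only the rows that framework's auditor should see."""
    rows = [r for r in snapshot["rows"] if r["framework"] == framework]
    return {"scan_date": snapshot["scan_date"], "framework": framework, "rows": rows}

# Constructed scan result: HSTS confirmed, legacy TLS still on, DNSSEC not checked.
SAMPLE = build_snapshot(date(2024, 5, 1),
                        {"hsts_one_year_max_age": True, "tls_1_0_1_1_disabled": False})
```

Note that ISO A.8.24 ends up red even though the HSTS evidence row is attached to it, which is the dual view in action: the failing legacy-TLS signal and the passing HSTS signal both stay visible under the one control.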
Where teams actually use it
- ISO 27001 readiness — recurring evidence that the technical Annex A controls are exercised and tracked over time.
- SOC 2 preparation — proof for the Security and Availability criteria across the observation window.
- Vendor security reviews — answer the questionnaire with a dated evidence pack instead of a spreadsheet of promises.
- HIPAA & PCI scoping — map technical safeguards to the requirements that apply to your in-scope systems.
The honest part
This is evidence support, not a certification or attestation. NANOTESTING gives your auditor a structured, control-mapped evidence pack and a per-scan immutable snapshot. Your auditor remains the source of truth for sign-off, framework interpretation, and the final report. We sit underneath the auditor, not above them — and that is exactly what makes the pack useful rather than a checkbox nobody trusts.
See the full breakdown on the compliance evidence page, or look at a sample report to see what an evidence pack actually looks like.