PenScanner · authorized · non-destructive · audited

Compliance coverage

Every finding PenScanner produces is tagged with the compliance frameworks it relates to, so the same scan output can feed an auditor review or a SOC 2 evidence package without re-doing the analysis.

SOC 2

Common Criteria 6 (Logical Access) and 7 (System Monitoring). Finding evidence is auto-mapped to CC6.1/CC6.7/CC7.2/CC8.1 where applicable.

  • Trust Services Criteria mapping
  • Evidence trail per finding
  • Auditor-ready PDF dossier

PCI-DSS v4

Requirements 4 (encryption in transit), 6 (secure systems), and 8 (authentication). Findings tagged with the explicit requirement they relate to.

  • Quarterly scan attestation
  • Req. 6.5 injection-flaw checks
  • TLS / cipher posture

ISO 27001 Annex A

Cryptographic controls (A.10), operations security (A.12), and access control (A.9). Findings include the Annex A control ID directly.

  • A.12.6 technical vulnerability management
  • A.9.4 access control
  • A.10.1 cryptography

HIPAA Security Rule

Administrative (164.308) and Technical (164.312) safeguards. Useful for healthtech tenants. Findings include the rule citation.

  • 164.308(a)(1) security management process
  • 164.312(e) transmission security

GDPR

Article 32 (security of processing). PenScanner is also built to help you comply: Art. 17 (erasure) and Art. 20 (portability) are first-class features.

  • Art. 32 security of processing
  • Art. 17 right to erasure
  • Art. 20 portability export

NIST CSF

Protect (PR) and Detect (DE) functions. Each finding maps to the relevant CSF subcategory.

  • PR.IP-12 vulnerability management
  • DE.CM-1 network monitoring

How it works

  1. PenScanner's safe-by-design adapters surface findings (DNS posture, TLS misconfig, missing security headers, exposed config files).
  2. Each finding is automatically tagged with the relevant OWASP category, CWE ID, and the framework controls it maps to.
  3. The Compliance dossiers feature (Pro and Enterprise plans) generates an auditor-ready document mapping every open finding to its applicable controls, with evidence and remediation instructions. Available for all six frameworks above.
  4. The dossier renders as standalone HTML — open in a browser, print to PDF, or hand to an auditor as-is.

Sample dossier

Below is a representative excerpt from a SOC 2 dossier — finding, severity, mapped controls, evidence captured at scan time.

SOC2 — Compliance Dossier
Acme Corp · generated 2026-05-27 02:30 UTC

Findings included: 14
By severity: Critical 0 · High 2 · Medium 5 · Low 7

────────────────────────────────────────────────────────────────
[High] Exposed .git directory
Controls: CC6.1 — Logical access · CC8.1 — Change management · CWE-538

Evidence:
GET https://app.example.com/.git/HEAD -> 200 (body fingerprint matched).
A .git directory is being served. An attacker can clone the full
source tree with `wget --mirror`.

Remediation:
Remove the .git directory from the document root. Configure
nginx/Apache to deny requests to dot-prefixed paths.
────────────────────────────────────────────────────────────────
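The two steps the "How it works" section and the excerpt above describe for this finding class, confirming the `/.git/HEAD` probe by body fingerprint rather than by status code alone and then tagging the confirmed finding with the dossier's controls and rendering the entry, as an added Python example. This is not PenScanner's own code: the function names, the `Finding` dataclass and the constructed probe results are this example's assumptions, and the control mapping is limited to what the excerpt above lists (CC6.1, CC8.1, CWE-538).

```python
# Added example, not PenScanner's code. It shows why the dossier records
# "body fingerprint matched": a server that answers every path with 200 (SPA
# fallback, friendly error page) must not be reported as an exposed repository.
import re
from dataclasses import dataclass, field
from typing import Optional

# A genuine git HEAD file is either a symbolic ref or a detached 40-hex commit id.
_HEAD_REF = re.compile(r"^ref: refs/heads/[\w./-]+\s*$")
_HEAD_SHA = re.compile(r"^[0-9a-f]{40}\s*$")


def git_head_exposed(status: int, body: str) -> bool:
    """True only when the probe got HTTP 200 and the body looks like .git/HEAD."""
    if status != 200:
        return False
    return bool(_HEAD_REF.match(body) or _HEAD_SHA.match(body))


# Control mapping for this finding class, taken from the dossier excerpt above.
# The dict layout (one entry per finding kind, controls keyed by framework) is
# this example's assumption, not PenScanner's data model.
CONTROL_MAP = {
    "exposed-git-dir": {
        "title": "Exposed .git directory",
        "severity": "High",
        "cwe": "CWE-538",
        "controls": {"SOC2": ["CC6.1 (Logical access)", "CC8.1 (Change management)"]},
        "remediation": (
            "Remove the .git directory from the document root. Configure "
            "nginx/Apache to deny requests to dot-prefixed paths."
        ),
    }
}


@dataclass
class Finding:
    kind: str
    url: str
    status: int
    evidence: str
    controls: dict = field(default_factory=dict)
    severity: str = "Info"
    cwe: str = ""
    remediation: str = ""


def classify_git_probe(base_url: str, status: int, body: str) -> Optional[Finding]:
    """Turn a raw probe result into a tagged finding, or None when not confirmed."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    if not git_head_exposed(status, body):
        return None
    meta = CONTROL_MAP["exposed-git-dir"]
    return Finding(
        kind="exposed-git-dir",
        url=url,
        status=status,
        evidence=f"GET {url} -> {status} (body fingerprint matched).",
        controls=meta["controls"],
        severity=meta["severity"],
        cwe=meta["cwe"],
        remediation=meta["remediation"],
    )


def render_entry(f: Finding, framework: str) -> str:
    """Render one dossier entry in the plain-text layout of the sample above."""
    meta = CONTROL_MAP[f.kind]
    controls = " · ".join(f.controls.get(framework, []) + [f.cwe])
    return "\n".join([
        f"[{f.severity}] {meta['title']}",
        f"Controls: {controls}",
        "",
        "Evidence:",
        f.evidence,
        "",
        "Remediation:",
        f.remediation,
    ])


# Constructed probe results (hostnames and bodies are made up, not scan data).
SAMPLE_PROBES = {
    "https://app.example.com": (200, "ref: refs/heads/main\n"),      # real HEAD file
    "https://spa.example.com": (200, "<!doctype html><html>...</html>"),  # catch-all 200
    "https://ok.example.com": (404, "Not Found"),                     # correctly denied
}


def run_samples() -> dict:
    """Classify every constructed probe; only the first one should be confirmed."""
    return {base: classify_git_probe(base, s, b) for base, (s, b) in SAMPLE_PROBES.items()}


if __name__ == "__main__":
    for base, finding in run_samples().items():
        print(base, "->", "confirmed" if finding else "not confirmed")
        if finding:
            print(render_entry(finding, "SOC2"))
```

The catch-all case is the one worth keeping in mind when reading any scanner's evidence line: a bare `200` on `/.git/HEAD` is not proof of exposure, and a dossier that records the fingerprint match alongside the status gives an auditor something they can re-verify.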
