
Compliance mapping

Every finding Pencheff produces is automatically mapped to up to ten compliance frameworks so that a single scan becomes a single piece of audit evidence across your entire security programme.

Web / cloud / data frameworks

| Framework | Scope | Controls covered |
|---|---|---|
| OWASP Top 10 (2021) | Web / API | A01–A10 |
| PCI-DSS 4.0 | Card data environments | 2.2, 4.1, 6.2, 6.5.x, 7.x, 8.x |
| NIST 800-53 Rev 5 | US federal / FedRAMP | AC, AU, CM, IA, SC, SI |
| SOC 2 | Service orgs | CC6.x, CC7.x, A1.x |
| ISO 27001:2022 | International ISMS | Annex A.5.x, A.8.x |
| HIPAA | Healthcare (US) | 164.308, 164.312 |
| OWASP Mobile Top 10 (2024) | Mobile apps | M1–M10 |

AI / LLM frameworks

LLM red-team findings automatically attach mappings for the AI-specific governance frameworks. Each finding's compliance object carries MITRE ATLAS, NIST AI RMF and EU AI Act keys whose values map the finding's underlying OWASP LLM category onto the relevant controls in each framework.

| Framework | Scope | Mapping |
|---|---|---|
| OWASP LLM Top 10 (2025) | LLM applications | LLM01–LLM10 |
| MITRE ATLAS | Adversarial ML threat model | AML.T0010–AML.T0058 |
| NIST AI Risk Management Framework | US guidance | MAP / MEASURE / MANAGE functions |
| EU AI Act | EU regulation | Articles 10, 13, 14, 15, 17, 50, 55 |

Example: an LLM01 finding (prompt injection) maps to:

{
  "owasp": "LLM01: Prompt Injection",
  "compliance": {
    "OWASP":      ["LLM01: Prompt Injection"],
    "MITRE ATLAS": ["AML.T0051", "AML.T0054"],
    "NIST AI RMF": ["MAP 1.5", "MEASURE 2.7", "MANAGE 2.3"],
    "EU AI Act":   ["Article 15", "Article 55"]
  }
}

How the mapping works

Each finding carries a category (e.g. injection, auth, crypto, components) and an owasp_category. The reporting layer in reporting/compliance.py maps those onto control identifiers for every framework.

Example (a SQL injection finding):

{
  "owasp": "A03: Injection",
  "compliance": {
    "OWASP":      ["A03: Injection"],
    "PCI-DSS":    ["6.5.1"],
    "NIST-800-53": ["SI-10", "SI-16"],
    "SOC2":       ["CC6.1", "CC6.6"],
    "ISO27001":   ["A.8.24", "A.8.28"],
    "HIPAA":      ["164.312(a)(2)(iv)", "164.312(c)(1)"]
  }
}
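The two JSON examples above show the output shape; the block below is an added, self-contained illustration of the lookup that produces it, not Pencheff's own reporting/compliance.py. It assumes the mapping tables are keyed by the OWASP category id (the "A03" or "LLM01" prefix of the owasp field), that a finding's category field is not needed for the lookup, that frameworks with no control for a category are omitted from the compliance object (as in the examples above), and that an extra framework can be registered by adding a table. The function names and the two table layouts are assumptions; the control identifiers are the ones shown on this page for the A03 and LLM01 examples.

```python
"""Illustrative compliance mapper (added example, not Pencheff's reporting/compliance.py).

Assumptions (not from the page): function names, the dict layout of the tables,
keying by OWASP category id only, and dropping frameworks with no controls.
"""
from __future__ import annotations

from typing import Dict, List

# Web / cloud / data frameworks, keyed by OWASP Top 10 (2021) category id.
# Only the A03 row from the page is filled in here; a real table covers A01-A10.
WEB_FRAMEWORKS: Dict[str, Dict[str, List[str]]] = {
    "PCI-DSS":     {"A03": ["6.5.1"]},
    "NIST-800-53": {"A03": ["SI-10", "SI-16"]},
    "SOC2":        {"A03": ["CC6.1", "CC6.6"]},
    "ISO27001":    {"A03": ["A.8.24", "A.8.28"]},
    "HIPAA":       {"A03": ["164.312(a)(2)(iv)", "164.312(c)(1)"]},
}

# AI / LLM frameworks, keyed by OWASP LLM Top 10 (2025) category id.
LLM_FRAMEWORKS: Dict[str, Dict[str, List[str]]] = {
    "MITRE ATLAS": {"LLM01": ["AML.T0051", "AML.T0054"]},
    "NIST AI RMF": {"LLM01": ["MAP 1.5", "MEASURE 2.7", "MANAGE 2.3"]},
    "EU AI Act":   {"LLM01": ["Article 15", "Article 55"]},
}


def category_id(owasp: str) -> str:
    """'A03: Injection' -> 'A03'; 'LLM01: Prompt Injection' -> 'LLM01'."""
    return owasp.split(":", 1)[0].strip()


def map_finding(finding: dict) -> dict:
    """Return a copy of the finding with a `compliance` object attached.

    LLM categories are routed to the AI/LLM tables, everything else to the
    web/cloud/data tables. The OWASP entry always echoes the owasp field.
    """
    owasp = finding["owasp"]
    cid = category_id(owasp)
    tables = LLM_FRAMEWORKS if cid.startswith("LLM") else WEB_FRAMEWORKS
    compliance: Dict[str, List[str]] = {"OWASP": [owasp]}
    for framework, table in tables.items():
        controls = table.get(cid, [])
        if controls:  # assumption: frameworks without a control are omitted
            compliance[framework] = list(controls)
    return {**finding, "compliance": compliance}


def register_framework(name: str, table: Dict[str, List[str]], llm: bool = False) -> None:
    """Hypothetical extension hook: add a framework (e.g. CIS Controls) without
    editing the core tables. `table` maps OWASP category ids to control ids."""
    (LLM_FRAMEWORKS if llm else WEB_FRAMEWORKS)[name] = dict(table)


if __name__ == "__main__":
    # Constructed sample findings, mirroring the two JSON examples on the page.
    import json
    sqli = {"category": "injection", "owasp": "A03: Injection"}
    pinj = {"category": "llm", "owasp": "LLM01: Prompt Injection"}
    print(json.dumps(map_finding(sqli), indent=2))
    print(json.dumps(map_finding(pinj), indent=2))
```

Running the block prints the same two compliance objects that appear in the JSON examples above. A finding whose category id has no row in any table comes back with only the OWASP key, which is the case a reviewer should watch for when a new scan module is added without a corresponding mapping row.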

Focused profiles

Use targeted profiles when an audit asks for a specific framework:

  • compliance — 5-framework breadth, OWASP-first
  • compliance-full — every module + SCA + IaC, all six frameworks
  • pci-dss / soc2 — single-framework policy YAML

Report exports

Compliance mappings appear in:

  • DOCX reports — per-finding table + framework summary appendices
  • JSON exports — compliance: { FRAMEWORK: [controls] } on every finding
  • CSV exports — one column per framework, comma-separated controls
  • SBOMs — declared license + PURL for A06 (Vulnerable Components) support
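As an added example of the CSV and summary-appendix shapes described in the list above (not Pencheff's own export code), the block below flattens findings that already carry a compliance object into one column per framework with comma-separated controls, and rolls the distinct controls up per framework. The column list, function names and the two constructed sample findings are assumptions; the control identifiers for the SQL injection finding are the ones shown on this page.

```python
"""Illustrative compliance export (added example, not Pencheff's export code).

Assumes findings already carry the `compliance` object shown on this page.
Column order, function names and the sample findings are constructed here.
"""
from __future__ import annotations

import csv
import io
from typing import Dict, List

# One column per web/cloud/data framework, in the order they appear on the page.
FRAMEWORK_COLUMNS = ["OWASP", "PCI-DSS", "NIST-800-53", "SOC2", "ISO27001", "HIPAA"]

# Constructed sample findings: the page's A03 example plus an unmapped one,
# so the export shows both a populated row and blank framework cells.
SAMPLE_FINDINGS: List[dict] = [
    {
        "title": "SQL injection in /search",
        "severity": "high",
        "compliance": {
            "OWASP":       ["A03: Injection"],
            "PCI-DSS":     ["6.5.1"],
            "NIST-800-53": ["SI-10", "SI-16"],
            "SOC2":        ["CC6.1", "CC6.6"],
            "ISO27001":    ["A.8.24", "A.8.28"],
            "HIPAA":       ["164.312(a)(2)(iv)", "164.312(c)(1)"],
        },
    },
    {
        "title": "Informational banner disclosure",
        "severity": "info",
        "compliance": {"OWASP": ["A05: Security Misconfiguration"]},
    },
]


def to_csv_rows(findings: List[dict]) -> List[Dict[str, str]]:
    """One row per finding; each framework cell holds its controls joined by ', '."""
    rows = []
    for f in findings:
        comp = f.get("compliance", {})
        row = {"title": f["title"], "severity": f["severity"]}
        for fw in FRAMEWORK_COLUMNS:
            row[fw] = ", ".join(comp.get(fw, []))  # blank cell when unmapped
        rows.append(row)
    return rows


def write_csv(findings: List[dict]) -> str:
    """Render the rows as CSV text; cells containing ', ' are quoted by csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["title", "severity", *FRAMEWORK_COLUMNS])
    writer.writeheader()
    writer.writerows(to_csv_rows(findings))
    return buf.getvalue()


def framework_summary(findings: List[dict]) -> Dict[str, List[str]]:
    """Distinct controls touched per framework, the appendix-style rollup."""
    summary: Dict[str, set] = {fw: set() for fw in FRAMEWORK_COLUMNS}
    for f in findings:
        for fw, controls in f.get("compliance", {}).items():
            summary.setdefault(fw, set()).update(controls)
    return {fw: sorted(controls) for fw, controls in summary.items()}


if __name__ == "__main__":
    print(write_csv(SAMPLE_FINDINGS))
    for fw, controls in framework_summary(SAMPLE_FINDINGS).items():
        print(f"{fw}: {', '.join(controls) or '(none)'}")
```

Because the control lists are joined with ", ", the csv module quotes those cells, so a spreadsheet or downstream parser reads each framework column back as a single field rather than splitting the controls across columns.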

Custom mappings

Add additional frameworks (e.g. CIS Controls, NERC-CIP) by extending the maps in plugins/pencheff/pencheff/config.py — PRs welcome.