-
Notifications
You must be signed in to change notification settings - Fork 0
Compliance and Frameworks
AbrahamOO edited this page Jun 18, 2026
·
1 revision
security-mcp does not just find issues; it maps every finding to the standards an auditor recognizes and produces the evidence to prove it. This page lists the full framework catalog and the audit artifacts the tool generates.
- OWASP Top 10 (Web and API)
- OWASP ASVS L2 and L3
- OWASP MASVS (mobile)
- OWASP LLM Top 10
- OWASP Testing Guide
- MITRE ATT&CK (Enterprise, Cloud, Mobile)
- MITRE D3FEND (countermeasures)
- MITRE ATLAS (adversarial ML)
- MITRE CAPEC (attack patterns)
- NIST 800-53 r5 (control families)
- NIST CSF 2.0
- NIST 800-207 (Zero Trust)
- NIST 800-218 (SSDF, secure software development)
- NIST AI RMF
- NIST 800-131A (algorithm transition)
- PCI DSS 4.0
- SOC 2 Type II
- ISO 27001:2022 and ISO 27002
- ISO 42001:2023 (AI management)
- GDPR, CCPA, HIPAA
- SLSA L3
- CIS Benchmarks L2
- AWS Foundational Security Best Practices (FSBP)
- Microsoft Cloud Security Benchmark
- CVSS v4.0 and EPSS
| Area | Covers |
|---|---|
| OWASP | Web, API, mobile, and LLM application risk, plus verification levels and test methodology |
| MITRE | Adversary techniques, countermeasures, ML-specific attacks, and attack patterns, used to map and deduplicate findings by technique |
| NIST | Security controls, the cybersecurity framework, zero trust, secure development, AI risk, and cryptographic transition |
| Compliance | The certifications and regulations enterprises are audited against, from payments to privacy to AI management |
| Cloud and supply chain | Provider hardening benchmarks (see Cloud Security Controls) and build-integrity levels |
| Scoring | Severity and real-world exploit probability that drive SLA escalation in the gate |
The tool produces the documents an audit asks for, written into .mcp/reports/:
-
Compliance report. Generated by
generate_compliance_report, it maps findings and controls to the frameworks above (SOC 2, PCI DSS 4.0, ISO 27001, NIST 800-53, HIPAA, GDPR, and more) and shows coverage and gaps. - Attestations. SHA-256 attested reports that record a passing gate result, and the tamper-evident attestation hash chain that links agent attestations. Attestation refuses to sign over a non-PASS result, so an attested report is defensible evidence.
- Risk register. Produced in the orchestrator program, with findings ranked by severity and tied to remediation SLA deadlines.
Together these give an auditor a control-by-control mapping, dated evidence, and a verifiable chain. See CISO Orchestrator for how the compliance-grc team assembles audit-grade evidence packages.
Start here
Engines
Agents
Reference
Operate