Auditors don't accept "we have a SOC" as evidence. They want specific controls, specific evidence, and specific dates. The good news: the three AttackShield products map cleanly to the NIST Cybersecurity Framework (CSF) 2.0 functions and to the CIS Critical Security Controls. Here's the mapping.
## NIST CSF 2.0 alignment
| Function | AttackShield product | Evidence produced |
|---|---|---|
| Govern (GV) | Risk Management | Asset inventory, risk register, executive reporting |
| Identify (ID) | Risk Management + Red Shield | Asset discovery, vulnerability identification, CMDB |
| Protect (PR) | Blue Shield + Risk Management | Identity protection rules, hardening evidence |
| Detect (DE) | Blue Shield | SIEM with full retention, detection rules, alert audit trail |
| Respond (RS) | Blue Shield | Incident timelines, containment actions, post-incident reports |
| Recover (RC) | Blue Shield + Risk Management | Recovery validation, lessons-learned documentation |
## CIS Critical Security Controls v8
The CIS Controls are more granular and map even more directly. Here's how the top 10 break down:
1. Inventory and Control of Enterprise Assets — Risk Management (asset discovery + reconciled CMDB).
2. Inventory and Control of Software Assets — Risk Management (SaaS + installed software discovery).
3. Data Protection — Blue Shield (DLP signals + identity-centric anomaly detection).
4. Secure Configuration of Enterprise Assets and Software — Red Shield (cloud configuration assessments) + Risk Management (drift detection).
5. Account Management — Risk Management (identity inventory) + Blue Shield (account anomaly detection).
6. Access Control Management — Risk Management (entitlement inventory) + Blue Shield (privileged access monitoring).
7. Continuous Vulnerability Management — Red Shield (this is the entire product).
8. Audit Log Management — Blue Shield (SIEM with unlimited retention).
9. Email and Web Browser Protections — Blue Shield (M365/Google Workspace integration).
10. Malware Defenses — Blue Shield (EDR signal aggregation and tuning).
## What auditors actually want
The mapping is necessary but not sufficient. What auditors really want is evidence. The platform produces it as a byproduct of normal operation:
- Every detection rule with creation date, last modified, last triggered.
- Every alert and the action taken on it, with full audit trail.
- Asset inventory snapshots over time — proof that you knew what you had.
- Vulnerability state over time — proof that critical issues were closed within SLA.
- Incident reports including root cause, containment timeline, and recovery validation.
- Configuration assessment reports for each cloud platform on a recurring cadence.
The best compliance program is one where evidence is generated automatically. Anything else turns into a quarterly fire drill.
## SOC 2, ISO 27001, and beyond
The same evidence covers most controls in SOC 2 (security, availability), ISO 27001:2022 (Annex A), and PCI-DSS 4.0 (sections 5–12). For SMBs working toward certification, this consolidation saves months of evidence-gathering work and replaces it with a continuous audit trail.