SOT Navigator

Deterministic codebase risk artifacts

Compliance path

Technical evidence aid for audit and governance teams.

This path is for Security and GRC leaders who need technical-domain control mapping with traceability and explicit confidence boundaries. Outputs are an evidence aid, not a certification.

Public pages show capability and proof-of-method. Full control-level target artifacts are delivered in scoped, NDA-first engagements.

When this is high fit

  • Audit prep pressure with short deadlines.
  • Need repeatable technical evidence snapshots.
  • Need a transparent controls gap and unknowns baseline.

Framework outputs

  • SOC2, HIPAA, PCI DSS 4.0, ISO 27001 Annex A, NIST CSF.
  • NIST SP 800-53, NIST SP 800-171, CIS v8, CMMC L2, CSA CCM.
  • GDPR safeguards, NIS2, DORA, FedRAMP Moderate.

Delivery model

What you can review now, and what you receive under NDA.

Public proof preview

  • Supported framework coverage with clear method boundaries.
  • Case-study snapshots including confidence context and top-risk zones.
  • Representative visuals (risk matrix and compliance overlay examples).

NDA delivery package

  • Target-specific `compliance-overlay.json` and `compliance-overlay.svg` outputs.
  • Complete framework mapping artifacts with explicit gap registers.
  • Evidence index, unknowns disclosure, and deterministic manifest for reviewer verification.

Core framework baseline

Current technical-aid capability (deterministic self-scan).

This baseline is product capability from a deterministic self-scan on 2026-02-15. It is not a target-company result, certification, or legal opinion.

Framework                         | Artifact                | Score | Full/Partial/Gap | Out of Scope
----------------------------------|-------------------------|-------|------------------|-------------
PCI DSS 4.0                       | pci-controls.json       | 100%  | 9/0/0            | 0
ISO 27001 Annex A (technical)     | iso27001-controls.json  | 100%  | 9/0/0            | 0
NIST CSF 2.0 (technical mapping)  | nist-csf-controls.json  | 100%  | 7/0/0            | 0
GDPR Art. 25/30/32/33             | gdpr-safeguards.json    | 100%  | 6/0/0            | 0

Source contract: tools/sotlint/docs/CAPABILITIES_SCORECARD.md.

Visual examples

How to read the Risk Matrix and the Compliance Overlay.

Risk Matrix (target-scan output)

Visual prioritization of folder-level risk from this specific run.

Risk matrix example
  • Axes represent likelihood and impact for target findings.
  • Color intensity indicates concentration/severity in each cell.
  • This is run-specific output, not global product capability.

Compliance Overlay (target-scan output)

Maps high-risk folders to controls and framework summaries for the scanned target.

Compliance overlay example
  • Top rows = highest-risk mapped folders in this scan.
  • N/A = mapped control marked not applicable (out-of-scope in target context).
  • Framework bars show full/partial/gap status counts for that run.

Proof and verification

What is delivered in a scoped run.

Control visibility

  • `controls-coverage.json`
  • `compliance-overlay.json`
  • Framework-specific control mapping artifacts

Evidence integrity

  • `evidence-index.json` for traceability KPIs
  • `unknowns.json` for blind-spot disclosure
  • `artifacts.sha256` for deterministic reproducibility

Choose an execution model when requesting scope: