Audit-ready, by default.
DORA Article 5, NIS2 Article 21, ISO 27001 Annex A — controls mapped at scan time. Evidence chain hashed per finding. Auditor pack on demand.
Auditors want evidence.
Proof that you're scanning. Proof that you're tracking remediation. Proof that you're meeting SLAs — and proof the records weren't massaged after the fact. Pulling this data from multiple tools into audit-ready format eats days every audit cycle. Doing it under DORA / NIS2 timelines makes it worse.
Nine frameworks, one map.
Every finding in Vornin auto-links to the controls it impacts across all nine frameworks at scan time. Compliance scores update live. Auditor pack exports include a chain-verification manifest.
Automatic framework mapping.
Every vulnerability is auto-linked to relevant controls across DORA (EU 2022/2554), NIS2 (EU 2022/2555), ISO 27001:2022, SOC 2 Type II, PCI DSS 4.0, HIPAA Security Rule, GDPR, NIST 800-53 Rev 5, and CIS Controls v8.
Live compliance scores + 90-day trend.
Per-framework coverage % updates as findings are opened and closed. Daily snapshots build a 90-day score chart for every selected framework.
Per-finding auditor ZIP.
Download a ZIP per finding: manifest.json with chain verification, state.json, events.json, comments, compliance mappings, evidence files, attestation evidence, and a README with the canonicalization recipe.
SLA evidence.
SLA policies prove you're meeting remediation deadlines. Historical MTTR per severity and SLA compliance charts feed straight into audit narratives.
Full audit log.
Every action logged: scans run, findings acknowledged, assignments made, rules created. Give auditors read-only access or export.
Bring your own scans.
Import Nessus / OpenVAS / CSV / JSON to fold external scans into the same compliance pipeline and the same evidence chain. One system of record.
Mappings as CSV or JSON.
Auditors live in spreadsheets. Every framework page exports a control-by-control table with status, open-finding count, and the actual finding titles — CSV or JSON, on demand at /api/compliance/{slug}/mappings.csv.
Honest scoring + coverage gaps.
Governance, training, third-party, and BCP controls are excluded from the score denominator and shown separately as “manual attestation required”. The framework page also surfaces every scan type you haven’t run yet plus the controls it would cover — so you know exactly what your score is missing.
DORA, NIS2, and seven more — pre-mapped.
Compliance mapping isn't a side feature — it's the wedge. Mapping is a single source of truth (ComplianceMappingRules) consumed by both the scan-time tracker and the per-framework UI block, so what you see in your evidence pack is what was actually applied at write-time.
DORA — EU 2022/2554
Digital Operational Resilience Act. Articles on ICT risk management, incident classification, resilience testing, and third-party risk. Map your scanner findings to the right articles before an auditor asks.
NIS2 — EU 2022/2555
Network and Information Security Directive 2. Article 21 risk-management measures spanning asset management, supply-chain security, encryption, and incident handling — mapped to scanner controls and SLA evidence.
ISO 27001:2022
Annex A controls (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological) cross-walked to scan types.
SOC 2 Type II
Trust Services Criteria mapped to scanner output. Useful for software vendors approaching first audit, often paired with ISO 27001.
PCI DSS 4.0
Requirements 6 (secure development) and 11 (testing) cross-mapped to web, code, and infra scanner findings.
HIPAA Security Rule
Administrative, Physical, and Technical safeguards mapped to vulnerability lifecycle and SLA evidence.
GDPR (2016/679)
Articles 32 (security of processing) and 33 (breach notification) mapped to severity and SLA enforcement.
NIST 800-53 Rev 5
Control families RA, SI, CM cross-walked. Useful for federal-adjacent and US-export buyers.
CIS Controls v8
153 controls including IG1 / IG2 / IG3 baselines. Available on every tier as the compliance preview.
An evidence chain auditors can verify themselves.
A spreadsheet of scan results doesn't survive an auditor's "are you sure these weren't edited last night?" question. A cryptographic per-tenant chain does. On Business, every status change is hashed into a tamper-evident ledger, and the auditor pack ships with the verification result baked in. The same evidence layer your NIS2, DORA, or ISO 27001 assessor expects.
Per-tenant SHA-256 chain.
Every status change — UI, API, or background — writes a VulnerabilityEvent row. Each row carries Hash and PreviousHash. Tampering with one event invalidates every later one.
Advisory-locked transactions.
Each save takes pg_advisory_xact_lock(tenantId) before stamping. Concurrent writers serialize per tenant, so the chain stays linear — no fork, no race.
Microsecond-truncated timestamps.
.NET ticks (100ns) get truncated to Postgres microsecond precision before hashing, so canonical hashes round-trip exactly across read and write.
Walk + verify on demand.
The verification service walks a tenant's events, recomputes hashes, and returns the first break. The result is included in every auditor-pack manifest so an auditor can re-run the calculation themselves.
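An auditor can re-run the walk described above over the exported events.json. The script below is an added illustration, not Vornin's verification service; the canonical form it hashes (all fields except Hash/PreviousHash, timestamp truncated to microseconds, keys sorted, compact JSON, previous hash prepended) and the all-zero genesis anchor are assumptions, since the real recipe ships in the pack's README.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first event's PreviousHash

def truncate_to_microseconds(ts: str) -> str:
    """Drop digits past 6 fractional places (.NET 100 ns ticks -> Postgres microseconds).
    Assumes ISO-8601 UTC strings like '2024-05-01T10:00:00.1234567Z'."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return f"{base}.{(frac + '000000')[:6]}Z"

def canonical_bytes(event: dict) -> bytes:
    """Assumed canonical form: every field except Hash/PreviousHash,
    timestamp truncated, keys sorted, compact JSON."""
    body = {k: v for k, v in event.items() if k not in ("Hash", "PreviousHash")}
    body["Timestamp"] = truncate_to_microseconds(body["Timestamp"])
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def compute_hash(event: dict, previous_hash: str) -> str:
    return hashlib.sha256(previous_hash.encode() + canonical_bytes(event)).hexdigest()

def verify_chain(events: list) -> tuple:
    """Walk events in order; return (ok, index_of_first_break, reason)."""
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev["PreviousHash"] != prev:
            return False, i, "PreviousHash does not match prior event's Hash"
        if ev["Hash"] != compute_hash(ev, prev):
            return False, i, "stored Hash differs from recomputed Hash"
        prev = ev["Hash"]
    return True, None, "chain intact"

def build_chain(changes: list) -> list:
    """Constructed stand-in for the writer: stamps Hash/PreviousHash per event."""
    events, prev = [], GENESIS
    for seq, (ts, status) in enumerate(changes):
        ev = {"Seq": seq, "FindingId": "F-1", "Status": status, "Timestamp": ts}
        ev["PreviousHash"] = prev
        ev["Hash"] = prev = compute_hash(ev, prev)  # RHS uses the old prev
        events.append(ev)
    return events

# Constructed sample events, written at 100 ns tick precision as .NET would emit them.
SAMPLE = build_chain([
    ("2024-05-01T10:00:00.1234567Z", "Open"),
    ("2024-05-02T09:30:00.0000001Z", "Acknowledged"),
    ("2024-05-09T16:45:12.9999999Z", "Resolved"),
])
```

Because the writer hashed the truncated timestamp, the events Postgres hands back at microsecond precision verify identically; editing one event's Status breaks that event, and re-stamping its Hash only moves the break to the next event's PreviousHash.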
Per-finding ZIP, tenant-wide PDF.
From any finding, download a ZIP containing manifest, state, events, comments, mappings, evidence, attestation evidence, and a canonicalization README. Business also renders a tenant-wide PDF rolling every chain into one auditor document.
External anchor.
Today the chain is self-anchored to Vornin (still tamper-evident inside your tenant). Roadmap: stamp tip-hashes into RFC 3161 timestamp authorities and a public transparency log so even Vornin can't rewrite history.
Business and above: tamper-evidence chain, per-finding auditor ZIP, and tenant-wide auditor PDF. Built for buyers under NIS2, DORA, and ISO 27001 audit pressure.
Be audit-ready, always.
Free includes CIS Controls as a preview so you can see the mapping UX. Team unlocks all nine frameworks and the attestation workflow. Business adds the tamper-evidence chain, the per-finding auditor pack ZIP, and the tenant-wide auditor PDF.