Introducing Compliance Framework Mapping

Every finding, mapped to the controls your auditors care about — automatically. Ship pentest results that translate directly into framework mappings.

May 1, 2026

A finding without a control reference is a finding that lands on someone else's desk. "Cool vulnerability," the GRC team says. "Now tell me which NIST family it falls under, and which OWASP category it maps to."

That translation work is annoying, manual, and — let's be honest — usually done by whoever loses the coin flip the morning the audit starts.

Today we're shipping the fix: Compliance Framework Mapping, built directly into RedVeil. Every finding from every pentest, automatically tagged to the frameworks your auditors actually use.

What it does

The moment a finding is created — whether it came from an external pentest, an internal engagement, or a one-click retest — RedVeil's AI reads the full context of the issue (title, description, business impact, evidence, recommendations, severity, references) and maps it against four frameworks at once:

  • NIST SP 800-53 — the federal control catalog that underpins FedRAMP, FISMA, and a growing number of enterprise frameworks
  • MITRE ATT&CK — the adversary tactics and techniques matrix that turns "we have a vulnerability" into "here's how a real attacker would use it"
  • CWE — Common Weakness Enumeration, for code-level and architectural classification
  • OWASP — Top 10, API Top 10, or Mobile Top 10, picked automatically based on the project type

Every mapping comes with a confidence score (high / medium / low) and a short rationale grounded in the finding's text — so reviewers can see why a control was selected, not just that it was.

Where it shows up

On every issue page. Open any finding and you'll see a new "Compliance Mappings" section. Expand it to view the mapped controls per framework, the confidence on each, and the rationale tying the finding to the control.

In a brand-new report type: Compliance Mapping Export (CSV). Pick which frameworks to include, click export, and walk away with a flat CSV ready to drop into your audit workpaper, GRC platform, or evidence locker. Each row carries the finding metadata (ID, project, host, severity, status) plus the mapped controls and their confidence scores.

What's new in this release

  • Automatic mapping for every new and updated finding, generated in the background as soon as the finding lands
  • Four frameworks out of the box — NIST SP 800-53, MITRE ATT&CK, CWE, and OWASP
  • Per-finding "Compliance Mappings" section in the issue UI, with collapsible per-framework groupings
  • Confidence scoring on every mapped control, with tooltip explanations
  • Mapping rationale anchored in the finding text — no opaque "trust the AI" output
  • Compliance Mapping Export report type with framework-by-framework column selection

How we built it

A few principles that shaped the design:

  • Don't ask the user to do the translation work. If our AI can find a vulnerability, it can also tell you which control it implicates. Manual mapping is a tax on the security team that GRC pays in audit findings.
  • Show your work. Every mapping ships with a confidence level and a rationale. If a reviewer disagrees, they can see why the AI made the call before they override it.

Pricing and availability

Compliance Framework Mapping is included in RedVeil at every tier — no upgrade, no add-on, no per-finding fee. Mappings are generated automatically for all eligible projects starting today.

What's next

  • Additional frameworks — ISO 27001, PCI DSS v4 control IDs, HIPAA Security Rule, and CIS Controls v8 are all under consideration. Have a specific compliance requirement you are looking to meet? Please reach out
  • Reviewer overrides — let your team confirm, reject, or remap individual controls and have those decisions persist across re-tests
  • Compliance dashboards — see your full audit posture across every framework, project, and engagement at a glance
  • GRC integrations — push mappings directly into third-party GRC tools

The next time someone on your GRC team asks "which control does this map to?" — the answer will already be in the report.