
Compliance Reports and Mapping

Export RedVeil findings mapped to NIST SP 800-53, MITRE ATT&CK, CWE, and OWASP references.

Compliance mapping adds security taxonomy references to RedVeil findings and exports them as a CSV report. It is designed to help teams connect penetration test findings to common control and weakness frameworks without manually mapping every issue.

The Reports page includes several standard report and export types:

  • Executive Report.
  • Technical Report.
  • Full Report.
  • Letter of Attestation.
  • Letter of Engagement.
  • Testing Certificate.
  • Issues CSV.
  • Compliance Mapping CSV.
  • Segmentation Test Report for segmentation projects.

The dedicated compliance feature is the Compliance Mapping export, whose report type identifier is compliance_mapping_csv.

What compliance mapping does

For each finding, RedVeil evaluates the finding title, description, evidence, impact, recommendations, references, source, severity, project type, and host context. It then creates mapping records for supported frameworks.

Supported mapping families:

  • NIST SP 800-53 controls.
  • MITRE ATT&CK techniques.
  • CWE weaknesses.
  • OWASP categories.

Each mapping item includes a confidence level and a rationale grounded in the finding. The mapper is instructed not to invent framework IDs: when a finding has no defensible match in a family, that family is left without a mapping rather than assigned a guessed control or weakness.

OWASP framework selection

OWASP mapping depends on project context.

  • Mobile application findings map to OWASP Mobile categories.
  • Other project types map to OWASP Top 10 or OWASP API Top 10 based on the finding context.

When the OWASP column family is selected, each row records which OWASP framework was used in the owasp_framework column.

Mapping status

Compliance mappings can have the following status values:

  • mapped: All framework families have mappings.
  • partial: At least one framework family has a mapping, but not every family maps cleanly.
  • failed: Mapping could not be generated.

If mapping generation fails for a finding, its mapping_status is failed and the mapping_error column carries the user-safe text Compliance mappings not available rather than raw error details.

Generating a Compliance Mapping CSV

  1. Open a project.
  2. Go to Reports.
  3. Click Create report.
  4. Under CSV, choose Compliance Mapping.
  5. Select the mapping families to include.
  6. Start generation.
  7. View or download the completed CSV from the report list.

Available column families:

  • NIST SP 800-53.
  • MITRE ATT&CK.
  • CWE.
  • OWASP.

If no specific columns are provided, RedVeil includes all supported families.

Availability and scan status

Compliance Mapping CSV is available for standard project types when report generation access is enabled for the organization plan.

For segmentation projects, the Reports page only exposes the Segmentation Test Report and Issues CSV. Compliance Mapping CSV is not shown for segmentation projects.

While a scan is running, paused, cancelling, or cancelled, PDF reports are restricted, but CSV exports such as Issues CSV and Compliance Mapping CSV can remain available depending on project type.

CSV contents

Every Compliance Mapping CSV includes finding and project context columns, followed by the selected compliance families.

Base columns include:

  • finding_id
  • project_id
  • project_name
  • host_key
  • host_title
  • affected_assets
  • issue_group_id
  • issue_group_title
  • issue_group_instance
  • finding_title
  • severity
  • severity_label
  • status
  • mapping_status
  • mapping_generated_at
  • mapping_error
  • references
  • created_at
  • updated_at

When NIST SP 800-53 is selected, RedVeil adds:

  • nist_800_53_controls
  • nist_800_53_rationale
  • nist_800_53_confidence

When MITRE ATT&CK is selected, RedVeil adds:

  • mitre_attack_techniques
  • mitre_attack_rationale
  • mitre_attack_confidence

When CWE is selected, RedVeil adds:

  • cwe_weaknesses
  • cwe_rationale
  • cwe_confidence

When OWASP is selected, RedVeil adds:

  • owasp_framework
  • owasp_categories
  • owasp_rationale
  • owasp_confidence

Long cells can be expanded when previewing the CSV in the Reports page.

Project group compliance exports

Compliance Mapping CSV can also be generated for project groups through the reporting workflow. The export includes findings across the selected group and preserves each finding's project ID and project name.

Regeneration and updates

Each stored mapping records a source hash of the finding content it was generated from and the mapping version in effect at the time. When an export is generated, a finding whose content hash and mapping version both match the stored record reuses the existing mapping; if the finding content has changed or the mapping version has moved on, RedVeil regenerates the mapping.

This avoids unnecessary remapping while keeping exports aligned with the current finding content.
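The reuse-or-regenerate decision described above, as an added example rather than RedVeil's own implementation. The field list, the SHA-256-over-canonical-JSON hashing and the integer MAPPING_VERSION are assumptions chosen to illustrate the scheme; the point it demonstrates is that only the fields that feed the mapping should be hashed, so that status changes or timestamp churn do not force a remap, while any edit to the finding text or a version bump does.

```python
"""Reuse-or-regenerate decision for a finding's compliance mapping.

Added example illustrating the source-hash-plus-mapping-version scheme the
page describes. It is not RedVeil's code: the field list, the hashing method
and the version format are assumptions.
"""
import hashlib
import json

MAPPING_VERSION = 2  # assumption: bumped whenever mapping logic or taxonomies change

# assumption: the finding fields the page lists as inputs to mapping; fields
# outside this tuple (status, timestamps, comments) must not invalidate a mapping
SOURCE_FIELDS = (
    "title", "description", "evidence", "impact", "recommendations",
    "references", "source", "severity", "project_type", "host",
)


def source_hash(finding):
    """SHA-256 over a canonical JSON form of the mapping-relevant fields only."""
    payload = {k: finding.get(k) for k in SOURCE_FIELDS}
    # sort_keys + fixed separators: key order and whitespace cannot change the hash
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def regeneration_decision(finding, stored):
    """stored is the persisted mapping record ({'source_hash', 'mapping_version'})
    or None when the finding has never been mapped.

    Returns (regenerate: bool, reason: str)."""
    if stored is None:
        return True, "no existing mapping"
    if stored.get("mapping_version") != MAPPING_VERSION:
        return True, "mapping version changed"
    if stored.get("source_hash") != source_hash(finding):
        return True, "finding content changed"
    return False, "reused existing mapping"


# Constructed sample finding (not real RedVeil data).
SAMPLE_FINDING = {
    "id": "f-1",
    "title": "SQL injection in login",
    "description": "The username parameter is concatenated into a query.",
    "evidence": "' OR 1=1-- returned all rows",
    "impact": "Authentication bypass and data exposure.",
    "recommendations": "Use parameterised queries.",
    "references": ["CWE-89"],
    "source": "manual",
    "severity": "critical",
    "project_type": "web",
    "host": "app.example.test",
    "status": "open",
    "updated_at": "2024-05-01T10:00:00Z",
}


if __name__ == "__main__":
    stored = {"source_hash": source_hash(SAMPLE_FINDING),
              "mapping_version": MAPPING_VERSION}
    print(regeneration_decision(SAMPLE_FINDING, stored))
    # status/timestamp churn does not force a remap ...
    print(regeneration_decision(
        dict(SAMPLE_FINDING, status="closed", updated_at="later"), stored))
    # ... but a wording change to a source field does
    print(regeneration_decision(
        dict(SAMPLE_FINDING, description="Now fixed"), stored))
```

If you keep your own mirror of the export, storing the same (hash, version) pair beside each row lets you tell at the next export whether a finding's mapping is new, regenerated, or carried forward unchanged.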

CLI usage

Generate a Compliance Mapping CSV for a project with all mapping families:

pentest-agent report generate \
  --project <project_id> \
  --type compliance_mapping_csv

Generate only selected mapping families:

pentest-agent report generate \
  --project <project_id> \
  --type compliance_mapping_csv \
  --compliance-column nist80053 \
  --compliance-column cwe

Comma-separated values are also supported:

pentest-agent report generate \
  --project <project_id> \
  --type compliance_mapping_csv \
  --compliance-column nist80053,cwe,owasp

Allowed values are:

  • nist80053
  • mitreAttack
  • cwe
  • owasp

The --compliance-column option can only be used with --type compliance_mapping_csv.

How to use the export

Common uses include:

  • Mapping pentest findings into GRC evidence workflows.
  • Prioritizing remediation by control family.
  • Providing audit support for stakeholders who need NIST, MITRE, CWE, or OWASP references.
  • Joining RedVeil findings with internal risk registers.
  • Tracking repeated issue groups against compliance categories across project groups.
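A triage script for the export, serving both the CSV contents section above and the uses just listed. This is an added example, not RedVeil's own tooling. It uses the documented column names, but two details are assumptions because the page does not specify them: that multi-valued cells (controls, techniques, weaknesses, categories) are separated by ";", and that confidence cells use the vocabulary "high", "medium", "low". The sample CSV is constructed. The script reports the mapping_status breakdown, flags rows a reviewer must look at (failed rows, partial rows and which family is missing, low-confidence mappings, and "mapped" rows that nonetheless have an empty family column), and groups findings by NIST SP 800-53 control family for prioritisation.

```python
"""Triage a RedVeil Compliance Mapping CSV before it feeds a GRC workflow.

Added example for this page; it is not RedVeil's own code. The column names
are the documented export columns. Two things are assumptions, not documented:
  * multi-valued cells (controls, techniques, weaknesses, categories) are
    separated by ';'
  * confidence cells use the vocabulary "high" / "medium" / "low"
"""
import csv
import io
from collections import Counter, defaultdict

MULTI_VALUE_SEP = ";"          # assumption: separator inside multi-valued cells
LOW_CONFIDENCE = {"low"}       # assumption: confidence vocabulary

# family key -> the column that holds that family's mapping IDs;
# "<family>_confidence" is the matching confidence column
FAMILY_COLUMNS = {
    "nist_800_53": "nist_800_53_controls",
    "mitre_attack": "mitre_attack_techniques",
    "cwe": "cwe_weaknesses",
    "owasp": "owasp_categories",
}

# Constructed sample export (a subset of the base columns plus NIST and CWE).
SAMPLE_CSV = """\
finding_id,project_id,project_name,finding_title,severity_label,mapping_status,mapping_error,nist_800_53_controls,nist_800_53_rationale,nist_800_53_confidence,cwe_weaknesses,cwe_rationale,cwe_confidence
f-1,p-1,Web App,SQL injection in login,Critical,mapped,,SI-10; SC-8,Input validation and transport protection,high,CWE-89,Classic SQLi,high
f-2,p-1,Web App,Verbose server banner,Low,partial,,CM-7,Least functionality,medium,,No defensible CWE match,
f-3,p-1,Web App,Weak password policy,Medium,mapped,,IA-5; AC-7,Authenticator management,low,CWE-521,Weak password requirements,high
f-4,p-1,Web App,Unclear finding text,Info,failed,Compliance mappings not available,,,,,,
"""


def load_rows(text):
    """Return (fieldnames, rows) from CSV text; pass open(path).read() for a real export."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    return reader.fieldnames, rows


def families_present(fieldnames):
    """Which families were selected when the export was generated."""
    return [f for f, col in FAMILY_COLUMNS.items() if col in fieldnames]


def split_values(cell):
    return [v.strip() for v in (cell or "").split(MULTI_VALUE_SEP) if v.strip()]


def status_summary(rows):
    return Counter(r["mapping_status"] for r in rows)


def needs_review(rows, families):
    """Findings a human must check before the export is used as evidence."""
    flagged = []
    for r in rows:
        reasons = []
        empty = [f for f in families if not (r.get(FAMILY_COLUMNS[f]) or "").strip()]
        if r["mapping_status"] == "failed":
            reasons.append("failed: " + (r.get("mapping_error") or "no error text"))
        elif r["mapping_status"] == "partial":
            reasons.append("partial: no mapping for " + ", ".join(empty))
        elif r["mapping_status"] == "mapped" and empty:
            # a 'mapped' row should have every selected family populated
            reasons.append("mapped but empty: " + ", ".join(empty))
        for f in families:
            conf = (r.get(f + "_confidence") or "").strip().lower()
            if f not in empty and conf in LOW_CONFIDENCE:
                reasons.append(f + ": low confidence")
        if reasons:
            flagged.append((r["finding_id"], reasons))
    return flagged


def by_nist_family(rows):
    """Group finding IDs by NIST SP 800-53 control family (prefix before the dash)."""
    groups = defaultdict(set)
    for r in rows:
        for ctl in split_values(r.get("nist_800_53_controls")):
            groups[ctl.split("-", 1)[0].upper()].add(r["finding_id"])
    return {fam: sorted(ids) for fam, ids in sorted(groups.items())}


if __name__ == "__main__":
    fields, rows = load_rows(SAMPLE_CSV)
    fams = families_present(fields)
    print("families:", fams)
    print("status:", dict(status_summary(rows)))
    for fid, reasons in needs_review(rows, fams):
        print(fid, "->", "; ".join(reasons))
    print("by NIST family:", by_nist_family(rows))
```

The "mapped but empty" check is there because a row's mapping_status and its family columns come from different parts of the export; if a partial export of families was selected, the status still reflects all families, so the check only fires on families actually present in the file. Once the multi-value separator and confidence vocabulary have been confirmed against a real export, the two constants at the top are the only things to adjust.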

Review guidance

Compliance mapping is generated from finding context and should be reviewed before being used as final audit evidence. Treat the export as a strong starting point, not a substitute for compliance ownership or assessor judgment.
