Compliance mapping
Compliance frameworks ask for evidence. Noxen produces evidence. Every finding and every probe in a Noxen scan is tagged with the control references it relates to under CIS Controls v8, SOC 2 Trust Services Criteria, and ISO 27001:2022 Annex A. The output is a CSV your auditor can drop straight into their evidence binder.
What Noxen does — and doesn't — claim
Noxen is a vulnerability scanner with a compliance overlay, not a compliance product. It does not certify your organisation against any framework. It does not generate an attestation report. It does not assert that any particular control is "passing" — that judgement belongs to your auditor, your assessor, or your internal compliance lead. What Noxen does is surface concrete, dated, per-host technical evidence (a CVE finding, an exposed admin surface, a weak TLS cipher, a missing security header) and label each item with the control numbers it speaks to.
In other words: the auditor still reviews. Noxen feeds the auditor. The mapping is the bridge between "we ran a scan" and "here is the evidence for Control 7.1 / CC7.1 / Annex A 8.8 over the last 90 days."
Frameworks supported
- CIS Controls v8 — 18 controls and roughly 153 safeguards across Implementation Groups IG1, IG2, and IG3. Noxen covers most of the technical IG1 baseline plus parts of IG2.
- SOC 2 (Trust Services Criteria) — the AICPA criteria set used for SOC 2 Type I and Type II attestations. Noxen produces evidence aligned with the Security TSC and parts of Availability.
- ISO 27001:2022 — 93 controls in Annex A across four themes (Organisational, People, Physical, Technological). Noxen covers a subset of the Technological theme.
How to use compliance output
The workflow is short on purpose. Scanners that produce "compliance reports" with hundreds of pages of theatre tend to produce worse evidence than ones that produce a flat CSV.
- Scan. Run a manual scan, or wait for the scheduled nightly scan. Findings land in your local SwiftData store with severity, CVE ID where applicable, and the host they came from.
- Review. Open the scan in the app, triage findings, mark known false positives. Anything left after review is the evidence set for that point in time. Severity guidance lives in our triage post.
- Export. Per-host CSV or fleet-wide CSV from the export menu. The file includes the finding, the affected host, the severity, the date, and the framework control references (CIS / SOC 2 / ISO) in separate columns.
- Attach. The CSV goes into the audit evidence binder alongside the other technical evidence you collect — configuration baselines, change tickets, log retention samples. Re-export periodically (monthly is typical for SOC 2 Type II observation windows).
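As an added example (not Noxen's own code), the following script turns an export like the one described above into a per-control evidence summary for a fixed observation window, dropping rows the reviewer marked as false positives. The column names, the semicolon separator for multiple control references per cell, and the `status` column are assumptions; the sample rows are constructed.

```python
"""Summarise a Noxen-style compliance CSV per control over an observation window."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export. Layout follows the columns the page lists
# (finding, host, severity, date, one column per framework); the `status`
# column and the ';' separator for several references are assumptions.
SAMPLE_CSV = """\
finding,host,severity,date,status,cis,soc2,iso27001
Outdated OpenSSH build,web-01,high,2024-05-02,open,7.1;7.4,CC7.1,A.8.8
TLS 1.0 enabled,web-01,medium,2024-05-02,open,3.10,CC6.7,A.8.24
Missing HSTS header,web-02,low,2024-05-03,false_positive,16.11,CC6.7,A.8.26
Admin panel exposed,db-01,critical,2023-12-15,open,4.4,CC6.6,A.8.20
"""
FRAMEWORKS = ("cis", "soc2", "iso27001")


def evidence_by_control(csv_text, window_end, window_days=90):
    """Map (framework, control) -> sorted [(date, host, finding)].

    Rows marked false_positive are excluded, as are findings dated outside
    [window_end - window_days, window_end]. window_end is an ISO date string.
    """
    end = date.fromisoformat(window_end)
    start = end - timedelta(days=window_days)
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() == "false_positive":
            continue  # reviewer removed it from the evidence set
        found = date.fromisoformat(row["date"])
        if not start <= found <= end:
            continue  # outside the observation window
        for fw in FRAMEWORKS:
            # One cell may reference several controls ("7.1;7.4").
            for ctrl in filter(None, (c.strip() for c in row[fw].split(";"))):
                index[(fw, ctrl)].append((found, row["host"], row["finding"]))
    return {key: sorted(items) for key, items in index.items()}


def controls_with_evidence(csv_text, window_end, window_days=90):
    """Return the set of (framework, control) pairs backed by at least one finding."""
    return set(evidence_by_control(csv_text, window_end, window_days))


if __name__ == "__main__":
    for (fw, ctrl), items in sorted(evidence_by_control(SAMPLE_CSV, "2024-06-01").items()):
        print(f"{fw} {ctrl}: {len(items)} finding(s), latest {items[-1][0]}")
```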
Compliance mapping ships with the MSP / Team tier ($149/month). If you are running audits for clients, that is the tier you want. For a single organisation chasing one framework, the Live Feed tier covers the scanning cadence and you can hand-map the small number of controls yourself.