Audit-grade evidence, generated by what your fleet actually does.

Packetman says: I'm Packetman. Every audit cycle burns two to four weeks turning the data your tools produce into evidence an auditor will accept. Tools give you logs and dashboards; auditors need dated, signed, scoped reports proving a control was operating. DataStun skips the stitching — the agent already records the operating evidence as it runs, so we hand you the binder, pre-mapped to controls. Below: the framework crosswalks, the reports feature, and the honest boundary — we're not a GRC platform.

Most security tools produce data. Auditors need evidence. The gap is two to four weeks of analyst time per audit cycle. DataStun produces that evidence directly — control-mapped and ready in the product today, with signed per-framework PDF binders in active development.


Iris Locke
DataStun’s leadership voice

Compliance used to mean chasing other teams for proof a control was actually working. With DataStun, most of that proof is intrinsic — the agent records the operating evidence as it runs, so the attestations are simply there when I need them. I’ve come to rely on it across the board: access, monitoring, transmission, malware, data residency. It lets me walk into an audit from a position of strength, not a scramble.

Data is not evidence

What most tools give you

Raw logs. A dashboard with the right numbers somewhere on it. Twelve CSV exports the analyst has to filter, time-bound, deduplicate, and stitch together. The auditor still has to ask, “but how do you know this control was operating?”

What an auditor will accept

A bounded report — tenant ID, time range, criteria, signature, notarized timestamp — mapped to the specific control it’s attesting against. One PDF per binder. The control evidence is on the page; the evaluation is on the auditor.

The DataStun difference: the agent already records the operating evidence as a side effect of running. A blocklist enforcement is the operating evidence for CC6.6. An exposed-services denial is the operating evidence for CC7.1. An executable-reputation verdict is the operating evidence for HIPAA §164.312(b). A known-exploited-version finding (CISA KEV) is the operating evidence for ISO A.8.8 technical-vulnerability management. Pre-built binders just pull the evidence the platform is already collecting and put it in the format auditors expect.

What comes out: signed, control-mapped binders

The evidence your fleet already produces — packaged into the dated, signed reports an auditor will accept. One PDF per binder.

What the agent already records: blocklist enforcements, exposed-service denials, TLS posture, executable verdicts, vulnerability / KEV findings, malware-scan results, per-agent flow log, grade-shift history.

Sample binder cards:

  • SOC 2 CC6.6 — Encrypted sessions: 100% · Agents covered: 142 · Signed · notarized 2026-05-21 14:02 UTC
  • HIPAA §164.312(b) — Flows logged: 9.2M · Integrity timestamps · Signed · notarized 2026-05-21 14:02 UTC
  • ISO 27001 A.8.20 — Blocks enforced: 1,284 · Source + reason: each · Exposed-service denials: 17 · Signed · notarized 2026-05-21 14:02 UTC · tenant 0x9f3a

Same data you were already collecting — now it’s a report with a date, a signature, a notarized timestamp, and the control it attests to printed on the page. The analyst’s two-to-four-week stitching job is the part we deleted.
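The shape of the report described above (tenant-bounded, time-bounded, criterion stated, signed, control-mapped, built from records the agent was already writing) is easy to show in code. The block below is an added example written for this page, not DataStun's own code: the record fields, the control-to-criterion mapping, the sample events and the HMAC-SHA256 signature are all constructed for illustration (a production binder would use an asymmetric signature and a third-party timestamp authority). It also shows the "integrity timestamps" idea from the HIPAA card as a hash chain over the raw records, so a deleted or reordered record is detectable before the report is built.

```python
"""Added example: from raw agent records to a bounded, signed, control-mapped
evidence report. Not DataStun's code; fields, mapping and key are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample of what an agent records as it runs (timestamps are ISO-8601 UTC,
# so plain string comparison orders them correctly).
AGENT_RECORDS = [
    {"tenant": "0x9f3a", "agent": "ws-001", "ts": "2026-05-20T09:14:02Z",
     "kind": "blocklist_enforcement", "dst": "203.0.113.7", "source": "feed-A", "reason": "grade F"},
    {"tenant": "0x9f3a", "agent": "ws-002", "ts": "2026-05-20T10:02:44Z",
     "kind": "tls_posture", "dst": "198.51.100.20", "tls": "1.3"},
    {"tenant": "0x9f3a", "agent": "ws-002", "ts": "2026-05-20T10:03:10Z",
     "kind": "tls_posture", "dst": "198.51.100.21", "tls": "none"},
    {"tenant": "0x9f3a", "agent": "ws-003", "ts": "2026-05-21T08:30:00Z",
     "kind": "blocklist_enforcement", "dst": "203.0.113.9", "source": "feed-B", "reason": "KEV C2"},
    # Outside the audit window: must not appear in the report.
    {"tenant": "0x9f3a", "agent": "ws-001", "ts": "2026-05-23T12:00:00Z",
     "kind": "blocklist_enforcement", "dst": "203.0.113.7", "source": "feed-A", "reason": "grade F"},
    # Another tenant: must not appear in the report.
    {"tenant": "0x1b2c", "agent": "ws-900", "ts": "2026-05-20T09:14:02Z",
     "kind": "blocklist_enforcement", "dst": "203.0.113.7", "source": "feed-A", "reason": "grade F"},
]

# Hypothetical mapping: which record kind evidences a control, and the criterion
# printed on the page for the auditor to evaluate.
CONTROL_CRITERIA = {
    "SOC 2 CC6.6": {"kind": "tls_posture", "criterion": "share of sessions with TLS >= 1.2"},
    "ISO 27001 A.8.20": {"kind": "blocklist_enforcement",
                         "criterion": "blocks enforced, each with source and reason"},
}

def canonical(obj):
    """Deterministic byte form so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def chain_records(records):
    """Integrity timestamps: every record carries the SHA-256 of the previous entry."""
    chained, prev = [], "0" * 64
    for r in records:
        entry = dict(r, prev=prev)
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        chained.append(entry)
        prev = entry["hash"]
    return chained

def verify_chain(chained):
    """Recompute the chain; any edit, deletion or reordering breaks it."""
    prev = "0" * 64
    for entry in chained:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def build_evidence_report(chained, tenant, control, start, end, signing_key):
    """Bound the records by tenant, control kind and window, then sign the result."""
    spec = CONTROL_CRITERIA[control]
    in_scope = [e for e in chained
                if e["tenant"] == tenant and e["kind"] == spec["kind"] and start <= e["ts"] < end]
    if spec["kind"] == "tls_posture":
        ok = sum(1 for e in in_scope if e["tls"] in ("1.2", "1.3"))
        metrics = {"sessions": len(in_scope),
                   "encrypted_pct": round(100 * ok / len(in_scope), 1) if in_scope else None}
    else:
        metrics = {"blocks_enforced": len(in_scope),
                   "with_source_and_reason": sum(1 for e in in_scope if e.get("source") and e.get("reason"))}
    report = {
        "tenant": tenant, "control": control, "criterion": spec["criterion"],
        "window": {"start": start, "end": end},
        "agents_covered": sorted({e["agent"] for e in in_scope}),
        "metrics": metrics,
        "evidence_hashes": [e["hash"] for e in in_scope],  # ties the page back to the chain
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    # Demo signature only: HMAC with a constructed key stands in for a real signing key.
    report["signature"] = hmac.new(signing_key, canonical(report), hashlib.sha256).hexdigest()
    return report

def verify_report(report, signing_key):
    body = {k: v for k, v in report.items() if k != "signature"}
    expected = hmac.new(signing_key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["signature"])

if __name__ == "__main__":
    key = b"constructed-demo-key"
    chain = chain_records(AGENT_RECORDS)
    rep = build_evidence_report(chain, "0x9f3a", "ISO 27001 A.8.20",
                                "2026-05-20T00:00:00Z", "2026-05-22T00:00:00Z", key)
    print(json.dumps(rep, indent=2))
```

The point of the scoping filter is that the out-of-window and other-tenant records are excluded by construction, which is what lets the auditor evaluate the page without re-deriving the bounds; the evidence hashes let them walk from the report back to the individual chained records on request.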

Framework crosswalk

Per framework: which DataStun evidence satisfies which control, and the audit-cycle workflow this replaces. Not exhaustive — the surface a working audit needs — with deeper mappings on request.

SOC 2 (TSC 2017)

Common Criteria evidence binders

CC6.6 · CC6.7 · CC7.1 · CC7.2 · CC8.1

Network-control evidence, logical-access and transmission protections, system monitoring, and change-management evidence at the agent layer.

  • CC6.6 transmission protection: agent TLS posture report + per-agent enforced blocklist roster
  • CC6.7 data restriction: tenant-scope enforcement + access audit log
  • CC7.1 system monitoring: exposed-services alerts + per-agent change events
  • CC7.2 anomaly detection: rep grade-drop history + executable-verdict shifts
  • CC8.1 change management: agent self-update manifest + per-agent version timeline
ISO 27001:2022 / 27002

Annex A evidence binders

A.5.7 · A.8.7 · A.8.16 · A.8.20 · A.8.23

Threat intelligence, malware protection, monitoring activities, network security, web filtering — all evidenced by the agent + reputation pipeline as a normal byproduct.

  • A.5.7 threat intelligence: rep feed-source roster + per-IP threat-grade history
  • A.8.7 protection from malware: SBOM + executable-verdict cluster (SIG / NSRL / MBZ / VT)
  • A.8.16 monitoring: per-agent flow log + retention attestation
  • A.8.20 networks security: blocklist enforcement + exposed-services denial roster
  • A.8.23 web filtering: destination-grade enforcement + blocked-flow attribution
HIPAA Security Rule

§164.308 / §164.312 evidence binders

§164.308(a)(1) · §164.312(a) · §164.312(b) · §164.312(e)

Administrative + technical safeguards. The agent observes who-talked-to-whom-and-when across regulated workstations; that’s the audit log HIPAA §164.312(b) wants.

  • §164.308(a)(1) risk analysis: exposed-services + grade-F destination attestation
  • §164.312(a) access control: per-agent + per-tenant access audit
  • §164.312(b) audit controls: per-agent flow log + cryptographic-integrity timestamps
  • §164.312(e) transmission security: TLS-posture report + encrypted-session attestation
  • BAA available on request for tenants in regulated environments
GDPR / UK GDPR

Article 30 + Article 44 evidence

Art. 30 · Art. 32 · Art. 44 · Art. 33

Records of processing, security of processing, transfer impact assessments, breach notification timelines.

  • Art. 30 records of processing: per-tenant data-collection register (machine-readable)
  • Art. 32 security: TLS posture, retention, encryption-at-rest attestation
  • Art. 44 transfers: data-sovereignty rollup — bytes by destination country — see /sovereignty
  • Art. 33 notification: breach-detection timeline derived from agent flow + grade-shift events
  • DPA available on request
PCI-DSS v4.0

Network + monitoring evidence

1.x · 10.x · 11.x · 6.4.x

For tenants whose fleet includes machines in or adjacent to the cardholder data environment. DataStun does not process cardholder data; it provides the network-evidence layer the assessor will ask about.

  • 1.x firewall + segmentation: per-agent enforced blocklist + exposed-services denial
  • 10.x logging: per-agent flow log + cryptographic-integrity timestamps + retention
  • 11.x detection: anomaly events + grade-shift history
  • 6.4.x change control: agent self-update manifest + version timeline
NIST 800-171 r2 / CMMC 2.0

CUI safeguarding evidence (defense industrial base)

3.1.x · 3.3.x · 3.13.x · 3.14.x

For DIB contractors handling Controlled Unclassified Information. The agent generates the access, audit-log, transmission, and integrity evidence the CMMC assessor walks through.

  • 3.1.x access control: per-agent access enforcement + audit
  • 3.3.x audit: per-agent flow log + retention + protection
  • 3.13.x transmission & protection: TLS posture + blocklist enforcement evidence
  • 3.14.x integrity: executable-verdict cluster + change events
  • CMMC Level 2 assessor-friendly evidence formatting
Vulnerability & malware management

Cross-framework: flaw identification + malicious-code evidence

ISO A.8.8 · PCI 5.x / 6.3.x · NIST 3.11.x / 3.14.x · HIPAA §164.308(a)(5) · SOC 2 CC7.1

The executable-reputation pipeline produces two evidence types nearly every framework asks for under a different name: a technical-vulnerability identification record and a malicious-code-protection record. The agent identifies and dates them — remediation stays with your team.

  • Technical vulnerability mgmt (ISO A.8.8 / PCI 6.3.1 / NIST 3.11.x): per-version published-CVE findings for observed software, with the actively-exploited ones (CISA KEV) flagged — the prioritized list assessors expect — plus the patch-lag scoreboard (version share vs current release)
  • Malicious-code protection (PCI 5.x / HIPAA §164.308(a)(5)(ii)(B) / ISO A.8.7 / NIST 3.14.2): multi-source executable verdict (signature / known-good / malware-corpus / multi-engine) + YARA & ClamAV pattern scan over observed binaries, with false-positive discipline
  • Flaw-remediation evidence (NIST 3.14.1 / SOC 2 CC7.1): the version timeline shows when a flagged version was superseded across the fleet — the before/after proof of remediation
  • Federal alignment: the actively-exploited cross-reference is the same CISA KEV catalog behind BOD 22-01, so the prioritization matches the federal standard
FedRAMP

Boundary & sovereignty evidence

Boundary · Continuous monitoring

FedRAMP authorization is most cleanly served by the self-host (Enterprise tier) deployment so the platform sits inside the customer’s authorized boundary. DataStun is not pursuing FedRAMP authorization for the cloud-hosted platform today.

  • Self-host (Custom): platform runs inside the customer FedRAMP boundary
  • Continuous monitoring: per-agent flow log + grade-shift history feeds your ConMon program
  • Boundary leakage detection: data-sovereignty rollup tagged to the FedRAMP-boundary agents
  • For cloud-hosted: not appropriate for FedRAMP-protected workloads today
CCPA / CPRA

Consumer-rights evidence

1798.100 · 1798.105 · 1798.140(d)

Right-to-know, right-to-delete, sale-of-personal-information posture. DataStun does not sell personal information; the in-product privacy controls satisfy right-to-delete in one click.

  • Right to know: in-tenant data-collection register
  • Right to delete: tenant deletion (in-product) deletes all per-tenant rows in one transaction
  • No sale: no customer data is shared, sold, or pooled across tenants for any purpose

Compliance Reports — evidence in the product today, signed binders next

An on-screen, control-mapped evidence report is live in the product now — every control area above, backed by your fleet’s real numbers, with CSV export and print. The dated, signed, notarized multi-page PDF binders auditors prefer are in active development on the Enterprise tier.

In the product today

  • Compliance & evidence report — every control area, live tenant numbers on-screen
  • Boundary, monitoring, exposed-service, malware, and vulnerability evidence, control-mapped on-screen
  • Evidence export (CSV)
  • Printable report (print)
  • Per-tenant audit-log export (CSV)

In development

  • Signed / notarized per-framework PDF binders — SOC 2, HIPAA, ISO 27001, GDPR, PCI-DSS, NIST 800-171 / CMMC (PDF)
  • Vulnerability & known-exploited (CISA KEV) evidence binder (PDF)
  • Customer-defined binder builder (drag-and-drop control mapping for non-standard frameworks)
  • Direct integration with Vanta / Drata / Secureframe (evidence push)

The full report catalog

Every report we build, what goes in it, and which controls it serves. The evidence behind each one is already in the product on-screen (with CSV export and print on the Compliance & evidence report); the signed, notarized PDF packaging is what’s in development.

Report | What goes in it | Serves | Status
------ | --------------- | ------ | ------
Compliance & evidence summary | Every control area below, with your fleet’s live numbers, each mapped to the control it attests. | Cross-framework | Live
Blocklist-enforcement attestation | Known-bad destinations refused per agent — each with its source, reason, and dispute link. | CC6.6 · ISO A.8.20 · PCI 1.x · NIST 3.13 | Live
Activity & audit-log report | Per-connection record — source, destination, process, ports, bytes, time — across the retention window. | HIPAA §164.312(b) · ISO A.8.16 · NIST 3.3 · PCI 10 | Live
Exposed-services roster | Internal services found reachable on public IPs — the process, first-seen, and the denial action taken. | CC7.1 · ISO A.8.20 · PCI 1.x | Live
Executable & malware-protection report | Every executable, its signer, the multi-source verdict, and the YARA/ClamAV scan result. Hash-only — the binary never leaves the machine. | ISO A.8.7 · PCI 5.x · HIPAA §164.308(a)(5) · NIST 3.14.2 | Live
Vulnerability & known-exploited report | Software versions carrying published CVEs, with the actively-exploited ones (CISA KEV) flagged, plus the patch-lag scoreboard. | ISO A.8.8 · PCI 6.3.x · NIST 3.11.x | Live
Data-sovereignty & transfer report | Bytes by destination country and organization, with EU→non-EU transfers flagged for review. | GDPR Art. 30 · Art. 44 | Live
Host inventory & posture | Per device: OS and build, disk encryption, firewall, TPM, Secure Boot, and pending updates. | ISO A.8.9 · NIST 3.4.x · CMMC CM | Live
Executive brief | A one-page fleet-posture summary for leadership and board review — the headline numbers without the detail. | Cross-framework | Live
Per-framework signed binder | The dated, signed, notarized multi-page PDF that maps each control to its evidence section — the artifact you hand the auditor. | SOC 2 · HIPAA · ISO 27001 · GDPR · PCI · NIST/CMMC | In development

Live = the evidence is in the product now, on-screen. In development = the signed/notarized PDF packaging of that evidence.

Compliance Reports is bundled with the other Enterprise org-wide analytics (executable analysis, beaconing detector, data-sovereignty rollup) since they’re only valuable at fleet scale. See pricing →

The honest split

Compliance has two layers, and we want to be clear about which one DataStun is solving for.

What DataStun attests about itself

The vendor-side compliance posture — what we have, what we don’t, the SOC 2 timeline — lives at /security-review. The honest version: we are pre-commercial, the controls are in place, the audit is on the roadmap, and we will not pretend otherwise during your vendor review.

See the vendor-review pack →

What DataStun helps you attest

Everything on this page. The evidence your fleet generates as a normal byproduct of running, packaged into the binder format your auditor will accept. The control mappings. The dated, signed reports. The framework cross-walk. This is the part the customer is buying.

See pricing →

What this isn’t

Not a GRC platform

DataStun produces evidence; it doesn’t track your control narratives, your risk register, your auditor’s open items, your policy library, or your remediation workflow. For full GRC the right surfaces are Vanta, Drata, Secureframe, Hyperproof, or similar. We feed evidence into them and into the auditor’s direct review — we don’t replace them.

The intentional boundary: a GRC platform does the process work of compliance. DataStun does the technical evidence work. Both are needed; we’re the one in the deeper layer that most teams are short on.

Stop spending two weeks per audit cycle on evidence stitching

Sign up free, enroll one agent, and the data DataStun collects starts populating the in-product evidence report on day one. By your next audit cycle, the control-mapped evidence is ready to hand the auditor.