Skip to main content

How Krait Supports Compliance

Krait performs automated security analysis across:
  • Application source code
  • Container images and configurations
  • Infrastructure and configuration settings
All detected security findings are mapped to relevant compliance controls, producing a clear pass / fail status for each control based on observed technical evidence. This enables teams to:
  • Understand their current compliance posture
  • Identify control gaps early
  • Prioritize remediation work
  • Track progress toward certification readiness
  • Share structured technical evidence with auditors

Supported Compliance Frameworks

Krait currently supports the following compliance and security standards.

ISO 27001

Krait evaluates technical security controls aligned with ISO 27001 requirements, including:
  • Identity and access control
  • Logging, monitoring, and auditability
  • Secure configuration and asset protection
  • Encryption and data protection
  • Infrastructure and network security
Generated reports show which controls pass, fail, or require remediation, helping teams prepare for ISO 27001 audits.

SOC 2 (Trust Services Criteria)

Krait maps findings to SOC 2 Trust Services Criteria, including:
  • Security
  • Availability
  • Confidentiality
  • Processing integrity (where applicable)
Each SOC 2 report provides:
  • Control-level pass/fail status
  • Evidence derived from code, container, and configuration analysis
  • Clear visibility into high-risk gaps affecting audit readiness

OWASP Top 10 (2021)

Krait assesses application security risks against the OWASP Top 10 (2021), including:
  • Broken Access Control
  • Injection vulnerabilities
  • Cryptographic failures
  • Security misconfigurations
  • Identification and authentication failures
This framework helps teams measure exposure to the most critical and commonly exploited application security risks.

CIS Benchmarks

Krait evaluates system and application security against CIS Benchmark controls, including:
  • System and network configuration
  • User account and privilege management
  • Audit and logging settings
  • Malware defenses and vulnerability management
  • Secure service and application configurations
  • Data protection and encryption controls

OWASP ASVS (Application Security Verification Standard)

Krait maps findings against the OWASP ASVS, a framework that defines security requirements for designing, developing, and testing secure web applications. Coverage includes:
  • Authentication and session management
  • Access control
  • Input validation and sanitization
  • Cryptography practices
  • API and web service security
ASVS reports help teams validate that their application meets a defined level of security assurance, making it particularly useful for organizations building software to a specific security maturity target.

NIST SP 800-53A

Krait evaluates controls aligned with NIST SP 800-53A, the assessment procedures framework for federal information systems and organizations. This includes controls across:
  • Access control and identity management
  • Risk assessment and vulnerability management
  • System and communications protection
  • Audit and accountability
  • Configuration management and secure development practices
NIST SP 800-53A reports are commonly used by organizations working toward FedRAMP readiness or those operating in regulated industries that require alignment with NIST standards.

What Pass / Fail Means

  • Pass: No relevant security issues were detected that violate the control within the scanned scope.
  • Fail: One or more findings indicate the control is not met and requires remediation.
All results are based solely on observable technical evidence from the scanned environments.

What Krait Does Not Do

To ensure clarity and transparency:
  • Krait does not issue compliance certificates
  • Krait does not replace external auditors
  • Krait evaluates technical controls only, not organizational or procedural policies
Krait is designed to support audit readiness, not act as a certifying authority.

Using Krait for Audit Readiness

Krait compliance reports are commonly used to:
  • Prepare for ISO 27001, SOC 2, and NIST SP 800-53A audits
  • Validate application security maturity against OWASP ASVS
  • Identify control gaps early in the development lifecycle
  • Provide supporting technical evidence to auditors
  • Track remediation progress over time
Each compliance report is generated per framework and per scan, ensuring clear separation between standards and accurate historical tracking.

Continuous Compliance

Because Krait continuously scans code and containers, teams can move beyond point-in-time assessments toward continuous compliance monitoring, reducing security drift and minimizing audit surprises.