How Krait Supports Compliance
Krait performs automated security analysis across:- Application source code
- Container images and configurations
- Infrastructure and configuration settings
- Understand their current compliance posture
- Identify control gaps early
- Prioritize remediation work
- Track progress toward certification readiness
- Share structured technical evidence with auditors
Supported Compliance Frameworks
Krait currently supports the following compliance and security standards.ISO 27001
Krait evaluates technical security controls aligned with ISO 27001 requirements, including:- Identity and access control
- Logging, monitoring, and auditability
- Secure configuration and asset protection
- Encryption and data protection
- Infrastructure and network security
SOC 2 (Trust Services Criteria)
Krait maps findings to SOC 2 Trust Services Criteria, including:- Security
- Availability
- Confidentiality
- Processing integrity (where applicable)
- Control-level pass/fail status
- Evidence derived from code, container, and configuration analysis
- Clear visibility into high-risk gaps affecting audit readiness
OWASP Top 10 (2021)
Krait assesses application security risks against the OWASP Top 10 (2021), including:- Broken Access Control
- Injection vulnerabilities
- Cryptographic failures
- Security misconfigurations
- Identification and authentication failures
CIS Benchmarks
Krait evaluates system and application security against CIS Benchmark controls, including:- System and network configuration
- User account and privilege management
- Audit and logging settings
- Malware defenses and vulnerability management
- Secure service and application configurations
- Data protection and encryption controls
OWASP ASVS (Application Security Verification Standard)
Krait maps findings against the OWASP ASVS, a framework that defines security requirements for designing, developing, and testing secure web applications. Coverage includes:- Authentication and session management
- Access control
- Input validation and sanitization
- Cryptography practices
- API and web service security
NIST SP 800-53A
Krait evaluates controls aligned with NIST SP 800-53A, the assessment procedures framework for federal information systems and organizations. This includes controls across:- Access control and identity management
- Risk assessment and vulnerability management
- System and communications protection
- Audit and accountability
- Configuration management and secure development practices
What Pass / Fail Means
- Pass: No relevant security issues were detected that violate the control within the scanned scope.
- Fail: One or more findings indicate the control is not met and requires remediation.
What Krait Does Not Do
To ensure clarity and transparency:- Krait does not issue compliance certificates
- Krait does not replace external auditors
- Krait evaluates technical controls only, not organizational or procedural policies
Using Krait for Audit Readiness
Krait compliance reports are commonly used to:- Prepare for ISO 27001, SOC 2, and NIST SP 800-53A audits
- Validate application security maturity against OWASP ASVS
- Identify control gaps early in the development lifecycle
- Provide supporting technical evidence to auditors
- Track remediation progress over time