Regulatory Support

Security that meets compliance requirements.

Our assessments are designed to satisfy penetration testing requirements across major regulatory frameworks. Every report includes a compliance mapping section so your auditors see exactly what they need.

PCI DSS 4.0 · ISO 27001 · SOC 2 Type II · NIST CSF · HIPAA · GDPR
COMPLIANCE AS A BYPRODUCT
We don't run "compliance pentests" — we run thorough security assessments. Compliance is a natural outcome of genuine testing, not a checkbox exercise. Our reports are structured to satisfy auditors without sacrificing technical depth.

Frameworks we support

PCI DSS 4.0
Payment Card Industry Data Security Standard

PCI DSS requires annual penetration testing for all CDE-connected systems. Our assessments satisfy Requirements 11.3.1 (internal), 11.3.2 (external), and 11.3.3 (remediation verification).

Requirement 11.3.1 — Internal penetration test
Requirement 11.3.2 — External penetration test
Requirement 11.3.3 — Remediation and re-test
Requirement 6.3.2 — Bespoke and custom software security
ISO 27001:2022
Information Security Management System

ISO 27001 Annex A requires technical vulnerability management and information security reviews. Our assessments directly address multiple controls.

A.8.8 — Management of technical vulnerabilities
A.8.25 — Secure development lifecycle
A.8.29 — Security testing in development
A.5.36 — Compliance with security policies
SOC 2 Type II
Service Organization Control 2

SOC 2 auditors expect evidence of security testing covering CC7.1 (System Monitoring) and CC8.1 (Change Management). Our reports provide this evidence directly.

CC6.1 — Logical and physical access controls
CC6.6 — Boundary protection security
CC7.1 — Threat detection and monitoring
CC8.1 — Change management controls
NIST CSF 2.0
Cybersecurity Framework

The NIST Cybersecurity Framework provides a risk-based approach to managing cybersecurity risk. Our assessments support the Identify and Protect functions, and help build the Detect function.

ID.RA — Risk assessment
PR.AC — Identity management and access control
PR.IP — Information protection processes
DE.CM — Security continuous monitoring
HIPAA
Health Insurance Portability and Accountability Act

HIPAA's Security Rule requires covered entities to conduct regular technical and non-technical evaluations of security controls protecting ePHI. Our assessments satisfy this requirement.

§164.308(a)(8) — Evaluation (Technical safeguards)
§164.312(a)(1) — Access control assessment
§164.312(c)(1) — Integrity controls
§164.312(e)(1) — Transmission security
GDPR
General Data Protection Regulation

GDPR Article 32 requires "regular testing, assessing and evaluating the effectiveness of technical and organisational measures" for security of processing. Our pentests directly satisfy this obligation.

Article 25 — Data protection by design and default
Article 32 — Security of processing
Article 35 — Data protection impact assessment
CIS Controls v8
Center for Internet Security Controls

CIS Control 18 (Penetration Testing) requires regular and rigorous assessments. Our assessments are scoped and reported in alignment with CIS guidance for IG1, IG2, and IG3 organizations.

Control 18.1 — Establish penetration testing programme
Control 18.2 — Perform periodic external pen tests
Control 18.3 — Remediate pen test findings
Control 18.5 — Use a PTES-compliant methodology
DORA
Digital Operational Resilience Act (EU)

DORA mandates Threat-Led Penetration Testing (TLPT) for financial entities in the EU. Our red team operations are structured to meet TIBER-EU and DORA TLPT requirements.

Article 26 — TLPT requirements for financial entities
TIBER-EU alignment for red team scope
Article 16 — Simplified ICT risk management framework

Meet your audit requirements and improve real security.

Tell us which framework you're targeting and we'll scope an assessment that satisfies auditors and actually improves your posture.