Report Type

Compliance Report

Audit-ready compliance reports with automatic control mapping, evidence collection, and gap analysis for SOC 2, PCI-DSS, HIPAA, and more.

Enterprise Feature

Full compliance reporting is available on Enterprise plans. Contact sales@agnech.com for a demo and pricing.

Overview

Compliance reports automatically map security findings to regulatory control requirements, collect evidence, and identify gaps—saving weeks of manual audit preparation.

Bash
# Generate SOC 2 compliance report
bloodhound report compliance --framework soc2 --output soc2-report.pdf

# Multiple frameworks
bloodhound report compliance --framework soc2,pci-dss --output compliance.pdf

# With evidence package
bloodhound report compliance --framework hipaa --evidence-pack --output hipaa/

# Continuous compliance monitoring
bloodhound report compliance --framework iso27001 --watch --alert-on-regression

Compliance Frameworks

Built-in support for major compliance frameworks with pre-mapped controls. Controls is the number of controls in each mapping and Coverage is the share of the framework's controls that the mapping reaches; the remaining controls are the procedural and organizational ones that a code scan cannot observe and that need evidence from elsewhere.

Framework      | Controls | Coverage | Standard
---------------|----------|----------|---------
SOC 2 Type II  | 64       | 94%      | AICPA
PCI-DSS 4.0    | 78       | 97%      | PCI SSC
HIPAA          | 45       | 91%      | HHS
ISO 27001      | 114      | 89%      | ISO
GDPR           | 38       | 92%      | EU
NIST CSF       | 108      | 87%      | NIST
FedRAMP        | 325      | 85%      | GSA
OWASP ASVS     | 286      | 96%      | OWASP

Control Mapping

Findings are automatically mapped to the compliance controls they affect, with a rationale for each mapping. The mapping is limited to what the scan observes: a control with no findings is reported as satisfied on the strength of the checks that ran, so treat that status as "no contrary evidence from the scanner" and supply evidence for procedural controls separately.

Text
# Sample Control Mapping Output

═══════════════════════════════════════════════════════════════════
                     SOC 2 COMPLIANCE REPORT
                  Trust Service Criteria Mapping
═══════════════════════════════════════════════════════════════════

OVERALL COMPLIANCE: 94% (60/64 controls satisfied)

CC6: LOGICAL AND PHYSICAL ACCESS CONTROLS
───────────────────────────────────────────────────────────────────

CC6.1 - Logical Access Security
Status: ⚠️ PARTIAL (2 findings require attention)

Findings affecting this control:
┌──────────────────────────────────────────────────────────────────┐
│ AUTH-001 [CRITICAL] Authentication Bypass                        │
│ Impact: Violates CC6.1.1 (unique user identification)            │
│ Evidence: auth/middleware.ts:34 - missing session validation     │
│ Remediation: Add session validation to all protected routes      │
├──────────────────────────────────────────────────────────────────┤
│ AUTH-003 [HIGH] Weak Password Policy                             │
│ Impact: Violates CC6.1.3 (password complexity requirements)      │
│ Evidence: config/auth.ts - minimum length = 8                    │
│ Remediation: Increase minimum length to 12 characters            │
└──────────────────────────────────────────────────────────────────┘

CC6.6 - Restriction of Access
Status: ✓ SATISFIED

Evidence collected:
• RBAC implementation verified in auth/roles.ts
• Permission checks found in all sensitive endpoints
• No authorization bypass findings detected


CC7: SYSTEM OPERATIONS
───────────────────────────────────────────────────────────────────

CC7.1 - Security Monitoring
Status: ⚠️ PARTIAL (1 finding requires attention)

Findings affecting this control:
┌──────────────────────────────────────────────────────────────────┐
│ LOG-001 [MEDIUM] Insufficient Security Logging                   │
│ Impact: Violates CC7.1.2 (security event logging)                │
│ Evidence: Missing logging in auth/login.ts                       │
│ Remediation: Add structured logging for auth events              │
└──────────────────────────────────────────────────────────────────┘
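Control mapping of this kind is a rollup over a many-to-many table from finding categories to controls. The Python below is an added example written for this page, not Bloodhound's code: the mapping table, the control list, the findings and the status policy are constructed assumptions, and the policy is deliberately stricter than the sample report above (a CRITICAL finding marks the control NOT SATISFIED rather than PARTIAL). It also surfaces two things a report must not lose silently: findings whose category has no mapping, and controls the scan never touched, which it counts as satisfied only for lack of contrary evidence.

```python
from collections import defaultdict

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed mapping table (an assumption for this example): finding
# category -> controls it affects. One category can touch several controls.
CONTROL_MAP = {
    "auth-bypass":     ["CC6.1"],
    "weak-password":   ["CC6.1"],
    "authz-bypass":    ["CC6.6"],
    "missing-logging": ["CC7.1"],
}

# Every control the framework defines, including ones no finding touches.
# CC7.2 is included only to show that an untouched control is counted as
# satisfied purely because nothing contradicted it.
FRAMEWORK_CONTROLS = ["CC6.1", "CC6.6", "CC7.1", "CC7.2"]

# Constructed sample findings, modelled on the sample report above.
FINDINGS = [
    {"id": "AUTH-001", "severity": "CRITICAL", "category": "auth-bypass",
     "location": "auth/middleware.ts:34"},
    {"id": "AUTH-003", "severity": "HIGH", "category": "weak-password",
     "location": "config/auth.ts"},
    {"id": "LOG-001", "severity": "MEDIUM", "category": "missing-logging",
     "location": "auth/login.ts"},
    {"id": "OLD-007", "severity": "HIGH", "category": "authz-bypass",
     "location": "api/admin.ts:12", "status": "resolved"},
    {"id": "MISC-009", "severity": "LOW", "category": "typo",
     "location": "README.md"},  # category with no mapping
]


def map_findings(findings, control_map):
    """Group open findings by the controls they affect (many-to-many).

    Resolved findings are skipped. Findings whose category has no mapping
    are returned separately so they are reviewed instead of disappearing
    from the report."""
    by_control = defaultdict(list)
    unmapped = []
    for f in findings:
        if f.get("status") == "resolved":
            continue
        controls = control_map.get(f["category"])
        if not controls:
            unmapped.append(f["id"])
            continue
        for c in controls:
            by_control[c].append(f)
    return by_control, unmapped


def control_status(open_findings, fail_at="CRITICAL"):
    """Rollup policy (an assumption of this example): no open findings ->
    SATISFIED; any finding at or above `fail_at` -> NOT SATISFIED;
    anything else -> PARTIAL."""
    if not open_findings:
        return "SATISFIED"
    worst = max(SEVERITY_RANK[f["severity"]] for f in open_findings)
    if worst >= SEVERITY_RANK[fail_at]:
        return "NOT SATISFIED"
    return "PARTIAL"


def assess(findings, controls, control_map, fail_at="CRITICAL"):
    """Return a status and finding list per control plus the overall
    ratio, computed as satisfied / total like the report header."""
    by_control, unmapped = map_findings(findings, control_map)
    result = {}
    for c in controls:
        fs = sorted(by_control.get(c, []),
                    key=lambda f: -SEVERITY_RANK[f["severity"]])
        result[c] = {"status": control_status(fs, fail_at),
                     "findings": [f["id"] for f in fs]}
    satisfied = sum(1 for r in result.values() if r["status"] == "SATISFIED")
    return {"controls": result, "satisfied": satisfied, "total": len(controls),
            "percent": round(100 * satisfied / len(controls)),
            "unmapped": unmapped}


if __name__ == "__main__":
    summary = assess(FINDINGS, FRAMEWORK_CONTROLS, CONTROL_MAP)
    print(f"OVERALL COMPLIANCE: {summary['percent']}% "
          f"({summary['satisfied']}/{summary['total']} controls satisfied)")
    for cid, r in summary["controls"].items():
        print(f"{cid}: {r['status']} {r['findings']}")
    print("UNMAPPED FINDINGS (review manually):", summary["unmapped"])
```

The `fail_at` threshold is the policy knob an auditor will ask about: lowering it to HIGH makes AUTH-003 alone enough to fail CC6.1, raising it above CRITICAL reproduces the report's PARTIAL. Whatever the choice, the unmapped list and the untouched controls are the two places where a "94% compliant" headline can be quietly wrong.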

Evidence Collection

Automatically collect and organize audit evidence for each control.

Bash
# Generate evidence package
bloodhound report compliance --framework soc2 --evidence-pack --output evidence/

# Evidence package structure:
# evidence/
# ├── soc2-report.pdf          # Main compliance report
# ├── summary.json             # Machine-readable summary
# │
# ├── CC6.1/                   # Logical Access Controls
# │   ├── evidence-001.png     # Screenshot: RBAC config
# │   ├── evidence-002.txt     # Code snippet: auth middleware
# │   ├── evidence-003.json    # Scan results
# │   └── finding-AUTH-001.md  # Finding details
# │
# ├── CC6.6/                   # Restriction of Access
# │   ├── evidence-001.png     # Permission matrix
# │   ├── evidence-002.txt     # Access control code
# │   └── satisfactory.md      # Control satisfied narrative
# │
# ├── CC7.1/                   # Security Monitoring
# │   ├── evidence-001.txt     # Logging configuration
# │   ├── evidence-002.png     # Alert dashboard screenshot
# │   └── finding-LOG-001.md   # Finding details
# │
# └── appendix/
#     ├── scan-log.txt         # Full scan output
#     ├── methodology.md       # Testing methodology
#     └── tool-version.txt     # Bloodhound version info

Automated Collection

Code snippets, configuration screenshots, and scan results are collected automatically.

Auditor-Ready

Evidence is organized by control with clear file naming and cross-references.

Gap Analysis

Identify gaps between your current security posture and compliance requirements.

Text
# Gap Analysis Report

═══════════════════════════════════════════════════════════════════
                     COMPLIANCE GAP ANALYSIS
                     Framework: PCI-DSS 4.0
═══════════════════════════════════════════════════════════════════

SUMMARY
───────────────────────────────────────────────────────────────────
Controls Assessed: 78
Controls Satisfied: 71 (91%)
Controls with Gaps: 7 (9%)
Critical Gaps: 2
High Gaps: 3
Medium Gaps: 2

GAP DETAIL
───────────────────────────────────────────────────────────────────

[CRITICAL] Requirement 6.2.4 - Prevent Common Software Attacks (Injection)
───────────────────────────────────────────────────────────────────
Status: NOT SATISFIED
Gap: SQL injection vulnerability in payment processing

Finding: SQL-001 (payment-api/src/controllers/charge.ts:89)
Impact: Cardholder data at risk of exfiltration
Remediation: Implement parameterized queries
Effort: 2 hours
Priority: Immediate


[CRITICAL] Requirement 3.5.1 - Render PAN Unreadable Anywhere It Is Stored
───────────────────────────────────────────────────────────────────
Status: NOT SATISFIED
Gap: Full card numbers written in clear text to application logs

Finding: LOG-002 (logging/formatters.ts:45)
Impact: PAN visible in application logs
Remediation: Mask or truncate card numbers in all log output
Effort: 4 hours
Priority: Immediate


[HIGH] Requirement 8.3.6 - Password Complexity
───────────────────────────────────────────────────────────────────
Status: PARTIAL
Gap: Minimum password length below what Requirement 8.3.6 requires

Current: 8 characters, alphanumeric
Required: minimum 12 characters (8 only where the system cannot support 12), containing both numeric and alphabetic characters
Finding: AUTH-003
Remediation: Update password policy configuration
Effort: 1 hour
Priority: This week


REMEDIATION ROADMAP
───────────────────────────────────────────────────────────────────
To close every gap identified in this assessment:

Week 1:
• Fix SQL-001 (SQL Injection) - 2h
• Fix LOG-002 (PAN in logs) - 4h
• Update password policy - 1h

Week 2:
• Implement remaining high-priority fixes - 8h
• Update documentation - 4h

Estimated total effort: 19 hours

Audit Package

Generate complete audit packages ready for external auditors.

Bash
# Generate complete audit package
bloodhound report compliance --framework soc2 \
  --audit-package \
  --auditor-name "Big4 Auditing Firm" \
  --audit-period "2024-01-01 to 2024-12-31" \
  --output audit-package/

# Audit package contents:
# audit-package/
# ├── 00-cover-letter.pdf          # Customized for auditor
# ├── 01-executive-summary.pdf     # High-level overview
# ├── 02-methodology.pdf           # Testing methodology
# ├── 03-control-matrix.xlsx       # All controls with status
# ├── 04-findings-detail.pdf       # Detailed findings
# ├── 05-gap-analysis.pdf          # Gap analysis
# ├── 06-remediation-plan.pdf      # Remediation roadmap
# │
# ├── evidence/                    # All evidence files
# │   └── [organized by control]
# │
# ├── technical/
# │   ├── scan-configuration.json  # Scan settings
# │   ├── scan-log.txt             # Raw scan output
# │   └── tool-attestation.pdf     # Tool certification
# │
# └── appendix/
#     ├── previous-audits.pdf      # Historical comparison
#     └── remediation-tracking.xlsx # Fix tracking sheet

Continuous Compliance

Set up scheduled compliance scans to maintain audit readiness:

Bash
bloodhound schedule compliance --framework soc2 --weekly
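A regression alert of the kind `--alert-on-regression` describes is a comparison of the current summary against a baseline one. The Python below is an added example, not Bloodhound's code: the layout of summary.json (a `controls` object keyed by control id, each with `status` and `findings`) and both sample summaries are constructed assumptions, so check the real file's schema before wiring this into a pipeline. It flags three regressions that a status-only comparison misses: a new finding on a control whose status did not change, a control that dropped out of the assessment altogether, and a baseline produced for a different framework.

```python
import json
import sys

STATUS_RANK = {"SATISFIED": 0, "PARTIAL": 1, "NOT SATISFIED": 2}

# Constructed sample summaries. The schema is an assumption for this example.
BASELINE_JSON = """{
  "framework": "soc2", "generated": "2024-03-01",
  "controls": {
    "CC6.1": {"status": "PARTIAL",       "findings": ["AUTH-003"]},
    "CC6.6": {"status": "SATISFIED",     "findings": []},
    "CC7.1": {"status": "SATISFIED",     "findings": []},
    "CC7.2": {"status": "SATISFIED",     "findings": []},
    "CC8.1": {"status": "NOT SATISFIED", "findings": ["CHG-002"]}
  }
}"""

CURRENT_JSON = """{
  "framework": "soc2", "generated": "2024-03-08",
  "controls": {
    "CC6.1": {"status": "PARTIAL",   "findings": ["AUTH-003", "AUTH-001"]},
    "CC6.6": {"status": "SATISFIED", "findings": []},
    "CC7.1": {"status": "PARTIAL",   "findings": ["LOG-001"]},
    "CC8.1": {"status": "SATISFIED", "findings": []}
  }
}"""


def find_regressions(baseline, current):
    """Return one record per regression between two summaries:
    a control whose status got worse, a control carrying findings the
    baseline did not have (even at the same status), or a control that
    was assessed before but is missing now. Improvements are not reported."""
    regressions = []
    for cid, cur in current["controls"].items():
        base = baseline["controls"].get(cid)
        # A control the baseline never assessed is held to the clean bar so
        # a newly mapped control cannot arrive already failing unnoticed.
        base_status = base["status"] if base else "SATISFIED"
        base_findings = set(base["findings"]) if base else set()
        worse = STATUS_RANK[cur["status"]] > STATUS_RANK[base_status]
        new_findings = sorted(set(cur["findings"]) - base_findings)
        if worse or new_findings:
            regressions.append({"control": cid,
                                "from": base["status"] if base else None,
                                "to": cur["status"],
                                "new_findings": new_findings})
    # Controls that vanished from the assessment: coverage regressed even
    # though nothing in the current report "failed".
    for cid in sorted(baseline["controls"].keys() - current["controls"].keys()):
        regressions.append({"control": cid,
                            "from": baseline["controls"][cid]["status"],
                            "to": None, "new_findings": []})
    return regressions


def check(baseline_json, current_json):
    """Pipeline gate: return (0, []) when clean, (1, regressions) otherwise.
    Refuses to compare summaries generated for different frameworks."""
    baseline = json.loads(baseline_json)
    current = json.loads(current_json)
    if baseline.get("framework") != current.get("framework"):
        raise ValueError("framework mismatch: "
                         f"{baseline.get('framework')!r} vs {current.get('framework')!r}")
    regs = find_regressions(baseline, current)
    return (1 if regs else 0), regs


if __name__ == "__main__":
    exit_code, regs = check(BASELINE_JSON, CURRENT_JSON)
    for r in regs:
        print(f"REGRESSION {r['control']}: {r['from']} -> {r['to']}"
              f" new findings: {r['new_findings']}")
    sys.exit(exit_code)
```

Run as a step after the scheduled scan and let the non-zero exit fail the job; the baseline should be the last summary an auditor accepted, not simply the previous run, or a slow slide across several runs never trips the gate.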

Auditor Testimonials

"Bloodhound's compliance reports cut our SOC 2 audit prep time by 60%. The automatic control mapping and evidence collection is exactly what we need."

— Security Director, Fortune 500 FinTech