
Compliance Reports

SentriKat generates compliance reports to help you meet regulatory requirements and communicate security posture to stakeholders.

New in v1.0.2

Compliance reporting was added in SentriKat v1.0.2.

PRO Feature

Compliance reports require a PRO license.

Available Reports

NIS2 Article 21 Compliance Report

Maps your vulnerability management activities to the requirements of the EU Network and Information Security Directive (NIS2), specifically Article 21 on cybersecurity risk-management measures.

The report covers:

NIS2 Article 21 Requirement                          SentriKat Mapping
---------------------------------------------------  ---------------------------------------------------------
(a) Risk analysis and information system security    Vulnerability inventory and KEV tracking
(b) Incident handling                                Vulnerability status tracking and remediation timelines
(d) Supply chain security                            Software inventory with vendor tracking
(e) Vulnerability handling and disclosure            Three-tier confidence system, vendor advisory sync

Generate:

  1. Go to Reports > Compliance > NIS2 Article 21
  2. Select the organization(s) to include
  3. Choose the reporting period
  4. Click Generate Report

The report is generated as a PDF with:

  • Executive summary with compliance score
  • Detailed mapping of each Article 21 requirement
  • Evidence of vulnerability management activities
  • Remediation timelines and status
  • Recommendations for gaps

CISA BOD 22-01 Report

Tracks compliance with CISA's Binding Operational Directive 22-01, which requires federal agencies (and is recommended for all organizations) to remediate Known Exploited Vulnerabilities by their due dates.

The report shows:

  • Total KEV vulnerabilities affecting your inventory
  • Remediation status (on-time, overdue, in-progress)
  • Due date compliance rate
  • Breakdown by severity and product
  • Trend over time

Generate:

  1. Go to Reports > Compliance > CISA BOD 22-01
  2. Select the organization(s) and date range
  3. Click Generate Report

Executive Summary PDF

A high-level PDF report designed for management and board-level stakeholders:

  • Risk Score — Overall vulnerability risk score (0-100)
  • KPIs — Key performance indicators (mean time to remediate, open critical count, compliance rate)
  • Trends — 30/60/90-day vulnerability trends
  • Top Risks — Highest-priority unresolved vulnerabilities
  • Agent Coverage — Percentage of assets with active agents

Generate:

  1. Go to Reports > Executive Summary
  2. Select the organization(s)
  3. Click Generate PDF

Data Export

CSV Export

Export vulnerability data as CSV for use in spreadsheets or external tools:

  1. Go to Vulnerabilities or Products
  2. Apply any filters (severity, status, organization)
  3. Click Export > CSV

Exported fields include: CVE ID, severity, CVSS score, EPSS score, product, vendor, status, confidence tier, due date, organization.

Excel Export

Same as CSV but in .xlsx format with formatted columns:

  1. Go to Vulnerabilities or Products
  2. Apply filters
  3. Click Export > Excel

Scheduled Reports

Automate report delivery on a schedule:

  1. Go to Reports > Scheduled Reports
  2. Click Create Schedule
  3. Configure:
     • Report Type: NIS2 Article 21, CISA BOD 22-01, or Executive Summary
     • Frequency: Weekly, monthly, or quarterly
     • Day/Time: When to generate
     • Recipients: Email addresses for delivery
     • Format: PDF (compliance reports) or CSV/Excel (data exports)
  4. Save

Scheduled reports are generated automatically and emailed to the configured recipients.

Report History

View previously generated reports:

  1. Go to Reports > History
  2. Filter by report type, date, or organization
  3. Download any previous report

Reports are retained for the duration of your subscription.

API Access

Generate reports programmatically:

# Generate NIS2 Article 21 report
curl -X POST http://localhost:5000/api/reports/compliance/nis2 \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"org_ids": [1], "start_date": "2026-01-01", "end_date": "2026-02-11"}' \
  -o nis2_report.pdf

# Generate Executive Summary (the JSON body needs a Content-Type header, as above)
curl -X POST http://localhost:5000/api/reports/executive-summary \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"org_ids": [1]}' \
  -o executive_summary.pdf

# Export vulnerabilities as CSV
curl "http://localhost:5000/api/vulnerabilities/export?format=csv&severity=critical,high" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -o vulnerabilities.csv

Sprint 4+5 additions

SentriKat ships signed gap-analysis reports for the following frameworks out of the box. All reports are exported as JSON or PDF with PASS / PARTIAL / FAIL per control plus an HMAC-SHA256 integrity block at the end of each export.

PCI-DSS v4.0

Focus areas covered:

  • Req 6.3 — Identify security vulnerabilities in-house and from third parties; rank by risk. SentriKat's severity ranking plus vendor advisory sync map directly to this requirement.
  • Req 6.3.1 — Rank vulnerabilities by risk. SentriKat's KEV/EPSS/CVSS composite score plus the risk exception workflow (Risk Exceptions) covers the "documented decisions" expectation.
  • Req 11.3 — External and internal vulnerability scans at least quarterly and after any significant change. SentriKat's continuous scanning satisfies this as long as you keep agents deployed and the quarterly cadence is documented.
  • Req 11.3.1 — All "high risk" and "critical" vulnerabilities must be remediated within 30 days. The Remediation module with a custom 30-day SLA policy for Critical+High matches PCI-DSS guidance; see Remediation.

ISO/IEC 27001:2022

Focus areas covered:

  • Annex A.8.8 — Management of technical vulnerabilities. SentriKat's full vulnerability lifecycle (detection → assignment → remediation → closure) maps directly.
  • Annex A.8.16 — Monitoring activities. Hourly scans, agent heartbeats, and the Trending Dashboard produce the continuous-monitoring evidence auditors look for.
  • Annex A.5.24 — Information security incident management planning and preparation. Audit trails on every finding, assignment, and closure produce the evidence needed.

The ISO 27001:2022 report lists each applicable Annex A control with its implementation status based on your current SentriKat configuration (e.g. "A.8.8 PASS — last scan 2026-04-15 09:00 UTC, all findings have assignments, average MTTF within SLA").

SOC 2 (Trust Services Criteria)

Focus areas covered:

  • CC6.6 — Logical access / vulnerability management: evidence of continuous vulnerability scanning with documented remediation
  • CC7.1 — Detect and respond to system events: continuous monitoring evidence
  • CC7.2 — Analyze events for anomalous or unauthorized activity: audit log export with KEV publication correlation
  • CC7.4 — Incident response: audit trail of every finding and remediation action, exportable as JSON/PDF

The SOC 2 report is specifically structured for auditors: one section per applicable CC criterion, with an embedded PASS / PARTIAL / FAIL result and direct links to the underlying findings or audit entries.

HMAC-SHA256 integrity block

Every signed report (PCI/ISO/SOC2/NIS2/DORA/BOD 22-01) ends with an integrity block:

{
  "integrity": {
    "algorithm": "HMAC-SHA256",
    "key_id": "sentrikat-report-v1",
    "signature": "a1b2c3d4e5f6...",
    "generated_at": "2026-04-15T09:00:00Z"
  }
}

The signature covers the canonical serialization of the entire report body minus the integrity block itself, so auditors can tamper-check by:

  1. Computing HMAC-SHA256(report_body_without_integrity, integrity_key) themselves.
  2. Comparing the result to the integrity.signature field.

The integrity key is per-organization, rotatable from Admin → Integrity Keys. Rotation invalidates old reports but keeps them readable (they still have their old signature embedded).
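To make the auditor's tamper-check concrete, here is an added example verifier in Python; it is not SentriKat's own code. Since this page does not define "canonical serialization", the example assumes sorted-key, whitespace-free JSON, and it includes a constructed signer and sample report so it runs offline.

```python
import hashlib
import hmac
import json

# Assumption (the docs do not define "canonical serialization"):
# canonical JSON here means sorted keys and no insignificant whitespace.
def canonical_body(report: dict) -> bytes:
    body = {k: v for k, v in report.items() if k != "integrity"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sign_report(report: dict, key: bytes, key_id: str, generated_at: str) -> dict:
    """Constructed sample signer: attaches an integrity block of the shape shown above."""
    sig = hmac.new(key, canonical_body(report), hashlib.sha256).hexdigest()
    signed = dict(report)
    signed["integrity"] = {
        "algorithm": "HMAC-SHA256",
        "key_id": key_id,
        "signature": sig,
        "generated_at": generated_at,
    }
    return signed

def verify_report(report: dict, keys: dict) -> tuple:
    """keys maps key_id -> secret. Returns (ok, reason). Rejects a missing block,
    an unexpected algorithm, an unknown key_id (e.g. a rotated-away key) and any
    body/signature mismatch, comparing digests in constant time."""
    block = report.get("integrity")
    if not isinstance(block, dict):
        return False, "missing integrity block"
    if block.get("algorithm") != "HMAC-SHA256":
        return False, "unsupported algorithm %r" % block.get("algorithm")
    key = keys.get(block.get("key_id"))
    if key is None:
        return False, "unknown key_id %r" % block.get("key_id")
    expected = hmac.new(key, canonical_body(report), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(block.get("signature", ""))):
        return False, "signature mismatch: body altered or wrong key"
    return True, "ok"

# Constructed sample: a minimal gap-analysis body signed with a per-org key.
SAMPLE_KEYS = {"sentrikat-report-v1": b"example-per-organization-key"}
SAMPLE_REPORT = sign_report(
    {"framework": "PCI-DSS v4.0", "org_id": 1,
     "controls": [{"id": "6.3", "status": "PASS"}, {"id": "11.3.1", "status": "PARTIAL"}]},
    SAMPLE_KEYS["sentrikat-report-v1"], "sentrikat-report-v1", "2026-04-15T09:00:00Z")
```

Because the signature covers only the report body, the integrity block's own fields (including generated_at) are not authenticated by it, so a verifier should use key_id for key selection and nothing more.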

Generating a signed report

From the UI:

  1. Reports → pick the framework (PCI-DSS / ISO 27001 / SOC 2 / NIS2 / DORA / BOD 22-01).
  2. Pick scope (organization, product, date range).
  3. Pick format (JSON / PDF).
  4. Click Generate signed report.
  5. Download.

Via the API:

curl -sf \
  -H "Authorization: Bearer $SENTRIKAT_API_KEY" \
  "https://sentrikat.example.com/api/reports/compliance/pci-dss" \
  -o pci-dss-2026-04.json

Next Steps