
Compliance and Audit

Detectify provides continuous vulnerability management evidence that supports compliance frameworks like ISO 27001, SOC 2, and other standards requiring ongoing security assessment. Instead of generating point-in-time reports before an audit, Detectify maintains a continuous record of your security posture.

Compliance Challenges Detectify Addresses

Proving Ongoing Vulnerability Management

Most compliance frameworks require organizations to demonstrate that they regularly test for and remediate vulnerabilities. Auditors want to see:

  • Evidence that vulnerability assessments are conducted regularly
  • A record of findings over time, including severity and status
  • Proof that identified vulnerabilities are tracked to remediation
  • Documentation of the testing methodology used

Detectify’s scheduled scans, finding history, and remediation tracking provide this evidence automatically.

Demonstrating Asset Awareness

Frameworks like ISO 27001 require organizations to maintain an inventory of information assets. Surface Monitoring continuously discovers and catalogs internet-facing assets, providing an up-to-date asset inventory with:

  • Domains and subdomains
  • IP addresses and open ports
  • Running technologies and versions
  • SSL/TLS certificate status

Tracking Remediation Timelines

Compliance frameworks often require that vulnerabilities be remediated within defined timeframes that depend on severity, so the evidence must carry timestamps, not just a current status. Detectify’s finding lifecycle tracks:

  • When a vulnerability was first detected
  • When it was acknowledged or assigned
  • When it was resolved
  • Whether it has regressed (reappeared after being fixed)

This timeline data can be exported for audit evidence.

ISO 27001

ISO 27001 Annex A includes controls relevant to vulnerability management. The identifiers below follow the 2013 edition of the standard; the 2022 revision renumbered Annex A, and the equivalent 2022 controls are given in parentheses so that evidence can be mapped to whichever edition your certification cycle uses:

  • A.12.6.1 — Management of technical vulnerabilities (2022: A.8.8) — Requires timely identification of technical vulnerabilities and appropriate measures to address the resulting risk. Detectify’s continuous scanning and finding management supports this control.
  • A.14.2.8 — System security testing (2022: A.8.29, Security testing in development and acceptance) — Requires security testing during development and acceptance. Pre-production scanning with Detectify’s API integration supports this control.
  • A.8.1.1 — Inventory of assets (2022: A.5.9, Inventory of information and other associated assets) — Requires maintaining an inventory of information assets. Surface Monitoring’s asset discovery supports this control.

Generating Audit Evidence

Scan History

Detectify retains a complete history of all scans, including:

  • Scan start and completion timestamps
  • Scope of each scan (which assets were tested)
  • Number and severity of findings
  • Modules executed

Finding Reports

Export finding data through the Detectify dashboard or REST API:

  • Current findings — All open vulnerabilities with severity, description, and remediation guidance
  • Historical findings — Complete history including resolved and regressed findings
  • Finding details — The exact request/response pairs that demonstrate each vulnerability, so an auditor can see that a finding was verified against the live target rather than inferred from a version number

Scheduled Reporting

Configure automated reports delivered on a schedule to maintain continuous compliance documentation without manual effort.

Workflow for Audit Preparation

  1. Ensure scan schedules are active — Verify that Surface Monitoring is running continuously and Application Scanning is on a regular schedule
  2. Review open findings — Prioritize remediation of outstanding vulnerabilities before the audit window
  3. Export scan history — Generate reports covering the audit period showing regular scanning activity
  4. Document remediation — Export finding lifecycle data showing vulnerabilities detected, assigned, and resolved within your SLA
  5. Prepare asset inventory — Export the asset inventory from Surface Monitoring

Data Retention and Export

Detectify retains scan data and finding history for the duration of your subscription. Because auditors typically ask for evidence covering the full audit period, export the scan history and finding lifecycle data on a schedule, and before any change or termination of the subscription, so the record does not depend on continued access to the platform. Data can be exported via:

  • Dashboard exports — CSV and PDF reports from the web interface
  • REST API — Programmatic access to all scan and finding data
  • Integrations — Findings forwarded to Jira, ServiceNow, or other ticketing systems for centralized tracking
