Most SMBs have a vulnerability-scanning obligation but no security team. Perimeter maps every finding to the exact control it satisfies, with a timestamp, so your auditor gets evidence instead of a raw export.
PCI DSS 4.0: Req. 11.3 mandates internal (11.3.1) and external (11.3.2) vulnerability scans. Perimeter runs both and tags findings 11.3.1 / 11.3.2. One caveat: the quarterly external scans under 11.3.2 must be performed by a PCI SSC Approved Scanning Vendor (ASV), so Perimeter's external findings give you corroborating, timestamped evidence but do not substitute for the ASV scan itself.
HIPAA: the 2026 Security Rule makes vulnerability scans every six months and an annual penetration test required specifications, no longer addressable ones. The signed timestamp on every record gives provable scan recency.
CMMC L2: RA.L2-3.11.2 (scan for vulnerabilities) and RA.L2-3.11.3 (remediate them). Open critical and KEV findings feed Bastion's POA&M with due dates.
| Finding type | NIST CSF 2.0 | SOC 2 | PCI 4.0 | ISO 27001 | CMMC L2 |
|---|---|---|---|---|---|
| Vulnerability identified | ID.RA-01 | CC7.1 | 11.3.1/.2 | A.8.8 | RA.L2-3.11.2 |
| Patchable / KEV | ID.RA-06 | CC7.1 | 6.3.3 | A.8.8 | RA.L2-3.11.3 |
| TLS / crypto exposure | PR.DS-02 | CC6.7 | 4.2.1 | A.8.24 | SC.L2-3.13.8 |
| Exposed service / secret | PR.AA-05 | CC6.1 | 2.2.6 | A.8.9 | CM.L2-3.4.6 |
| Attack-surface drift | ID.AM-01 | CC7.2 | 11.3.2 | A.5.7 | CA.L2-3.12.3 |
Mappings are the product-local denormalization of the shared evidence graph; the authoritative cross-product contract is the Keystone canonical evidence object + evidence refs.
A control mapping is the start, not the end. Expand any finding and export a per-finding evidence record: a timestamped, self-describing audit artifact that bundles the assessed object, the detection (engines, corroboration, the de-noise verdict), the exploit intel (EPSS + KEV), the remediation state and SLA, and the exact controls it satisfies — including the Keystone evidence_refs shape so it publishes to the shared graph unchanged.
Each record is wrapped in a detached HMAC-SHA256 tag computed over a canonical, key-sorted serialization, with the signing timestamp bound into the signed material, so the record cannot be edited or back-dated without breaking verification.
Change a single character and the tag no longer verifies. An auditor or insurer gets an artifact they can check against the signing key, not a CSV they have to take on faith. Because an HMAC is a keyed MAC rather than an asymmetric signature, anyone who holds the key can re-sign an altered record: the tag proves integrity to whoever verifies it, and provenance only when the key is held exclusively by the signer (the hosted tier below).
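The envelope described above, as an added example that is not Perimeter's or Keystone's own code: canonical key-sorted JSON, the signing timestamp folded into the signed payload, a detached HMAC-SHA256 tag, and a verifier that shows what breaks (an edited field, a back-dated timestamp) and what does not (reordered keys, a re-sign by anyone who holds the key). The record fields, the `evidence_refs` shape, the `key_id` and the demo key are all constructed for the example, not the product's schema.

```python
"""Added example: detached HMAC-SHA256 evidence-record envelope (illustrative, not Perimeter's code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample finding; field names are illustrative, not Perimeter's schema.
SAMPLE_RECORD = {
    "finding_id": "f-0001",
    "asset": {"host": "web-01.example.test", "port": 443},
    "detection": {"engines": ["nmap", "nuclei"], "corroborated": True, "noise_verdict": "true_positive"},
    "exploit_intel": {"epss": 0.42, "kev": True},
    "remediation": {"state": "open", "sla_due": "2025-02-01T00:00:00Z"},
    "controls": ["PCI 4.0 11.3.2", "NIST CSF 2.0 ID.RA-01"],
    "evidence_refs": [{"graph": "keystone", "ref": "ev:example:0001"}],
}

# Constructed demo key. A non-secret key like this detects corruption but not
# tampering, because anyone holding it can recompute a valid tag.
DEMO_KEY = b"demo-not-secret"


def canonical_bytes(obj) -> bytes:
    """Canonical, key-sorted, whitespace-free UTF-8 JSON: two records with the same
    content serialize identically, so the tag does not depend on field order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sign_record(record: dict, key: bytes, key_id: str, signed_at: Optional[str] = None) -> dict:
    """Return a detached envelope. The signing timestamp lives inside the signed
    payload, so it cannot be changed without invalidating the tag."""
    if signed_at is None:
        signed_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    payload = {"record": record, "signed_at": signed_at}
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": {"alg": "HMAC-SHA256", "key_id": key_id, "tag": tag}}


def verify_envelope(envelope: dict, key: bytes) -> bool:
    """Recompute the tag over the canonical payload and compare in constant time."""
    sig = envelope.get("signature", {})
    if sig.get("alg") != "HMAC-SHA256" or "tag" not in sig or "payload" not in envelope:
        return False
    expected = hmac.new(key, canonical_bytes(envelope["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["tag"])


def tamper_demo(key: bytes) -> dict:
    """What verification catches: a one-character edit and a back-dated timestamp.
    What it does not: reordered keys (canonicalization) and a re-sign by a key holder."""
    env = sign_record(SAMPLE_RECORD, key, "demo", signed_at="2025-01-15T12:00:00Z")
    results = {"original": verify_envelope(env, key)}

    edited = json.loads(json.dumps(env))  # deep copy
    edited["payload"]["record"]["remediation"]["state"] = "closed"
    results["edited_field"] = verify_envelope(edited, key)

    backdated = json.loads(json.dumps(env))
    backdated["payload"]["signed_at"] = "2024-01-15T12:00:00Z"
    results["backdated"] = verify_envelope(backdated, key)

    reordered = json.loads(json.dumps(env))
    reordered["payload"]["record"] = dict(reversed(list(env["payload"]["record"].items())))
    results["reordered_keys"] = verify_envelope(reordered, key)

    # Whoever holds the key can sign an altered, back-dated record that verifies.
    # With a shared or non-secret key the tag therefore proves integrity, not provenance.
    forged = sign_record(edited["payload"]["record"], key, "demo", signed_at="2024-01-15T12:00:00Z")
    results["resigned_with_key"] = verify_envelope(forged, key)
    return results


if __name__ == "__main__":
    print(json.dumps(tamper_demo(DEMO_KEY), indent=2))
```

The `resigned_with_key` case is the reason the hosted tier keeps the per-tenant key server-side: the tag only says something about who produced the record when the verifier knows the key never left the signer.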
You don't write a separate report saying "we scanned and found X." The record proves it — with a timestamp, a control reference, and the exploit context behind the priority.
The whole finding set also exports as an evidence pack (audit binder) and as printable PCI / HIPAA / SOC 2 / CMMC report packs with a control-evidence appendix. See Compliance evidence in the Help Center.
Deferred vs. hosted signing. Locally, a non-secret demo key signs the record so the flow works with no server; because that key is public, the tag proves only that the record is intact relative to its tag, not who produced it. In the cloud tier a per-tenant key minted and held in Keystone signs server-side, which additionally proves provenance, and the browser never sees the key.
Because Perimeter publishes to the DosanjhLabs shared evidence graph, one scan result satisfies the matching control in Sightline (across 22+ frameworks), Bastion (800-171 SSP/POA&M) and Ward (HIPAA) simultaneously — no re-entry. No standalone scanner can do this, because none is a suite.