One workspace for every framework

Run your compliance program like an engineering team.

SentinelPanda unifies COBIT 2019, HIPAA, ISO 27001, ISO 42001, NIST CSF, PCI DSS, and SOC 2 into one auditable workspace — with live evidence collection, three-role audit workflow, and one-click ROC, AOC, and SAQ reports.

COBIT 2019 · HIPAA · ISO 27001 · ISO 42001 · NIST CSF · PCI DSS · SOC 2 · 1,330 controls · 7 frameworks
[Product screenshot: Workspace overview, Compliance Health (app.sentinelpanda.com/workspace/acme-fintech/compliance-health, v4.0.1, last sync 2 min ago). Overall 72% (+4 this week) · Open risks 5 (2 high, 3 med) · Nonconformities 5 (3 open, 2 in review) · Calendar: 4 items in the next 30 days. Compliance by requirement group (implemented / at risk): Build & Maintain a Secure Network 84% · Protect Account Data 71% · Vulnerability Management Program 62% · Strong Access Control 78% · Regularly Monitor & Test Networks 44% · Information Security Policy 91%.]

Trusted by teams pursuing PCI DSS Level 1 validation, ISO 27001 and ISO 42001 certification, SOC 2 Type II attestation, and HIPAA compliance.

02 · The three sides

Built for the three sides of an audit.

One workspace. Three role-shaped surfaces. Every action linked to the same append-only history.

Auditee

The team being audited.

My Tasks · 4 open
  • PCI Req 8.3 — Strong cryptography · due today · Draft
  • ISO A.5.30 — ICT readiness · due in 2d · Needs info
  • SOC 2 CC7.2 — Anomaly detection · due in 5d · In review
  • HIPAA 164.312(b) — Audit controls · due in 8d · Approved
My Tasks queue, sorted by due date. Upload evidence, draft once, submit when ready. Reply to auditor questions inline.

Auditor

The reviewer, internal or external.

Audit Queue · 3 awaiting
  • PCI-1.2.5 · kira@acme · Service ports inventory
  • ISO-A.5.7 · rohan@acme · Threat intelligence program
  • SOC-CC4.1 · mei@acme · COSO control monitoring
Audit Queue across every assigned framework. Approve, Reject, or Request More Info in one click. Full workflow history on every control.

Support

Programme manager across tenants.

Cross-tenant Portfolio · 4 tenants
  • Acme Fintech · 72% · On track
  • Helix Health · 41% · At risk
  • Lumen Robotics · 88% · On track
  • Ridge Insurance · 23% · Just started
Cross-tenant portfolio dashboard. Review Queue and engagement runbook. Run engagements without leaving the tenant context.
Every comment, status change, and approval is recorded to an HMAC-signed append-only audit log.
03 · Coverage

Seven frameworks. One mapping engine.

Evidence for one control auto-credits its equivalents in other frameworks. Stop doing the same work twice.

81.9% mapping coverage across PCI DSS 4.0.1 · HIPAA · ISO 27001:2022 · SOC 2 Type II · NIST CSF 2.0 · ISO 42001 (HIPAA refs). Each mapping records the source of evidence and the controls it auto-credits.
04 · Workflow

Every control has the same workflow.

Whatever framework you're working in, the path from draft to approved is identical — and reviewable end-to-end.

Workflow diagram: Draft → Submitted → Under Review → Approved / Rejected / Needs Info. Draft and Submitted are auditee states, Under Review is the auditor's, the approval outcomes are terminal, and Needs Info loops back to the auditee.
PCI 8.3.2
Strong cryptography is used to render all authentication factors unreadable
Assessment · PCI DSS 4.0.1 · Last updated 2 hours ago
Under Review
Evidence & Notes
All user authentication factors are stored as argon2id hashes with per-user salts. TLS 1.3 enforced for all auth endpoints; ciphers per CIS Benchmark.
kira.s @ 14:08
Added Okta config export, see file 3.
Evidence Files: hash-config.json (2.1 KB) · tls-scan-2026-05.pdf (184 KB) · okta-policy-export.zip (12 KB)
Comments · 3
Maya · Auditor
Hash params look fine. Can you confirm rotation window?
Kira · Auditee
Confirmed — 90 days, enforced via Okta.
Maya · Auditor
Great — approving.
Workflow Actions
You are reviewing as auditor.
Two-stage approval: Confirm Approve required after this step.
Threaded comments: auditee, auditor, and support all see the same thread on every control.
Recorded transitions: every state change captures actor, timestamp, and reason, immutably.
Optional recipient note: approve or reject with a comment scoped to the person who submitted it.
05 · Evidence

Continuous evidence. No more quarterly screenshot drills.

Native connectors pull live data from your security stack into your control library. Sync on a schedule or on demand.

Connectors: CrowdStrike Falcon · AWS Config · GitHub Dependabot · Okta · Jamf Pro · GCP SCC · Qualys · Rapid7 · Tenable · Trustwave · Microsoft Defender · Snyk
Evidence types: cloud config · cloud findings · app vulns · identity + MFA · endpoint posture · EDR · external vuln scanning
Live evidence stream (sample data)
  • S3 bucket encryption verified · aws-config → PCI 3.5.1 · 12s ago
  • MFA snapshot · 248 users · okta → SOC 2 CC6.1 · 1m ago
  • Critical vulns: 0 · High: 2 · snyk → ISO A.8.8 · 4m ago
  • Endpoint agent health 99.4% · crowdstrike → HIPAA §164.308 · 9m ago
  • Nightly backup completed · 14.2 GB · postgres → NIST PR.IP-04 · 21m ago
Credentials encrypted with AES-256-GCM at rest. Decrypted only at sync time.
06 · Registers

Everything an auditor will ever ask for, already on screen.

Risk, nonconformity, assets, vendors, scope, applicability — each tile is a working register, not a spreadsheet template. Score every risk on a 5×5 likelihood-by-impact matrix and tie it back to the controls that mitigate it.

Risk heatmap · Likelihood (rows) × Impact (columns); score = likelihood × impact

Likelihood \ Impact   Very low   Low   Med   High   Critical
Critical (5)                5    10    15     20         25
High (4)                    4     8    12     16         20
Med (3)                     3     6     9     12         15
Low (2)                     2     4     6      8         10
Very low (1)                1     2     3      4          5
Registers: Risk Register (47 risks) · Nonconformity Register (12 open) · Asset Inventory (1,284 assets) · Software Inventory (386 packages) · Vulnerability Scans (94 this month) · Penetration Tests (3 in last 12 months) · Key Management (218 active keys) · Vendor Risk (63 vendors) · Scope Statement (v4, current) · Statement of Applicability (93 controls)
07 · PCI DSS 4.0.1

The most complete PCI DSS 4.0.1 surface on the market.

Built around the structure of the current standard — not a generic checklist with PCI-flavoured labels glued on.

  1. Full 697-control library, mapped to every PCI DSS 4.0.1 requirement.
  2. All 9 SAQ types with auto-applicability based on your scope answers.
  3. Versioned Scope Statement, required by Req 12.5 and kept under change control.
  4. Targeted Risk Analysis support for every Req 12.3.x customized frequency.
  5. Customized Approach and Compensating Controls workflows in the same UI.
  6. One-click Report on Compliance and Attestation of Compliance export.
Form 1 · Report on Compliance: PCI DSS 4.0.1, 335 pp, auto-generated (ROC v4.0.1)
Form 2 · Attestation of Compliance: Merchant and Service Provider, signature blocks included (AOC v4.0.1)
Form 3 · SAQ Readiness: auto-detected SAQ type, gaps highlighted (SAQ A through D)
08 · Reports

Ship audit-ready outputs in one click.

Every report is generated from live data — no copy-paste, no spreadsheet stitching, no last-minute scrambles.

Report 01 · Compliance Summary: one-page snapshot for the board.
Report 02 · Evidence Inventory: every artifact, hash-signed.
Report 03 · Auditor Review: workflow history with comments.
Report 04 · SAQ Readiness: gap analysis against the right SAQ.
Report 05 · Assessment Data (CSV): raw export for further analysis.
Report 06 · PCI Report on Compliance: QSA-ready ROC, 335-page template.
Report 07 · PCI Attestation of Compliance: AOC, both merchant and service provider.
09 · GRC Compass

From zero to a tailored compliance program in ten minutes.

GRC Compass profiles your organisation across 9 quick questions — sector, employee count, sensitive data, infra mix, current maturity — and produces a recommended framework set with starter policies, risks, and a calendar.

Answers stay in your browser. Not sent to our server.
[Interactive widget: GRC Compass, question 3 of 9: "Do you handle cardholder data?"]

10 · Security & trust

Compliance-grade by construction.

A compliance product has to clear the bar it asks customers to clear. These six commitments are non-negotiable.

HMAC-signed audit log: every state change, comment, and approval is written to an append-only log, with each entry signed and chained to the previous one.
AES-256-GCM credentials: integration secrets are encrypted at rest and decrypted only at the moment a sync runs.
SSO + MFA, enforced: per-tenant OIDC single sign-on, or email + password, both with required MFA and an idle session timeout.
Per-tenant isolation: every record is scoped to a tenant, and tenant membership is enforced server-side on every request.
Three-layer RBAC: role, tenant, and resource. Permissions are checked on every server call, never at render time.
Self-hosted option: deploy SentinelPanda on your own infrastructure so tenant data never leaves your environment.
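The two mechanisms this page leans on most, the fixed control workflow of section 04 (role-gated transitions, two-stage approval, every transition recorded with actor, timestamp and reason) and the signed, chained append-only log above, fit in a short stand-alone example. The code below is an added illustration written for this page, not SentinelPanda's implementation; the class and field names, the assignment of roles to transitions, the HMAC-SHA256-over-canonical-JSON chain format and the constructed walkthrough of control PCI-8.3.2 are all assumptions. It runs with the Python standard library only.

```python
import hashlib, hmac, json
from copy import deepcopy
from datetime import datetime, timezone

# States are the page's; which role may drive each transition is an assumption.
TRANSITIONS = {
    ("Draft", "Submitted"): "auditee",
    ("Needs Info", "Submitted"): "auditee",
    ("Submitted", "Under Review"): "auditor",
    ("Under Review", "Approved"): "auditor",
    ("Under Review", "Rejected"): "auditor",
    ("Under Review", "Needs Info"): "auditor",
}
GENESIS = "0" * 64  # stands in for the previous MAC of the first entry

def _canonical(entry: dict) -> bytes:
    # Canonical JSON so signer and verifier MAC identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

class AuditLog:
    """Append-only log: each MAC covers the entry's fields plus the previous MAC, so
    editing, deleting or reordering an entry breaks the chain from that point on."""

    def __init__(self, key: bytes):
        self._key, self.entries = key, []  # key belongs in a KMS, not in the log's DB

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev": prev,
                 "ts": datetime.now(timezone.utc).isoformat(), **fields}
        entry["mac"] = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e.get("mac", "")):
                return False, i
            prev = e["mac"]
        return True, None

class ControlWorkflow:
    """One control's state machine; every transition is logged before it takes effect."""

    def __init__(self, control_id: str, tenant: str, log: AuditLog):
        self.control_id, self.tenant, self.log = control_id, tenant, log
        self.state, self._pending_approver = "Draft", None

    def transition(self, actor, role, tenant, new_state, reason=""):
        # Tenant and role are re-checked on every call, never trusted from the UI.
        if tenant != self.tenant:
            raise PermissionError(f"{actor} is not in tenant {self.tenant}")
        if TRANSITIONS.get((self.state, new_state)) != role:
            raise PermissionError(f"{role} may not move {self.state} -> {new_state}")
        if new_state == "Approved" and self._pending_approver != actor:
            # Two-stage approval: record intent only; the same auditor must call again.
            self._pending_approver = actor
            self.log.append(control=self.control_id, actor=actor, role=role,
                            action="approve_requested", state=self.state, reason=reason)
            return self.state
        self._pending_approver = None
        self.log.append(control=self.control_id, actor=actor, role=role, action="transition",
                        from_state=self.state, to_state=new_state, reason=reason)
        self.state = new_state
        return self.state

def run_scenario(key: bytes = b"demo key, constructed") -> dict:
    """Constructed walkthrough of one control, then tampered copies of its log."""
    log = AuditLog(key)
    wf = ControlWorkflow("PCI-8.3.2", "acme", log)
    wf.transition("kira", "auditee", "acme", "Submitted", "hash-config.json attached")
    wf.transition("maya", "auditor", "acme", "Under Review")
    wf.transition("maya", "auditor", "acme", "Needs Info", "confirm rotation window")
    wf.transition("kira", "auditee", "acme", "Submitted", "90 days, enforced via Okta")
    wf.transition("maya", "auditor", "acme", "Under Review")
    first = wf.transition("maya", "auditor", "acme", "Approved", "hash params look fine")
    final = wf.transition("maya", "auditor", "acme", "Approved", "confirm approve")
    denied = []
    for args in (("kira", "auditee", "acme", "Approved"),    # wrong role
                 ("maya", "auditor", "helix", "Rejected")):  # wrong tenant
        try:
            wf.transition(*args); denied.append(False)
        except PermissionError:
            denied.append(True)
    edited, deleted, swapped = deepcopy(log), deepcopy(log), deepcopy(log)
    edited.entries[2]["reason"] = "looks fine, skip"  # silent edit
    del deleted.entries[3]                            # removed entry
    swapped.entries[0], swapped.entries[1] = swapped.entries[1], swapped.entries[0]
    return {"after_first_approve": first, "final": final, "entries": len(log.entries),
            "denied": denied, "intact": log.verify(), "edited": edited.verify(),
            "deleted": deleted.verify(), "swapped": swapped.verify()}

if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Two caveats a reviewer should keep in mind when evaluating any vendor's version of this. A chain of MACs detects edits, gaps and reordering inside the log, but not removal of the newest entries: the verifier is happy with any prefix, so the latest MAC and entry count have to be anchored somewhere the log writer cannot reach (a second system, WORM storage, or a periodic external timestamp). And because HMAC uses a shared key, anyone holding that key can rewrite the whole chain consistently; for evidence an external auditor will rely on, a signature with a key held in an HSM or KMS, or a log shipped to a third party, is the stronger property to ask for.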

See your compliance program on one page.