Compliance mapping
Every Brektra finding maps to OWASP LLM Top 10, OWASP Top 10, SOC 2, and ISO 27001 controls.
Findings carry a structured compliance_map populated at creation time by lib/compliance/mapping.ts. The map exposes which controls are breached so a CISO or auditor can read the result without re-doing the mapping.
Frameworks
- OWASP LLM Top 10. AI-surface findings are mapped to LLM01-LLM10; those without an explicit category default to LLM01 (prompt injection).
- OWASP Top 10 (Web). Web/API findings map to A01-A10.
- SOC 2 Trust Services Criteria. Common Criteria controls (CC6.1, CC6.6, CC6.7, CC6.8, CC7.1, CC7.2, CC8.1, CC9.1).
- ISO 27001 Annex A. A.5.23, A.8.3, A.8.5, A.8.7, A.8.9, A.8.16, A.8.25, A.8.26, A.8.28, A.8.29.
Where the map shows up
- Scan detail. A heatmap visualizes coverage across all four frameworks.
- Deliverable PDFs. Business plan deliverables include a compliance page.
- Exports. CSV/JSON exports include the structured map per finding.
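As an added example (not Brektra's own lib/compliance/mapping.ts), the TypeScript below sketches the structured map described above: a constructed category table, the LLM01 default for uncategorised AI-surface findings, and the per-control counts a coverage heatmap draws from. The Finding and ComplianceMap shapes, the sample rows and findings, and the error on unmapped categories are assumptions.

```typescript
// Added illustration, not Brektra's mapping.ts. MAPPING rows and the sample
// findings are constructed; the real category -> control table lives in the project.
type Surface = "ai" | "web";
type Framework = "owaspLlm" | "owaspWeb" | "soc2" | "iso27001";

interface ComplianceMap {
  owaspLlm?: string;   // LLM01-LLM10, AI-surface findings only
  owaspWeb?: string;   // A01-A10, web/API findings only
  soc2: string[];      // Trust Services Criteria, e.g. CC6.1
  iso27001: string[];  // Annex A controls, e.g. A.8.3
}

interface Finding { id: string; surface: Surface; category?: string; }

// Hypothetical category -> control rows.
const MAPPING: Record<string, ComplianceMap> = {
  prompt_injection: { owaspLlm: "LLM01", soc2: ["CC6.1"], iso27001: ["A.8.26"] },
  injection: { owaspWeb: "A03", soc2: ["CC8.1"], iso27001: ["A.8.28"] },
  broken_access_control: { owaspWeb: "A01", soc2: ["CC6.1"], iso27001: ["A.8.3"] },
};

const clone = (m: ComplianceMap): ComplianceMap =>
  ({ ...m, soc2: [...m.soc2], iso27001: [...m.iso27001] });

// Populate the map at finding-creation time. AI-surface findings with no
// category fall back to LLM01; an unmapped category throws (assumption) so a
// missing row is noticed rather than silently producing an empty map.
function buildComplianceMap(f: Finding): ComplianceMap {
  if (f.category !== undefined && MAPPING[f.category]) return clone(MAPPING[f.category]);
  if (f.surface === "ai" && f.category === undefined) return clone(MAPPING.prompt_injection);
  throw new Error(`no compliance mapping for ${f.id} (${f.surface}/${f.category ?? "none"})`);
}

// Count findings per control, per framework: the data behind a coverage heatmap.
function coverage(findings: Finding[]): Record<Framework, Record<string, number>> {
  const out: Record<Framework, Record<string, number>> =
    { owaspLlm: {}, owaspWeb: {}, soc2: {}, iso27001: {} };
  const bump = (fw: Framework, c: string) => { out[fw][c] = (out[fw][c] ?? 0) + 1; };
  for (const f of findings) {
    const m = buildComplianceMap(f);
    if (m.owaspLlm) bump("owaspLlm", m.owaspLlm);
    if (m.owaspWeb) bump("owaspWeb", m.owaspWeb);
    m.soc2.forEach((c) => bump("soc2", c));
    m.iso27001.forEach((c) => bump("iso27001", c));
  }
  return out;
}

// Constructed sample findings.
const SAMPLE_FINDINGS: Finding[] = [
  { id: "f1", surface: "ai", category: "prompt_injection" },
  { id: "f2", surface: "ai" },  // no category -> LLM01 default
  { id: "f3", surface: "web", category: "injection" },
  { id: "f4", surface: "web", category: "broken_access_control" },
];
```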
Adding mappings
If a finding category is missing, send a PR (the table is in lib/compliance/mapping.ts) or email support@brektra.com. We add mappings in the same release as new attack categories.