
Evidence Exports

Salient generates downloadable compliance reports with control-by-control scoring, evidence citations, and identified gaps. These reports serve as audit artifacts and board-ready documentation.

Report Format

Reports are generated as markdown documents, suitable for conversion to PDF or inclusion in compliance packages.

Report Structure

# NIST CSF 2.0 Compliance Report
Generated: 2025-04-08 | Organization: AcmeCorp

## Executive Summary
Overall Score: 52/100
Framework: NIST Cybersecurity Framework 2.0

## Function Scores
| Function | Score | Trend | Key Finding |
|----------|-------|-------|-------------|
| Identify | 65 | ↑ | Asset inventory improving |
| Protect | 48 | → | MFA gaps on VPN |
| Detect | 35 | ↑ | EDR deployed but triage slow |
| Respond | 55 | ↑ | IR plan exists, escalation weak |
| Recover | 42 | → | Backups untested |

## Control-by-Control Scoring
### ID.AM — Asset Management
Score: 7/10 | Confidence: Verified
Evidence: Okta sync (40 SSO apps), Entra ID sync (250 users)...

### PR.AC — Access Control
Score: 5/10 | Confidence: Observed
Evidence: Exercise #3 response, Okta MFA data...
Contradiction: Team says MFA on VPN, Okta shows no VPN MFA factor.

Scoring Details

Each control's score includes:

| Field | Description |
|-------|-------------|
| Score | 0-10 based on weighted evidence |
| Confidence | Highest confidence level among supporting evidence |
| Evidence | Specific sources cited (exercise ID, connector, artifact) |
| Contradictions | Where declared and observed posture disagree |
| Gap | What is missing for a higher score |
| Recommendation | Specific action to improve this control |

Contradiction Penalties

Contradictions reduce control scores and are highlighted prominently in reports:

PR.AC-3: Remote Access Management
Score: 4/10 (penalty applied)
Declared: "All remote access requires MFA" (Exercise #2)
Observed: Okta sync shows no MFA factor on VPN app
Penalty: -2 points for verified contradiction

Contradictions are features

Contradictions are often the most valuable findings in a compliance report. They show exactly where policy and reality diverge — the gaps that auditors and attackers both find.

Source Citations

Every score traces back to its evidence:

  • exercise:3:q2 — Exercise #3, Question 2 response
  • connector:okta:users — Okta user sync data
  • artifact:ir-plan-v3.pdf — Uploaded IR plan
  • twin:fact:42 — Mined fact from answer mining
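Because reports are plain markdown, they can be consumed by tooling as well as by auditors. The following is an added example (not part of Salient's own code) that parses the Control-by-Control section in the format shown above, picks out controls carrying a contradiction or a low score for review, and flags evidence entries that are not in one of the documented citation forms; it assumes the Evidence line lists citations such as `exercise:3:q2`, and the sample report is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the documented format (not a real export); assumes Evidence lines carry citations.
SAMPLE_REPORT = """\
### ID.AM — Asset Management
Score: 7/10 | Confidence: Verified
Evidence: connector:okta:users, connector:entra:users
### PR.AC-3 — Remote Access Management
Score: 4/10 (penalty applied) | Confidence: Observed
Evidence: exercise:2:q1, connector:okta:mfa, slack-screenshot
Contradiction: Declared MFA on all remote access; Okta shows no MFA factor on the VPN app.
"""

CONTROL_RE = re.compile(r"^### (?P<id>[A-Z]{2}\.[A-Z]{2}(?:-\d+)?) [—–-] (?P<name>.+)$")
SCORE_RE = re.compile(r"^Score: (?P<score>\d+)/10(?: \(penalty applied\))?(?: \| Confidence: (?P<conf>\w+))?$")
CITATION_RE = re.compile(r"^(exercise:\d+:q\d+|connector:[\w-]+:[\w-]+|artifact:[\w.-]+|twin:fact:\d+)$")

@dataclass
class Control:
    id: str
    name: str
    score: int = 0
    confidence: str = "Unknown"
    evidence: list = field(default_factory=list)
    contradiction: str = ""          # empty when the report lists no contradiction

def parse_controls(report: str) -> list:
    controls, current = [], None
    for line in report.splitlines():
        if m := CONTROL_RE.match(line):          # "### PR.AC-3 — Remote Access Management" starts a record
            current = Control(m["id"], m["name"])
            controls.append(current)
        elif current is None:                    # ignore anything before the first control heading
            continue
        elif m := SCORE_RE.match(line):          # "Score: 4/10 (penalty applied) | Confidence: Observed"
            current.score, current.confidence = int(m["score"]), m["conf"] or current.confidence
        elif line.startswith("Evidence:"):
            current.evidence = [e.strip().rstrip(".") for e in line[9:].split(",")]
        elif line.startswith("Contradiction:"):
            current.contradiction = line[14:].strip()
    return controls

def triage(controls: list, min_score: int = 6) -> list:
    # Controls to review first: any with a contradiction, or a score below min_score
    return [c.id for c in controls if c.contradiction or c.score < min_score]

def untraceable_evidence(controls: list) -> list:
    # Evidence entries not in a documented citation form, so the score cannot be traced to a source
    return [(c.id, e) for c in controls for e in c.evidence if not CITATION_RE.match(e)]
```

Running this over an exported report after each assessment gives a quick diff of which controls regressed or gained contradictions between runs.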

Generating Reports

# Via API
GET /api/compliance/report/nist_csf/

# Via MCP
posture_report()

Reports can be generated for any of the five supported frameworks individually or as a combined posture report.
