Pass audits without months of prep
SOC 2, ISO 27001, HIPAA, PCI-DSS, GDPR, ENS — covered by certified pentesters. Audit-ready reports in 2-3 weeks, not 2-3 months.
Frameworks we cover
Every framework includes the controls your auditor will check, tested by humans with the certifications to back it up.
SOC 2 Type II
TSC 2017 / 2022 revision. Requires: Operating effectiveness of controls across the five Trust Service Criteria over a 3-12 month period.
Our coverage: We test every CC-series control with real evidence: access reviews, change management, monitoring, encryption, and incident response.
ISO 27001:2022
Annex A — 93 controls. Requires: An ISMS aligned with the 2022 control set, mapped to your Statement of Applicability.
Our coverage: Technical validation of A.5–A.8 controls, including cryptography, supplier access, secure development, and threat intel.
HIPAA Security Rule
45 CFR §164.308 / .310 / .312. Requires: Administrative, physical, and technical safeguards for ePHI for covered entities and business associates.
Our coverage: Risk analysis, access enforcement, audit controls, transmission security — every safeguard tested, not just documented.
PCI-DSS v4.0
12 requirement domains. Requires: Protection of cardholder data across network, application, and process controls — with the new 4.0 customised approach.
Our coverage: Segmentation testing, ASV-style external scans, internal pentest (Req. 11.4), application layer review, and QSA-ready evidence.
GDPR — Art. 32
EU 2016/679. Requires: Technical and organisational measures appropriate to the risk of processing EU personal data.
Our coverage: DPIA support, encryption-at-rest / in-transit validation, access control review, and pseudonymisation testing.
ENS Alto / Medio
Real Decreto 311/2022. Requires: Mandatory for working with Spanish public administration. 73 measures across operational, organisational, and protection dimensions.
Our coverage: Full op.* and mp.* control testing, declared categorisation evidence, and certification-body-ready reporting in Spanish.
Why KAOS for compliance
Built specifically for teams who need to pass an audit, not just check a box.
Validated findings, not paper-only
We exploit to confirm — every finding includes proof-of-concept evidence, not just a banner-grab or version-check. Auditors trust what we deliver because we proved it works.
Auditor-ready package
Signed PDF report, control-mapping spreadsheet, and per-finding evidence bundle. Hand it to your QSA, CB, or third-party assessor — no rework, no follow-up questions.
Speed
2-3 weeks end-to-end for most frameworks. Traditional firms quote 8-12 weeks. We hit your audit window without sacrificing depth.
Continuous compliance via platform
Combine the assessment with the KAI Platform for ongoing control monitoring between audits — drift detection, re-test on demand, evidence refresh.
The engagement process
Five steps. 2-3 weeks total. Designed to minimise distraction for your engineering team.
Scoping call
Frameworks, asset inventory, timeline, audit window. We confirm scope and price in one call.
Asset discovery + threat model
Surface mapping, in-scope vs out-of-scope clarification, threat model aligned to the framework's control objectives.
Active testing
Certified pentesters validate every control with real-world techniques. Daily check-ins; critical findings flagged immediately.
Validated findings + report
Per-finding evidence, control mapping, executive summary, remediation roadmap. Delivered as a complete audit package.
Remediation review + audit support
Free re-test on remediated findings. We coordinate directly with your QSA, certification body, or third-party auditor.
What's in your deliverable
One signed PDF, one control-mapping spreadsheet, and a complete evidence bundle. Audit-ready.
Executive summary
1-2 page overview written for the board: posture, risk, headline findings, and go/no-go for audit.
Methodology
Frameworks tested, scope boundaries, tools used, testing windows, and evidence-collection approach.
Findings table
Every finding ranked by CVSS + compliance impact, with affected assets, control reference, and status.
Per-finding PoC
Step-by-step reproduction, request/response captures, screenshots, and remediation guidance.
Compliance mapping
Each test mapped to specific controls (SOC 2 CC6.1, ISO 27001 A.8.24, PCI 11.4.x) so auditors trace evidence to requirement.
Remediation roadmap
Prioritised action plan with effort estimates and owner suggestions — what to fix, in what order, and why.
Appendix
Raw scan data, payloads, full request logs, and re-test verification (delivered after remediation).
Frequently Asked Questions
Common questions about our compliance assessment process.
Ready to start your compliance assessment?
Tell us your target framework and audit window. We will deliver an audit-ready package in 2-3 weeks.