Compliance that maps to what attackers actually do.
Most security tools hand you a checklist and walk away. We start from the control a regulator wrote down, then show you the exact evidence O3 produces for it — the SBOM, the reachability proof, the runtime telemetry, the remediation log.
Pick the framework you're measured against. Each page is written by people who read the guideline, not a generator.
Control first, then evidence
We read the actual clause and tell you which O3 output satisfies it. No mapping theatre.
Proof, not screenshots
Auditors get machine-readable artefacts — xBOMs, reachability traces, remediation timelines — not a slide deck.
One pass, many frameworks
The same scan feeds CERT-In, SEBI, RBI, EU CRA and EO 14028. Collect once, report many times.
Where O3 helps you comply
13 frameworks across India, the US and Europe, each a deep dive into the requirements and how to meet them.
India
CERT-In AI-Assisted Exploitation Blueprint
CERT-In’s blueprint for defending against AI-assisted attacks, mapped control by control to evidence you can produce.
Read the guide
CERT-In · v2.0 (Jul 2025)
CERT-In SBOM / CBOM / QBOM / AIBOM / HBOM Guidelines
The definitive Indian xBOM reference: SBOM minimum elements, SDLC SBOM classes, VEX/CSAF, CBOM/QBOM, AIBOM and HBOM.
Read the guide
SEBI · Circular 2024/113
SEBI CSCRF
The only Indian regulation with a field-level SBOM mandate, plus VAPT by CERT-In-empanelled auditors, built on the NIST CSF.
Read the guide
RBI · IT Governance MD 2023
RBI Cyber Security Framework
How banks, NBFCs and payment operators meet RBI’s IT Governance, Cyber Security and Digital Payment Security directions.
Read the guide
United States
EO 14028 + NIST SSDF + CISA Attestation
Secure-software self-attestation: NIST SSDF practices, SBOM and provenance evidence behind the CISA attestation form.
Read the guide
FedRAMP · Baselines Rev 5
FedRAMP Rev 5
RA-5 scan cadence and the 30/90/180-day remediation SLAs for high, moderate and low findings, the new SR supply-chain family, and continuous monitoring for cloud providers.
Read the guide
PCI SSC · DSS v4.0.1
PCI DSS 4.0 Software Security
Requirements 6 and 11: secure SDLC, vulnerability ranking, component inventory, payment-page scripts, scans and pentest.
Read the guide
23 NYCRR Part 500
NYDFS Part 500
Automated vulnerability scanning (§500.5), application-security policy and 72-hour incident reporting for NY financial entities.
Read the guide
CNSA 2.0 · M-23-02 · FIPS 203-205
Post-Quantum Cryptography (CNSA 2.0)
Crypto inventory and migration under CNSA 2.0, OMB M-23-02 and NIST PQC, where CBOM and QBOM do the heavy lifting.
Read the guide
Europe
EU Cyber Resilience Act (CRA)
The first horizontal law to mandate an SBOM. Annex I requirements, vulnerability handling and the 2027 timeline.
Read the guide
EU · Directive 2022/2555
NIS2 Directive
Article 21 supply-chain security and vulnerability handling for essential and important entities across 18 sectors.
Read the guide
EU · Regulation 2022/2554
DORA
ICT risk management, resilience testing and third-party risk for EU financial entities, applicable since 17 January 2025.
Read the guide
EU · Regulation 2024/1689
EU AI Act (High-Risk Security)
Article 15 robustness and cybersecurity for high-risk AI: poisoning and evasion resilience, AIBOM and logging.
Read the guide
- We start from the control a regulator actually wrote and tell you which O3 output satisfies it: the bill of materials, the function-level reachability proof, the pentest finding, the eBPF runtime telemetry, the remediation log. Advisory means our team helps you scope the controls that apply to you and assemble audit-ready evidence, rather than handing over a generic checklist.
- Live today: CERT-In’s AI-Assisted Exploitation Blueprint, CERT-In Technical Guidelines v2.0 on SBOM/CBOM/AIBOM/QBOM/HBOM (with the related SEBI CSCRF and RBI expectations), and post-quantum readiness against NIST PQC and NSA CNSA 2.0. EU CRA, EO 14028, DPDP and ISO 27001 mappings are in progress.
- No. One O3 scan produces the underlying artefacts — bills of materials, reachability traces, remediation timelines — and the same evidence is mapped to multiple frameworks. You collect once and report against CERT-In, SEBI, RBI, EU CRA and others.
- Machine-readable artefacts, not screenshots: CycloneDX bills of materials (SBOM, CBOM, QBOM, AIBOM, HBOM) enriched with OSV vulnerability status and VEX, function-level reachability traces showing which findings are exploitable, agentic pentest findings, SLSA provenance and cosign signature checks on container images, eBPF runtime telemetry (process trees and egress baselines), and a timestamped remediation log (including autofix PRs) mapped to each control.
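As an added example of what "collect once, report many times" looks like in practice, here is a small script (written for this page, not O3's code) that reads a CycloneDX BOM whose vulnerabilities carry VEX analysis state and checks each open finding against the FedRAMP 30/90/180-day remediation windows described above. The BOM, its component and vulnerability identifiers, and the timestamps are constructed for illustration. The `reachability` property on each vulnerability is an assumed scanner convention, not a CycloneDX standard field; `analysis.firstIssued` is used as the discovery date.

```python
"""Added example (not O3's code): FedRAMP 30/90/180-day SLA report from a
CycloneDX BOM that carries VEX analysis state and reachability evidence."""
from datetime import datetime, timezone

# FedRAMP Rev 5 continuous-monitoring remediation windows, in days from discovery.
# FedRAMP rates High/Moderate/Low; CVSS "critical" is treated as High here.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# CycloneDX VEX analysis states that remove a finding from the remediation queue.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Assumed scanner convention (not a CycloneDX standard field): a per-vulnerability
# property named "reachability" with value "reachable" or "unreachable".
REACHABILITY_PROP = "reachability"


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-01-01T00:00:00Z into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def highest_severity(vuln):
    """Worst severity across ratings[]; 'unknown' when no usable rating is present."""
    sevs = [r.get("severity", "").lower() for r in vuln.get("ratings", [])]
    sevs = [s for s in sevs if s in SEVERITY_RANK]
    return min(sevs, key=SEVERITY_RANK.get) if sevs else "unknown"


def is_reachable(vuln):
    """True/False from the assumed reachability property, None if absent."""
    for prop in vuln.get("properties", []):
        if prop.get("name") == REACHABILITY_PROP:
            return prop.get("value") == "reachable"
    return None


def sla_report(bom, as_of):
    """One row per open finding with its age measured against the FedRAMP window.
    Findings closed by VEX are dropped. An unreachable but still in_triage finding
    stays on the clock: only the recorded VEX state satisfies the auditor, and the
    reachability trace is the evidence used to justify that state."""
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")
        if state in CLOSED_STATES:
            continue
        severity = highest_severity(vuln)
        sla = SLA_DAYS.get(severity, 30)  # unrated findings get the strictest window
        discovered = analysis.get("firstIssued") or vuln.get("created")
        age = (as_of - parse_ts(discovered)).days if discovered else None
        rows.append({
            "id": vuln.get("id"),
            "refs": [a.get("ref") for a in vuln.get("affects", [])],
            "severity": severity,
            "state": state,
            "reachable": is_reachable(vuln),
            "age_days": age,
            "sla_days": sla,
            "overdue": age is not None and age > sla,
            "days_past_sla": max(0, age - sla) if age is not None else None,
        })
    rows.sort(key=lambda r: r["days_past_sla"] or 0, reverse=True)
    return rows


def summarize(rows):
    """Counts an auditor asks for: open, overdue, and overdue-and-reachable."""
    return {
        "open": len(rows),
        "overdue": sum(r["overdue"] for r in rows),
        "overdue_reachable": sum(r["overdue"] and r["reachable"] is True for r in rows),
    }


# Constructed sample CycloneDX 1.5 document; package, ids and dates are made up.
def _vuln(vid, ref, sev, state, issued, reach, **extra):
    return {"id": vid, "affects": [{"ref": ref}], "ratings": [{"severity": s} for s in sev],
            "analysis": {"state": state, "firstIssued": issued, **extra},
            "properties": [{"name": REACHABILITY_PROP, "value": reach}]}

SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/liba@1.0.0", "type": "library", "name": "liba", "version": "1.0.0"},
        {"bom-ref": "pkg:npm/libb@2.0.0", "type": "library", "name": "libb", "version": "2.0.0"},
    ],
    "vulnerabilities": [
        _vuln("EXAMPLE-0001", "pkg:pypi/liba@1.0.0", ["high"], "exploitable", "2025-01-01T00:00:00Z", "reachable"),
        _vuln("EXAMPLE-0002", "pkg:npm/libb@2.0.0", ["low", "medium"], "exploitable", "2025-01-01T00:00:00Z", "reachable"),
        _vuln("EXAMPLE-0003", "pkg:npm/libb@2.0.0", ["critical"], "not_affected", "2024-12-01T00:00:00Z", "unreachable",
              justification="code_not_reachable"),
        _vuln("EXAMPLE-0004", "pkg:pypi/liba@1.0.0", ["high"], "in_triage", "2025-01-01T00:00:00Z", "unreachable"),
        _vuln("EXAMPLE-0005", "pkg:npm/libb@2.0.0", ["low"], "exploitable", "2024-06-01T00:00:00Z", "reachable"),
    ],
}
AS_OF = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = sla_report(SAMPLE_BOM, AS_OF)
    for r in report:
        print(f'{r["id"]:14} {r["severity"]:8} {r["state"]:12} age={r["age_days"]:>3}d '
              f'sla={r["sla_days"]:>3}d overdue={r["overdue"]} reachable={r["reachable"]}')
    print(summarize(report))
```

In the sample, EXAMPLE-0003 disappears from the queue because its VEX state is `not_affected` with a `code_not_reachable` justification, while EXAMPLE-0004, which the reachability evidence also marks unreachable, remains overdue because nobody has recorded that conclusion as a VEX state yet. That gap between "the trace says unreachable" and "the VEX says not_affected" is exactly what an auditor will ask about, so the report keeps it visible. The same rows can be re-keyed to other frameworks' windows by swapping `SLA_DAYS`.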