Security Frameworks and Compliance Initiatives

A proactive approach to meeting requirements with the CyCognito platform.

The platform preempts attacks and helps satisfy key elements of most common security frameworks and many regulatory compliance standards. The CyCognito platform achieves this by discovering and testing your entire attack surface, prioritizing what needs to be fixed first, and automatically validating remediation.


MITRE ATT&CK

See an interactive mapping of CyCognito’s capabilities to the MITRE ATT&CK framework.

The CyCognito platform helps you address tactics in the MITRE ATT&CK framework, a free and open knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. While most of the ATT&CK framework is geared to detecting attackers in real time during an attack, its Reconnaissance and Resource Development tactics cover attacker preparation. The CyCognito platform preempts attacks by addressing these two tactics. The platform also offers some support for the later ATT&CK tactics, such as Initial Access, Execution, Persistence, Privilege Elevation, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Collection.

NIST Cybersecurity Framework

The CyCognito platform helps organizations follow this standard by mapping closely to the Identify and Protect functions of the NIST Framework and contributing to the Detect, Respond and Recover functions.

The National Institute of Standards and Technology (NIST) Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders.

The table below shows where the CyCognito platform contributes to the NIST Cybersecurity Framework.

ORANGE = CyCognito maps significantly to the category
YELLOW = CyCognito offers a complementary, incidental, or ancillary mapping

Table: NIST Cybersecurity Framework mapping

International Organization for Standardization ISO/IEC 27000 Series

The CyCognito platform contributes to addressing ISO 27001:2013 sections “6.1.2 Information Security Risk Assessment,” “9.1 Monitoring, Measurement, Analysis and Evaluation” and “10.1 Nonconformity and Corrective Action.” Of the 14 categories in the Annex A controls, the CyCognito platform contributes significantly to three: A.8 Asset Management, A.12 Operations Security, and A.13 Communications Security.


One of the most widely known security standards, the ISO/IEC 27000 series is a mature international framework focused on information security. Developed by the International Organization for Standardization (ISO), it is the cybersecurity equivalent of the ISO 9000 quality standards for manufacturers and operational excellence. It is comprehensive and broad, and can be used across a wide range of business types and sizes.


Center for Internet Security Critical Security Controls (CIS CSC)

The security controls give pragmatic, actionable recommendations for cybersecurity. The CyCognito platform maps at least partially to 14 of the CIS controls and provides extensive coverage around inventory of assets, vulnerability and penetration testing, and security of ports and services.

The table below shows broadly where the CyCognito platform contributes to the CIS CSC v7.0.

ORANGE = CyCognito maps significantly to the category
YELLOW = CyCognito offers a complementary, incidental, or ancillary mapping

The CIS guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should implement to block or mitigate known attacks. The controls are designed so that primarily automated methods can be used to implement, enforce and monitor them.

Table: Center for Internet Security Critical Security Controls (CIS CSC) mapping




GDPR and Other Data Privacy Regulations

The CyCognito platform helps organizations maintain GDPR compliance with proactive risk assessment that identifies where sensitive data, including PII, may be exposed. For example, it identifies web servers whose login pages interface with databases, and can identify associated web applications collecting PII, wherever they are hosted. The platform’s automatic risk prioritization and detailed remediation guidance make it efficient to build compliance adherence into security operations workflows. You can assess, monitor and remediate potential GDPR violations with GDPR-specific security hygiene policies, issues and alerts in the CyCognito platform. The platform’s remediation validation, security grading and analytics capabilities help your organization document its GDPR compliance validation.

The CyCognito platform helps your organization comply with other data privacy regulations around the globe that include protections for the way that PII is obtained, processed and stored. Beyond GDPR, these include: 


Worldwide, 132 out of 194 countries have legislation to protect data and privacy, according to the United Nations Conference on Trade and Development. The CyCognito platform helps your organization fulfill data privacy compliance regulations by assessing your attacker-exposed risks across your extended IT ecosystem, identifying hidden assets and attack vectors, and locating assets where personally identifiable information (PII) could be inadvertently exposed.

Europe’s General Data Protection Regulation (GDPR), which affects all organizations doing business with European natural citizens, is arguably the most stringent data privacy regulation in the world and can result in significant fines for violations. Organizations must track where PII is being collected and stored and whether those assets are exposed to external attack, regardless of whether the assets are owned by the organization or sit in a cloud environment operated by a third-party service.




“With the CyCognito platform we have greatly improved our attack surface visibility and enhanced our attack surface management workflows. The platform helps us operate smoothly and provides reduced risk, reduced complexity and increased visibility.”

Kevin Kealy, Global CISO, Scientific Games

NIST Special Publication 800-53

The CyCognito platform maps partially or substantially to 11 of the 19 NIST control families, including Risk Assessment, Assessment, Supply Chain Risk Management, Configuration Management, Communications Protection, Access Controls, Audit and Accountability, Authorization and Monitoring, Identification and Authentication, Incident Response, and PII Processing and Transparency.


NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is a US standard publication that provides a catalog of security and privacy controls for information systems and organizations. The controls protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.


Start Eliminating Your Shadow Risks

CyCognito is solving one of the most fundamental business problems in cybersecurity: the need to understand how attackers view your organization, where they are most likely to break in, and how you can efficiently analyze, monitor and eliminate that risk.