Most SMBs have a vulnerability-scanning obligation but no security team. Perimeter maps every finding to the exact control it satisfies, with a timestamp, so your auditor gets evidence instead of a raw export.
PCI DSS 4.0: Req. 11.3 mandates internal (11.3.1) and external (11.3.2) vulnerability scans at least every three months. Perimeter runs both and tags each finding 11.3.1 or 11.3.2.
HIPAA: the 2026 Security Rule makes six-monthly vulnerability scans and an annual penetration test required rather than addressable. Perimeter timestamps every scan, so recency is provable rather than asserted.
CMMC L2: RA.L2-3.11.2 (scan) and RA.L2-3.11.3 (remediate). Open critical or KEV findings feed Bastion's POA&M with due dates.
| Finding type | NIST CSF 2.0 | SOC 2 | PCI DSS 4.0 | ISO 27001:2022 | CMMC L2 |
|---|---|---|---|---|---|
| Vulnerability identified | ID.RA-01 | CC7.1 | 11.3.1/.2 | A.8.8 | RA.L2-3.11.2 |
| Patchable / KEV | ID.RA-06 | CC7.1 | 6.3.3 | A.8.8 | RA.L2-3.11.3 |
| TLS / crypto exposure | PR.DS-02 | CC6.7 | 4.2.1 | A.8.24 | SC.L2-3.13.8 |
| Exposed service / secret | PR.AA-05 | CC6.1 | 2.2.6 | A.8.9 | CM.L2-3.4.6 |
| Attack-surface drift | ID.AM-01 | CC7.2 | 11.3.2 | A.5.7 | CA.L2-3.12.3 |
The mappings above are Perimeter's product-local denormalization of the shared evidence graph; the authoritative cross-product contract is the Keystone canonical evidence object plus its evidence refs.
Because Perimeter publishes to the DosanjhLabs shared evidence graph, one scan result satisfies the matching control in Sightline (across 22+ frameworks), Bastion (800-171 SSP/POA&M) and Ward (HIPAA) at the same time, with no re-entry. A standalone scanner cannot do this: it has no suite to publish into, so its output is a raw export you map by hand.
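To make the evidence-graph idea concrete, here is an added Python sketch of how a single canonical evidence object can fan out to one evidence ref per framework, how scan recency is derived from timestamps, and how critical/KEV findings become POA&M items with due dates. It is illustrative code written for this page, not Perimeter's, Keystone's or Bastion's real schema or API: the `Evidence` fields, the 183-day recency window, the 14- and 30-day remediation SLAs and the sample findings are all assumptions constructed for the example.

```python
"""Hypothetical canonical evidence object fanning out to several frameworks.
Added example for this page; not the product's real schema or code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Product-local denormalization of the mapping table: finding type -> control per framework.
CONTROL_MAP = {
    "vulnerability": {"NIST CSF 2.0": "ID.RA-01", "SOC 2": "CC7.1",
                      "PCI DSS 4.0": "11.3.1/11.3.2", "ISO 27001:2022": "A.8.8",
                      "CMMC L2": "RA.L2-3.11.2"},
    "patchable_kev": {"NIST CSF 2.0": "ID.RA-06", "SOC 2": "CC7.1",
                      "PCI DSS 4.0": "6.3.3", "ISO 27001:2022": "A.8.8",
                      "CMMC L2": "RA.L2-3.11.3"},
    "tls_crypto": {"NIST CSF 2.0": "PR.DS-02", "SOC 2": "CC6.7",
                   "PCI DSS 4.0": "4.2.1", "ISO 27001:2022": "A.8.24",
                   "CMMC L2": "SC.L2-3.13.8"},
    "exposed_service": {"NIST CSF 2.0": "PR.AA-05", "SOC 2": "CC6.1",
                        "PCI DSS 4.0": "2.2.6", "ISO 27001:2022": "A.8.9",
                        "CMMC L2": "CM.L2-3.4.6"},
    "surface_drift": {"NIST CSF 2.0": "ID.AM-01", "SOC 2": "CC7.2",
                      "PCI DSS 4.0": "11.3.2", "ISO 27001:2022": "A.5.7",
                      "CMMC L2": "CA.L2-3.12.3"},
}


@dataclass(frozen=True)
class Evidence:
    """Assumed shape of a canonical evidence object (hypothetical, not Keystone's)."""
    evidence_id: str
    finding_type: str
    asset: str
    observed_at: datetime   # the timestamp an auditor wants on every ref
    scan_scope: str         # "internal" or "external"
    severity: str           # "low" / "medium" / "high" / "critical"
    in_kev: bool = False


def evidence_refs(ev: Evidence) -> list[dict]:
    """One scan result -> one evidence ref per framework, each carrying the timestamp."""
    return [
        {"evidence_id": ev.evidence_id, "framework": fw, "control": ctrl,
         "observed_at": ev.observed_at.isoformat()}
        for fw, ctrl in CONTROL_MAP[ev.finding_type].items()
    ]


def scan_recency(evidence: list[Evidence], now: datetime,
                 max_age: timedelta = timedelta(days=183)) -> dict[str, bool]:
    """Provable recency: is the latest internal and external scan each within max_age?
    183 days stands in for a six-month cadence (assumption)."""
    latest: dict[str, datetime] = {}
    for ev in evidence:
        if ev.scan_scope not in latest or ev.observed_at > latest[ev.scan_scope]:
            latest[ev.scan_scope] = ev.observed_at
    return {scope: (scope in latest and now - latest[scope] <= max_age)
            for scope in ("internal", "external")}


# Hypothetical remediation SLAs that drive POA&M due dates (assumed values).
POAM_SLA = {"kev": timedelta(days=14), "critical": timedelta(days=30)}


def poam_entries(evidence: list[Evidence]) -> list[dict]:
    """Open critical or KEV findings become POA&M items with a due date."""
    items = []
    for ev in evidence:
        if ev.in_kev:
            sla = POAM_SLA["kev"]
        elif ev.severity == "critical":
            sla = POAM_SLA["critical"]
        else:
            continue  # lower-severity, non-KEV findings stay out of the POA&M
        items.append({"evidence_id": ev.evidence_id, "asset": ev.asset,
                      "control": CONTROL_MAP[ev.finding_type]["CMMC L2"],
                      "due": (ev.observed_at + sla).date().isoformat()})
    return items


# Constructed sample findings (not real scan output).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Evidence("ev-001", "patchable_kev", "vpn-gw.example",
             datetime(2026, 2, 20, tzinfo=timezone.utc), "external", "high", in_kev=True),
    Evidence("ev-002", "vulnerability", "db01.internal",
             datetime(2025, 8, 10, tzinfo=timezone.utc), "internal", "critical"),
    Evidence("ev-003", "tls_crypto", "www.example",
             datetime(2026, 2, 25, tzinfo=timezone.utc), "external", "medium"),
]

if __name__ == "__main__":
    for ref in evidence_refs(SAMPLE[0]):
        print(ref)
    print(scan_recency(SAMPLE, NOW))   # internal scan is ~203 days old: fails the window
    print(poam_entries(SAMPLE))
```

Running it shows the three behaviours the page describes: the KEV finding yields five timestamped refs (one per framework), the stale internal scan from August fails the six-month window while the external one passes, and only the KEV and critical findings land in the POA&M with due dates.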