Compliance Labs independently evaluates cybersecurity software against IT, OT and AI regulations and frameworks. Our evaluation process is built on the NIST IR (Internal Report) series and the NIST OLIR mapping methodology. Assessments follow the procedures defined in NIST SP (Special Publication).
1000+ software solutions listed
40+ regulations & frameworks

Every evaluation follows the same structured approach. Detailed methodology available on request.

The CAE is a design-level evaluation. Compliance Labs reviews proprietary vendor documentation and maps each software capability to specific regulatory articles and framework controls. The evaluation assesses whether the controls are suitably designed to address the targeted requirements, following the examine method defined in NIST SP (Special Publication). Every mapping is documented with a relationship type, a source authority, and a written rationale.

Deliverable: CAE report with control coverage, gap analysis, configuration dependencies, written rationale per mapping, and a shareable compliance badge.

The EEE is an effectiveness-level evaluation. It includes everything in the CAE, then adds direct testing in a controlled environment. Compliance Labs installs, configures and operates the software to verify that controls function as designed over a defined observation period, following three methods defined in NIST SP (Special Publication): examine, interview, and test. Where a control does not operate as documented, the gap is recorded with expected behavior, observed behavior, and regulatory impact.

Deliverable: EEE report with test results per control, structured evidence pack, gap analysis with regulatory impact, complete audit trail, and a verified effectiveness badge.

Custom Testing extends the CAE and EEE methodology to software that is not commercially available or that requires evaluation in a specific environment: pre-release versions, internally developed applications, integration services, and off-the-shelf solutions deployed in custom configurations. The evaluation follows the same NIST SP (Special Publication) assessment procedures, with scope and testing depth adapted to the context.

Deliverable: Custom evaluation report with scope-specific test results, gap analysis, and regulatory impact assessment.
OUR EVALUATION PROCESS
Every Compliance Labs evaluation follows a structured mapping process built on the NIST IR series and the NIST OLIR methodology. Every relationship between a software capability and a regulatory control is documented, traceable, and reproducible.
Step 1
The evaluation starts with the regulation or framework the software must address. It determines the scope of every mapping that follows. Nothing is evaluated outside its scope.
Step 2
Compliance Labs maps software capabilities against three shared control frameworks: NIST CSF 2.0, NIST SP (Special Publication), and ISO/IEC 27001. These frameworks provide the structured control language that connects software capabilities to regulatory requirements.
Step 3
Each mapping uses set-theory relationships to describe how the software capability relates to the regulatory control. Five relationship types are used: subset of (the capability covers part of the control and nothing beyond it), intersects with (the capability and the control share some elements, but neither contains the other), superset of (the capability covers the whole control and more), equal to (the capability fully corresponds to the control), and not related to (no meaningful connection). A plain "covers" or "does not cover" verdict cannot express these differences; the relationship type states exactly how much of the control the capability addresses.
Step 4
Cybersecurity software does not address regulatory requirements on its own. It delivers technical capabilities that can be verified directly, and it contributes to organizational practices that people operate. Our evaluation measures the two separately, so a compliance officer can see exactly where the software ends and organizational work begins.
Step 5
Every mapping includes a written rationale explaining why this capability addresses this control, and what the limitations are. The rationale gives auditors, compliance officers, and security architects the context they need to make decisions.
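The five steps above, worked as an added example that is not Compliance Labs code: the relationship type of Step 3 is derived by comparing the set of elements a capability delivers with the set of elements a control requires, and the technical/organizational split of Step 4 falls out of the same comparison. The control name, capability name, source authority and elements are constructed for the example.

```python
"""Added example (not Compliance Labs tooling): an OLIR-style mapping record
whose relationship type is computed from set comparison. All control names,
capability names, sources and elements are constructed for the example."""
from dataclasses import dataclass

# The five relationship types used in Step 3.
SUBSET, INTERSECTS, SUPERSET, EQUAL, NOT_RELATED = (
    "subset of", "intersects with", "superset of", "equal to", "not related to",
)


def relationship(capability: frozenset, control: frozenset) -> str:
    """Classify how a capability's elements relate to a control's elements.

    Order matters: equality is tested first, because equal sets also pass both
    the subset and the superset test; the strict comparisons then separate
    partial coverage from full-plus-extra coverage.
    """
    if capability == control:
        return EQUAL
    if capability < control:      # covers part of the control, nothing beyond it
        return SUBSET
    if capability > control:      # covers the whole control and more
        return SUPERSET
    if capability & control:      # overlap, but neither side contains the other
        return INTERSECTS
    return NOT_RELATED


@dataclass(frozen=True)
class Mapping:
    """One documented relationship: source authority, type and rationale (Step 5)."""
    capability: str
    control: str
    source: str
    relationship: str
    rationale: str
    technical: frozenset        # control elements the product delivers itself
    organizational: frozenset   # control elements people must still operate


def build_mapping(capability, control, capability_elems, control_elems, source, rationale):
    """Step 4: what the product delivers is the overlap; the remainder of the
    control is organizational work the product cannot do on its own."""
    return Mapping(
        capability=capability,
        control=control,
        source=source,
        relationship=relationship(capability_elems, control_elems),
        rationale=rationale,
        technical=capability_elems & control_elems,
        organizational=control_elems - capability_elems,
    )


# Constructed sample: a hypothetical access-control requirement and an RBAC feature.
ACCESS_CONTROL_REQ = frozenset({
    "unique user identifiers", "least-privilege roles",
    "periodic account review", "access removal on termination",
})
RBAC_FEATURE = frozenset({"unique user identifiers", "least-privilege roles"})

EXAMPLE = build_mapping(
    capability="Role-based access control",
    control="ACCESS-01 (hypothetical control)",
    capability_elems=RBAC_FEATURE,
    control_elems=ACCESS_CONTROL_REQ,
    source="vendor administrator guide (hypothetical)",
    rationale="RBAC enforces identifiers and roles; account review and removal "
              "are operated by the customer's joiner/mover/leaver process.",
)

if __name__ == "__main__":
    print(EXAMPLE.relationship)            # subset of
    print(sorted(EXAMPLE.organizational))  # the work the software leaves to people
```

The `organizational` set is the practical output: for a "subset of" mapping it lists exactly the control elements an auditor should expect to find in the customer's own procedures rather than in the product.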
Regulatory mapping shows what controls exist. Threat mapping shows what they prevent.
Compliance Labs maps every evaluated software product against MITRE ATT&CK to connect regulatory coverage to real-world attack techniques. You see not only which controls a product addresses, but which threats it detects or prevents.
Enterprise — covering IT attack tactics
ICS — for industrial control systems
Mobile — covering mobile-specific attack vectors
ATLAS — for AI-specific threats (MITRE ATLAS is a separate knowledge base modelled on ATT&CK, not one of the ATT&CK matrices)
When Compliance Labs evaluates a product's access control capabilities against DORA Art. 9, the MITRE mapping shows which credential theft, privilege escalation, and lateral movement techniques those controls would detect or prevent. The compliance map tells you the software addresses the regulation. The threat map tells you what that means against real adversary behavior.
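The DORA Art. 9 walk-through above, as an added example that is not Compliance Labs code: the threat map is a join of the capability-to-control mappings with the capability-to-technique mappings, keyed on the regulatory control. The sample data is constructed; the technique IDs are real ATT&CK Enterprise IDs, but which capability is assumed to detect or prevent which technique is an illustrative assumption, not a Compliance Labs finding.

```python
"""Added example (not Compliance Labs tooling): joining a regulatory map to a
threat map. Sample data is constructed; the ATT&CK technique IDs are real,
the capability-to-technique assignments are illustrative assumptions."""
from collections import defaultdict

# Capability -> [(regulatory control, relationship type)]. Constructed sample.
REGULATORY_MAP = {
    "multi-factor authentication": [("DORA Art. 9", "subset of")],
    "privileged access management": [("DORA Art. 9", "subset of")],
    "network segmentation": [("DORA Art. 9", "subset of")],
    "log retention": [("DORA Art. 9", "not related to"),
                      ("LOG-02 (hypothetical control)", "equal to")],
}

# Capability -> [(technique ID, technique name, effect)]. Constructed sample.
THREAT_MAP = {
    "multi-factor authentication": [
        ("T1078", "Valid Accounts", "prevent"),
        ("T1110", "Brute Force", "prevent"),
    ],
    "privileged access management": [
        ("T1078", "Valid Accounts", "detect"),
        ("T1003", "OS Credential Dumping", "prevent"),
    ],
    "network segmentation": [("T1021", "Remote Services", "prevent")],
    "log retention": [("T1070", "Indicator Removal", "detect")],
}


def techniques_for_control(control: str) -> dict:
    """Return {technique_id: {"name", "effects", "via"}} for every technique
    reached through a capability that is mapped to `control`.

    "not related to" mappings are skipped on purpose: a control that a
    capability does not address cannot claim the techniques that capability
    handles, even though both appear in the same report.
    """
    result = defaultdict(lambda: {"name": "", "effects": set(), "via": set()})
    for capability, controls in REGULATORY_MAP.items():
        if not any(c == control and rel != "not related to" for c, rel in controls):
            continue
        for tid, name, effect in THREAT_MAP.get(capability, []):
            entry = result[tid]
            entry["name"] = name
            entry["effects"].add(effect)     # a technique may be both detected and prevented
            entry["via"].add(capability)     # which capabilities provide that coverage
    return dict(result)


if __name__ == "__main__":
    for tid, info in sorted(techniques_for_control("DORA Art. 9").items()):
        print(tid, info["name"], sorted(info["effects"]), sorted(info["via"]))
```

Keeping `via` in the result preserves the audit trail the page asks for: a reviewer can trace each technique back to the capability, and from there to the mapping's source authority and rationale.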
Regulations, standards and frameworks across IT, OT and AI security covered by Compliance Labs evaluations.
The expertise and principles behind every compliance map and report.

Every evaluation follows the same methodology regardless of the vendor.

Every mapping includes its source, relationship type, and rationale.

25+ years of compliance and cybersecurity experience, structured into a methodology.