Assess · Monitor · Protect
Compliance that runs continuously
Risk, controls, evidence and reporting in one system — the product we built, and the engine we run every engagement on. What follows is the real thing, screen by screen.
Compliance is treated like a deadline, not a system
Most teams sprint to pass an audit, then let everything drift until next year. CSFaaS closes that gap.
- Audit prep eats weeks of engineering and security time, every year.
- Evidence lives in scattered spreadsheets, screenshots and Slack threads.
- You answer the same security questionnaire from scratch, again and again.
- Nobody actually knows the live compliance posture between audits.
Frameworks we implement & automate
One system, from risk to proof
Everything the program needs in one place. Here is what it actually looks like in the product.
Map once. Prove everywhere.
Start from 40+ prebuilt frameworks — ISO 27001, SOC 2, NIST CSF 2.0, GDPR — or build your own. Define one set of controls and map it across every standard at once, with versioning and approvals handled for you.
- 40+ prebuilt frameworks
- One control set, many standards
- Versioning, approvals & audit trail
Frameworks
8 active · 40+ available to import
Controls, mapped and measured.
Define a control once and map it to policies and frameworks at the same time. Track implementation as a maturity level — from Initial to Optimized — with completion rolled up everywhere the control is referenced.
- One control, many mappings
- Maturity: Initial → Optimized
- Completion rolled up automatically
Policies for information security · ISO 27001
Use of cryptography · ISO 27001
Logical access controls · SOC 2
Identities & credentials managed · NIST CSF
Threat intelligence · ISO 27001
Every assessment starts here.
A risk demand captures the request — business context, systems, data classification — then moves through a defined workflow from initiation to risk response and assurance, with owners, priority and due dates throughout.
- Structured intake
- Initiation → response → assurance
- Owners, priority & due dates
Risk demands
12 open · intake → analysis · SLA tracked
Risk, scored and seen.
Identify, assess and treat risk with a structured method drawn from NIST, ISO and SABSA — threat- and asset-oriented, plotted on a live likelihood-by-impact matrix, from inherent through current to target.
- Likelihood × impact matrix
- Inherent → current → target
- Owners, status & response
Likelihood × impact
Put a number on it.
When qualitative scoring is not enough, model risk in money — probability, single- and annual-loss expectancy, and a loss-exceedance curve — so treatment decisions rest on cost-benefit, not on gut feel.
- Probability × SLE → ALE
- Inherent vs residual exposure
- Cost-benefit on every treatment
Annualised loss exposure
Inherent
$1.21M
Residual
$312k
74% exposure reduction · treatment $190k
Loss exceedance
Findings become work.
Every gap becomes a tracked plan with an owner, a due date and a path to closure — linked back to the risk it answers, with a complete activity trail behind it.
- Owners & due dates
- Linked to the originating risk
- Progress through to closure
Remediation plans
19 plans · 4 owners
↳ RISK-042
↳ RISK-028
↳ RISK-039
↳ RISK-051
↳ RISK-011
Know what you're protecting.
A living inventory of the systems that matter, classified by sensitivity and tied to the risks, controls and evidence that cover them — so scope is never a guess.
- Data classification
- Linked risk assessments
- Owners & review cycles
Systems catalog
23 systems · classified
The supply chain, watched.
Tier every vendor by criticality, assess residual risk and keep reviews on a cycle — so the partners you depend on never quietly drift out of view.
- Tiered by criticality
- Residual risk scored
- Reviews kept on schedule
Third parties
17 vendors · tiered · SLA tracked
Nothing drifts out of date.
Controls, systems, vendors and risks each carry a review cadence and an owner. The platform surfaces what is overdue, due this month, unscheduled or unowned — long before it becomes a finding.
- A cadence for every item
- Ownership coverage at a glance
- Overdue surfaced early
Reviews & periodicity
Review & ownership coverage
A.8.24 · Cryptography · Control
SYS-001 · Production Postgres · System
TP-001 · Stripe · Third party
RISK-042 · Backups · Risk
RD-014 · Payroll change · Demand
Audits that close themselves out.
Plan, run and track audits in one place — findings, responses and closure evidence — with progress visible at a glance and nothing slipping between cycles.
- Findings → responses → closure
- Internal & external audits
- Progress tracked to 100%
Audit manager
3 plans · findings & responses
ISO 27001 surveillance 2026
14 findings · 9 closed · lead A. Kerr
SOC 2 Type II readiness
scope being defined · lead M. Diaz
GDPR internal review
6 findings · 6 closed · lead L. Okoye
Audit-ready, quietly.
Evidence is collected and versioned continuously and attached where it belongs — frameworks, controls, demands, remediation, third parties — so audit prep stops being a scramble and becomes a download.
- Continuous collection
- Versioned & fully traceable
- Attached across the platform
Evidence hub
Collected & versioned continuously
Ask once, track everything.
Build questionnaires for vendors, systems and control owners, send them where they are needed, and watch responses and completion roll in — without a single spreadsheet.
- Custom questionnaires
- Sent across the platform
- Live response tracking
Third-party risk assessment
FORM-002 · Published
Three steps to always-on compliance
Connect your scope
Pick your frameworks and workspaces. CSFaaS maps them to a unified control set so you never duplicate work.
Collect evidence continuously
Owners attach evidence against controls as work happens — versioned, timestamped and always audit-ready.
Prove it, anytime
Export audit packages and answer security questionnaires from a live posture, not a year-end scramble.
The modules that run your program
One connected system instead of a dozen disconnected tools and spreadsheets.
Frameworks & Controls
40+ prebuilt frameworks — ISO 27001, SOC 2, NIST CSF 2.0, GDPR — mapped to a single control set, with policy versioning and approvals.
Risk Registry
Document, score and treat risk — threat- and asset-oriented, inherent through target, with owners, status and response.
Demands
Structured risk-assessment requests: business context, systems and data classification gathered before analysis begins.
Remediation
Action plans that drive risk down to closure — owners, due dates, progress and a full activity trail.
Evidence Hub
Attach and version evidence across frameworks, controls, demands, remediation and third parties — always traceable.
Posture & Audit
Live readiness by framework, control and owner, with audit planning and exportable packages on demand.
Buy the tool, or have us run it
CSFaaS stands on its own. But the fastest path to audit-ready is letting DarkProtect deploy it, configure your controls and operate the program alongside your team.
Let's talk about your security program
A free 30-minute conversation, no pitch. We'll map where you stand, the standards you need to meet, and the most direct path to get there.