Frameworks & controls
What the labels on a finding mean.
Every Sentinel finding is tagged with the standards it provides
evidence toward โ a CWE weakness class, a CIS benchmark
item, a MITRE ATT&CK technique, a NIST control. This
page says what each one is, in a line or two, with a verifiable primary
source. Below that: the wider security & regulatory landscape, to
inform and guide โ clearly marked as context, not coverage.
What every finding maps to
The control labels Sentinel actually emits.
These are the chips on every finding โ in the browser, the
CLI, and the SARIF output. The full per-rule crosswalk lives in
CONTROLS.md.
| Framework | What it is | Source |
| CWE |
The Common Weakness Enumeration โ a community catalogue of
software & hardware weakness types. Each finding is classed under the
weakness it represents. |
cwe.mitre.org |
| CIS Benchmarks |
Center for Internet Security configuration-hardening
baselines (Docker, Kubernetes). Chips cite the specific benchmark item, e.g.
CIS-Docker-5.9. |
cisecurity.org |
| MITRE ATT&CK |
A knowledge base of real-world adversary tactics &
techniques. Each rule maps to the technique it represents, e.g.
T1611 (escape to host). |
attack.mitre.org |
| NIST SP 800-53 r5 |
The U.S. federal catalogue of security & privacy controls.
Findings map to the control(s) they provide evidence toward, e.g.
AC-6 (least privilege). |
csrc.nist.gov |
| NIST SP 800-171 r2 |
Controls for protecting Controlled Unclassified Information
(CUI) in non-federal systems โ the CUI subset of 800-53. |
csrc.nist.gov |
| OWASP Top 10 |
Community top-risk lists for
CI/CD,
Docker, and
Kubernetes;
chips cite the item, e.g. OWASP-CICD-SEC-4,
OWASP-Docker-D04, OWASP-K8s-K01 (K8s on the 2025
revision). |
owasp.org |
Inform & guide
The wider security & regulatory landscape.
Sentinel does not assess these regimes and standards.
This section is here to inform and guide โ the broader security and
regulatory landscape practitioners in this space work with, each with a primary
source. The control mappings above (CWE, CIS, ATT&CK, NIST) are what Sentinel
actually emits on a finding.
EU regulations
DORA โ Digital Operational Resilience Act (Reg (EU) 2022/2554)
Requires EU financial entities to manage ICT & third-party risk, test
resilience, and report major incidents. Applies since January 2025.
Read more
NIS2 Directive (Dir (EU) 2022/2555)
Baseline cybersecurity risk-management and incident-reporting duties for
"essential" and "important" entities across 18 sectors and their ICT suppliers.
Enforced since October 2024.
Read more
EU AI Act (Reg (EU) 2024/1689)
The first horizontal EU law regulating AI by risk tier; high-risk-system
obligations phase in from August 2026.
Read more
GDPR (Reg (EU) 2016/679)
The EU's data-protection law for processing personal data; fines up to โฌ20M or
4% of global turnover.
Read more
Cyber Resilience Act (Reg (EU) 2024/2847)
Mandatory cybersecurity requirements (vulnerability handling, SBOM) for
"products with digital elements"; main duties apply from December 2027.
Read more
International standards
ISO/IEC 27001:2022
The international standard for an information-security management system (ISMS)
โ the common baseline certification.
Read more
AI & agent security
ISO/IEC 42001:2023
The first international standard for an AI management system (AIMS) โ
governance for building and using AI responsibly.
Read more
NIST AI Risk Management Framework (AI RMF 1.0)
Voluntary U.S. guidance for managing risk across the AI lifecycle, with a
companion Generative AI profile.
Read more
OWASP Top 10 for LLM Applications
The community list of the top security risks in LLM / generative-AI
applications (OWASP GenAI Security Project).
Read more
MITRE ATLAS
A knowledge base of adversary tactics & techniques against AI / ML systems
โ the ATT&CK analogue for AI.
Read more
Switzerland (non-EU)
FINMA Circular 2023/1 โ Operational risks and resilience (banks)
The Swiss Financial Market Supervisory Authority's circular covering ICT and
third-party oversight for banks; in force since January 2024.
Read more
Don't trust it โ reproduce it
See the mappings on a real scan.
Run a scan and every finding carries its control labels and a reproducible
report_digest. The full per-rule crosswalk is in the repo.