Frameworks & controls

What the labels on a finding mean.

Every Sentinel finding is tagged with the standards it provides evidence toward โ€” a CWE weakness class, a CIS benchmark item, a MITRE ATT&CK technique, a NIST control. This page says what each one is, in a line or two, with a verifiable primary source. Below that: the wider security & regulatory landscape, to inform and guide โ€” clearly marked as context, not coverage.

What every finding maps to

The control labels Sentinel actually emits.

These are the chips on every finding โ€” in the browser, the CLI, and the SARIF output. The full per-rule crosswalk lives in CONTROLS.md.

FrameworkWhat it isSource
CWE The Common Weakness Enumeration โ€” a community catalogue of software & hardware weakness types. Each finding is classed under the weakness it represents. cwe.mitre.org
CIS Benchmarks Center for Internet Security configuration-hardening baselines (Docker, Kubernetes). Chips cite the specific benchmark item, e.g. CIS-Docker-5.9. cisecurity.org
MITRE ATT&CK A knowledge base of real-world adversary tactics & techniques. Each rule maps to the technique it represents, e.g. T1611 (escape to host). attack.mitre.org
NIST SP 800-53 r5 The U.S. federal catalogue of security & privacy controls. Findings map to the control(s) they provide evidence toward, e.g. AC-6 (least privilege). csrc.nist.gov
NIST SP 800-171 r2 Controls for protecting Controlled Unclassified Information (CUI) in non-federal systems โ€” the CUI subset of 800-53. csrc.nist.gov
OWASP Top 10 Community top-risk lists for CI/CD, Docker, and Kubernetes; chips cite the item, e.g. OWASP-CICD-SEC-4, OWASP-Docker-D04, OWASP-K8s-K01 (K8s on the 2025 revision). owasp.org

Inform & guide

The wider security & regulatory landscape.

Sentinel does not assess these regimes and standards. This section is here to inform and guide โ€” the broader security and regulatory landscape practitioners in this space work with, each with a primary source. The control mappings above (CWE, CIS, ATT&CK, NIST) are what Sentinel actually emits on a finding.

EU regulations

DORA โ€” Digital Operational Resilience Act (Reg (EU) 2022/2554)

Requires EU financial entities to manage ICT & third-party risk, test resilience, and report major incidents. Applies since January 2025. Read more

NIS2 Directive (Dir (EU) 2022/2555)

Baseline cybersecurity risk-management and incident-reporting duties for "essential" and "important" entities across 18 sectors and their ICT suppliers. Enforced since October 2024. Read more

EU AI Act (Reg (EU) 2024/1689)

The first horizontal EU law regulating AI by risk tier; high-risk-system obligations phase in from August 2026. Read more

GDPR (Reg (EU) 2016/679)

The EU's data-protection law for processing personal data; fines up to โ‚ฌ20M or 4% of global turnover. Read more

Cyber Resilience Act (Reg (EU) 2024/2847)

Mandatory cybersecurity requirements (vulnerability handling, SBOM) for "products with digital elements"; main duties apply from December 2027. Read more

International standards

ISO/IEC 27001:2022

The international standard for an information-security management system (ISMS) โ€” the common baseline certification. Read more

AI & agent security

ISO/IEC 42001:2023

The first international standard for an AI management system (AIMS) โ€” governance for building and using AI responsibly. Read more

NIST AI Risk Management Framework (AI RMF 1.0)

Voluntary U.S. guidance for managing risk across the AI lifecycle, with a companion Generative AI profile. Read more

OWASP Top 10 for LLM Applications

The community list of the top security risks in LLM / generative-AI applications (OWASP GenAI Security Project). Read more

MITRE ATLAS

A knowledge base of adversary tactics & techniques against AI / ML systems โ€” the ATT&CK analogue for AI. Read more

Switzerland (non-EU)

FINMA Circular 2023/1 โ€” Operational risks and resilience (banks)

The Swiss Financial Market Supervisory Authority's circular covering ICT and third-party oversight for banks; in force since January 2024. Read more

Don't trust it โ€” reproduce it

See the mappings on a real scan.

Run a scan and every finding carries its control labels and a reproducible report_digest. The full per-rule crosswalk is in the repo.