Demo Reports | Auditor Core v2.2 | DataWizual Security

PDF Executive Summary

7-page audit-ready document with Risk Dashboard, Compliance Coverage, Key Findings with source evidence, Remediation Roadmap, SOC 2 control exposure table, and Attestation block with signature lines.

report_django.pdf — Page 1 of 7 · Security Assessment Report

Click any page to enlarge · Showing pages 1–6 of 7 (page 7 is attestation/signatures)

Page 1 — Cover

Assessment Result banner, SPI score, severity breakdown, Scope & Methodology, Intended Use for SOC 2 / cyber insurance.

Page 2 — Risk Dashboard

SPI grade D, K-factor, Core/Prod 92.5%, AI excluded count, severity table, Compliance Framework Coverage (SOC 2 · CIS · ISO 27001).

Pages 3–5 — Key Findings

All CRITICAL & HIGH findings with compliance control tags. Each entry shows SOC 2, CIS, and ISO 27001 references.

Page 6 — Roadmap & Attestation

Priority remediation timeline, SOC 2 control exposure table, Assessment Attestation block.

Pages 8–24 — Evidence Appendix

Source-level code context for every CRITICAL/HIGH finding with ±5 line context. Each snippet is compliance-tagged.

Get Your Report

Interactive HTML Report

Enterprise posture dashboard with severity filters, inline AI analysis blocks, SOC 2 / CIS / ISO 27001 compliance tags per finding, and full WSPM scoring breakdown.

report_django.html — SPI 38.25 · Grade D · 1329 findings

HTML Report — Findings with compliance tags

Click any screenshot to enlarge · 4 sections shown

SPI Dashboard

Score 38.25, Grade D, WSPM formula, Core/Prod 92.5% vs Test/Noise 7.5%, Reachability breakdown, Sensitivity Snapshot.

Severity Filters

One-click filter: CRITICAL (19) · HIGH (15) · MEDIUM (94) · LOW (1201). Finding count on each button.

AI Analysis Blocks

Inline AI VERIFIED / AI FALSE POSITIVE blocks with full Gemini analysis and Intelligence Engine verdict.

Compliance Tags

SOC 2 TSC · CIS Controls v8 · ISO 27001:2022 control tags shown inline per finding row.

Get Your Report

Machine-Readable JSON

Every finding includes compliance_mapping, instance_count, instance_lines, and AI verdict. Top-level framework_summary aggregates all triggered controls — ready for SIEM or CI/CD gating.

// framework_summary — aggregated across all 1329 findings { "framework_summary": { "SOC2": { "controls_triggered": 9, "top_control": "CC6.1", "findings_mapped": 695 }, "CIS": { "controls_triggered": 10, "top_control": "CIS-16.1", "findings_mapped": 836 }, "ISO27001": { "controls_triggered": 12, "top_control": "A.8.24", "findings_mapped": 653 } }, "spi": 38.25, "grade": "D", "weighted_exposure": 187.87, "k_factor": 195.51, "ai_excluded": 7, // individual finding entry "findings": [ { "rule_id": "SAST_SQL_INJECTION", "severity": "CRITICAL", "location": "django/contrib/postgres/operations.py:303", "detector": "SastScanner", "instance_count": 1, "instance_lines": [303], "cvss": 5.78, "ai_verdict": null, "compliance_mapping": { "SOC2": ["CC6.1", "CC6.6", "CC7.1"], "CIS": ["CIS-16.12", "CIS-16.1", "CIS-7.5"], "ISO27001": ["A.8.28", "A.8.26"] } }, { "rule_id": "SAST_COMMAND_INJECTION", "severity": "CRITICAL", "location": "django/template/smartif.py", "instance_count": 16, "instance_lines": [59, 86, 99, 100, 101, "..."], "ai_verdict": "NOT_SUPPORTED", "ai_confidence": 0.97, "compliance_mapping": { "SOC2": ["CC6.6", "CC7.1"], "CIS": ["CIS-16.1", "CIS-16.12", "CIS-7.5"], "ISO27001": ["A.8.28", "A.8.26", "A.8.29"] } } // ... 1327 more findings ] }

framework_summary

Top-level block aggregating all triggered SOC 2, CIS, and ISO controls — ready for direct SIEM submission or underwriter pre-assessment.

compliance_mapping

Per-finding control references for automated compliance gating in CI/CD. Enables blocking pushes that violate specific SOC 2 or ISO controls.

Duplicate Aggregation

instance_count + instance_lines group multiple hits per file into one finding — no noise inflation in SIEM dashboards.

AI Verdict Fields

ai_verdict and ai_confidence per finding where Gemini or Groq analysis was applied.

Get Your Report

REPORT GUIDE

How to Read This Report

Every metric in the Auditor Core report belongs to one of three independent layers: Technical Findings, Risk Modeling (WSPM v2.2 → SPI), and Compliance Mapping.

A normalized exponential risk score from 0–100. Higher = safer. Lower = higher exposure.

Formula: SPI = 100 × e⁻(WeightedExposure / K)

Weighted Exposure — sum of findings after severity weighting, context modeling (prod vs test), AI verification, and reachability scaling. NOT raw CVSS sum — it is post-processed business exposure.

K (Dynamic K-Factor) — controls sensitivity of the exponential curve. Higher K → score drops slower. Lower K → drops faster. Deterministic given same inputs.

Gate Override (v2.2): If CRITICAL findings exist in production code, effective grade is capped at C — regardless of SPI score. Numeric score and policy decision are separate layers.

Grade is derived from the SPI band:

A — 90–100
Hardened / Resilient

B — 75–89
Guarded

C — 60–74
Elevated Risk

D — 40–59
High Risk

D — <40
Critical Risk

Core/Prod — findings in runtime code paths. Affect SPI at full weight.

Test/Noise — findings in /tests/, example files, non-runtime modules. Down-weighted in exposure model.

If a vulnerability exists only in test files — it remains visible in the report BUT does not penalize insurance-grade SPI equally. This prevents false business risk inflation. The Django report shows 92.5% Core/Prod — meaning exposure is concentrated in production code.

Reachable — finding is on a confirmed execution path (e.g. unsanitized user input reaching SQL). Retains full exposure weight.

Static-Safe — finding exists but cannot be triggered at runtime (dead code, sanitized path). Heavily down-weighted.

Unknown — engine cannot confirm reachability (dynamic imports, reflection, indirect chains). Partially weighted.

Sensitivity Snapshot — stress-test scenario: what if ALL unknown findings were confirmed exploitable? Shows worst-case SPI drop. Not current posture.

When AI analysis was applied, each finding shows one of:

🔥 AI VERIFIED — finding confirmed as real and exploitable
🛡️ AI FALSE POSITIVE — finding dismissed after architectural analysis
⚙️ INTEL: REACHABLE / STATIC_SAFE / UNKNOWN — reachability verdict

The AI block includes architectural reasoning, exploit chain (if detected), taint sources, and function-level trace. AI verification influences exposure modeling — it does not overwrite raw findings.

Important: Credibility: STABLE (100/100) measures pipeline reliability — not security level.

Each finding is automatically tagged to control domains it impacts:

CC6.1 → Logical and Physical Access Controls
CC7.1 → Vulnerability Detection & Monitoring
CIS-16.12 → Secure Coding Practices
ISO A.8.28 → Secure Development Lifecycle

These tags transform findings into compliance evidence. The framework_summary in JSON aggregates all triggered controls across the entire scan — ready for direct submission to SOC 2 auditors or cyber insurance underwriters.

Note: Compliance tags are informational metadata and do not constitute formal compliance certification or audit attestation.

1. Technical Findings

Raw detections from 11 engines. Answers: "What was found?"

2. Risk Modeling (SPI)

WSPM v2.2 scoring. Answers: "How exposed is this codebase?"

3. Compliance Mapping

SOC 2 / CIS / ISO tags. Answers: "Which controls are affected?"

Policy verdict (PASS / WARN / BLOCK / FAIL) is an additional governance layer on top of these three.

Full Technical Documentation →

Real Auditor Core v2.2 Output

PDF Executive Summary

Page 1 — Cover

Page 2 — Risk Dashboard

Pages 3–5 — Key Findings

Page 6 — Roadmap & Attestation

Pages 8–24 — Evidence Appendix

Interactive HTML Report

SPI Dashboard

Severity Filters

AI Analysis Blocks

Compliance Tags

Machine-Readable JSON

framework_summary

compliance_mapping

Duplicate Aggregation

AI Verdict Fields

How to Read This Report

1. Technical Findings

2. Risk Modeling (SPI)

3. Compliance Mapping

Run This Against Your Codebase