Catch gaps early, before auditors do.
Compliance Readiness scans the documentation you already have against popular security and privacy framework catalogues — OWASP ASVS, NIST SSDF, CIS Controls, ISO 27001, SOC 2, TISAX — and flags where evidence is missing. Each gap is auto-logged as an improvement so your team has somewhere concrete to start.
Enterprise plan only
Readiness only — not a legal opinion
What it is
A readiness pass that cross-references your workspace docs against public framework catalogues. It does not produce a certification. It does not replace your auditor. What it does is read every document, diagram, plan, and improvement already in scope, match each framework control to evidence (or a lack of it), and give you a punch list of work to do before formal audit prep starts.
The scan runs the same retrieval the rest of the workspace uses — full-text plus vector — so a control like “V2.1 password security requirements” lands on whichever doc actually talks about passwords, regardless of where it lives or what it's called.
Reads what you already have
No questionnaires, no upload-the-PDF rituals. Compliance scans the docs in your workspace and matches them to controls.
Concrete output: a gap list
Every uncovered control becomes an improvement — assignable, prioritisable, and trackable inside Stable Baseline like any other piece of work.
Public framework catalogues
Controls come from publicly published catalogues — OWASP ASVS 5.0, NIST SSDF 1.1, CIS Controls v8, plus growing coverage for ISO 27001, SOC 2, TISAX.
Re-runs cheaply
Re-scan whenever you ship a doc. Subsequent runs are incremental — only changed content is re-evaluated.
Why it matters
Most teams don't fail audits because their security is bad — they fail because the evidence is scattered across wikis, screenshots, Slack threads, and one engineer's head. By the time the auditor arrives there's a six-week scramble to write everything down.
Compliance Readiness flips that. The scan tells you, in plain language, which controls already have evidence in your workspace and which don't — so the scramble starts now, not the week the auditor lands.
Frameworks supported
We index publicly available control catalogues. The list below is what ships today — more frameworks are added on a rolling basis, prioritised by what enterprise customers ask for. If yours isn't listed, ask sales when it's scheduled or sponsor it directly.
- OWASP ASVS 5.0 — application security verification, the standard we lean on hardest. Covers V1 (architecture & threat modelling) through V14 (configuration).
- NIST SSDF 1.1 — Secure Software Development Framework. The process-side controls (SP 800-218) — preparation, protection, production, response.
- CIS Controls v8 — operational security across asset inventory, access management, incident response, and the rest of the 18 control groups.
- ISO 27001 · SOC 2 · TISAX — auditor-facing frameworks. Coverage is rolling out incrementally; the readiness output is mapped to common Trust Services Criteria + Annex A control IDs so an auditor can follow it.
- More on the way. HIPAA, PCI DSS, GDPR (data-handling articles), Australian Essential Eight, and additional region-specific frameworks are on the backlog. The catalogue is meant to grow — request what you need.
How a scan works
A scan is run against a project (the same scope you use for documents and the Knowledge Graph). It produces a per-framework report you can re-run whenever you like.
1. Pick the framework. Open the project's Compliance tab and add a framework. Frameworks you haven't tried before are added with a single click.
2. The scan runs. For each control in the framework catalogue, Stable Baseline retrieves the most-relevant chunks across your project and asks an LLM whether they actually satisfy the control — not just “mention” it. A weak match is a gap.
3. Evidence links are recorded. Every control that's judged covered carries a list of source documents — clickable from the report. Auditors (or your security team) walk straight from the control ID to the doc that satisfies it.
4. Gaps become improvements. Every uncovered control is logged as an improvement with a deep link back to the framework catalogue, so the person picking it up has the canonical wording on hand.
Re-runs are incremental
Reading the readiness output
The report header gives you the headline numbers — how many controls are covered, how many are gaps, and how many evidence links the scan found across your docs. Below that, controls are grouped by section so you can review them the way an auditor would.
Covered
At least one document in your project meaningfully satisfies the control. Click through to see which docs were matched and why.
Gap
Nothing in your workspace addresses this control. An improvement is auto-logged with the catalogue text so the next person to pick it up has context.
Partial
A document touches the topic but doesn't fully satisfy the control as written — usually a sign the doc needs one more paragraph, not a brand-new doc.
Stale
Evidence was found but the source doc hasn't been edited or reviewed in over 12 months. Often worth refreshing before an audit.
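The scan loop described under “How a scan works” and the four statuses above, modelled end to end as an added example (this is not Stable Baseline's code). A keyword matcher stands in for the product's retrieval + LLM judgement; control IDs, doc paths, doc text, the thresholds and the catalogue URL are constructed stand-ins. It also shows why re-runs are cheap: judgements are cached by document content hash, so editing one doc only re-judges that doc.

```python
"""Toy readiness scan: controls x docs -> covered / partial / gap / stale.
Added example, not Stable Baseline's code; all sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import hashlib

STALE_AFTER = timedelta(days=365)        # page: evidence older than 12 months is stale
COVERED_AT, PARTIAL_AT = 1.0, 0.5        # assumed thresholds on the toy judgement score
CATALOGUE_URL = "https://catalogue.example.invalid"   # placeholder deep-link base


@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str
    text: str
    keywords: tuple   # topics a doc must actually discuss to satisfy the control


@dataclass(frozen=True)
class Doc:
    path: str
    body: str
    last_reviewed: date

    def digest(self) -> str:
        raw = f"{self.path}\0{self.last_reviewed.isoformat()}\0{self.body}"
        return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class Finding:
    control_id: str
    status: str                                   # covered | partial | gap | stale
    evidence: list = field(default_factory=list)  # doc paths backing the status
    improvement: Optional[dict] = None            # logged only for gaps


def keyword_score(control: Control, doc: Doc) -> float:
    """Stand-in for retrieval + LLM judgement: share of keywords the doc discusses."""
    body = doc.body.lower()
    return sum(k in body for k in control.keywords) / len(control.keywords)


class Scanner:
    def __init__(self):
        self.judgements = {}   # (control_id, doc digest) -> score
        self.judge_calls = 0   # LLM-equivalent calls; shows what a re-run costs

    def judge(self, control: Control, doc: Doc) -> float:
        key = (control.control_id, doc.digest())
        if key not in self.judgements:          # unchanged content is never re-judged
            self.judge_calls += 1
            self.judgements[key] = keyword_score(control, doc)
        return self.judgements[key]

    def evaluate(self, control: Control, docs: list, today: date) -> Finding:
        ranked = sorted(((self.judge(control, d), d) for d in docs), key=lambda t: -t[0])
        satisfying = [d for s, d in ranked if s >= COVERED_AT]
        if satisfying:
            fresh = [d for d in satisfying if today - d.last_reviewed <= STALE_AFTER]
            # evidence links are recorded either way; stale only if every source is old
            status = "covered" if fresh else "stale"
            return Finding(control.control_id, status, [d.path for d in satisfying])
        if ranked and ranked[0][0] >= PARTIAL_AT:
            return Finding(control.control_id, "partial", [ranked[0][1].path])
        return Finding(control.control_id, "gap", improvement={
            "title": f"{control.framework} {control.control_id}: {control.text}",
            "link": f"{CATALOGUE_URL}/{control.framework}/{control.control_id}",
        })

    def scan(self, catalogue: list, docs: list, today: date) -> list:
        return [self.evaluate(c, docs, today) for c in catalogue]


def summary(report: list) -> dict:
    """Report header numbers: status counts plus evidence links found."""
    counts = {s: 0 for s in ("covered", "partial", "gap", "stale")}
    for f in report:
        counts[f.status] += 1
    counts["evidence_links"] = sum(len(f.evidence) for f in report)
    return counts


# Constructed sample catalogue and workspace (IDs and wording are not catalogue quotes).
TODAY = date(2025, 9, 1)
CATALOGUE = [
    Control("ASVS", "V2.1.x", "Passwords are at least 12 characters", ("password", "12 characters")),
    Control("ASVS", "V7.1.x", "Logs never contain credentials", ("log", "credential")),
    Control("SSDF", "PO.3.x", "Toolchains enforce security practices", ("toolchain", "pipeline")),
    Control("CIS", "1.x", "Maintain an enterprise asset inventory", ("asset inventory",)),
]
DOCS = [
    Doc("security/password-policy.md",
        "Passwords must be at least 12 characters and checked against breach lists.", date(2025, 3, 1)),
    Doc("ops/logging.md",
        "Application logs ship to the SIEM; credential values are redacted first.", date(2023, 1, 15)),
    Doc("eng/build.md", "The build pipeline runs unit tests on every push.", date(2025, 5, 1)),
]
DOCS_AFTER_EDIT = DOCS[:2] + [
    Doc("eng/build.md", "The toolchain is pinned and the build pipeline runs unit tests on every push.",
        date(2025, 8, 20)),
]


def run_demo():
    """First scan judges every (control, doc) pair; the re-run only re-judges the edited doc."""
    scanner = Scanner()
    first = scanner.scan(CATALOGUE, DOCS, TODAY)
    calls_after_first = scanner.judge_calls
    second = scanner.scan(CATALOGUE, DOCS_AFTER_EDIT, TODAY)
    return first, second, calls_after_first, scanner.judge_calls


if __name__ == "__main__":
    first, second, n1, n2 = run_demo()
    print(summary(first), n1)
    print(summary(second), n2)
```

Running it, the first pass yields one covered control, one partial (the build doc mentions the pipeline but not the toolchain), one gap (nothing discusses asset inventory, so an improvement with a catalogue link is logged) and one stale (the logging doc satisfies its control but was last reviewed more than 12 months ago). The second pass, after editing only the build doc, re-judges just that doc's four pairs and promotes the partial control to covered.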
What it's not
It's worth being explicit about scope. Compliance Readiness is a readiness tool — it makes the gap between “what we've written down” and “what the framework asks for” legible. It's not:
- An auditor. The output is a punch list for your team, not an attestation. Real audits still need real auditors.
- A certificate. Stable Baseline does not issue ISO 27001 certificates, SOC 2 reports, or TISAX labels. Those come from accredited bodies.
- A control library. We index publicly available catalogues; you author the evidence that satisfies them. We don't ship boilerplate policies for you to rebrand.
- Legal or regulatory advice. A green “covered” status reflects what the LLM observed in your docs — not a guarantee that the control is correctly implemented in your systems, that the evidence will satisfy a particular auditor, or that your organisation meets the framework as a whole. Treat every result as a hypothesis to verify.
Security model
- Tenant isolation. Every scan, control match, and evidence link is org-scoped at the database layer. Compliance reports never cross workspaces.
- Zero-retention model providers. The agents that classify control coverage run through ZDR-contracted model providers. Your content is never used to train a model.
- Credit ledger. Every credit-spending scan lands in the same credit ledger as document AI calls and Knowledge Graph builds — visible from the org's billing page.
Enabling Compliance Readiness
On the Enterprise plan:
- Open Org settings → Features and enable Compliance. (Requires owner / admin role.)
- Open the project's Compliance tab and add the framework you want to start with — most teams begin with OWASP ASVS.
- Click Run scan. The first scan can take a few minutes for a large workspace; subsequent re-runs are incremental and finish in seconds.
- Triage gaps from the report — assign each improvement to a teammate or an agent, and re-scan whenever you ship the work.