Standards
Last updated: May 13, 2026
Supported
Fluid Attacks supports the following security standards across security testing and compliance operations:
Correlation
Each standard's requirements are mapped to AppSec findings in the compliance database, making them available in the platform's Compliance section to monitor your organization's security posture against each framework.
- Agile Alliance
- BIZEC APP/11 V2.0 (2012)
- BSA Framework for Secure Software v1.1 (2020)
- BSIMM14
- C2M2 v2.1
- CAPEC™ List v3.9
- CASA
- CCPA of 2018
- CIS Controls v8
- CMMC 2.0
- CPRA of 2018 v2
- CWE™ List v4.13
- CWE/SANS Top 25 (2020)
- CWE Top 25 (2023)
- ePrivacy Directive 2002/58/EC
- FACTA of 2003
- FCRA (September 2018)
- FedRAMP
- FERPA (amended July 6, 2000)
- FISMA (via NIST SP 800-53 Rev. 5)
- GLBA
- HIPAA (2013 Rules Update)
- HITRUST CSF v9.6.0
- IEC 62443-3-3 ed. 1.0 (2013)
- ISO/IEC 27002:2022
- ISSAF 0.2.1B
- LGPD
- MISRA-C:2004
- MITRE ATT&CK®
- MVSP
- NERC CIP v5
- New York SHIELD Act
- NIST CSF v2.0
- NIST SP 800-53 Rev. 5
- NIST SP 800-63B
- NIST SP 800-115 (September 2008)
- NIST SP 800-171 Rev. 2
- NIST SSDF v1.1
- NYDFS Cybersecurity Regulation (23 NYCRR 500), February 2017
- OSSTMM 3.0
- OWASP API Security Top 10 (2023)
- OWASP ASVS v4.0.3
- OWASP MASVS v2.0
- OWASP Mobile Top 10 (2016)
- OWASP SAMM v1.0
- OWASP Secure Coding Practices v2.0.1
- OWASP Top 10:2021
- OWASP Top 10 for LLM Applications 2025
- OWASP Top 10 Privacy Risks v2.0
- PA-DSS v3.0
- PDPA (2020)
- PDPO (2021 update)
- POPIA (2021)
- PTES v1.1 (2014)
- Resolution SB-2021-2126
- SEI CERT® C Coding Standard 2016 Edition
- SEI CERT® Oracle® Secure Coding Standard for Java™ (2011)
- SIG Core (2019)
- SIG Lite (2019)
- SWIFT CSCF v2024
- WASC Threat Classification v2.0
- WASSEC v1.0
Others
Standards for which Fluid Attacks holds certifications or which it applies across its services and processes; some of these are also mapped to AppSec findings in the compliance database.
- CPE v2.3 (Common Platform Enumeration): Used as the identifier format for dependencies in platform vulnerability findings.
- CREST Penetration Testing: Fluid Attacks holds a CREST Penetration Testing accreditation.
- CVE: Used as the primary identifier for known vulnerabilities in platform findings.
- CVSS v4.0: Used to score vulnerability severity in platform findings, with support up to version 4.0.
- CycloneDX 1.6: Generated by the platform as SBOM exports in JSON and XML formats.
- EPSS v4: Daily exploit prediction scores from FIRST are integrated to enhance vulnerability prioritization.
- FIPS 140-2: Cryptographic module security standard applied to the hardware security modules used in AWS KMS for encryption key management.
- GDPR, Regulation (EU) 2016/679: Fluid Attacks holds a GDPR alignment document, with privacy controls implemented across compliance policies. Additionally, GDPR - OJ L 119, 4.5.2016 requirements are supported as a correlation framework for AppSec findings.
- ISO/IEC 27001:2022: Fluid Attacks holds an ISO/IEC 27001:2022 certificate, with controls implemented across compliance policies. Additionally, ISO/IEC 27001:2022 Annex A requirements are supported as a correlation framework for AppSec findings.
- ISO/IEC 27017:2015: Fluid Attacks holds an ISO/IEC 27017:2015 certificate, with controls implemented across compliance policies.
- ISO/IEC 27018:2019: Fluid Attacks holds an ISO/IEC 27018:2019 certificate, with privacy controls implemented across compliance policies.
- ISO/IEC 27701:2019: Fluid Attacks holds an ISO/IEC 27701:2019 certificate, with privacy controls implemented across compliance policies.
- KEV: CISA's catalog of actively exploited vulnerabilities is integrated to prioritize high-risk findings.
- OAuth 2.0: Used as the authorization framework for platform authentication.
- OpenID Connect Core 1.0: Used as the identity layer for platform client authentication, enabling user identity verification on top of OAuth 2.0.
- OSV Schema v1.5.0: OSV advisories are consumed daily as a source for vulnerability signature updates in SCA scans.
- OWASP MASTG v2 (Mobile App Security Testing Guide): Testing methodology applied in mobile application security testing (MAST) scans to validate findings against OWASP MASVS v2.0 requirements.
- PCI DSS v4.0.1: Fluid Attacks holds a PCI DSS v4.0.1 Attestation of Compliance. Additionally, PCI DSS v4.0 requirements are supported as a correlation framework for AppSec findings.
- SAML 2.0: Used as the single sign-on (SSO) protocol for staff authentication across Fluid Attacks' internal tools.
- SARIF v2.1.0: Generated by the CLI in scanner outputs and GitHub Actions integrations; accepted as input for third-party tool findings via platform upload.
- SLSA v0.1: Fluid Attacks meets SLSA Level 2 for supply chain integrity, with source, build, and provenance requirements documented in SLSA compliance.
- SOC 2®: Fluid Attacks holds a SOC 2® Type II report, with controls implemented across compliance policies. Additionally, SOC 2® Trust Services Criteria requirements are supported as a correlation framework for AppSec findings.
- SOC 3: Fluid Attacks holds a SOC 3 report.
- SPDX 2.3: Generated by the platform as SBOM exports in JSON and XML formats.
Unsupported
Currently, Fluid Attacks has not mapped security requirements to these standards:
Correlation
Standards whose requirements are not yet mapped to AppSec findings in the compliance database.
- AESCSF v2
- AFASA
- Amazon OCSF Ready
- APRA PPG 234
- ASD/DSD Strategies to Mitigate Cyber Security Incidents (Top 35)
- Australian Government Information Security Manual (ISM)
- BCI C5:2026
- Biometric Information Privacy Act, Illinois (BIPA)
- BSI IT-Grundschutz Edition 2023
- California Online Privacy Protection Act (CalOPPA)
- California's Security Breach Notification Act (SB 1386)
- Children's Online Privacy Protection Act (COPPA)
- CIS Benchmarks
- CISA BOD 23-01
- Cloud Controls Matrix (CCM) v4.1 (2025)
- Cyber Essentials v3.3
- Cyber Essentials Plus v3.2
- Cyber Risk Institute Financial Services Profile (CRI) v2.2
- Cybersecurity Law of the PRC (CSL)
- DIFC Data Protection Law
- Digital Operational Resilience Act (DORA)
- DISA STIG
- Esquema Nacional de Seguridad (ENS)
- Essential Eight
- European Directive 1995/46/EC (DPD)
- European Directive 2015/2366 (PSD2)
- European Directive 2022/2555 (NIS 2)
- European Directive 2022/2557 (CER)
- European Regulation 2024/2847 (CRA)
- Executive Order (EO) 14028
- FDA Cybersecurity in Medical Devices
- FDA Section 524B
- Federal Desktop Core Configuration (FDCC)
- FFIEC
- Financial Industry Regulatory Authority (FINRA)
- FIPPA
- HITECH
- Information System Security Management and Assessment Program (ISMAP)
- ISO/IEC 27032:2023
- ISO/IEC 27034-1:2011
- ISO/IEC 27099:2022
- ISO/SAE 21434:2021
- Japan's Personal Information Protection Act
- Kişisel Verilerin Korunması Kanunu (KVKK)
- Korea Information Security Management System (K-ISMS)
- MAS Technology Risk Management Guidelines (TRM)
- Massachusetts 201 CMR 17.00
- Microsoft SDL (Security Development Lifecycle)
- MITRE ATLAS (Adversarial Threat Landscape for AI Systems) v5.1.0 (2025)
- MITS
- MLPS 2.0
- Mobile Application Security Assessment (MASA)
- NCSC CAF v4.0
- NCSC Ten Steps for Cybersecurity
- NDPR
- NIST SP 800-63-4 (Digital Identity) (Jul 2025)
- NIST SP 800-63A-4 (Enrollment & Identity Proofing) (Jul 2025)
- NIST SP 800-63C-4 (Federation & Assertions) (Jul 2025)
- NIST SP 800-82 Rev. 3
- NIST SP 800-124 Rev. 2
- NIST SP 800-131A (Transitioning Cryptographic Algorithms) Rev.2
- NIST SP 800-161 Rev. 1
- NIST SP 800-163 Rev. 1
- NIST SP 800-172
- NIST SP 800-190 (Application Container Security) Sep 2017
- NIST SP 800-204A (Microservices - service-to-service) May 2020
- NIST SP 800-204B (Service Mesh) Aug 2021
- NIST SP 800-204C (DevSecOps in microservices) Feb 2022
- NIST SP 800-219 Rev. 1
- NZISM v3.9
- OJK POJK 38/POJK.03/2016
- OMB M-22-18
- OWASP Docker Top 10
- OWASP IoT Top 10 (2018)
- OWASP Kubernetes Top 10 (2022)
- OWASP Machine Learning Top 10
- OWASP Proactive Controls v4.0 (2024)
- OWASP SCVS (Software Component Verification Standard) 1.0
- OWASP Serverless Top 10 (2017)
- OWASP Top 10 CI/CD Security Risks (2022)
- OWASP Web Security Testing Guide v4.2 (2020)
- PIPED Act
- PIPL
- Privacy Act of 1974
- Risk Management in Technology (RMiT)
- SAFECode Fundamental Practices for Secure Software Development v4 (2018)
- SAMA Cyber Security Framework (CSF) v1.0
- SCF 2025.4
- SEC Cybersecurity Disclosure Rules
- SOX ITGC
- StateRAMP Authorized
- Texas Risk and Authorization Management Program (TX-RAMP)
- TISAX (ISA 6.0)
- TSS-WEB
- United States Government Configuration Baseline (USGCB)
- Video Privacy Protection Act (VPPA)
- W3C WebAuthn (FIDO2) Level 3
Others
Standards not applicable as a correlation framework for AppSec findings.
- AI Software Competency: Could be applied to generative AI security assessment practices.
- Amazon EC2 Spot Ready Product: Could be applied to cloud infrastructure security assessments.
- Amazon EKS Ready Product: Could be applied to Kubernetes container security assessments.
- Amazon Linux Ready Product: Could be applied to Amazon Linux security assessments.
- Amazon RDS Ready Product: Could be applied to database security assessments.
- AWS Built-in Competency: Could be applied to AWS partner solution security practices.
- AWS Graviton Ready Product: Could be applied to AWS Graviton infrastructure assessments.
- AWS Lambda Ready Product: Could be applied to serverless application security assessments.
- AWS Outposts Ready Product: Could be applied to hybrid cloud security assessments.
- AWS PrivateLink Ready Product: Could be applied to private connectivity security assessments.
- AWS Security Incident Response Ready: Could be applied to AWS incident response practices.
- Cloud Operations Software Competency: Could be applied to cloud operations security assessments.
- Containers ISV Competency: Could be applied to container security assessments.
- CREST Incident Response: Could be applied to incident response and cyber crisis management practices.
- CREST STAR-FS Threat Led Penetration Testing: Could be applied to threat-led penetration testing for financial services under DORA.
- CREST Threat Led Penetration Testing: Could be applied to threat-led penetration testing methodologies.
- DevOps ISV Competency: Could be applied to DevOps security assessments.
- Education ISV Competency: Could be applied to security training and educational practices.
- Financial Services Technology Competency: Could be applied to financial services security assessments.
- Government ISV Competency: Could be applied to government sector security assessments.
- Healthcare ISV Competency: Could be applied to healthcare security assessments.
- Machine Learning ISV Competency Migration: Could be applied to AI and machine learning security assessments.
- Migration and Modernization ISV Competency: Could be applied to application migration security assessments.
- Networking ISV Competency: Could be applied to network security assessments.
- Security ISV Competency: Could be applied to AWS cloud security assessments.
- Small and Medium Business Software Competency: Could be applied to SMB environment security assessments.
- 21 CFR: Could be applied to Fluid Attacks' security assessments for pharmaceutical and medical device clients.
- ARJEL: Could be applied to Fluid Attacks' security assessments for gaming and gambling platforms in France.
- AUTOSAR: Could be applied to Fluid Attacks' security testing services for automotive software systems.
- BASEL II: Could be applied to Fluid Attacks' security services for banking and financial institution clients.
- Catalog of Problematic Data Actions and Problems (PDAP): Could be applied to Fluid Attacks' privacy risk assessment methodologies.
- CISA Minimum Requirements for VEX Apr 2023: Could be applied to Fluid Attacks' vulnerability disclosure and reporting practices.
- Cloud Security Alliance (CSA): Could be applied to Fluid Attacks' cloud security governance assessments.
- COBIT 2019: Could be applied to Fluid Attacks' governance recommendations for client organizations.
- Cobro Digital (CoDi): Could be applied to Fluid Attacks' security assessments for digital payment systems in Mexico.
- CSA CAIQ: Could be applied to Fluid Attacks' cloud security controls assessments.
- CSA STAR Level 1: Could be applied to Fluid Attacks' cloud security controls and governance assessments.
- CSA STAR Level 2: Could be applied to Fluid Attacks' third-party cloud security controls auditing and certification practices.
- CSAF v2.0: Could be applied to Fluid Attacks' vulnerability advisory communication practices.
- Data Privacy Framework (DPF): Could be applied to Fluid Attacks' data privacy and international data transfer compliance practices.
- DCID 6/3: Could be applied to Fluid Attacks' security services for intelligence community clients with classified information.
- DO-330 / DO-178C: Could be applied to Fluid Attacks' security assessments for aviation and certification-critical systems.
- DoD Instruction 8500.1 (Change 1, Oct 2019): Could be applied to Fluid Attacks' security services for DoD and federal contractor clients.
- DoD Instruction 8550.1 (Sep 2012): Could be applied to Fluid Attacks' information assurance services for DoD environments.
- Enduring Security Framework (ESF): Could be applied to Fluid Attacks' supply chain security assessments for critical infrastructure clients.
- European Regulation 2019/881 (Cybersecurity Act): Could be applied to Fluid Attacks' product security certification practices under EU requirements.
- European Regulation 2024/1689 (AI Act): Could be applied to Fluid Attacks' AI system governance assessments for EU clients.
- FIN: Could be applied to Fluid Attacks' secure development and design-focused assessment practices.
- GAMP 5 2nd Edition (2022): Could be applied to Fluid Attacks' security validation practices for pharmaceutical clients.
- Hyundai Coding Standards: Could be applied to Fluid Attacks' automotive software security assessments for vehicle manufacturers.
- IDFA: Could be applied to Fluid Attacks' mobile application privacy assessment practices.
- in-toto specification v1.0: Could be applied to Fluid Attacks' supply chain integrity verification practices.
- Infosec Registered Assessors Program (IRAP): Could be applied to Fluid Attacks' security assessments for Australian government and public sector clients.
- ISO/IEC 9001:2015: Could be applied to Fluid Attacks' quality management system and operational excellence practices.
- ISO/IEC 13485:2016: Could be applied to Fluid Attacks' quality management practices for medical device clients.
- ISO/IEC 22301:2019: Could be applied to Fluid Attacks' business continuity and disaster recovery recommendations.
- ISO/IEC 23894:2023: Could be applied to Fluid Attacks' AI system risk management practices.
- ISO/IEC 29147:2018: Could be applied to Fluid Attacks' vulnerability disclosure and responsible security practices.
- ISO/IEC 31000:2018: Could be applied to Fluid Attacks' enterprise risk management recommendations.
- ISO/IEC 37001:2025: Could be applied to Fluid Attacks' anti-corruption compliance recommendations.
- ISO/IEC 42001:2023: Could be applied to Fluid Attacks' AI system implementation and governance practices.
- ITIL 4: Could be applied to Fluid Attacks' IT service management and operational governance practices.
- KYC: Could be applied to Fluid Attacks' anti-money laundering compliance for financial services clients.
- MAS Technology Risk Management Guidelines (TRM): Could be applied to Fluid Attacks' security services for financial institutions in Singapore and the Asia-Pacific region.
- Microsoft SSPA (DPR v10): Could be applied to Fluid Attacks' supplier security assessment and procurement governance practices.
- Motion Picture Association of America Content Protection Best Practices: Could be applied to Fluid Attacks' content protection and media security assessments.
- NIST AI 600-1 (GenAI Profile) Jul 2024: Could be applied to Fluid Attacks' generative AI security assessment practices.
- NIST AI RMF 1.0: Could be applied to Fluid Attacks' AI system risk management framework practices.
- NIST IR 8397: Could be applied to Fluid Attacks' emerging cybersecurity practices and client guidance.
- NIST SP 800-30 Rev. 1: Could be applied to Fluid Attacks' risk assessment methodologies.
- NIST SP 800-34 Rev. 1: Could be applied to Fluid Attacks' contingency planning and disaster recovery recommendations.
- NIST SP 800-37 Rev. 2: Could be applied to Fluid Attacks' risk management framework implementation for clients.
- NIST SP 800-40 Rev. 4: Could be applied to Fluid Attacks' patch management and system update recommendations.
- NIST SP 800-61 Rev. 3: Could be applied to Fluid Attacks' incident response recommendations and practices.
- NIST SP 800-108 Rev. 1: Could be applied to Fluid Attacks' cryptographic key management and infrastructure security practices.
- NIST SP 800-144: Could be applied to Fluid Attacks' cloud computing security guidance and assessments.
- NIST SP 800-207 (Zero Trust Architecture) Aug 2020: Could be applied to Fluid Attacks' zero trust architecture implementation and recommendations for clients.
- OCP SAFE: Could be applied to Fluid Attacks' large-scale infrastructure security assessments.
- OpenSSF Scorecard: Could be applied to Fluid Attacks' open source security posture assessment practices.
- OpenVEX Specification v0.2.0: Could be applied to Fluid Attacks' vulnerability disclosure and communication practices.
- OWASP AI Exchange: Could be applied to Fluid Attacks' AI system security assessments and risk mitigation practices.
- OWASP Benchmark v1.2: Could be applied to Fluid Attacks' security testing tool validation and benchmarking practices.
- OWASP CRS v4: Could be applied to Fluid Attacks' Web Application Firewall recommendations for clients.
- PII: Could be applied to Fluid Attacks' personally identifiable information protection practices.
- RFC 9116 (security.txt — A File Format to Aid in Security Vulnerability Disclosure) Apr 2022: Could be applied to Fluid Attacks' vulnerability disclosure policy communication practices.
- Safe Harbor: Could be applied to Fluid Attacks' international data transfer and privacy compliance practices.
- Secure Supply Chain Consumption Framework (S2C2F) v1.1: Could be applied to Fluid Attacks' open source dependency evaluation and supply chain security practices.
- SOC 1 Type II: Could be applied to Fluid Attacks' service organization control and audit compliance practices.
- SOC 2 Type I: Could be applied to Fluid Attacks' point-in-time service organization control and audit practices.
- SOX: Could be applied to Fluid Attacks' security services for publicly traded financial companies.
- SSVC (Stakeholder-Specific Vulnerability Categorization) v2025.9.5 (Jan 2025): Could be applied to Fluid Attacks' vulnerability prioritization and response framework for clients.
- SWID Tags (ISO/IEC 19770-2) 2015: Could be applied to Fluid Attacks' software asset inventory and lifecycle management practices.
- TCPA: Could be applied to Fluid Attacks' communication security and privacy compliance for regulated clients.
- Transparency & Consent Framework (TCF) v2.3 (2025): Could be applied to Fluid Attacks' consent management and data transparency practices for digital advertising clients.
- WCAG 2.2: Could be applied to Fluid Attacks' web application accessibility assessment practices.