Security Posture — GRC Executive Summary
1. Security Posture At-a-Glance
2. Compliance Framework Readiness
Readiness is evaluated using policy-driven heuristics based on each framework's risk tolerance. Thresholds reflect common audit expectations for critical and high-severity findings (including hardcoded secrets), not framework-mandated limits. Infrastructure compensating controls are factored into severity.
3. Finding Categories & Compensating Controls
Each finding category is listed with its count, severity (after infrastructure context adjustment), and the compensating controls in place.
| CWE | Name | Count | Severity | Compensating Controls / Notes |
|---|---|---|---|---|
| CWE-396 | Declaration of Catch for Generic Exception | 38 | medium | API Gateway auth boundary detected. |
| CWE-918 | Server-Side Request Forgery | 7 | medium | Argument from admin-configured source. Internal service — not directly internet-facing. Internal service — not directly internet-facing.; API Gateway auth boundary detected. W4: finding in adapter/factory module — likely config-driven data flow.; API Gateway auth boundary detected. |
| CWE-1004 | Sensitive Cookie Without HttpOnly Flag | 1 | medium | API Gateway auth boundary detected. |
| CWE-400 | Uncontrolled Resource Consumption | 3 | low | API Gateway auth boundary detected. |
| CWE-22 | Path Traversal | 1 | low | Argument from admin-configured source. Internal service — not directly internet-facing. W4: finding in adapter/factory module — likely config-driven data flow.; API Gateway auth boundary detected. |
4. Infrastructure Security Context
AEGIS automatically discovers infrastructure components and uses them to contextualize findings. The following compensating controls were detected and applied to severity ratings.
5. Sensitive Data Governance
6. Methodology
This assessment was performed using AEGIS, a governed Cyber Reasoning System developed by Equilateral AI. The analysis pipeline includes:
- Static Analysis — AST-based parsing via tree-sitter for 14 languages, detecting 114 CWE patterns with CVSS 3.1 scoring.
- Taint Analysis — Inter-procedural data flow tracking with 117 taint sources and 172 sinks, including RBAC-aware trust classification.
- Infrastructure Discovery — Automatic detection of databases, auth boundaries, gateways, APM, containers, and cloud providers from IaC and configuration files.
- Compensating Control Analysis — Infrastructure context is applied to adjust finding severity when architectural controls mitigate the risk (e.g., managed databases with VPC isolation reduce TLS cert verification findings).
- Secret Detection — 29 patterns for API keys, tokens, and credentials with entropy analysis.
- Compliance Mapping — Findings are mapped to 12 compliance frameworks (NIST 800-53, ISO 27001, SOC2, PCI-DSS, HIPAA, OWASP, EU AI Act, DORA, CMMC, FedRAMP, DoD SRG, SEC/FINRA).