Enforcer Brand Icon
Enforcer-CCA
Access ControlsAWSKubernetesSOC 2 (Roadmap)
ProofFeaturesSecurityPricingAbout
Talk to the founder
Enforcer Brand Icon
Enforcer-CCA

Enforcer checks how your cloud is really configured against ISO 27001 every day, and keeps a dated record. It runs alongside the compliance tool you already have.

Platform

  • Features
  • Proof
  • Security & data handling
  • Support Portal

Solutions

  • AWS
  • Kubernetes
  • SOC 2 (Roadmap)

Company

  • About Us
  • Roadmap
  • Pricing
  • Why live-state evidence

Connect

  • Talk to the founder

Ask AI about Enforcer

Start a custom consultation with your favorite AI strategist. Click any LLM platform below to automatically open a session pre-loaded with our detailed, fact-checked product brief.

Prompt Overview

“You are a GRC and compliance strategist advising a cloud-native company that sells to banks or other regulated enterprises. Analyze the business value of Enforcer CCA, a tool that turns the live state of cloud infrastructure into dated comp...”

© 2026 Enforcer-CCA · Runs in your own infrastructure
Terms and ConditionsPrivacy Policy
Proof, not promises

Do not trust us. Recompute the hashes.

There are no testimonials on this page, because we have no customers yet. Instead, here is the thing a customer would actually receive. Download it, open it, and check the hashes against the manifest.

Download the sample pack (5.6 KB)Read the IAM policy we ask for

The pack hashes to ce40e958d50efa7b01dead2006d07f77d848438e24bac668e4537ae39a597fbe

The pack

What is inside

Eight files. A rendered report, the full control matrix in both JSON and CSV, one JSON record per piece of evidence, and a manifest that hashes all of them.

FileSHA-256Bytes
controls/control_matrix.csv32f6f1e44d10858578fade69…1475
controls/control_matrix.json8f58845222c5267d2ac34e46…5299
evidence/ev_1b8e33d5_crb.json223d355bdc09b219966e68ba…588
evidence/ev_5a0d6e92_bpa.json5beba4f9151ebfb4ec1bcab3…629
evidence/ev_7f21a4c0_admin.json0a91cfbbc5e46df0b8c9f302…545
evidence/ev_9e6c07f4_enc.json66d5adace8076bd95fe8b0d9…612
evidence/ev_c93f10ab_key.json8ceaedcd16c60df562972599…465
report/sample-report.htmlae16de72efa0dd53d08e5fa6…492
Recompute it

Verify it yourself

There are two hashes in the pack and they answer two different questions. Both are reproducible with nothing but a shell.

1. Has the pack been tampered with?

Every file in manifest.json carries the SHA-256 of its own bytes. Hash any file and compare.

$ unzip enforcer-sample-evidence-pack.zip
$ shasum -a 256 evidence/ev_5a0d6e92_bpa.json
5beba4f9151ebfb4ec1bcab34e1b21a84c2980f7abbfa366864c705494c190a7  evidence/ev_5a0d6e92_bpa.json

2. Has the record been altered since it was written?

Separately, the evidence_integrity block carries the hash the database computed when the record was first inserted. Evidence is append-only: that hash is never recomputed, because a hash that heals itself proves nothing. It covers the config_values — the raw configuration Enforcer read — not the file wrapper.

$ python -c "import json,hashlib,sys
rec = json.load(open('evidence/ev_5a0d6e92_bpa.json'))
blob = json.dumps(rec['config_values'], sort_keys=True, default=str)
print(hashlib.sha256(blob.encode()).hexdigest())"

That value appears against the record's id in manifest.json → evidence_integrity.

The control matrix

How to read the control matrix

One row per control, per resource, per check. The sample below is a synthetic environment: a contractor holding AdministratorAccess, an access key 417 days old, and a bucket with public access unblocked. Note that ISO27001-8.2 appears three times — once for an IAM user, once for a Kubernetes role binding, once for an S3 bucket. One control, evidenced across both clouds.

control_code,control_name,control_severity,control_type,asset_display_name,asset_external_id,asset_type,evaluation_status,evaluated_at,control_evaluation_id
ISO27001-8.2,Privileged access rights,high,detective,svc-deploy-contractor,arn:aws:iam::000000000000:user/svc-deploy-contractor,iam_user,failed,2026-07-09T02:14:07+00:00,ce_7f21a4c0
ISO27001-8.2,Privileged access rights,high,detective,ci-deployer-binding,clusterrolebinding/ci-deployer-binding,k8s_clusterrolebinding,failed,2026-07-09T02:14:11+00:00,ce_1b8e33d5
ISO27001-8.2,Privileged access rights,high,detective,acme-payments-exports,arn:aws:s3:::acme-payments-exports,s3,failed,2026-07-09T02:14:09+00:00,ce_5a0d6e92
ISO27001-5.18,Access rights,medium,periodic,svc-deploy-contractor,arn:aws:iam::000000000000:user/svc-deploy-contractor,iam_user,failed,2026-07-09T02:14:07+00:00,ce_c93f10ab
ISO27001-8.5,Secure authentication,high,detective,dana.okafor,arn:aws:iam::000000000000:user/dana.okafor,iam_user,passed,2026-07-09T02:14:07+00:00,ce_2d47bb61
ISO27001-8.24,Use of cryptography,high,detective,acme-payments-ledger,arn:aws:s3:::acme-payments-ledger,s3,passed,2026-07-09T02:14:09+00:00,ce_9e6c07f4
ISO27001-5.14,Information transfer,medium,periodic,acme-payments-ledger,arn:aws:s3:::acme-payments-ledger,s3,passed,2026-07-09T02:14:09+00:00,ce_4c1a5f30
ISO27001-8.13,Information backup,high,detective,acme-payments-ledger,arn:aws:s3:::acme-payments-ledger,s3,passed,2026-07-09T02:14:09+00:00,ce_63b98ad7

The score in this pack is 50% — four passing of eight evaluated. The other 68 ISO 27001 controls are not counted as failing, because they were never evaluated: no cloud configuration can evidence a background check or a locked server-room door. Enforcer answers 25 of the 93 controls in the standard, and stays quiet about the rest.

If you audit against ISO 27001

We would rather talk to you than to a customer

You are the only person qualified to tell us whether this format is worth anything, and so far we have not asked one of you. That is the single largest gap in this company, and it sits above every feature on the roadmap.

We want thirty minutes. What do you accept today as evidence that an infrastructure control was operating? What makes you distrust automated collection? What do your clients struggle most to produce? We will take the criticism and publish what you tell us, including if you tell us this is not evidence at all.

Tell us we are wrong

What will appear here, and what will not

Case studies land on this page when they are real, measured, and signed. Until then the space stays empty rather than filled with invented quotes and stock photographs.

A measured number in every headline

Audit-prep hours saved, detection latency, assessment turnaround. If we cannot measure it with the customer, we do not publish it.

Named, attributable, verifiable

Real companies, real roles, quotes the person signed off on. A company that sells evidence cannot run on unverifiable claims — that would be the exact problem we exist to fix.

The auditor’s verdict, published either way

No auditor has reviewed this format. When one does, we will publish what they said — including if they reject it. That assessment will carry more weight than any marketing quote, and it comes before any of them.