Reports & compliance
The platform turns scan data into audit-grade evidence: one-click PDF reports, an exportable audit trail and account-level compliance signals for ISO 27001 and NIS2/KSC.
Where reports live
Open Reports in the sidebar (/reports). Compliance artifacts are visible to the Owner, Admin and Auditor roles — the Auditor is read-only and can view and export everything without changing anything. Every report is scoped to your account only.
ISO 27001 report (A.8.8)
A point-in-time PDF of your vulnerability-management posture plus the activity within a chosen audit window — findings, remediation actions and SLA timeliness. Generated on demand, no manual data gathering. It also carries a data-provenance section (feed versions/dates) so an auditor can trust what the numbers are based on.
EOL fleet governance (A.8.9)
Which machines run End-of-Life operating systems, with days left until support ends, migration owner, target date and time-boxed risk acceptance. Exportable to CSV and PDF.
Management review
A one-page summary for management: overall verdict, key metrics and open decisions for a chosen window — reusing the same data as the detailed reports.
Evidence Pack — one ZIP for a period
From Reports, open Evidence Pack (/reports/evidence-pack), pick an audit period and download a single ZIP. It bundles what you would otherwise export one by one: the management, ISO 27001 and EOL PDFs, the risk-acceptance and audit-trail registers as CSV, a machine-readable JSON dataset and a manifest.json. The manifest lists a SHA-256 checksum for every file so an auditor can verify nothing was altered inside the package. All sections share one audit window (computed once in your account timezone), so the numbers line up across the whole pack. Available to Owner, Admin and Auditor. Note: the manifest proves internal package integrity — long-term tamper-evidence / period-lock is a separate capability.
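An auditor-side check of the manifest described above, as an added example that is not the platform's own code: it recomputes each file's SHA-256 and also flags files the manifest does not list. The manifest layout (`files` entries with `path` and `sha256`), its location at the ZIP root and the sample file names are assumptions.

```python
import hashlib
import io
import json
import zipfile

MANIFEST = "manifest.json"  # file name from the page; ZIP-root location is assumed

def verify_evidence_pack(zip_bytes):
    """Check each packed file against the manifest's SHA-256 list.

    Assumed manifest layout (the page does not document it):
        {"files": [{"path": "<name in ZIP>", "sha256": "<hex digest>"}]}
    """
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pack:
        names = {n for n in pack.namelist() if not n.endswith("/")}
        if MANIFEST not in names:
            raise ValueError("pack contains no manifest.json")
        raw = pack.read(MANIFEST)
        listed = {e["path"]: e["sha256"].lower() for e in json.loads(raw)["files"]}
        for path, expected in sorted(listed.items()):
            if path not in names:
                report["missing"].append(path)
                continue
            digest = hashlib.sha256()
            with pack.open(path) as fh:  # stream: report PDFs can be large
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            report["ok" if digest.hexdigest() == expected else "mismatch"].append(path)
        # A file the manifest does not list is covered by no checksum at all.
        report["unlisted"] = sorted(names - set(listed) - {MANIFEST})
    # The manifest cannot vouch for itself: log this digest outside the ZIP.
    report["manifest_sha256"] = hashlib.sha256(raw).hexdigest()
    return report

def build_sample_pack(tamper=False):
    """Constructed in-memory pack; file names and contents are made up."""
    files = {"iso27001.pdf": b"%PDF sample", "audit-trail.csv": b"ts,action,user\n"}
    manifest = {"files": [{"path": p, "sha256": hashlib.sha256(d).hexdigest()}
                          for p, d in files.items()]}
    if tamper:
        files["audit-trail.csv"] += b"2024-01-01,edited,nobody\n"  # changed after hashing
        files["notes.txt"] = b"not in manifest"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for p, d in files.items():
            z.writestr(p, d)
        z.writestr(MANIFEST, json.dumps(manifest))
    return buf.getvalue()
```

Recording `manifest_sha256` outside the ZIP at download time gives a later reference point, since the manifest only proves internal package integrity.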
Risk acceptance for CVEs (A.8.8)
When a CVE can't be fixed immediately, record a formal, time-boxed risk acceptance directly on the machine view: the reason, the risk owner, a review deadline and any compensating controls. Accepted CVEs move out of the 'needs action' count until their review date, then resurface. These decisions appear in the ISO report and the Evidence Pack risk-acceptance register — the auditable trail of what risk was knowingly carried, by whom and until when.
Audit trail — who / what / when
The Audit trail page (/reports/audit-trail) is a read-only log of configuration, governance and access-rights changes across your account — each entry shows the timestamp (in your account timezone), the action, the user who made it and the details. Filter by date range and action type, page through the results, and export the filtered view to CSV (Excel-ready, with Polish characters). This is accountability evidence for ISO 27001 A.5.18 (access rights) and A.8.32 (change management). Note: it covers changes made in the app — it is not a full authentication or data-access log.
Report branding (your logo)
Owners and Admins can upload the account logo under Account settings; it appears in the header of the ISO and EOL PDF reports. The image is flattened to a white background in the browser and shown on a white preview, so a white/transparent logo is caught before it lands invisibly in the report.
KSC entity mode
If your organisation is an entity of the Polish National Cybersecurity System (KSC), toggle it on under Account settings. A banner with the statutory deadlines (entity register, S46 system) then appears on the dashboard for all account members.

