Every finding, mapped to the controls your auditor asks for

Senserva is a Microsoft 365 compliance automation and security auditing engine, and a CISA SCuBA tool with Purview security assessment built in. It carries the framework mapping with the finding. 31 MCSB controls and 81 CISA SCuBA codes baked into the report natively, every scan, across 650+ underlying checks you can browse in the catalog. The Senserva MCP layer reaches the rest: NIST 800-53, NIST 800-171, ISO 27001, SOC 2, HIPAA, PCI-DSS, CIS Controls, MITRE ATT&CK, Microsoft Zero Trust Assessment, through Claude, bridged live by Senserva Trustworthy AI using the same source data as evidence.

Every Senserva scan generates audit-ready evidence for compliance: each finding ships with the underlying data Senserva used to detect it, the control mapping it satisfies (or fails), and a validated remediation step.

See your security gaps, free

Watch: Microsoft 365 compliance and audit with Senserva, every finding mapped to CISA SCuBA, MCSB, NIST, ISO 27001, SOC 2, HIPAA and more.

New to these frameworks? Start with the compliance requirements guide: who each framework applies to, what it demands, and the Senserva artifacts that help, with links to every official source.

Patching and log monitoring are explicit requirements

Most frameworks name two things auditors check directly: keeping systems patched, and monitoring your logs. Senserva covers both in the same scan, with the evidence attached. Cyber insurers ask for the same controls: see cyber insurance readiness.

Require patch and vulnerability management

PCI DSS (Req 6), HIPAA Security Rule, SOC 2 (CC7), NIST 800-53 (SI-2) and 800-171 (3.14), CIS Controls (Control 7), Essential Eight (patch applications and operating systems), and Cyber Essentials (security update management).

How Senserva covers patching and CVEs

Require log monitoring

PCI DSS (Req 10), HIPAA audit controls, SOC 2 (CC7.2), NIST 800-53 (AU family) and 800-171 (3.3), and CIS Controls (Control 8).

How Senserva analyzes logs

Compliance view, generated automatically

One scan produces the Compliance tab below. Each row is a Microsoft 365, Intune, or Entra ID finding with the framework codes it satisfies (or fails) right next to it. Filter by code, jump to the failing finding, export to HTML, or pipe the same data into Claude over MCP.

Senserva Compliance tab mapping Microsoft 365, Intune, Defender, Entra ID (logs included), CVEs, and Purview findings to CISA SCuBA, NIST, MCSB, and CIS controls

Compliance tab in the live dashboard. Same data lands in the HTML report and the MCP tool responses.

What lands in the evidence packet

Compliance is not a list of issues. It is a list of issues with proof. Every Senserva HTML report ships the four things an auditor asks for on the same finding row, so there is no separate document to assemble after the scan.

1. THE FINDING

Named entity, severity, the specific configuration or gap, and which Microsoft 365 / Intune / Entra ID workload it lives in.

2. THE PROOF

Underlying scan data Senserva used to reach the conclusion: policy assignment, user properties, sign-in trace, audit-log event, group-membership chain. Reproducible, not synthesized.

3. THE CONTROL MAPPING

MCSB v2 and CISA SCuBA codes attached at the row level on every scan. Ask Claude over the Senserva MCP to bridge to NIST 800-53, NIST 800-171, ISO 27001, SOC 2, HIPAA, PCI-DSS, CIS Controls, MITRE ATT&CK, and Microsoft ZTA.

4. THE REMEDIATION

A validated, step-by-step fix written by Senserva Trustworthy AI. Where possible, an attached PowerShell script ready for review and apply, plus a re-prove pass after the fix lands.

One scan. One self-contained HTML file. Prints to PDF for the audit packet. Try it on the demo →

Three concrete examples

What a Senserva finding looks like with the compliance mapping attached. These are not mock-ups: this is the same data shape the dashboard, the HTML reports, and the MCP tools all return.

Finding 12 of 247 . Conditional Access

CRITICAL . Severity 1875 CONDITIONAL ACCESS

Require MFA for All Users policy excludes the Finance group (28 users)

28 high-privilege Finance users are exempt from the MFA Conditional Access policy. The most common pattern behind business email compromise lives exactly here: one exclusion group that swallowed the rule.

MCSB

IM-6: Use strong authentication controls

CISA SCuBA

MS.AAD.3.1v1, MS.AAD.3.2v1

NIST 800-53

IA-2(1), IA-2(2)

MITRE ATT&CK

T1078 (Valid Accounts), TA0006 (Credential Access)

Finding 31 of 247 . Exchange Online

HIGH . Severity 375 EXCHANGE ONLINE

Auto-forwarding to external domains is allowed at the tenant level

Any compromised mailbox can silently forward inbound mail to an attacker-controlled inbox. The classic data-exfil path after a phishing foothold. Microsoft set the tenant default to Off in 2020; this tenant has it back On.

MCSB

DS-7: Limit data flow to untrusted networks

CISA SCuBA

MS.EXO.1.1v1

CIS Controls

CIS 3.13, CIS 13.4

MITRE ATT&CK

T1114.003 (Email Forwarding Rule)

Finding 4 of 247 . Privileged Access

CRITICAL . Severity 1875 PRIVILEGED IDENTITY

7 standing Global Administrators (PIM-eligible only is 0)

Every Global Admin in this tenant holds the role permanently. None are eligible-only via Privileged Identity Management. Standing-admin count is the single biggest privilege-creep signal and the first thing an attacker who phishes a help-desk credential goes after.

MCSB

PA-1, PA-2, PA-7 (Privileged Access)

CISA SCuBA

MS.AAD.7.1v1, MS.AAD.7.2v1, MS.AAD.7.5v1

NIST 800-53

AC-2(7), AC-6(5), AC-6(7)

MITRE ATT&CK

T1098 (Account Manipulation), T1078.004 (Cloud Accounts)

SCuBA scorecard, one keystroke away

Press C in the dashboard for the SCuBA-by-code scorecard. Every required code, pass or fail, with the count of failing findings and a one-click jump to the offending row. Same view exports to HTML for compliance review packets.

Senserva SCuBA scorecard table showing real CISA SCuBA control codes with pass/fail status

Compliance roadmap

Mapped to what your auditor asks for today, and what regulated teams need next

Every Senserva scan ships framework mappings natively, with more reach through the Senserva Trustworthy AI and Claude MCP layer. Government and defense coverage is next.

Available today

Microsoft Cloud Security Benchmark v2 (MCSB), 31 controls, native in every report
CISA SCuBA, 81 codes, native in every report
Microsoft Zero Trust Assessment alignment
NIST 800-53, ISO 27001, SOC 2, HIPAA, PCI-DSS, CIS Controls, MITRE ATT&CK, bridged live through the Senserva Trustworthy AI and Claude MCP layer using the same scan data as evidence
Patch and vulnerability evidence. Almost every framework requires patch management proof. Senserva carries device patch coverage enriched with MSRC, CISA KEV, and EPSS, a double-check across whatever patching tools you run, in one unified report.

Coming in Q3 2026

CMMC. Cybersecurity Maturity Model Certification mapping for defense contractors and the DIB supply chain.
NIST 800-171. Native control mapping for Controlled Unclassified Information (CUI) handling, the backbone of CMMC Level 2.
GCC and GCC High. Government Community Cloud support so public sector and defense tenants can scan Microsoft 365, Intune, Defender, Entra ID (logs included), CVEs, and Purview in their own environments.

Targeting Q3 2026. Want early access or to influence the control mappings? Tell us about your requirements.

Helpful links

The frameworks and benchmarks Senserva maps findings to. Each opens in a new tab.