Manage Scans

Compliance

Compliance section inside Scan Report allows you to assess how your application aligns with key global security and data protection standards. Each compliance framework includes specific technical and procedural requirements aimed at protecting sensitive data, ensuring system security, and reducing business risk.

Our scanner maps its findings to the relevant compliance controls and presents a summary in an easy-to-understand format:

  • ✅ Passed – The application meets the requirement.
  • ❌ Failed – The application has vulnerabilities that may cause non-compliance.
  • 🚫 Not Applicable – This control cannot be evaluated using a Dynamic Application Security Testing (DAST) scanner and lies outside our assessment scope.

Each result includes mapped vulnerabilities, exact details, and tailored remediation suggestions with code examples.

While we help detect application-layer issues, remember that full compliance often involves broader organizational and infrastructural efforts.

GDPR – General Data Protection Regulation

ZeroThreat evaluates application-level security risks relevant to GDPR compliance by mapping vulnerabilities to specific technical controls such as:

  • A.10.3.2 System Acceptance
  • A.11.4.4 Remote Diagnostic and Configuration Port Protection
  • A.11.6.1 Information Access Restriction
  • A.12.3.1 Policy on the Use of Cryptographic Controls
  • A.12.3.2 Key Management
  • A.12.5.5 Outsourced Software Development
  • A.12.2.1 Input Data Validation
  • A.12.2.4 Output Data Validation
  • A.12.5.4 Information Leakage
Thumbnail

What It Means:
GDPR is a robust regulation centered on data privacy and protection of personal information, especially for individuals in the European Union. The regulation mandates that organizations implement technical and organizational measures to secure personal data.
ZeroThreat helps identify issues such as unauthorized access, data leakage, insecure encryption, and inadequate validation, all of which can lead to GDPR violations. Our scan results can alert you to risks that could otherwise result in regulatory penalties or data breach consequences.

Warning: Even minor application-level misconfigurations can impact GDPR compliance. Don't rely solely on infrastructure-level audits—web application security plays a critical role.

HIPAA – Health Insurance Portability and Accountability Act

Our scanner maps test results to the HIPAA Security Rule with checks against:

  • 164.312(e)(2)(i) – Prevent Unauthorized Changes
  • 164.105 – Protect Private Health Info
  • 164.306(a)(1) – Keep Info Safe and Available
  • 164.306(a)(2) – Protect Against Threats
  • 164.306(a)(3) – Stop Unauthorized Access
  • 164.308(a)(1)(i) – Prevent and Fix Problems
  • 164.308(a)(1)(ii)(B) – Lower Security Risks
  • 164.312(e)(1) – Protect Info Sent Online
Thumbnail

What It Means:
HIPAA is designed to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Healthcare organizations and their service providers are required to secure patient data from unauthorized access and cyber threats.

ZeroThreat assists with this by identifying vulnerabilities that may lead to data exposure, session hijacking, injection attacks, or weak transmission protocols, which directly violate HIPAA standards. While not a full compliance tool, it plays an essential role in covering the technical safeguards defined under HIPAA.

HIPAA compliance requires layers of protection—ZeroThreat helps you build a solid foundation by identifying the most commonly overlooked risks in your web apps.

ISO 27001 – A

SO/IEC 27001 is one of the most widely adopted international standards for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It offers a structured and risk-based approach to securing sensitive data, ensuring business continuity, and minimizing the likelihood and impact of security incidents.

While ISO 27001 covers a broad range of security domains, Annex A specifically outlines a comprehensive set of control objectives and controls across areas such as access control, cryptography, physical security, software development, incident response, and more. These controls are designed to protect the confidentiality, integrity, and availability of information assets.

Thumbnail

ZeroThreat plays a supporting role in this compliance journey by helping identify application-level risks that undermine the secure design and operation of web systems. Although ISO 27001 compliance spans both organizational and technical controls, addressing application-layer vulnerabilities is a critical component of a strong ISMS.

By remediating these issues, teams can significantly strengthen their application security posture—an essential pillar in achieving ISO 27001 objectives.

OWASP – Open Worldwide Application Security Project

ZeroThreat directly maps vulnerabilities to the OWASP Top 10, ensuring you’re addressing the most critical risks in modern web applications:

  • A1 – Broken Access Control
  • A2 – Cryptographic Failures
  • A3 – Injection Flaws
  • A4 – Insecure Design
  • A5 – Security Misconfiguration
  • A6 – Vulnerable and Outdated Components
  • A7 – Identification and Authentication Failures
  • A8 – Software and Data Integrity Failures
  • A10 – Server-Side Request Forgery (SSRF)
Thumbnail

What It Means:
The OWASP Top 10 is not a compliance framework but a practical checklist of the most common and impactful web application vulnerabilities. Addressing OWASP findings is often a baseline expectation across nearly all security audits and regulatory reviews.
ZeroThreat helps you stay ahead by automatically identifying these vulnerabilities and showing their potential impact on confidentiality, integrity, and availability. Fixing OWASP-listed flaws also helps indirectly support your compliance with standards like GDPR, ISO 27001, HIPAA, and PCI DSS.

Many regulatory breaches originate from OWASP-level issues—use this list as your first layer of defense.

PCI DSS – Payment Card Industry Data Security Standard

ZeroThreat maps scan findings to key PCI DSS requirements such as:

  • 2.2.2 / 2.2.3 – Limit Unnecessary Services & Secure Insecure Services
  • 2.3 – Encrypt Administrative Access
  • 4.1 – Encrypt Cardholder Data in Transit
  • 6.2 – Apply Security Patches Promptly
  • 6.5.1 – Prevent Injection Flaws
  • 6.5.3 – Secure Cryptographic Storage
  • 6.5.4 – Secure Communication Channels
  • 6.5.5 – Implement Robust Error Handling
  • 6.5.7 – Prevent Cross-Site Scripting (XSS)
  • 6.5.8 – Avoid Improper Access Control
  • 6.5.9 – Prevent CSRF Attacks
  • 6.5.10 – Fix Broken Authentication Issues
  • 2.2.4 – Harden System Configuration
Thumbnail

What It Means:
PCI DSS is a mandatory security standard for businesses that process cardholder data. It emphasizes the protection of sensitive payment information across storage, processing, and transmission layers.
ZeroThreat provides visibility into common weaknesses that affect PCI compliance, such as SSL/TLS vulnerabilities, outdated libraries, input validation flaws, and error message leaks. It helps you proactively remediate risks before audits and safeguard your payment systems from exploitation.

Warning: Failing even one PCI control can lead to compliance failure. Use ZeroThreat’s detailed remediation guidance to tighten controls before your next assessment.

Making Compliance Actionable

Each compliance section in ZeroThreat doesn't just stop at mapping vulnerabilities and checkmarks. We go a step further by:
✅ Highlighting the exact vulnerabilities that violate a requirement
✅ Providing tailored remediation steps, often with code snippets suited to your tech stack
✅ Helping you understand what’s in scope, what’s not, and what needs fixing now