There are no testimonials on this page, because we have no customers yet. Instead, here is the thing a customer would actually receive. Download it, open it, and check the hashes against the manifest.
The pack hashes to ce40e958d50efa7b01dead2006d07f77d848438e24bac668e4537ae39a597fbe
Eight files. A rendered report, the full control matrix in both JSON and CSV, one JSON record per piece of evidence, and a manifest that hashes all of them.
| File | SHA-256 | Bytes |
|---|---|---|
| controls/control_matrix.csv | 32f6f1e44d10858578fade69… | 1475 |
| controls/control_matrix.json | 8f58845222c5267d2ac34e46… | 5299 |
| evidence/ev_1b8e33d5_crb.json | 223d355bdc09b219966e68ba… | 588 |
| evidence/ev_5a0d6e92_bpa.json | 5beba4f9151ebfb4ec1bcab3… | 629 |
| evidence/ev_7f21a4c0_admin.json | 0a91cfbbc5e46df0b8c9f302… | 545 |
| evidence/ev_9e6c07f4_enc.json | 66d5adace8076bd95fe8b0d9… | 612 |
| evidence/ev_c93f10ab_key.json | 8ceaedcd16c60df562972599… | 465 |
| report/sample-report.html | ae16de72efa0dd53d08e5fa6… | 492 |
There are two hashes in the pack and they answer two different questions. Both are reproducible with nothing but a shell.
Every file in manifest.json carries the SHA-256 of its own bytes. Hash any file and compare.
$ unzip enforcer-sample-evidence-pack.zip
$ shasum -a 256 evidence/ev_5a0d6e92_bpa.json
5beba4f9151ebfb4ec1bcab34e1b21a84c2980f7abbfa366864c705494c190a7 evidence/ev_5a0d6e92_bpa.jsonSeparately, the evidence_integrity block carries the hash the database computed when the record was first inserted. Evidence is append-only: that hash is never recomputed, because a hash that heals itself proves nothing. It covers the config_values — the raw configuration Enforcer read — not the file wrapper.
$ python -c "import json,hashlib,sys
rec = json.load(open('evidence/ev_5a0d6e92_bpa.json'))
blob = json.dumps(rec['config_values'], sort_keys=True, default=str)
print(hashlib.sha256(blob.encode()).hexdigest())"That value appears against the record's id in manifest.json → evidence_integrity.
One row per control, per resource, per check. The sample below is a synthetic environment: a contractor holding AdministratorAccess, an access key 417 days old, and a bucket with public access unblocked. Note that ISO27001-8.2 appears three times — once for an IAM user, once for a Kubernetes role binding, once for an S3 bucket. One control, evidenced across both clouds.
control_code,control_name,control_severity,control_type,asset_display_name,asset_external_id,asset_type,evaluation_status,evaluated_at,control_evaluation_id
ISO27001-8.2,Privileged access rights,high,detective,svc-deploy-contractor,arn:aws:iam::000000000000:user/svc-deploy-contractor,iam_user,failed,2026-07-09T02:14:07+00:00,ce_7f21a4c0
ISO27001-8.2,Privileged access rights,high,detective,ci-deployer-binding,clusterrolebinding/ci-deployer-binding,k8s_clusterrolebinding,failed,2026-07-09T02:14:11+00:00,ce_1b8e33d5
ISO27001-8.2,Privileged access rights,high,detective,acme-payments-exports,arn:aws:s3:::acme-payments-exports,s3,failed,2026-07-09T02:14:09+00:00,ce_5a0d6e92
ISO27001-5.18,Access rights,medium,periodic,svc-deploy-contractor,arn:aws:iam::000000000000:user/svc-deploy-contractor,iam_user,failed,2026-07-09T02:14:07+00:00,ce_c93f10ab
ISO27001-8.5,Secure authentication,high,detective,dana.okafor,arn:aws:iam::000000000000:user/dana.okafor,iam_user,passed,2026-07-09T02:14:07+00:00,ce_2d47bb61
ISO27001-8.24,Use of cryptography,high,detective,acme-payments-ledger,arn:aws:s3:::acme-payments-ledger,s3,passed,2026-07-09T02:14:09+00:00,ce_9e6c07f4
ISO27001-5.14,Information transfer,medium,periodic,acme-payments-ledger,arn:aws:s3:::acme-payments-ledger,s3,passed,2026-07-09T02:14:09+00:00,ce_4c1a5f30
ISO27001-8.13,Information backup,high,detective,acme-payments-ledger,arn:aws:s3:::acme-payments-ledger,s3,passed,2026-07-09T02:14:09+00:00,ce_63b98ad7
The score in this pack is 50% — four passing of eight evaluated. The other 68 ISO 27001 controls are not counted as failing, because they were never evaluated: no cloud configuration can evidence a background check or a locked server-room door. Enforcer answers 25 of the 93 controls in the standard, and stays quiet about the rest.
You are the only person qualified to tell us whether this format is worth anything, and so far we have not asked one of you. That is the single largest gap in this company, and it sits above every feature on the roadmap.
We want thirty minutes. What do you accept today as evidence that an infrastructure control was operating? What makes you distrust automated collection? What do your clients struggle most to produce? We will take the criticism and publish what you tell us, including if you tell us this is not evidence at all.
Case studies land on this page when they are real, measured, and signed. Until then the space stays empty rather than filled with invented quotes and stock photographs.
Audit-prep hours saved, detection latency, assessment turnaround. If we cannot measure it with the customer, we do not publish it.
Real companies, real roles, quotes the person signed off on. A company that sells evidence cannot run on unverifiable claims — that would be the exact problem we exist to fix.
No auditor has reviewed this format. When one does, we will publish what they said — including if they reject it. That assessment will carry more weight than any marketing quote, and it comes before any of them.