Vulnerability Management for Your Compliance Program
Metric Tower helps your team meet the technical requirements of major security frameworks.
Metric Tower is a security scanning tool: we help you meet compliance requirements; we do not provide compliance certifications.
ISO 27001
ISO 27001 is the international standard for information security management systems (ISMS). Metric Tower helps you meet several Annex A controls.
A.8.1.1: Asset Inventory
Subdomain discovery and attack surface enumeration help maintain a complete inventory of internet-facing assets.
Relevant modules: Subfinder, Amass, CrtSh, Dnsx
A.10.1.1: Cryptographic Controls
TLS/SSL scanning validates certificate configuration, cipher strength, and protocol support across your infrastructure.
Relevant modules: Testssl, Tlsx
A.12.6.1: Technical Vulnerability Management
Automated vulnerability scanning with CVE detection, CVSS scoring, and remediation tracking.
Relevant modules: Nuclei, Nmap, WpScan
A.14.2.8: System Security Testing
Web application security testing including injection, XSS, and authentication bypass checks.
Relevant modules: ZAP, Dalfox, Sqlmap
SOC 2
SOC 2 examines controls related to security, availability, processing integrity, confidentiality, and privacy. Metric Tower supports several Common Criteria.
CC6.1: Logical Access
Attack surface discovery identifies exposed services and access points across your infrastructure.
Relevant modules: Subfinder, Nmap, Httpx
CC7.1: System Operations Monitoring
Continuous vulnerability scanning and monitoring of DNS, SSL, and uptime to detect operational issues.
Relevant modules: Nuclei, Nmap, SSL Monitor, DNS Monitor
CC7.2: Monitoring of Anomalies
Scan comparison and diff alerts detect new vulnerabilities and regressions across scan runs.
Relevant modules: Scan Comparison, Diff Alerts
PCI DSS
PCI DSS requires regular vulnerability assessments for organizations that handle payment card data. Metric Tower helps address several requirements.
Requirement 4.1: Encryption in Transit
TLS/SSL analysis validates encryption configuration across all services handling cardholder data.
Relevant modules: Testssl, Tlsx
Requirement 6.5.x: Application Security
Web application scanning detects injection flaws, XSS, CSRF, and other OWASP Top 10 vulnerabilities.
Relevant modules: ZAP, Dalfox, Sqlmap, Commix
Requirement 11.2: Vulnerability Scans
Scheduled scanning with automated reporting supports the quarterly external vulnerability scan requirement.
Relevant modules: Scheduled Scans, PDF/SARIF Export
GDPR
GDPR requires organizations to implement appropriate technical measures to ensure data security. Regular security testing is a key part of demonstrating compliance.
Article 32: Security of Processing
Regular vulnerability assessments and penetration testing help demonstrate appropriate technical security measures.
Relevant modules: Full scanning platform (75+ modules)
Article 5(1)(f): Integrity & Confidentiality
Encryption analysis and security header checks help ensure data is protected in transit and at rest.
Relevant modules: Testssl, HTTP Headers, Email Security
NIST Cybersecurity Framework
The NIST CSF provides a framework for managing cybersecurity risk. Metric Tower supports the Identify, Protect, and Detect functions.
ID.AM: Asset Management
Automated discovery of subdomains, services, and technologies across your attack surface.
Relevant modules: Subfinder, Amass, Nmap, WhatWeb
PR.DS-2: Data in Transit
TLS/SSL and email security scanning validates that data is protected during transmission.
Relevant modules: Testssl, Email Security, Tlsx
DE.CM: Security Continuous Monitoring
Scheduled scans, DNS monitoring, SSL monitoring, and uptime checks provide continuous security observation.
Relevant modules: Scheduled Scans, DNS/SSL/Uptime Monitors
OWASP Top 10
The OWASP Top 10 represents the most critical web application security risks. Metric Tower includes dedicated scanners for each category.
A01:2021: Broken Access Control
Path traversal, directory brute-forcing, and authentication bypass testing.
Relevant modules: ZAP, Ffuf, Nomore403
A03:2021: Injection
SQL injection, command injection, template injection, and NoSQL injection detection.
Relevant modules: Sqlmap, Commix, Tplmap, NoSqlMap
A05:2021: Security Misconfiguration
HTTP headers, CORS, TLS configuration, and exposed sensitive files.
Relevant modules: HTTP Headers, Corsy, Testssl, Sensitive Files
A07:2021: Cross-Site Scripting
Reflected, stored, and DOM-based XSS detection with blind callback support.
Relevant modules: Dalfox, ZAP
Start Meeting Your Compliance Requirements
75+ scanner modules, automated reporting, and continuous monitoring to support your security program.