Compliance

Two parallel coverage views over the same training data. The OWASP view scores your workforce against the four OWASP Top 10 families. The regulatory view scores the same training against external standards (PCI DSS, ISO/IEC 27001, SOC 2) by mapping each control to its underlying CWEs.

Where this lives

Sidebar → Compliance under the Overview section, at /organization/compliance. The page has two tabs at the top: OWASP and Regulatory. Both tabs share the same underlying calculation engine; they differ only in which framework set is shown.

How coverage is calculated

An eligible user is any active organization member whose role is not org_admin. A user counts as trained on a topic if they have at least one practice attempt with a score at or above the passing score (70) inside the rolling window (the last 365 days). A risk item (an OWASP module or a regulatory control) flips to status covered once the percentage of eligible users trained on it reaches your org's coverage threshold, which defaults to 80% and is configurable between 50 and 100 in Organization Settings.

Risk items that have no shipping content yet (mapped to a CWE we do not yet have a training topic for) report status no-content so they are visible as a known gap rather than scoring against your workforce.
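The rules above, as a reference calculation in Python. This is an added example, not the product's own calculation engine, and it makes explicit a few details the text leaves open: a user is treated as trained on a risk item only when trained on every topic mapped to it, covered means the percentage is at or above the threshold, partial means some but not enough eligible users are trained, no-activity means none are, and the per-framework roll-up is the share of scoreable items (no-content excluded) that are covered. The Member and Attempt records, the sample data, and the function names are all constructed for the example.

```python
"""Reference implementation of the Compliance coverage rules (example only)."""
from dataclasses import dataclass
from datetime import date, timedelta

PASSING_SCORE = 70       # attempts below this do not count as "trained"
WINDOW_DAYS = 365        # attempts older than this are ignored
DEFAULT_THRESHOLD = 80   # org coverage threshold; configurable 50..100


@dataclass(frozen=True)
class Member:            # assumed shape of an organization member record
    user_id: str
    role: str
    active: bool


@dataclass(frozen=True)
class Attempt:           # assumed shape of a practice-attempt record
    user_id: str
    topic: str
    score: int
    attempted_on: date


def eligible_users(members):
    """Active members whose role is not org_admin."""
    return {m.user_id for m in members if m.active and m.role != "org_admin"}


def trained_on_topic(attempts, topic, today):
    """Users with at least one passing attempt on `topic` inside the window."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    return {
        a.user_id
        for a in attempts
        if a.topic == topic and a.score >= PASSING_SCORE and a.attempted_on >= cutoff
    }


def risk_item_coverage(members, attempts, topics, today, threshold=DEFAULT_THRESHOLD):
    """Return (status, trained_count, coverage_pct) for one module or control.

    `topics` is the set of training topics mapped to the item through its CWEs.
    Assumption: a user is trained on the item only when trained on every mapped
    topic, so attempts by admins or inactive users never reach the numerator.
    """
    if not 50 <= threshold <= 100:
        raise ValueError("coverage threshold must be between 50 and 100")
    if not topics:                       # CWE mapped, but no shipping content yet
        return "no-content", 0, 0.0
    eligible = eligible_users(members)
    if not eligible:
        return "no-activity", 0, 0.0
    trained = set(eligible)
    for topic in topics:
        trained &= trained_on_topic(attempts, topic, today)
    pct = 100.0 * len(trained) / len(eligible)
    if not trained:
        status = "no-activity"
    elif pct >= threshold:
        status = "covered"
    else:
        status = "partial"
    return status, len(trained), pct


def framework_coverage(item_results):
    """Roll-up for one framework (assumption): percent of scoreable items covered."""
    scoreable = [r for r in item_results if r[0] != "no-content"]
    if not scoreable:
        return 0.0
    return 100.0 * sum(1 for r in scoreable if r[0] == "covered") / len(scoreable)


# Constructed sample data: two eligible members, one admin, one inactive user.
TODAY = date(2024, 6, 1)
SAMPLE_MEMBERS = [
    Member("alice", "member", True),
    Member("bob", "member", True),
    Member("carol", "org_admin", True),    # excluded from the denominator
    Member("dave", "member", False),       # inactive, excluded
]
SAMPLE_ATTEMPTS = [
    Attempt("alice", "sqli", 85, date(2024, 3, 1)),   # passes, in window
    Attempt("alice", "ssrf", 72, date(2024, 5, 20)),  # passes
    Attempt("bob", "sqli", 60, date(2024, 5, 1)),     # below passing score
    Attempt("bob", "sqli", 90, date(2023, 1, 1)),     # passes, but outside window
    Attempt("bob", "ssrf", 70, date(2024, 4, 10)),    # exactly passing
    Attempt("carol", "sqli", 95, date(2024, 5, 1)),   # admin, does not count
    Attempt("dave", "sqli", 100, date(2024, 5, 1)),   # inactive, does not count
]

if __name__ == "__main__":
    for name, topics in [("A03 Injection", {"sqli"}), ("A10 SSRF", {"ssrf"}),
                         ("combined", {"sqli", "ssrf"}), ("xss-only", {"xss"}),
                         ("unmapped", set())]:
        print(name, risk_item_coverage(SAMPLE_MEMBERS, SAMPLE_ATTEMPTS, topics, TODAY))
```

Running it with the sample data gives partial for the sqli item (alice is the only eligible user with a passing, in-window attempt, so 1 of 2 = 50%), covered for ssrf (bob's score of exactly 70 counts), no-activity for a topic nobody has attempted, and no-content for an item with no mapped topic. Lowering the threshold to 50 flips the sqli item to covered, which is the same lever the Organization Settings threshold controls.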

OWASP tab

One panel per family — Web, API, Mobile, Client-Side. Each panel shows the framework's overall coverage percentage and average score at the top, then a per-module breakdown beneath with status (covered / partial / no-activity / no-content), trained-user count, and average score. Click a module to drill into its constituent topics and the CWEs each topic addresses.

Regulatory tab

Three frameworks ship today: PCI DSS v4.0 Requirement 6 (secure systems and software), ISO/IEC 27001:2022 Annex A secure-development controls, and SOC 2 Trust Services Criteria (TSC 2017). Each framework expands to the underlying controls; each control lists the CWE set used to map training topics to it, and rolls up to a per-framework coverage percentage you can copy directly into an evidence pack.

Evidence PDF

Click Download Evidence PDF on either tab to generate a framework-scoped PDF. The Regulatory tab also lets you pick a specific framework and produce a PDF that includes only that framework's controls — useful when the auditor's request is narrow ("PCI 6.2.4 evidence please") and you do not want to hand over the wider coverage report.

Programmatic access

Same numbers, machine-readable: see API → Compliance. Common automations include syncing per-framework coverage into a GRC dashboard, alerting when any control's coverage drops below threshold, and feeding the per-module breakdown into a sprint planning tool to auto-create remediation training assignments.