Nucleus Verify maps security findings to 11 industry-standard regulatory and security frameworks used by auditors and compliance teams. Each framework's detailed mapping is given below.
The OWASP Top 10 for Large Language Model Applications is the industry-standard classification of security risks specific to LLM-powered systems. It provides a shared vocabulary for development teams, security auditors, and compliance officers to identify and communicate AI-specific vulnerabilities.
| Category | Name | Nucleus Coverage |
|---|---|---|
| LLM01 | Prompt Injection | Detected |
| LLM02 | Insecure Output Handling | Detected |
| LLM03 | Training Data Poisoning | Partial |
| LLM04 | Model Denial of Service | Partial |
| LLM05 | Supply Chain Vulnerabilities | Detected |
| LLM06 | Sensitive Information Disclosure | Detected |
| LLM07 | Insecure Plugin Design | Detected |
| LLM08 | Excessive Agency | Partial |
| LLM09 | Overreliance | Structural |
| LLM10 | Model Theft | Partial |
The NIST AI Risk Management Framework (AI RMF 1.0) provides organisations with a structured approach to managing AI-related risks throughout the AI lifecycle. It defines four core functions that together form a comprehensive risk management strategy for AI systems.
Govern: Establishes organisational policies, processes, and accountability structures for AI risk management across the enterprise.
Nucleus role: Provides verifiable, signed evidence of code verification that integrates into existing governance workflows. Certificates and proof packs create the audit trail that governance frameworks require.
Map: Identifies and categorises AI risks in context, including risks arising from third-party components and AI-generated outputs.
Nucleus role: Maps findings to CWE, OWASP, and compliance frameworks automatically. Every detected vulnerability is categorised by type, severity, and applicable regulatory context.
Measure: Quantifies and tracks identified AI risks using appropriate metrics, tools, and techniques for ongoing assessment.
Nucleus role: Produces quantified trust scores, severity distributions, and trend data across scans. Deterministic operators ensure repeatable, comparable measurements over time.
Manage: Prioritises and acts on identified risks through allocation of resources and implementation of mitigation strategies.
Nucleus role: Prioritises findings by severity and provides actionable remediation guidance. CI/CD integration enables risk management as a continuous process rather than a one-time audit.
ISO/IEC 27001:2022 is the internationally recognised standard for information security management systems (ISMS). Annex A controls provide a comprehensive set of security measures that organisations implement to protect information assets. Nucleus Verify detects code-level patterns that map to the following Annex A controls.
| Control / Article | What Nucleus Detects |
|---|---|
| A.5.23 | Cloud and third-party security — detects vulnerable third-party dependencies and supply chain risks. |
| A.8.9 | Configuration management — detects Kubernetes secrets stored in ConfigMaps. |
| A.8.12 | Data leakage prevention — detects hardcoded secrets, credentials in environment files, and sensitive data in log output. |
| A.8.24 | Use of cryptography — detects weak or deprecated cryptographic algorithms and insecure random token generation. |
| A.8.25 | Secure development lifecycle — detects SQL injection, command injection, and cross-site scripting (XSS) vulnerabilities. |
| A.8.26 | Application security — detects authorisation mismatches, missing brute-force protection, insecure deserialization, SSRF, and path traversal. |
| A.8.27 | Secure system architecture — detects exposed internal IP addresses and debug mode left enabled. |
| A.8.28 | Secure coding — detects dynamic code execution via eval, exec, and compile injection. |
| A.8.29 | Security testing — detects CI/CD pipeline injection vulnerabilities. |
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) sets uniform requirements for the security of network and information systems supporting the business processes of financial entities. It entered into application on 17 January 2025. Nucleus Verify maps code-level findings to the following DORA articles.
| Control / Article | What Nucleus Detects |
|---|---|
| Art. 9(2)(b) | ICT security — detects hardcoded credentials, authorisation mismatches, and missing brute-force protection. |
| Art. 9(2)(c) | ICT security — detects weak or deprecated cryptographic algorithms. |
| Art. 9(2)(d) | ICT security — detects sensitive data in logs and exposed internal IP addresses. |
| Art. 9(4)(a) | Secure development — detects SQL injection, command injection, XSS, code injection, and insecure deserialization. |
| Art. 25(1) | Digital operational resilience testing — detects CI/CD pipeline injection vulnerabilities. |
| Art. 28(4)(b) | ICT third-party risk — detects vulnerable dependencies and typosquatting in supply chain. |
| Art. 28(4)(c) | ICT third-party risk — detects licence compliance violations in dependencies. |
FCA Supervisory Statement SS1/21 sets expectations for operational resilience of UK-regulated financial services firms. Sections 7.4 through 7.8 address ICT and third-party risk management requirements. Nucleus Verify maps code-level findings to these expectations.
| Control / Article | What Nucleus Detects |
|---|---|
| SS1/21 §7.4 | ICT security — detects hardcoded credentials, authorisation mismatches, and weak cryptography. |
| SS1/21 §7.5 | Cyber resilience — detects missing rate limiting and brute-force protection on authentication endpoints. |
| SS1/21 §7.6 | Application security — detects injection vulnerabilities (SQL, command, XSS), debug mode, path traversal, and CI/CD pipeline risks. |
| SS1/21 §7.7 | Data security — detects sensitive data exposure in application logs. |
| SS1/21 §7.8 | Third-party risk — detects vulnerable third-party dependencies and supply chain risks. |
The Revised Payment Services Directive (PSD2) and its Regulatory Technical Standards (RTS) on Strong Customer Authentication set security requirements for payment service providers. Nucleus Verify maps code-level findings to the following RTS articles relevant to secure software development.
| Control / Article | What Nucleus Detects |
|---|---|
| RTS Art. 3 | Strong customer authentication — detects weak cryptography, hardcoded credentials, and timing-attack vulnerabilities in authentication. |
| RTS Art. 4 | Authentication safeguards — detects missing brute-force protection and access control weaknesses. |
| RTS Art. 22(1) | Security measures — detects injection vulnerabilities, XSS, insecure deserialization, and path traversal. |
| RTS Art. 22(3) | Data security — detects payment data and credentials exposed in application logs. |
| RTS Art. 30 | Open Banking API security — detects server-side request forgery (SSRF) in API endpoints. |
The SWIFT Customer Security Programme (CSP) and its Customer Security Control Framework (CSCF) define mandatory and advisory security controls for all institutions connected to the SWIFT network. Nucleus Verify detects code patterns relevant to the following CSCF controls.
| Control / Article | What Nucleus Detects |
|---|---|
| CSCF 1.1 | SWIFT environment protection — detects hardcoded credentials and exposed internal network addresses. |
| CSCF 2.2 | Security updates — detects vulnerable dependencies and supply chain integrity risks. |
| CSCF 4.1 | Password policy — detects weak cryptography, missing brute-force protection, and timing-attack vulnerabilities. |
| CSCF 6.1 | Malware protection — detects code execution vulnerabilities and insecure deserialization. |
| CSCF 7.1 | Vulnerability scanning — detects SQL injection, command injection, XSS, and path traversal vulnerabilities. |
| CSCF 7.3A | Penetration testing — detects CI/CD pipeline injection vulnerabilities. |
The General Data Protection Regulation (Regulation (EU) 2016/679) governs the processing and protection of personal data. Nucleus Verify detects code-level patterns relevant to data-protection-by-design principles across key GDPR articles.
Deep analysis available covering Article 5 (data processing principles), Article 17 (right to erasure), Article 20 (data portability), Article 25 (data protection by design), Article 32 (security of processing), and Article 35 (data protection impact assessment).
HIPAA establishes national standards to protect individuals' electronic personal health information. The Security Rule (45 CFR Part 164) specifies safeguards that covered entities and business associates must implement. Nucleus Verify detects code-level patterns relevant to the technical safeguard requirements.
Deep analysis available covering §164.312 technical safeguards — access controls, audit controls, integrity controls, person-or-entity authentication, and transmission security.
PCI-DSS provides a baseline of technical and operational requirements designed to protect cardholder data. Version 4.0 introduces updated requirements for software security and modern development practices. Nucleus Verify detects code patterns relevant to the following requirements.
Deep analysis available covering Requirement 3 (protect stored account data), Requirement 6 (develop and maintain secure systems), Requirement 8 (identify users and authenticate access), and Requirement 10 (log and monitor all access).
SOC 2, developed by the AICPA, defines criteria for managing customer data based on trust service principles: security, availability, processing integrity, confidentiality, and privacy. Nucleus Verify detects code-level patterns relevant to the common criteria and availability principle.
Deep analysis available covering CC6 (logical and physical access controls), CC7 (system operations), CC8 (change management), CC9 (risk mitigation), and A1 (availability).
In addition to the frameworks above, every Nucleus Verify finding includes a CWE (Common Weakness Enumeration) reference, a standardised identifier that links directly to the MITRE CWE database. CWE references enable cross-mapping to virtually any compliance framework or internal security taxonomy your organisation uses.