Audit-ready by design.
Auditors do not accept adjectives. They accept test results they can trace back to a control. This page maps a Vexera engagement to the penetration-testing requirements in the frameworks security teams are measured against, so one assessment does double duty as your evidence.
Framework mapping. One assessment, in the control language each framework uses to ask for it.
PCI DSS v4.0
- 11.4.1
A defined, documented penetration-testing methodology
- 11.4.2 / 11.4.3
Internal and external testing at least every 12 months and after significant change
- 11.4.4
Exploitable findings corrected, then testing repeated to verify
Requirement 11.4 asks for internal and external penetration testing performed to a defined, documented methodology, at least once every 12 months and after any significant infrastructure or application change. Sub-requirement 11.4.4 requires that exploitable vulnerabilities and weaknesses found during testing are corrected and that testing is repeated to confirm the fix.
A Vexera engagement runs to a written scope and rules of engagement across the agreed perimeter and application layers, whitebox, blackbox, or both cross-checked. Every finding ships with reproduction evidence and the exact path taken, which is what a QSA reads as test results. Retest is part of the engagement, so corrected issues are re-exercised and the outcome recorded rather than assumed.
SOC 2 (Trust Services Criteria)
- CC4.1
Ongoing or separate evaluations that controls are present and operating
- CC7.1
Procedures to identify new vulnerabilities and configuration weaknesses
CC4.1 expects the entity to perform ongoing or separate evaluations to confirm that internal controls are present and functioning, and an independent penetration test is a common separate evaluation. CC7.1 expects detection and monitoring procedures that identify configuration changes introducing new vulnerabilities and susceptibility to newly discovered ones.
Vexera delivers a scoped, independent assessment with dated, evidence-backed findings that a service auditor can cite as a separate evaluation. Because engagements can be re-run after each release, they also work as an ongoing control that surfaces newly introduced weaknesses, and the report ties each finding to the affected systems for CC7.1.
ISO/IEC 27001:2022 (Annex A)
- A.8.8
Management of technical vulnerabilities
- A.8.29
Security testing in development and acceptance
- A.5.35
Independent review of information security
Annex A 8.8 requires that information about technical vulnerabilities is obtained, the organization's exposure evaluated, and appropriate measures taken. A 8.29 calls for security testing across the development life cycle, and A 5.35 for independent review of the security approach at planned intervals or after significant change.
An engagement obtains that vulnerability information through active exploitation rather than a signature list, and grades each finding by demonstrated impact so exposure can be evaluated and prioritized. Delivered by an external party, it also serves as the independent review under A 5.35, and it can be scheduled against your release cycle to support A 8.29.
NIS2 (Directive (EU) 2022/2555)
- Art. 21(2)(e)
Security in acquisition, development, and maintenance, including vulnerability handling
- Art. 21(2)(f)
Policies to assess the effectiveness of risk-management measures
Article 21(2) sets the minimum risk-management measures essential and important entities must take, including vulnerability handling under point (e). Point (f) requires policies and procedures specifically to assess whether those measures are effective in practice.
Testing that produces a reproducible exploit is direct evidence of effectiveness, or the lack of it, rather than a policy attestation. A Vexera engagement gives your management body and, where asked, supervisory authorities concrete results tied to named systems, and the retest step shows that remediation actually closed the issue.
DORA (Regulation (EU) 2022/2554)
- Art. 24-25
A resilience testing programme, including vulnerability assessments and penetration testing
- Art. 26-27
Threat-led penetration testing (TLPT) for designated entities
Articles 24 and 25 require financial entities to run a digital operational resilience testing programme that includes, among other tests, vulnerability assessments and penetration testing of the ICT systems supporting critical functions. Articles 26 and 27 add threat-led penetration testing at least every three years for entities designated by competent authorities, with specific requirements for the testers.
Vexera covers the general programme with scoped, evidence-backed penetration testing of the systems you nominate. For TLPT, our threat-led, intelligence-driven method and senior human oversight fit the model in Articles 26 and 27, though the formal designation, TIBER-EU alignment, and tester attestations are handled per engagement with your competent authority.
HIPAA Security Rule
- §164.308(a)(8)
Periodic technical and nontechnical evaluation
The evaluation standard requires a periodic technical and nontechnical evaluation establishing the extent to which security policies and procedures meet the Security Rule, in response to environmental or operational changes that affect the security of electronic protected health information.
A Vexera engagement provides the technical half of that evaluation: hands-on testing of the systems that store or transmit ePHI, with findings evidenced and ranked by demonstrated risk. Re-running after significant changes keeps the evaluation current instead of a once-a-year snapshot.
Honest about where we are.
Vexera ApS is an early-stage Danish company operating under EU jurisdiction. We hold no security certification today. SOC 2 Type II and ISO/IEC 27001 certification are on our roadmap, not claims we make now.
Our current status, sub-processors, and how we hold your source code and findings are documented in the Trust Center. We share further detail under NDA on request.
- Jurisdiction
Danish company under EU jurisdiction. Source and findings stay in Europe.
- Model providers
Contractual zero-training agreements with every provider we use.
- Data handling
Source minimized, processed in ephemeral workspaces, purged at engagement end.
- Certification
SOC 2 Type II and ISO/IEC 27001 on the roadmap. None held today.
This mapping is informational and is not certification or legal advice. Control and article text is paraphrased and abbreviated; confirm the current wording and how it applies to your environment with your own auditor, QSA, or assessor.
Map an engagement to your framework.
Tell us which framework you are preparing for and the systems in scope. We come back with a concrete scope, an engagement mode, and a timeline, usually within a day.