For compliance & regulatory officers — the gate you can't quietly pass

Measured compliance — we evidence the automatable slice, you declare the rest, a named person signs.

A control Watchdog catches failing can't be silently passed — overriding it is recorded, in full, in the artifact. We measure the automatable slice of each framework; you declare the rest; a named person signs. We measure; you declare; we never certify — the honesty model an auditor trusts and a vendor can't game.

Non-technical by design — the verdict is in plain language; your security engineer drills the findings behind it.

Sample score card (as rendered on the page): authby, by ruben-rasmussen. Rating: Exemplary. CAI: 98 / 100. 6298 ↑ +36.

Lens scores: Code health 98 · Architecture 99 · Maturity 99 · Readiness 96 · Security 100 · Domain 100.

Rebuild cost: ~€380,000 · Bus factor: 1 of 3 devs · Lines of code: 35,954.

The Security & Compliance lens rolls up real scanning — and feeds the conformance verdict, not a self-assessment.

The asymmetry you're up against

A vendor's self-assessment isn't audit-defensible.

"We're NIS2-ready" on a supplier's letterhead is the party with the most to lose grading their own work. An auditor, a regulator or a counterparty needs measured evidence, frozen at signature time, that a control was actually checked — and a record of every control that was overridden.

Today: a checkbox you take on trust

A self-declared "compliant" with nothing behind it — no evidence the gate was met, no record when it wasn't, nothing that survives an audit.

Now: measured, gated, signed

The automatable slice is measured; a control caught failing is gated (overriding it is recorded in the artifact); the rest you declare and a named person signs — frozen to a commit and a rubric version.

What you get

One conformance home — the verdict up front, the findings a drill-down.

The most buried-but-built surface, consolidated: the framework verdict, what's missing, the evidence register and the signed pack — in plain language, with the engineer's findings one click away.

EU-regulated frameworks first

NIS2, DORA and GDPR up front — the pressing obligations — then SSDF, SLSA, OWASP ASVS, WCAG 2.2, ISO 27001, CRA and EN 301 549. The full catalog →

A signed Conformance Pack

A PDF an auditor accepts: what's met, what's missing, exactly what's needed, and every override on the record — frozen to a commit + a pinned rubric so it reproduces.

An evidence & audit register

Each declaration frozen and signed at signature time, with a CycloneDX SBOM and the PII data-flow map — the supply-chain evidence a CRA or DORA reviewer asks for.

How it works — for you

Self-assess for free; sign when you're ready.

1 · Measure

Watchdog evidences the automatable slice of each framework from the code and its supply chain — no questionnaire.

2 · Gate

A control caught failing can't be passed silently; the override is recorded, in full, in the pack.

3 · Declare

You declare the controls a tool can't see; the verdict shows measured vs declared, never blurring the two.

4 · Sign

A named person signs; the pack is frozen to a commit + rubric version. Self-assessment is free; signing into a Conformance Pack is part of the compliance module.

Independent — and you don't have to trust us

An auditor can re-run the measurement themselves.

Measured by an open standard

The conformance verdict rolls up the CAI, an open, reproducible standard — the algorithm, lenses and rubric are public, and the reference scorer is open source. An auditor or counterparty can re-run the open scorer over the evidence and get the same number; the pack stands up because it's checkable, not because we said so. The CAI standard → cai.canine.dev · Reproduce a survey →

Stop signing compliance you can't evidence. Measure it.

Sign in with GitHub · No card · We measure; you declare; we never certify.