COMPLIANCE-READINESS REVIEW · SOURCE-BASED · ASYNC

Your controls are documented.
Are they effective?

The expensive finding is never the missing control — it's the one that's documented as present and doesn't actually hold. Faultline reads your source and configuration and proves which is which, control by control, before an auditor, a regulator, or an incident does.

Written report · one system · fixed price. No calls. No live system access. NDA-first.

MAPPED TO YOUR FRAMEWORK — SOC 2 · ISO 42001 · GAMP 5 · 21 CFR Part 11 · PCI DSS
what a verdict looks like

Documented vs. effective, side by side.

CONTROL REVIEW — excerpt, illustrative · every claim cited · every boundary named

CONTROL     Access to customer data is restricted to authorized roles
FRAMEWORK   SOC 2 · CC6.1
DOCUMENTED  Present — access-control policy v3.2, attested in the current report.
EFFECTIVE   DOES NOT HOLD. The configured rule grants read access to every authenticated user — broader than the documented restriction.
EVIDENCE    config/access-policy.yaml:42

CONTROL     Audit trail is protected from modification once written
FRAMEWORK   21 CFR Part 11 · §11.10(e)
DOCUMENTED  Present — data-integrity SOP, section 4.
EFFECTIVE   HOLDS. Write path is append-only and the constraint is enforced at the schema level, matching the SOP.
EVIDENCE    db/schema/audit_log.sql:17

CONTROL     AI-generated outputs affecting decisions are logged for human review
FRAMEWORK   ISO 42001 · A.6.2
DOCUMENTED  Present — AI governance policy, revision 2.
EFFECTIVE   NOT VERIFIABLE. No evidence of the logging path was found in the reviewed scope. Named as a gap — not silently passed.
EVIDENCE    none found in reviewed scope — stated explicitly

Illustrative excerpt — structure and verdict discipline are exactly what the real report delivers, on your system, against your framework. Three verdicts exist: holds, does not hold, and not verifiable. The third one is the honesty you're buying.
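The verdict discipline above, reduced to code as an added example (not Faultline's tooling and not code from this page): a small Python reviewer that parses a constructed access-policy file, keeps the line number of every rule so a finding can cite it, compares the effective principals with the documented roles, and returns one of the three verdicts plus an explicit reviewed/not-reviewed scope. The file path config/access-policy.yaml is borrowed from the excerpt; its contents, the resource names, the role names and the scope list are assumptions constructed for the example.

```python
"""Documented-vs-effective control check over a constructed access policy.

Added example, not Faultline's tooling. Rebuilds the effective rule from config,
sets it against the documented restriction, and emits one of three verdicts
with a file:line citation. Policy text, names and scope below are constructed.
"""
import re
from dataclasses import dataclass

HOLDS = "HOLDS"
DOES_NOT_HOLD = "DOES NOT HOLD"
NOT_VERIFIABLE = "NOT VERIFIABLE"

# Hypothetical path (borrowed from the excerpt) and constructed contents.
POLICY_PATH = "config/access-policy.yaml"
POLICY_TEXT = """\
# access-policy.yaml (constructed sample)
resources:
  customer_data:
    read:
      principals: [authenticated]
    write:
      principals: [role:support-lead, role:dpo]
  marketing_assets:
    read:
      principals: [authenticated]
"""

# Principals that mean "anyone", regardless of role (assumed vocabulary).
BROAD_PRINCIPALS = {"authenticated", "anonymous", "*"}


def parse_policy(text):
    """Parse the indentation-based YAML subset used in POLICY_TEXT.

    Mapping keys become nested dicts; leaf values become (items, line_number)
    so every finding can cite the exact line it rests on. A full YAML loader
    would drop the line numbers, which is why this parser stays tiny.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each enclosing block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # close blocks that ended
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            m = re.fullmatch(r"\[(.*)\]", value)
            items = [v.strip() for v in m.group(1).split(",")] if m else [value]
            parent[key] = (items, lineno)
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


@dataclass(frozen=True)
class Verdict:
    control: str
    verdict: str
    evidence: str
    reason: str


def check_restricted_access(policy, resource, action, documented_roles, path=POLICY_PATH):
    """Verdict for the claim '<action> on <resource> is restricted to <documented_roles>'."""
    control = f"{action} access to {resource} restricted to {sorted(documented_roles)}"
    try:
        principals, lineno = policy["resources"][resource][action]["principals"]
    except (KeyError, TypeError):
        # No rule in the reviewed material: name the gap, never pass it silently.
        return Verdict(control, NOT_VERIFIABLE, "none found in reviewed scope",
                       f"no {action} rule for {resource} in {path}")
    wider = [p for p in principals if p in BROAD_PRINCIPALS or p not in documented_roles]
    if wider:
        return Verdict(control, DOES_NOT_HOLD, f"{path}:{lineno}",
                       f"rule also grants {action} to {wider}")
    return Verdict(control, HOLDS, f"{path}:{lineno}",
                   f"principals {principals} match the documented roles")


def run_review(text=POLICY_TEXT):
    """Review three constructed claims; returns the verdicts and the scope statement."""
    policy = parse_policy(text)
    documented_roles = {"role:support-lead", "role:dpo"}  # assumed from a policy document
    verdicts = [
        check_restricted_access(policy, "customer_data", "read", documented_roles),
        check_restricted_access(policy, "customer_data", "write", documented_roles),
        check_restricted_access(policy, "ai_decision_log", "read", documented_roles),
    ]
    scope = {"reviewed": [POLICY_PATH], "not_reviewed": ["db/schema/", "app/"]}  # hypothetical
    return verdicts, scope


if __name__ == "__main__":
    found, scope = run_review()
    for v in found:
        print(f"{v.verdict:<15} {v.control}\n    evidence: {v.evidence}\n    {v.reason}")
    print("reviewed:", scope["reviewed"], "| not reviewed:", scope["not_reviewed"])
```

The third claim is the one worth noticing: the checker has no rule to cite, so it returns NOT VERIFIABLE with the scope it searched, instead of defaulting to a pass. Keeping line numbers in the parsed structure, rather than loading the file with a stock YAML library, is what lets each verdict point at a specific line.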

the gap

Everyone checks the paperwork. No one checks the gap.

Fast-moving regulated teams don't lack controls on paper. What drifts — quietly, release by release — is the gap between the documented control and the effective one: what your evidence claims the system does vs. what the source and configuration actually do. AI-assisted development widens that gap faster than any audit cycle closes it.

YOUR AUDIT FIRM

Verifies the documentation set is complete and consistent. Takes system behavior largely on attestation.

YOUR COMPLIANCE PLATFORM

Watches checklist items and integration signals. A green dashboard is not an effective control.

YOUR SCANNERS

Emit hundreds of flags with no verdict, no ranking, no framework mapping. Noise isn't assurance.

YOUR PENTEST

Tests whether the perimeter survives an attack — not whether your evidence matches your frameworks.

The square left empty: a written verdict on documented vs. effective, cited to the exact line of evidence. That square is what Faultline does. Only that.

how it works · async by design

Your calendar never hears from us.

01

You share the material

A repo, an export, or the config set you choose — under NDA, through your channel of choice. No live access, no agents installed, no credentials exchanged.

02

We read it

Control by control, we rebuild what the system actually does from source and configuration — and set it against what your compliance documentation says it does, mapped to the framework you answer to.

03

You get the report

One written document per system: every claim cited to its evidence line, every gap named, every reviewed-vs-not-reviewed boundary stated explicitly. Yours to hand to your team, your auditor, or your board.

Turnaround is fixed per scope sheet, agreed before we start. You always know what's in scope, what isn't, and what it costs — in writing, up front.

proof

Don't trust the pitch. Read a report.

The fastest way to judge a written deliverable is to read one. Our anonymized sample report shows the exact shape of what you'd receive: findings cited to file and line, an effective-vs-documented comparison table, and an explicit list of what was not reviewed.

Every claim carries its evidence

Nothing is asserted that isn't shown; anything unverified is named as unverified. The report contains no silent gaps — by construction.

Boundaries are part of the deliverable

Each report states plainly what was out of scope. You'll never wonder what we didn't look at.

The first engagement is small on purpose

One system, fixed scope, fixed price. The report either proves the value or it doesn't — no retainer, no land-and-expand.

the offer

The first step is a teardown, not a relationship.

Readiness teardown of one system

FIXED PRICE — QUOTED ON THE SCOPE SHEET, IN WRITING, BEFORE WE START

A written review of one system's source and configuration against the framework you name: which documented controls hold at the effective boundary, which don't, and where the evidence for each claim lives. Delivered async as a single report.

WHAT'S INCLUDED
  • Control-by-control documented vs. effective verdict — mapped to SOC 2, ISO 42001, GAMP 5, 21 CFR Part 11 or PCI DSS
  • Every finding cited to its exact evidence line
  • Explicit statement of reviewed and not-reviewed scope
  • A prioritized gap list your team can act on — written for engineers and legible to your auditor
WHAT IT'S NOT
  • Not a scanner run. Not a checklist. Not a sales wedge for a platform subscription.
  • No live access to your systems, ever.
  • No calls required — questions are answered in writing.
fair questions

Asked by every buyer. Answered in writing.

"We already have SOC 2."
So does everyone who later failed at the effective boundary. Your report says the controls are documented; ours says whether they hold.
"We don't share code with outsiders."
You choose what to share, under NDA, with no live access. A document exchange, not a vendor onboarding.
"How is this different from our scanner?"
Your scanner gives you flags. We give you a verdict — ranked, evidence-cited, in your framework's language.
"Why now?"
Because the gap is found either by you, on your schedule and in private — or by your auditor, your regulator, or your incident, on theirs.
start · async, like everything else

Know which of your controls actually hold.

Send us the framework you answer to and one system you'd want read. You'll get a scope sheet and a fixed price in writing — and you can read the sample report first.