Feature · Controls

Continuous Controls

One card per control. Pass, fail, and the evidence behind it.

Controls is the engine the whole platform is built around. Every NIST 800-53 control shows up as a card with its current status, the evidence behind it, how it maps across frameworks, who's responsible, and exactly how to remediate. Remediation routes right back into it.

Four control tiers

Not every control is a technical setting. ATAC sorts each one into the right tier so you assess it the right way.

Automated technical

Evaluated by live checks against your AWS environment. You set the configuration; ATAC verifies it.

Policy & training

Documented policy controls, satisfied by an attestation with an uploaded evidence artifact.

Inherited

Satisfied by the cloud provider under their authorization — referenced, not re-tested.

Process deliverables

Operational procedures (incident response, training) attested on a cadence.

One scan, every finding

Click scan and ATAC evaluates every control at once, then assembles a single, current picture of your posture.

  • Every check runs in parallel — and each is isolated, so one bad check never fails the whole scan.
  • Findings carry a clear status: pass, warn, fail, or error (a re-evaluating framework reads as evaluating, never as a false pass).
  • A POA&M-hygiene pass runs last against the live findings — confirming every open item has a scheduled, not-past-due completion date.
  • Manual overrides apply uniformly across every tier in one pass.
  • Re-run any single control on its own right after you fix or attest it.
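The scan loop described above, as an added example that is not ATAC's code: each check runs in its own worker and any exception is converted into an `error` finding for that control alone, the POA&M-hygiene pass runs last over the live findings, and a single control can be re-run on its own. The three checks, the POA&M tables and the scan date are constructed stand-ins for live AWS evaluation.

```python
"""Isolated, parallel control scan with a closing POA&M-hygiene pass (added example)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from datetime import date

PASS, WARN, FAIL, ERROR = "pass", "warn", "fail", "error"


@dataclass
class Finding:
    control_id: str
    status: str
    detail: str


# Constructed stand-ins for live checks; a real check would call AWS APIs.
def check_ac_2():
    return Finding("AC-2", PASS, "every IAM user has MFA enabled")


def check_au_2():
    return Finding("AU-2", FAIL, "CloudTrail not enabled in us-west-2")


def check_sc_8():  # simulates a check that blows up (permissions, throttling, ...)
    raise RuntimeError("AccessDenied calling DescribeLoadBalancers")


CHECKS = {"AC-2": check_ac_2, "AU-2": check_au_2, "SC-8": check_sc_8}

TODAY = date(2024, 6, 1)                       # constructed scan date
HEALTHY_POAM = {"AU-2": date(2025, 1, 15)}     # constructed: open item scheduled in the future
PAST_DUE_POAM = {"AU-2": date(2024, 1, 1)}     # constructed: open item whose date has slipped


def run_isolated(control_id, check):
    """Run one check; an exception becomes an ERROR finding for that control only."""
    try:
        return check()
    except Exception as exc:  # isolation: one bad check never fails the whole scan
        return Finding(control_id, ERROR, f"{type(exc).__name__}: {exc}")


def scan(checks=CHECKS, max_workers=8):
    """Evaluate every control at once and return {control_id: Finding}."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {cid: pool.submit(run_isolated, cid, fn) for cid, fn in checks.items()}
        return {cid: fut.result() for cid, fut in futures.items()}


def poam_hygiene(findings, poam_items, today=TODAY):
    """Hygiene pass: every open (failed) item needs a scheduled, not-past-due date.

    poam_items maps control_id -> scheduled completion date. Returns one FAIL
    finding per hygiene problem so it shows up on the board like any other.
    """
    problems = []
    for cid, finding in findings.items():
        if finding.status != FAIL:
            continue
        due = poam_items.get(cid)
        if due is None:
            problems.append(Finding(cid, FAIL, "open item has no scheduled completion date"))
        elif due < today:
            problems.append(Finding(cid, FAIL, f"scheduled completion date {due} is past due"))
    return problems


def rerun(control_id, checks=CHECKS):
    """Re-evaluate a single control right after it was fixed or attested."""
    return run_isolated(control_id, checks[control_id])


if __name__ == "__main__":
    results = scan()
    for cid, f in results.items():
        print(f"{cid}: {f.status} ({f.detail})")
    for p in poam_hygiene(results, PAST_DUE_POAM):
        print(f"POA&M hygiene: {p.control_id}: {p.detail}")
```

The hygiene pass deliberately reuses the `Finding` shape so a stale POA&M date is visible in the same place as a failed technical check rather than in a separate report.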

See the real failure — never a screenshot

When a control fails, ATAC shows you the truth, not just a red flag. Each failed control opens onto the actual cause — pulled live from your environment, right inside ATAC. When you're ready to fix it, ATAC walks you through remediation step by step.

  • Every failed control surfaced in one place — no hunting through services.
  • The actual misconfiguration, or the CloudTrail event behind it, shown live — not a trip to the console.
  • A plain-English explanation of why it failed and what "good" looks like.
  • Evidence captured and hashed straight from the source — never a screenshot that's stale the moment it's taken.
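What "captured and hashed straight from the source" means in practice, as an added example that is not ATAC's code: the raw API response for the misconfigured resource is canonicalized and SHA-256 hashed at capture time, so any later edit to the stored payload is detectable, and the plain-English explanation is derived from the captured fields rather than typed by hand. The trail description and the control/source labels are constructed stand-ins for a live call.

```python
"""Hash evidence at the source and verify it later (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a live trail description returned by the CloudTrail API.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "HomeRegion": "us-east-1",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
}


def canonical_bytes(obj):
    """Deterministic JSON encoding: same content -> same bytes -> same hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def capture_evidence(control_id, source, payload, captured_at=None):
    """Record what was seen, where, when, and the hash of exactly that payload."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    return {
        "control_id": control_id,
        "source": source,            # e.g. the API call the payload came from
        "captured_at": captured_at,
        "sha256": hashlib.sha256(canonical_bytes(payload)).hexdigest(),
        "payload": payload,
    }


def verify_evidence(record):
    """True only if the stored payload still hashes to the digest taken at capture."""
    return hashlib.sha256(canonical_bytes(record["payload"])).hexdigest() == record["sha256"]


def explain_failure(payload):
    """Plain-English reasons derived from the captured fields, each with what good looks like."""
    reasons = []
    if not payload.get("IsMultiRegionTrail"):
        reasons.append("trail is single-region; good: a multi-region trail so every "
                       "region's API activity is logged")
    if not payload.get("LogFileValidationEnabled"):
        reasons.append("log file validation is off; good: enabled so delivered log "
                       "files carry integrity digests")
    return reasons


if __name__ == "__main__":
    rec = capture_evidence("AU-12", "cloudtrail:GetTrail", SAMPLE_TRAIL)
    print(rec["sha256"], verify_evidence(rec))
    for r in explain_failure(SAMPLE_TRAIL):
        print("-", r)
```

Hashing the canonical form rather than the raw response text is what lets two captures of the same configuration compare equal even if the API returns keys in a different order.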

AWS Config Conformance Packs, crosswalked

The durable, AWS-native replacement for Audit Manager — and the source ATAC was built around.

  • Per-rule compliance status from your Conformance Packs is crosswalked onto NIST control IDs using each pack's authoritative SourceIdentifier — no hand-maintained mapping table.
  • Drill from a non-compliant pack rule straight to the sample non-compliant resources, with a plain-English summary written by our trained AI model — what the rule means and how to close it.
  • Pack name auto-detects the framework (NIST, FedRAMP, etc.); unmapped rules are surfaced explicitly so coverage gaps are visible, not silent.
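The crosswalk step, as an added example that is not ATAC's code: the pack name is matched to a framework, each pack rule is joined to NIST control IDs through its `SourceIdentifier`, rules with no crosswalk entry are returned explicitly, and a control's status is the worst of its contributing rules. The pack rules, compliance results and the `SourceIdentifier`-to-control crosswalk are all constructed stand-ins; in a real deployment the crosswalk is loaded from whatever authoritative source you trust, not typed in.

```python
"""Crosswalk Conformance Pack rule compliance onto NIST control IDs (added example)."""
import re
from collections import defaultdict

# Ordered: the more specific pattern must win before the generic "nist" one.
FRAMEWORK_PATTERNS = [
    (r"fedramp", "FedRAMP"),
    (r"nist[-_ ]?800[-_ ]?171", "NIST 800-171"),
    (r"nist", "NIST 800-53"),
    (r"(^|[-_ ])cis([-_ ]|$)", "CIS"),
]

# Constructed: rule name -> SourceIdentifier, as read from the pack template.
PACK_RULES = {
    "cloudtrail-enabled": "CLOUD_TRAIL_ENABLED",
    "iam-password-policy": "IAM_PASSWORD_POLICY",
    "custom-tag-check": "arn:aws:lambda:us-east-1:123456789012:function:tag-check",
}
# Constructed: per-rule compliance as the Config API reports it for the pack.
PACK_COMPLIANCE = {
    "cloudtrail-enabled": "NON_COMPLIANT",
    "iam-password-policy": "COMPLIANT",
    "custom-tag-check": "COMPLIANT",
}
# Constructed stand-in for the authoritative SourceIdentifier -> control crosswalk.
CROSSWALK = {
    "CLOUD_TRAIL_ENABLED": ["AU-2", "AU-12"],
    "IAM_PASSWORD_POLICY": ["IA-5"],
}


def detect_framework(pack_name):
    """Map a pack name to a framework label, or None if nothing matches."""
    lowered = pack_name.lower()
    for pattern, framework in FRAMEWORK_PATTERNS:
        if re.search(pattern, lowered):
            return framework
    return None


def crosswalk(pack_rules, compliance, xwalk):
    """Return ({control_id: [(rule, compliance_type), ...]}, [unmapped rule names])."""
    per_control = defaultdict(list)
    unmapped = []
    for rule, source_id in pack_rules.items():
        controls = xwalk.get(source_id)
        if not controls:
            unmapped.append(rule)          # surfaced, never silently dropped
            continue
        state = compliance.get(rule, "INSUFFICIENT_DATA")
        for cid in controls:
            per_control[cid].append((rule, state))
    return dict(per_control), unmapped


def control_status(rule_results):
    """Worst-wins roll-up: any NON_COMPLIANT rule fails the control."""
    states = {state for _, state in rule_results}
    if "NON_COMPLIANT" in states:
        return "fail"
    if "INSUFFICIENT_DATA" in states or "NOT_APPLICABLE" in states:
        return "warn"
    return "pass"


if __name__ == "__main__":
    print(detect_framework("Operational-Best-Practices-for-NIST-800-53-rev-5"))
    mapped, missing = crosswalk(PACK_RULES, PACK_COMPLIANCE, CROSSWALK)
    for cid, rules in mapped.items():
        print(cid, control_status(rules), rules)
    print("unmapped:", missing)
```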

Your Security Hub findings, folded in

ATAC doesn't reimplement what AWS already does — it consumes your Security Hub results and normalizes them alongside its own checks.

  • Security Hub's NIST 800-53 findings are pulled in and mapped to the same finding shape as ATAC's native checks.
  • Everything reads as one posture, so the AI remediation flow works on Security Hub findings the same as ATAC's own.
  • When an organization-wide aggregator is available, findings are read org-wide; otherwise they're read locally.

One source of truth, every framework

On top of the control catalog, ATAC derives a multi-framework view so you can report against whatever your program requires.

Per-framework posture

Live posture for FedRAMP, CIS, AWS FSBP, and NIST 800-171 — with an evaluating flag while a framework re-computes.

Responsibility model

Each control is classified configurable, inherited, shared, or organizational — driving the chips and remediation strip on every card.

Framework crosswalk

See control equivalence across frameworks, so one piece of evidence satisfies many standards.

Framework pills

Toggle to see everything at once, or zoom into a single framework.

Evidence, built in

For the controls that aren't automated, capturing proof is a drag-and-drop away.

  • Upload attestation evidence for policy and process controls; files are encrypted and versioned.
  • Bulk upload auto-matches each file to its control by the leading control-ID in the filename.
  • Filter the whole board instantly by status, tier, or text — entirely client-side.
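The bulk-upload auto-match, as an added example that is not ATAC's code: the leading NIST 800-53 control ID in a filename (family, number, optional enhancement in parentheses) is parsed and normalized, checked against the control families that actually exist, and only files whose ID is in the control catalog are matched; everything else is returned for manual assignment rather than guessed. The filenames and the small catalog are constructed.

```python
"""Match uploaded evidence files to controls by the leading control ID (added example)."""
import os
import re

# NIST SP 800-53 Rev. 5 control families.
NIST_FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
                 "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR"}

# Family, dash, number, optional "(n)" enhancement; must be followed by a
# separator or end so "AC-2x.pdf" is rejected while "AC-21.pdf" still parses.
CONTROL_ID = re.compile(r"^([A-Za-z]{2})-(\d+)(?:\((\d+)\))?(?=[ _.\-]|$)")

# Constructed: the subset of the catalog relevant to the sample uploads.
CATALOG = {"AC-2", "AC-2(1)", "AC-17", "AC-21", "SC-7", "IR-8"}


def control_id_from_filename(path):
    """Return the normalized control ID ("AC-2(1)") leading the filename, or None."""
    name = os.path.basename(path)
    match = CONTROL_ID.match(name)
    if not match:
        return None
    family = match.group(1).upper()
    if family not in NIST_FAMILIES:
        return None                       # "ZZ-1_..." is not a control ID
    cid = f"{family}-{int(match.group(2))}"   # int() drops zero padding: AC-02 -> AC-2
    if match.group(3):
        cid += f"({int(match.group(3))})"
    return cid


def match_uploads(filenames, catalog=CATALOG):
    """Group files by matched control; anything unparseable or unknown goes to unmatched."""
    matched, unmatched = {}, []
    for name in filenames:
        cid = control_id_from_filename(name)
        if cid and cid in catalog:
            matched.setdefault(cid, []).append(name)
        else:
            unmatched.append(name)
    return matched, unmatched


if __name__ == "__main__":
    sample = ["AC-2(1)_account-review.pdf", "ac-17 remote access policy.docx",
              "AC-02-policy.pdf", "uploads/SC-7.pdf", "report.pdf", "ZZ-1.pdf"]
    print(match_uploads(sample))
```

Requiring the ID to be in the catalog, not just well-formed, is the edge case worth keeping: a typo like `AC-27` parses fine but should land in the manual queue, not silently attach evidence to a control that is not in your baseline.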

See it on your own environment.

Install ATAC, click scan, and watch your controls come to life — agentless, serverless, and free until you run it.

Request a demo