CAAMS — Compliance and Auditing Made Simple
Open Source · Self-Hosted · No Vendor Lock-in

Compliance coverage
in seconds, not weeks

CAAMS maps your existing security tool stack against CIS, NIST, SOC 2, PCI DSS, and HIPAA — then hands you an auditor-ready gap analysis with evidence links and exportable reports. No consultants. No SaaS fees. Just answers.

5 frameworks · 80+ tools supported · 0 SaaS fees · < 5 min to first report
CAAMS — Q1 2026 CIS Review
Framework: CIS Controls v8
Coverage score: 83% (12 Covered · 3 Partial · 3 Not Covered)
  • CIS-1 Inventory and Control of Enterprise Assets: Covered
  • CIS-3 Data Protection: Partial
  • CIS-7 Continuous Vulnerability Management: Covered
  • CIS-12 Network Infrastructure Management: Not Covered
  • CIS-16 Application Software Security: Covered

Live preview of the CAAMS coverage UI (run locally in minutes).

Five frameworks, out of the box

Pick the framework that matches your audit, and CAAMS does the mapping. Need a custom framework? Drop a JSON file and re-seed.

CIS Controls (v8 · 18 controls)

The de facto standard for practical security hygiene. Maps your tool stack across all 18 safeguard categories.

NIST CSF (v2.0 · 6 functions · 22 categories)

Govern, Identify, Protect, Detect, Respond, Recover — full function coverage with category-level detail.

SOC 2 TSC (2017 · 9 trust criteria)

Trust Services Criteria for SaaS and cloud providers. Know exactly which CC controls your stack satisfies.

PCI DSS (v4.0 · 12 requirements)

Payment card security requirements, updated for v4.0. Identify gaps before your QSA does.

HIPAA Security Rule (45 CFR Part 164 · 16 standards)

Administrative, physical, and technical safeguards for electronic protected health information (ePHI).

Bring your own framework

Drop a JSON file in app/data/ and re-run seed.py. Any custom or internal framework works.

Everything an auditor expects

Not just a checklist — CAAMS gives you evidence management, ownership tracking, and exportable artifacts that hold up in a real audit.

Automatic gap analysis

Select your deployed tools and get an instant, per-control coverage map. Green, amber, and red — no guesswork.

Tool configuration

Toggle MFA enforcement, log retention days, backup testing, and hardening per tool to unlock additional coverage tags.

Evidence links

Paste a URL per control — SharePoint, Google Drive, Confluence, anything — and open it directly from the detail drawer.

Compensating control overrides

Manually set a control status with a justification and optional expiry date. Overrides revert automatically when they expire.

Ownership tracking

Assign owner, team, and evidence owner per control — editable inline directly in the table. No separate spreadsheets needed.

Tool recommendations

Ranked list of tools you don't yet have that would close the most gaps. Prioritize your security investments intelligently.

Assessment history & cloning

Load any past assessment without leaving the page. Clone for quarterly snapshots or side-by-side framework comparisons.

Full REST API

FastAPI backend with interactive Swagger docs at /docs. Automate assessments, pipe data into your own tooling.

Role-based access control

Admin, contributor, and viewer roles with JWT auth and rate limiting. Safe to deploy on your internal network or VPN.

From zero to gap analysis in minutes

No agents. No cloud sync. Just a self-hosted Python server and a browser.

1. Name your assessment & pick a framework

Give it a meaningful name (e.g. Q1 2026 SOC 2 Review), select the framework you're being audited against, and hit go.

2. Check off your tools

Browse the 80+ tool catalog (CrowdStrike, Okta, Splunk, AWS, and more). Expand each tool to configure options like MFA enforcement, log retention, and hardening to unlock extra coverage tags.

Example tools: CrowdStrike Falcon, Okta, Microsoft Sentinel, Qualys, Palo Alto NGFW, Microsoft Intune, Wiz, and 75 more.

3. Analyze coverage

Click Analyze Coverage. CAAMS' mapping engine computes per-control status in milliseconds. Covered, Partial, or Not Covered — with the exact missing capability tags called out.

4. Add notes, evidence, and overrides

Click any control row to open the detail drawer. Paste evidence URLs, write audit notes, assign owners, or enter a compensating control override with justification and expiry date.

5. Export and hand to your auditor

One click for XLSX (four-sheet workbook) or PDF (branded cover + executive summary + control table). Hand it directly to your auditor, QSA, or compliance committee.

Auditor-ready exports, one click

No copy-pasting into spreadsheets. No reformatting for leadership. CAAMS generates the artifacts your stakeholders actually need.

XLSX Workbook
Four-sheet workbook · openpyxl
  • Summary — assessment name, framework, and aggregate metrics
  • Coverage Report — all controls with status, owners, covered-by tools, missing tags, notes, evidence links, and override details. Overridden rows highlighted.
  • Evidence Checklist — one row per evidence item, pre-populated with owners and notes. Hand directly to your auditor.
  • Recommendations — top tool suggestions ranked by controls improved (omitted if fully covered)
PDF Report
Branded document · ReportLab
  • Branded cover page — assessment name, date, framework, and your organization
  • Executive summary — overall score, covered / partial / not-covered counts at a glance
  • Color-coded control table — per-control status with notes and override indicators
  • Ready to hand to a board, compliance committee, or external auditor without further editing

80+ tools across 20+ categories — and growing

SentinelOne, CrowdStrike Falcon, Microsoft Defender, Palo Alto NGFW, Cisco Firewall, Okta, Microsoft Entra ID, JumpCloud, Duo Security, CyberArk, Splunk, Microsoft Sentinel, Qualys, Tenable / Nessus, Wiz, Prisma Cloud, KnowBe4, Veeam, AWS, Microsoft Azure, Google Cloud, Cisco Umbrella, Zscaler, Darktrace, Snyk, Cloudflare WAF, Microsoft Intune, Jamf, HashiCorp Vault, ServiceNow GRC, Drata, Varonis, Recorded Future, PagerDuty, Rubrik, Aqua Security, Cortex XDR, and dozens more.

Fully open source

CAAMS is MIT-licensed and lives entirely on your infrastructure. No telemetry. No phone-home. No per-seat pricing. Your compliance data never leaves your network.

Self-hosted

Runs on any machine with Python 3.11+. SQLite database — zero configuration. Works fully air-gapped.

Extensible

Add frameworks with a JSON file. Add tools in the catalog. No code changes required for most customizations.

Contributions welcome

Missing a framework or tool? Open a PR. The community makes CAAMS better for everyone.

Up and running in 3 commands

Python 3.11+ required. SQLite is included — no database server needed.

1 — Clone & install
# Clone the repo
git clone https://github.com/naterohrer/caams.git && cd caams
# Install dependencies
pip install -r requirements.txt
2 — Seed the database
# Loads all frameworks + 80+ tool catalog (safe to re-run)
python seed.py
3 — Start the server
uvicorn app.main:app --reload
# Then open http://localhost:8000 in your browser
# Swagger API docs: http://localhost:8000/docs
Try the demo locally

After seeding, CAAMS ships with all frameworks and the full tool catalog pre-loaded. Create your first assessment, select a handful of tools, and click Analyze Coverage to see live results immediately — no sample data import required. The interactive Swagger UI at /docs lets you explore the full REST API.