Evidence is how you prove to SecurAtlas — and to auditors — that your security controls are actually in place. This page covers what counts as evidence, how the expiry system works, how evidence confidence affects your risk score, and how to obtain evidence certificates.

What evidence is and why it matters

Marking a control as implemented signals your intent, but it does not by itself raise your compliance score. Evidence is the supporting documentation or data that validates your claim. Without evidence, controls — especially required severity 5 controls — receive limited or no credit toward your risk score and framework readiness percentages. Evidence is attached directly to individual controls. Each control can hold multiple evidence items, and together they form the documented proof of your security program.

Evidence types

SecurAtlas accepts the following types of evidence:
| Type | Examples |
| --- | --- |
| Policies | Written security policies, procedures, and standards |
| Screenshots | Captured configurations, system settings, or tool outputs |
| Certificates | Compliance certificates, vendor attestations, or third-party assessments |
| Audit reports | Internal or external audit findings and remediation records |
| Automated findings | Data pulled automatically from connected integrations (such as AWS Security Hub or Microsoft Defender) |

Automated findings from integrations are particularly valuable because they are collected directly from your environment, which gives them higher evidence confidence scores than manually uploaded documents.

Evidence expiry

Every evidence item has an expiry date. When evidence expires, it stops contributing to your compliance score and framework readiness percentages — as though the evidence were never there.
  • The default expiry window is 365 days from upload.
  • Your workspace administrator can configure a different expiry window in workspace settings.
  • Evidence approaching its expiry date is labeled expiring soon (within 30 days of expiry).
  • Expired evidence is labeled expired and no longer counts toward your score.
SecurAtlas displays a banner warning on the dashboard when any evidence items are expiring within the next 30 days. Renew or replace expiring evidence promptly to maintain your score and avoid gaps in framework compliance.
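
An added example (not SecurAtlas code or its API) that applies the expiry rules above to an evidence inventory and flags controls that are about to lose all credit. The inventory, control IDs, field names and function names are constructed for illustration, and the boundary handling (evidence still counts on its expiry date) is an assumption.

```python
from collections import defaultdict
from datetime import date, timedelta

DEFAULT_WINDOW_DAYS = 365   # page: default expiry window, counted from upload
EXPIRING_SOON_DAYS = 30     # page: "expiring soon" within 30 days of expiry


def evidence_status(uploaded, today, window_days=DEFAULT_WINDOW_DAYS):
    """Return (status, expiry_date) for one evidence item."""
    expires = uploaded + timedelta(days=window_days)
    # Assumption: evidence still counts on its expiry date, expired the day after.
    if today > expires:
        return "expired", expires
    if (expires - today).days <= EXPIRING_SOON_DAYS:
        return "expiring soon", expires
    return "active", expires


def controls_at_risk(evidence, today, window_days=DEFAULT_WINDOW_DAYS):
    """Map control -> 'uncovered' (every item expired) or 'renew' (no item
    remains active beyond the expiring-soon window)."""
    by_control = defaultdict(list)
    for item in evidence:
        status, _ = evidence_status(item["uploaded"], today, window_days)
        by_control[item["control"]].append(status)
    report = {}
    for control, statuses in by_control.items():
        if all(s == "expired" for s in statuses):
            report[control] = "uncovered"
        elif "active" not in statuses:
            report[control] = "renew"
    return report


# Constructed inventory; control IDs and field names are hypothetical.
EVIDENCE = [
    {"control": "AC-01", "type": "policy", "uploaded": date(2024, 1, 10)},
    {"control": "AC-01", "type": "automated finding", "uploaded": date(2024, 11, 2)},
    {"control": "LG-04", "type": "screenshot", "uploaded": date(2024, 3, 20)},
    {"control": "BK-02", "type": "audit report", "uploaded": date(2024, 1, 5)},
    {"control": "BK-02", "type": "certificate", "uploaded": date(2024, 2, 14)},
]

if __name__ == "__main__":
    today = date(2025, 3, 1)
    for control, action in sorted(controls_at_risk(EVIDENCE, today).items()):
        print(control, action)
```

A control with one expired item and one active item (AC-01 here) is not flagged, because the remaining active evidence still supports it.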

Evidence statuses

| Status | Meaning |
| --- | --- |
| Active | Evidence is current and contributing to your score |
| Expiring soon | Evidence expires within 30 days; action recommended |
| Expired | Evidence has passed its expiry date and no longer contributes |

Evidence confidence

Each evidence item carries a confidence score — a measure of how strongly the evidence proves that the control is implemented. The confidence score influences how much credit the associated control receives toward your risk score. High-confidence evidence (for example, an automated finding directly from your cloud environment) contributes more to your score than low-confidence evidence (for example, a brief policy document with no supporting data). When a control has multiple evidence items, their confidence scores are combined to produce an overall confidence level for the control. For a detailed breakdown of confidence thresholds, see Risk Scoring.

Downloading evidence certificates

SecurAtlas can generate an evidence certificate for each control. The certificate summarizes the control, its current status, and the evidence on file. You can download it directly from the control detail view. Evidence certificates are useful when sharing proof of compliance with customers, partners, or auditors outside of the SecurAtlas platform. They provide a timestamped, portable record of your implementation status. For step-by-step instructions on uploading evidence and managing expiry, see the Evidence guide.