The reporting engine is out, and we are genuinely happy with it.
Most GRC platforms hand you a folder of separate exports at the end of a quarter. The board gets one document, the auditor gets another, the risk team gets a third, and somebody on the team spends a weekend reconciling them. That is not reporting. That is unpaid work.
So we built something different. A single engine that pulls from every module on the platform and produces one unified report.
Pulls from every module
ISO 27001, SOC 2, DORA, HIPAA, CMMC, NCA ECC, SAMA CSF, GDPR, and every other framework on the platform. The risk register. Threat monitoring. Attack surface. Vendor management. HR personnel security. The engine reaches all of it.
90 reporting facts in total. Each fact is a structured statement resolved from live data: annualised loss expectancy, framework readiness, open critical risks, vendor concentration by tier, training completion by role, attack surface trend, control effectiveness by domain. The report assembles the facts that matter for the audience.
Three tones
A board director and a risk analyst are not reading the same document even when the organisation is identical.
One wants annualised loss exposure and CVSS distributions. Another wants peer comparison and a number to put next to a budget line. A third wants the regulatory framing for a supervisory conversation. The engine handles all three. Same underlying data, three legitimate readings of it.
Three formats
PDF for the version that gets signed and circulated. DOCX for the version that gets edited. XLSX for the underlying numbers when somebody wants to interrogate the model.
Three languages
English, Spanish, Arabic. Each language is native, not bolted on. The data layer, the formatting layer, and the typography layer carry the locale through. Arabic includes full RTL rendering across prose, tables, and headers.
2,430 execution permutations
90 facts, three tones, three formats, three languages. The engine has to handle every combination cleanly.
Getting there was not straightforward. The first full run surfaced the kind of issues you only catch by testing every combination: Arabic tables that rendered correctly in Word but not in PDF, language settings that dropped out in one corner of the system, numbers that formatted as text in one template but not another. We worked through each one. The engine now runs cleanly across all 2,430 combinations and is in production.
Enterprise-tier only
This is built for organisations running multiple frameworks, multiple jurisdictions, and multiple audiences who all need to see the same operational reality through different lenses.
Where this lands
RateYourCyber now supports ISO 27001, SOC 2, GDPR, DORA, NIS2, NCA ECC, SACS-002, SAMA CSF, HIPAA, CMMC, LFPDPPP, ESG Reporting, and NIST CSF within a single platform.
One assessment platform. One risk register. One Policy Centre. One reporting engine that brings all of it together for whoever needs to read it, in whatever language, at whatever level of technical depth.
See the Reporting Engine in Action
Available on Enterprise-tier plans. Book a demo or explore the platform.