Platform

Compliance Infrastructure, Not Just Software

Four integrated components that form a closed-loop compliance system. Each layer is independently scalable and standards-native.

01 Credential Registry

The Source Record for Every Credential

The Credential Registry is a tamper-evident store of verifiable credentials anchored to issuer DIDs. When Palo Alto Networks issues a PCNSA certification, that credential lives in the registry with cryptographic proof of its origin. No manual entry. No self-reported data.

W3C Verifiable Credentials 2.0: Open standard credential format with cryptographic signatures and DID anchoring.
Issuer-Direct Publishing: Certified authorities publish credentials directly. Third-party aggregation is not the data source.
Revocation Propagation: Issuer revocations are reflected immediately. No stale credential window.
Multi-Issuer Architecture: A single registry serves credentials from all connected issuers. One query surface, unlimited issuers.
credential-registry / query (Live)
Credential | Issuer DID | Status
PCNSA v2024 | did:certcor:issuer:paloalto | Valid
CISSP — 2023 Cycle | did:certcor:issuer:isc2 | Valid
CISM — Enterprise Track | did:certcor:issuer:isaca | Expiring 47d
AWS-SAA-C03 | did:certcor:issuer:aws | Valid
Security+ CE 2022 | did:certcor:issuer:comptia | Revoked
02 Rules Engine

Compliance Logic That Leaves No Room for Interpretation

Compliance rules are expressed as a JSON Abstract Syntax Tree DSL. Logic is explicit, versioned, and machine-executable. An LLM-to-DSL pipeline allows rule authoring in plain language and compiles to the canonical AST. No ambiguity survives the compilation step.

JSON AST DSL: Rules are data structures, not scripts. Fully auditable, versionable, and diff-able.
LLM-to-DSL Authoring: Express rules in plain language. The pipeline compiles to canonical AST with human review before publish.
Rule Versioning: Every rule change is a new version. Historical evaluations can be replayed against any rule version.
Composable Logic: Rules compose via AND, OR, NOT, and threshold operators. Complex requirements map to clean AST trees.
rules / PCNSA-REQUIRED.json v3.1.0
{
  "rule": "PCNSA-REQUIRED",
  "version": "3.1.0",
  "logic": {
    "op": "AND",
    "conditions": [
      {
        "credential_type": "PCNSA",
        "issuer_did": "did:certcor:issuer:paloalto",
        "not_expired": true,
        "not_revoked": true
      },
      {
        "op": "OR",
        "min_score": 700
      }
    ]
  },
  "on_fail": "NON_COMPLIANT"
}
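A rule expressed as a JSON AST is only useful with an interpreter that walks it, and the page does not show one. The block below is an added example, not the platform's own engine: a small evaluator for the operator set the page names (AND, OR, NOT, and a threshold operator) over leaf conditions of the shape shown in the PCNSA-REQUIRED snippet. The credential record layout, the THRESHOLD node shape (`"min"` plus `"conditions"`), and the placement of `min_score` inside a leaf condition are assumptions made for the example; the sample credentials are constructed.

```python
"""Interpreter for a JSON-AST compliance rule (added example, not the platform's code).

Assumed shapes:
  leaf condition: any of credential_type, issuer_did, not_expired,
                  not_revoked, min_score; a leaf holds if at least one
                  credential satisfies every field it names.
  operator node:  {"op": "AND"|"OR"|"NOT"|"THRESHOLD", "conditions": [...], "min": n}
"""
import json
from datetime import date

# Constructed sample registry entries for one subject (assumed record layout).
CREDENTIALS = [
    {"type": "PCNSA", "issuer_did": "did:certcor:issuer:paloalto",
     "expires": "2026-01-31", "revoked": False, "score": 742},
    {"type": "CISSP", "issuer_did": "did:certcor:issuer:isc2",
     "expires": "2025-03-01", "revoked": False, "score": None},
    {"type": "Security+", "issuer_did": "did:certcor:issuer:comptia",
     "expires": "2027-06-30", "revoked": True, "score": 760},
]

# Rule modelled on the page's PCNSA-REQUIRED snippet, extended with a
# THRESHOLD node (at least one of two secondary certifications).
RULE = json.dumps({
    "rule": "PCNSA-REQUIRED", "version": "3.1.0",
    "logic": {"op": "AND", "conditions": [
        {"credential_type": "PCNSA", "issuer_did": "did:certcor:issuer:paloalto",
         "not_expired": True, "not_revoked": True, "min_score": 700},
        {"op": "THRESHOLD", "min": 1, "conditions": [
            {"credential_type": "CISSP", "not_expired": True},
            {"credential_type": "CISM", "not_expired": True}]}]},
    "on_fail": "NON_COMPLIANT"})

# A NOT rule: the subject must hold no revoked Security+ credential.
NO_REVOKED_RULE = json.dumps({
    "rule": "NO-REVOKED-SECPLUS", "version": "1.0.0",
    "logic": {"op": "NOT", "conditions": [
        {"credential_type": "Security+", "revoked_only": True}]},
    "on_fail": "NON_COMPLIANT"})


def leaf_matches(cond, cred, as_of):
    """True when one credential satisfies every field the leaf names."""
    if "credential_type" in cond and cred["type"] != cond["credential_type"]:
        return False
    if "issuer_did" in cond and cred["issuer_did"] != cond["issuer_did"]:
        return False
    if cond.get("not_revoked") and cred["revoked"]:
        return False
    if cond.get("revoked_only") and not cred["revoked"]:
        return False
    if cond.get("not_expired") and date.fromisoformat(cred["expires"]) < as_of:
        return False
    if "min_score" in cond:
        if cred["score"] is None or cred["score"] < cond["min_score"]:
            return False
    return True


def evaluate(node, creds, as_of):
    """Recursively evaluate an AST node against the subject's credentials."""
    op = node.get("op")
    if op is None:                      # leaf condition
        return any(leaf_matches(node, c, as_of) for c in creds)
    conds = node.get("conditions", [])
    if op == "AND":
        return all(evaluate(c, creds, as_of) for c in conds)
    if op == "OR":
        return any(evaluate(c, creds, as_of) for c in conds)
    if op == "NOT":
        return not evaluate(conds[0], creds, as_of)
    if op == "THRESHOLD":               # at least `min` conditions must hold
        return sum(evaluate(c, creds, as_of) for c in conds) >= node["min"]
    raise ValueError(f"unknown op {op!r}")


def run_rule(rule_json, creds, as_of_iso):
    """Evaluate a rule as of a given date; returns COMPLIANT or the rule's on_fail."""
    rule = json.loads(rule_json)
    ok = evaluate(rule["logic"], creds, date.fromisoformat(as_of_iso))
    return "COMPLIANT" if ok else rule.get("on_fail", "NON_COMPLIANT")


if __name__ == "__main__":
    # Same rule, two evaluation dates: the CISSP expiry on 2025-03-01 flips the result.
    print(run_rule(RULE, CREDENTIALS, "2025-02-01"))        # COMPLIANT
    print(run_rule(RULE, CREDENTIALS, "2025-06-01"))        # NON_COMPLIANT
    print(run_rule(NO_REVOKED_RULE, CREDENTIALS, "2025-06-01"))  # NON_COMPLIANT
```

Because the evaluation date is a parameter rather than `date.today()`, the same rule version can be replayed against a historical moment, which is what the "Rule Versioning" item above requires; a missing field in a leaf simply leaves that dimension unconstrained, so a rule author must name `not_revoked` explicitly to exclude revoked credentials.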
03 Compliance Evaluator

Continuous Evaluation. No Polling Windows.

The Evaluator executes rules against the Credential Registry on a continuous basis. Every credential event triggers a re-evaluation cascade. Compliance state is never stale. An organization's posture is always current.

Event-Driven Architecture: Credential issuance, expiry, and revocation events all trigger immediate re-evaluation.
Sub-200ms Latency: Evaluation results returned in under 200 milliseconds at scale.
Org Graph Traversal: Evaluate compliance at individual, team, department, or full organization scope.
Multi-Rule Evaluation: Subjects are evaluated against all applicable rules simultaneously. One request, full posture.
evaluator / org-posture (Real-time)
Subject | Score | Status
J. Kowalski — Engineering | 1.000 | Compliant
M. Okonkwo — Security | 1.000 | Compliant
R. Patel — Cloud Ops | 0.720 | Partial
S. Andreev — DevSecOps | 0.000 | Non-Compliant
T. Nakamura — Architecture | 1.000 | Compliant
04 Audit Layer

Complete Provenance. Every Evaluation. Always.

Every compliance evaluation is recorded as an immutable audit event. The full chain from credential issuance to compliance determination is traceable. When an auditor asks "what was the compliance state of the cloud team on March 3rd at 14:22," the answer is available without reconstruction.

Immutable Event Log: All compliance events are append-only with cryptographic chaining. No retroactive modification.
Point-in-Time Queries: Retrieve authoritative compliance state for any subject at any historical moment.
Audit Export: Export complete audit packages in standard formats for regulatory submission or internal review.
Alerting Integration: Route compliance state changes to SIEM, ticketing, or webhook endpoints.
audit / event-stream (append-only)
14:22:31Z  CREDENTIAL_REVOKED — PCNSA v2022 for did:certcor:user:s_andreev revoked by issuer
14:22:31Z  EVAL_TRIGGERED — Re-evaluation cascade for 14 subjects in org:devsecops
14:22:32Z  STATUS_CHANGED — s_andreev: COMPLIANT → NON_COMPLIANT on rule PCNSA-REQUIRED
14:22:32Z  ALERT_DISPATCHED — Webhook delivered to org:acme-corp / security-team channel
14:22:32Z  AUDIT_SEALED — evt_01HZ9K3XP chain link committed. hash: 9f3a2c...
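The two properties this layer promises, append-only events with cryptographic chaining and point-in-time state queries, are easy to state and worth seeing concretely. The block below is an added example, not the platform's implementation: a hash-chained log where each entry commits to the previous entry's hash, a verifier that recomputes every link, and a point-in-time query over STATUS_CHANGED events. The chaining scheme (SHA-256 over the previous hash plus canonical JSON of the event body), the event field layout, and the sample events (modelled on the stream shown above, with constructed timestamps) are assumptions made for the example.

```python
"""Append-only, hash-chained audit log with point-in-time queries
(added example, not the platform's own code).

Each entry's hash covers the previous hash and the canonical JSON of the
entry body, so editing or reordering any historical entry breaks every
link from that point on.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def link_hash(prev_hash, body):
    """SHA-256 over the previous link and the canonical JSON of the body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.events = []  # entries are only ever appended

    def append(self, ts, event_type, data):
        """Seal a new entry onto the chain; returns its hash."""
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = {"seq": len(self.events), "ts": ts, "type": event_type,
                "data": data, "prev": prev}
        entry = dict(body, hash=link_hash(prev, body))
        self.events.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every link. Returns -1 if intact, else the first bad index."""
        prev = GENESIS
        for i, e in enumerate(self.events):
            body = {k: e[k] for k in ("seq", "ts", "type", "data", "prev")}
            if e["seq"] != i or e["prev"] != prev or link_hash(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def status_at(self, subject, rule, ts):
        """Point-in-time query: state of (subject, rule) as of timestamp ts.

        Timestamps are ISO-8601 UTC strings of equal format, so string
        comparison is chronological. Returns None if no state was recorded.
        """
        status = None
        for e in self.events:
            if e["ts"] > ts:
                break
            d = e["data"]
            if (e["type"] == "STATUS_CHANGED" and d["subject"] == subject
                    and d["rule"] == rule):
                status = d["to"]
        return status


def build_sample_log():
    """Constructed events modelled on the page's event stream."""
    log = AuditLog()
    log.append("2025-03-03T09:00:00Z", "STATUS_CHANGED",
               {"subject": "s_andreev", "rule": "PCNSA-REQUIRED",
                "from": None, "to": "COMPLIANT"})
    log.append("2025-03-03T14:22:31Z", "CREDENTIAL_REVOKED",
               {"subject": "s_andreev", "credential": "PCNSA v2022"})
    log.append("2025-03-03T14:22:31Z", "EVAL_TRIGGERED",
               {"org": "devsecops", "subjects": 14})
    log.append("2025-03-03T14:22:32Z", "STATUS_CHANGED",
               {"subject": "s_andreev", "rule": "PCNSA-REQUIRED",
                "from": "COMPLIANT", "to": "NON_COMPLIANT"})
    return log


def tamper_demo():
    """Edit a sealed entry in place; the verifier reports its index."""
    log = build_sample_log()
    log.events[3]["data"]["to"] = "COMPLIANT"  # retroactive "fix" of history
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                                                    # -1 (intact)
    print(log.status_at("s_andreev", "PCNSA-REQUIRED", "2025-03-03T14:22:00Z"))  # COMPLIANT
    print(log.status_at("s_andreev", "PCNSA-REQUIRED", "2025-03-03T14:22:32Z"))  # NON_COMPLIANT
    print(tamper_demo())                                                   # 3
```

In-process chaining only proves that the log is internally consistent; to make it evidence an auditor can trust independently of the operator, the head hash has to be anchored somewhere the operator cannot rewrite (an external timestamping service, a write-once store, or a signed receipt handed to the customer), which is the role the `AUDIT_SEALED` event in the stream above suggests.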
Architecture

Designed for Production From Day One

Each layer is independently deployable, horizontally scalable, and built on open standards.

System Stack
L4 API + Auth Surface: REST and webhook endpoints secured via Passcore IAM. OIDC, OAuth 2.0, and API key authentication supported.
L3 Compliance Evaluator: Stateless evaluation workers. Horizontally scalable. Event-driven trigger via credential event bus.
L2 Rules Engine + Registry: Rules stored as versioned JSON AST. Registry backed by PostgreSQL with Redis read cache.
L1 Issuer Integration Layer: DID-authenticated issuer API surface. Credentials published via signed W3C VC 2.0 payloads.
L0 Audit + Event Store: Immutable append-only event log. Cryptographically chained. Exportable at any time for regulatory review.