Use the fabric: what to adopt, in what order.
An enterprise-facing decision-support view over the live corpus: which external frameworks to combine, how mandatory each area is, the fewest control-groups to implement, and where the authoritative sourcing lives.
Framework combination
You may already align to one or more external frameworks. Apeiris maps each framework to the controls it touches, then shows the fewest frameworks to combine for the widest control coverage — and, for any framework you hold, which others add the most new ground and which are largely redundant. An adoption decision aid, not a statement about corpus completeness.
Pick your anchor framework
You may already align to a framework — or want to anchor a rollout on one. Pick it once: both views below react to the same choice — the fewest frameworks to combine starting from it, and which others best complement it.
Combine for coverage · the fewest frameworks, widest reach
The fewest external frameworks to align to for the widest control coverage, starting from your selected anchor — each step names the framework that adds the most not-yet-covered controls next.
Loading framework combinations…
What complements what
Which other frameworks add the most new controls at low overlap to your selected anchor — and which are largely redundant, so you can skip them.
Method: each framework touches the controls it maps to; combine-for-coverage is a greedy set-cover picking the framework that adds the most not-yet-covered controls next, and complementarity is the Jaccard overlap of two frameworks’ control sets. Apeiris defines these mappings; the platform layer evaluates action context against them at runtime.
Obligation-level proof coverage
Coverage isn’t one percentage. For each anchored framework this reads the Evidence Proof Map: how many obligations Apeiris controls address directly vs only partially, how many controls are involved, and the framework’s current edition. Open the proof chains for the exact evidence each obligation needs — mapped is not satisfied.
Loading proof coverage…
Method: verdicts come from the human-curated coverage manifests (supported = addressed directly, partial = partial with a stated gap), recomputed on every rehash from proofmap.json.
Regulatory posture
How mandatory is the backing behind each domain? For every control Apeiris takes the strongest normative force among its mapped sources — binding law, regulation, or supervisory guidance reads as binding-backed; certification and voluntary standards read as voluntary-only. This view shows, per domain, how much of its backing rests on binding law versus voluntary standards, and which jurisdictions supply that binding force. It is descriptive, not a verdict.
Binding-backed vs voluntary-only · by domain
Each bar shows its binding percentage and counts as text; the voluntary-only segment also carries a diagonal-stripe pattern so it reads without relying on color.
Where the binding force comes from
Jurisdictions supplying the binding law and regulation behind mapped controls.
Method: per control, the strongest normative_force among its mapped sources sets binding-backed vs voluntary-only; jurisdictions are counted from the binding sources. Apeiris defines these mappings; the platform layer evaluates action context against them at runtime.
Implementation planner (what-if)
A planning aid, not a scorecard: pick a framework and Apeiris shows the fewest control-groups to implement, in order, to cover the most of it. Each framework's obligations are matched to Apeiris controls, then a greedy set-cover picks the domain that covers the most not-yet-covered obligations first — so you can see "implement X, add Y, and what the Apeiris corpus has not mapped to a control yet."
Loading implementation plans…
Method: obligations are matched to Apeiris controls from the per-framework coverage manifests; implement-order is a greedy set-cover over control-groups by domain, and not-yet-mapped obligations are those the Apeiris corpus has not mapped to a control yet — an Apeiris coverage note, not a task for you. Apeiris defines these mappings; the platform layer evaluates action context against them at runtime.
Coverage heat map
Which sources most strongly ground each domain, and how deeply each control is corroborated. Every source family we ingest maps into the 12 domains at a graded fit; this view renders that live — the strongest voices behind each domain, and where corroboration is lightest and most open to deepen.
Each cell's number is its mapped control count and its shade shows fit-weighted strength — the number keeps magnitude legible without relying on shade. Domain columns are labeled by name; colors are paired with labels and numbers for accessibility.
Each cell is a source family scored against a domain by fit-weighted strength (direct 1.0, partial 0.6, adjacent/supporting 0.3). Darker means the source grounds more of that domain more strongly. Empty means that source does not map into the domain today.
Each square is a control, shaded by how many distinct source families corroborate it — paler squares are the lightest-corroborated and the clearest opportunities to deepen. Apeiris defines these domains so every control names the sources that ground it; the platform layer evaluates them at runtime.
Source value & recommendations
Not every source counts equally. Apeiris scores each source family by leverage — how deeply it grounds controls, across how many domains, at what volume — so a broad-but-shallow source reads as lower value than a focused, deep one. This is the prescriptive view: which sources carry the most weight, and what each strong source would need to approach functional completeness. Family names link out to every control that cites them.
Value leaderboard
| # | Source family | Tier | Leverage | Controls | Domains | Depth |
|---|
Sorted by leverage. Volume alone does not win: a source with many controls but a short depth bar grounds each control only loosely, so it ranks below a focused source that grounds fewer controls deeply. Names in blue open every citing control, grouped by domain, on the references page.
Flagship sources · augment to complete
Light-coverage · low leverage today
Focused sources with few, mostly adjacent controls — or not confirmed current. Framed neutrally: low leverage today, candidates to deepen, extend, or set aside as the corpus matures.
Strengths & opportunities
Value is not volume. A narrow specialist that grounds one domain deeply is a strength, not a weakness — and a domain with a short bench is an invitation to deepen, not a flaw. Apeiris reads every source for what it is strong at, and every domain for where it is strongest and where it can grow next. Focused excellence counts; only redundant-and-shallow reads as light.
Grouped by role in the corpus. Backbone sources ground many domains; distinctive sources — including narrow specialists and the deepest voice in a domain — bring depth or coverage others do not; context and light sources corroborate coverage others also provide. Names in blue open every citing control on the references page.
Each domain's strongest sources, its depth rank across the 12, and its constructive focus areas. Where a domain has no cross-domain links authored yet, that is a roadmap signal — federation mapping still being explored — not a shortfall. Apeiris defines these domains; the platform layer evaluates action context against them at runtime.
Threat landscape & coverage
Apeiris maps each control to the threat categories and MITRE ATLAS techniques it addresses. This view reads that live: which threats the corpus covers most today, the ATLAS techniques mapped, and which meaningful threats are addressed by only a few controls so far — honest signal about where to deepen, not a verdict.
Threat → controls
Each threat category with the controls that address it. Search to narrow the list, then expand a threat to see every control — each links to its domain. Domain chips are colored and name-labeled so they read without relying on color.
Loading threat coverage…
MITRE ATLAS techniques mapped
Adversarial-ML techniques and mitigations from MITRE ATLAS that Apeiris controls address. Technique ids link to ATLAS; each control links to its domain.
Thinly-covered threats · attention areas
Meaningful threat categories addressed by only two or three controls today — candidate areas to deepen as the corpus matures, framed as signal rather than shortfall.
Method: threat categories are descriptive tags (with four or more controls) carried on each control; ATLAS entries are explicit control-to-technique mappings; thinly-covered threats are meaningful categories addressed by two or three controls today. Apeiris defines these mappings; the platform layer evaluates action context against them at runtime.
For adopters · framework combination, regulatory posture, implementation planning, sourcing & threat coverage · part of the analysis hub