HATS Market Positioning
For the evidence chain that supports these claims, see Claims Evidence.
The compliance and security standards landscape is populated by frameworks that were designed for a world where annual audits were the best available mechanism for verifying security posture. SOC 2, ISO 27001, NIST Cybersecurity Framework, and their peers serve important functions. They establish common vocabularies, define control categories, and create accountability structures. But they share a structural limitation: they verify security posture at a point in time and assume that posture persists until the next audit. HATS occupies a fundamentally different position in this landscape because it operates on continuous, cryptographically attested verification rather than periodic assessment.
Where SOC 2 Stops
SOC 2 Type II is the gold standard for SaaS vendor security assessment. A Type II report covers a period (typically 6-12 months) and provides an auditor's opinion on whether the organization's controls were suitably designed and operated effectively throughout that period. This is valuable. It is also structurally limited in three ways that HATS addresses.
First, SOC 2 is retrospective. The audit report describes what happened during the audit period. It is published weeks or months after the period ends. By the time a prospective customer or insurer reads a SOC 2 report, they are reading about control state that existed three to nine months ago. Controls may have changed since then. New systems may have been deployed. Configuration drift may have occurred. The SOC 2 report cannot speak to the current state of anything.
Second, SOC 2 relies on sampling. Auditors do not verify every control at every moment during the audit period. They select samples of evidence, test those samples, and form an opinion. This is a reasonable methodology given the constraints of human auditing, but it means that control failures between sample points may go undetected. An organization might have had a 48-hour period where MFA was disabled due to a configuration error, and if the auditor's sample did not include that period, it would not appear in the report.
Third, SOC 2 reports are not independently verifiable. The reader must trust the auditor's methodology, sampling, and judgment. There is no mechanism for a third party to independently verify the claims in a SOC 2 report without conducting their own audit. The report is an assertion by a trusted intermediary, not a verifiable proof.
HATS addresses all three limitations. HATS attestation is continuous, not retrospective; it reflects the current state of controls with latency measured in minutes, not months. HATS verification is exhaustive, not sampled; every check runs at every interval, and every result is recorded. HATS attestation is independently verifiable; any party with access to the attestation chain can verify any historical control state claim using only mathematics, not trust in an intermediary.
Where ISO 27001 Stops
ISO 27001 establishes an Information Security Management System (ISMS) framework. It focuses on organizational processes: risk assessment, control selection, management commitment, internal audit, and continuous improvement. An ISO 27001 certification means that an accredited certification body has assessed the organization's ISMS and found it conformant with the standard's requirements.
ISO 27001 operates at a higher level of abstraction than SOC 2. It specifies that an organization must have controls, must assess their effectiveness, and must improve them over time, but it does not prescribe specific technical controls or verification frequencies. An organization with ISO 27001 certification might check its firewall rules annually, quarterly, or never between audits, and still maintain certification as long as it can demonstrate a process for doing so.
HATS complements ISO 27001 by providing the continuous technical evidence that ISO 27001's process framework lacks. An organization that maintains ISO 27001 for management system governance and HATS for continuous technical verification has a significantly stronger overall security posture than either framework alone. The ISMS provides the management structure. HATS provides the machine-verified proof that the structure is producing results.
Where NIST CSF Stops
The NIST Cybersecurity Framework (CSF) provides a taxonomy of cybersecurity activities organized into functions (Identify, Protect, Detect, Respond, Recover), categories, and subcategories. It is a framework for thinking about cybersecurity, not a compliance standard with specific verification requirements. Organizations map their controls to the CSF categories and assess their maturity level in each area.
NIST CSF is intentionally flexible. It applies to organizations of any size, in any sector, at any maturity level. This flexibility is its strength and its limitation. Because CSF does not specify how controls should be verified or how often, two organizations claiming the same CSF maturity level might have vastly different actual security postures.
HATS provides the verification substrate that NIST CSF lacks. Each of the 20 HATS checks maps to specific CSF subcategories. An organization that maps its HATS attestation data to the CSF taxonomy can demonstrate not just that it has identified and implemented controls for specific CSF subcategories, but that those controls are continuously verified and the verification is cryptographically attested.
What HATS Adds That Frameworks Cannot
Three capabilities distinguish HATS from all periodic assessment frameworks: continuous attestation, replay verification, and post-quantum signatures.
Continuous attestation means that control state is verified and recorded at regular intervals measured in minutes, not months. The attestation chain provides a time series of verified control state that covers the entire operational history of the system. There are no gaps between annual audits. There is no reliance on sampling. Every check, at every interval, produces a verifiable record.
Replay verification means that any historical claim about control state can be independently verified. If an insurer needs to know whether MFA was enforced on a specific system at 2:17 PM on March 14th, they can query the attestation chain and receive a cryptographically verified answer. This capability does not exist in any other compliance framework. SOC 2, ISO 27001, and NIST CSF can assert what was generally true during a period; HATS can prove what was specifically true at a moment.
Post-quantum signatures mean that HATS attestation records will remain verifiable after quantum computers become capable of breaking classical cryptographic schemes. Every attestation in a HATS chain is signed with at least one NIST-approved post-quantum signature scheme. This ensures that the attestation chain maintains its integrity guarantees over the long term, which is critical for industries where audit trails must be retained for decades.
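An added illustration of the continuous-attestation and replay-verification model described above, not HATS's own record format or code: the record fields, the HMAC tag standing in for a post-quantum signature, the demo key and the 2024 timestamps are all constructed assumptions. It shows why an exhaustive, hash-linked record answers "was MFA enforced at 2:17 PM on March 14th?" even though the lapse fell between what an annual sample would have seen, and why a tampered record fails replay.

```python
import hashlib, hmac, json
# Constructed stand-in key: the standard library has no post-quantum signature
# scheme, so an HMAC tag marks where the HATS post-quantum signature would go.
SIGNING_KEY = b"constructed-demo-key"

def canonical(rec):
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()

def append(chain, ts, check_id, result):
    """Append one attestation record, linked to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    rec = {"ts": ts, "check": check_id, "result": result, "prev_hash": prev_hash}
    rec["hash"] = hashlib.sha256(canonical(rec)).hexdigest()
    rec["sig"] = hmac.new(SIGNING_KEY, rec["hash"].encode(), "sha256").hexdigest()
    chain.append(rec)
    return rec

def verify_chain(chain):
    """Replay the chain: every hash, back-link and tag must recompute."""
    prev_hash = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if (body["prev_hash"] != prev_hash
                or hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]):
            return False
        tag = hmac.new(SIGNING_KEY, rec["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, rec["sig"]):
            return False
        prev_hash = rec["hash"]
    return True

def state_at(chain, check_id, ts):
    """Replay verification: the last recorded result of check_id at time ts."""
    if not verify_chain(chain):
        raise ValueError("attestation chain failed replay verification")
    latest = None
    for rec in chain:  # ISO 8601 UTC strings order correctly as plain text
        if rec["check"] == check_id and rec["ts"] <= ts:
            latest = rec["result"]
    return latest

def demo_chain():
    """Constructed history: MFA enforced, a two-day lapse, then restored."""
    chain = []
    for ts, result in [("2024-03-13T00:00:00Z", "pass"),
                       ("2024-03-14T13:00:00Z", "fail"),
                       ("2024-03-16T13:00:00Z", "pass")]:
        append(chain, ts, "mfa_enforced", result)
    return chain
```

A real deployment would sign each record with the post-quantum scheme the standard requires and publish the chain head so a verifier needs no shared secret; the replay logic is otherwise the same.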
Complementary, Not Competitive
HATS does not replace SOC 2, ISO 27001, or NIST CSF. These frameworks serve different purposes at different levels of abstraction. SOC 2 provides third-party assurance for vendor assessment. ISO 27001 provides management system governance. NIST CSF provides a common taxonomy for cybersecurity activities.
HATS provides continuous, machine-verified, cryptographically attested evidence that technical controls are operating as intended. It fills the gap between periodic assessments. It provides the data that enables more precise risk assessment. It creates the verifiable proof that other frameworks assert but cannot independently demonstrate.
The strongest security posture combines all applicable frameworks: ISO 27001 for management governance, SOC 2 for independent assessment, NIST CSF for taxonomic rigor, and HATS for continuous cryptographic verification. Each layer addresses a different dimension of security assurance.
Market Context
The cyber insurance market is projected to exceed $30 billion in annual premiums by 2028. Insurers are increasingly dissatisfied with the quality of underwriting data they receive. Self-reported questionnaires produce unreliable data. Annual compliance certifications provide stale data. The market needs a mechanism for continuous, verifiable security posture data.
HATS is designed to serve this need. The Attested Risk Addendum describes how HATS data integrates into underwriting models. The Technical Specification describes the verification architecture. The Conformance Suite provides tools for implementing and validating HATS deployments.
For organizations evaluating HATS adoption, the key question is not whether HATS replaces their existing compliance programs. It does not. The question is whether continuous, cryptographically verified control evidence provides value beyond what their existing programs deliver. For organizations with cyber insurance, the answer is measurable in premium reductions. For organizations serving regulated industries, the answer is measurable in audit preparation time and audit finding rates. For organizations competing for enterprise customers, the answer is measurable in the speed and confidence of vendor security assessments.
See HATS in Context
Review the HATS Standard and understand how it integrates with your existing compliance programs.