The Field Notes.

Long-form writing from our GRC content team and field engineers. Mostly about how compliance frameworks actually behave in practice — the edge cases, the regulatory consultations no one is reading, and the engineering patterns that make audits boring.

/ Recent writing
041
Engineering

Why we model controls as a graph, not a tree.

A trade-off post on the data structure underneath the cross-mapping engine.

JOAQUIM ROCHA · 9 MIN · 2026·04·14
040
Regulatory

EU AI Act, Annex III: a working interpretation.

The high-risk classification questions our customers actually got from notified bodies.

ANAÏS BEAUMONT · 14 MIN · 2026·04·02
039
Field guide

The HIPAA risk analysis no one is doing right.

§164.308(a)(1)(ii)(A), in practice. With a worked example for a 12-hospital system.

M. CHEN · 11 MIN · 2026·03·19
038
Framework

PCI DSS 4.0 customised approach: who actually qualifies.

A reading of Appendix E, with five real customer scenarios and what their QSAs said.

L. VASQUEZ · 8 MIN · 2026·03·05
037
Customer

Inside Northwind Bank's DORA program.

A long-form interview with their VP, INFOSEC on the architectural choices that paid off.

EDITORIAL · 21 MIN · 2026·02·26
036
Whitepaper

A reference architecture for cross-framework evidence.

26 pages. The data model, the storage tier, and the integrity proofs we ship.

WHITEPAPER · 26 PP · 2026·02·12