Engineering
One Connector, One Compliance Test: How We Built 428 Integrations
July 7, 2026 · 5 min read
Most compliance tools treat integrations as a logo wall. We made each connector run a test. Here’s the engineering behind 428 vendor integrations — grounded in exactly what shipped.
Most compliance tools treat “integrations” as a logo wall: connect a vendor, pull some evidence, show a green checkmark. We took a different path. Last week we shipped 428 connectable vendor integrations — and the point of each one isn’t to collect a screenshot. It’s to run a test.
What actually shipped
Over a few days we brought our evidence-vendor catalog to 428 connectable integrations — parity with the 454-integration catalog buyers expect from tools like Vanta — and added first-class connectors across every layer of a modern stack:
- Identity & access: Auth0 (alongside our existing Okta path)
- Endpoint / MDM: Jamf Pro, Microsoft Intune, Kandji
- Cloud & infrastructure: AWS (multi-region), DigitalOcean, Kubernetes, Snowflake
- Observability & response: Datadog, New Relic, Splunk, Sentry, PagerDuty
- Security & edge: CrowdStrike Falcon, Cloudflare
- Dev & change management: Bitbucket, ServiceNow
The engineering idea: a connector lights up a test
In CATAAM, connecting a vendor does one specific thing beyond sync — it activates an automated compliance test against that vendor’s real configuration. A connector isn’t a data pipe; it’s a control check that now runs continuously. A few concrete examples from last week:
- Snowflake → MFA enforced on database access
- PagerDuty → on-call / incident-response coverage exists
- Jamf, Intune, Kandji → disk / device encryption (e.g. FileVault) enforced
- Kubernetes → RBAC and network-policy isolation
- CrowdStrike Falcon → endpoint sensor health
- DigitalOcean → VPC network isolation
- Datadog, New Relic → monitoring / alert policies configured
- ServiceNow → change-management process in force
Because the check is tied to the live vendor, this is continuous compliance rather than a point-in-time screenshot: the test re-runs, and if a control drifts the finding surfaces — and via our continuous security testing engine it latches back into the audit as evidence.
Why this is easier for customers
Connect a vendor once and the relevant tests light up automatically — no manual evidence gathering per control. Discovered assets flow into a single source-of-truth inventory, so the same connection feeds both your asset inventory and your control tests.
Honest scope
To be precise: 428 vendors are connectable in the catalog today, and the connectors above ship with live compliance tests now; we’re lighting up tests across the rest of the catalog on a rolling basis. This is an engineering direction we’re proud of, not a finished destination — and we’d rather tell you exactly where the line is.
If you’re evaluating compliance automation, that’s the difference worth testing: not how many logos a tool lists, but how many of them actually check something. See how it maps to a framework in SOC 2 or ISO 27001.
See continuous compliance in action
Explore continuous security testing →Frequently asked questions
- How many integrations does CATAAM have?
- CATAAM’s evidence-vendor catalog is 428 connectable integrations — parity with the 454-integration catalog buyers expect from tools like Vanta. The difference is what a connection does: each supported connector activates an automated compliance test against the vendor’s live configuration, not just an evidence pull.
- What does “a connector lights up a test” mean?
- Connecting a vendor activates a specific automated control check tied to that vendor — e.g. Snowflake checks MFA on database access, Jamf/Intune/Kandji check device encryption, Kubernetes checks RBAC and network-policy isolation. The test re-runs continuously, so control drift is caught and latched into the audit as evidence.
- Is this continuous compliance or point-in-time?
- Continuous. Because each test is tied to the live vendor configuration rather than a one-time screenshot, it re-runs and surfaces findings when a control drifts — turning every connected vendor into an ongoing control check.