REST API · MCP · Continuously refreshed

The compliance database your auditors and your AI agents can both trust.

RulesGraph turns NIST 800-53, ISO/IEC 27001, SOC 2, PCI DSS, HITRUST, NIS2, the EU AI Act, and many more frameworks into a live, typed graph. Relationships between standards are typed, not guessed. Revisions are captured as the sources change. Source-checked claims carry the exact passage and its URL, and everything else is graded so you can see how it was derived. Query it from your GRC tooling over REST, or hand it to your AI agents over MCP, against the same source of truth.

523 in the graph · 438 frameworks · 162 cross-mappings · 7 layers

Live: GET /v1/methodologies/hitrust-csf/dependencies
{
  "id": "hitrust-csf",
  "name": "HITRUST CSF (Common Security Framework)",
  "version": "11.8",
  "dependencies": [
    {
      "to": "nist-sp800-53-r5",
      "relationship": "builds on",
      "kind_label": "Framework",
      "grounding": "Source-checked",
      "confidence": 0.92,
      "evidence_source_url": "https://hitrustalliance.net/..."
    },
    {
      "to": "nist-csf-2-0",
      "relationship": "references",
      "kind_label": "Framework",
      "grounding": "Source-checked",
      "confidence": 0.85,
      "evidence_phrase": "Assessment and certification to the latest NIST specification"
    }
  ]
}
MCP tool: get_dependencies
// MCP tool call from your AI agent
{
  "tool": "get_dependencies",
  "arguments": { "id": "hitrust-csf" }
}

// Response: typed, with grounding on each edge
{
  "dependencies": [
    { "to": "nist-sp800-53-r5", "relationship": "builds on",
      "grounding": "Source-checked", "confidence": 0.92 },
    { "to": "nist-csf-2-0", "relationship": "references",
      "grounding": "Source-checked", "confidence": 0.85 }
  ]
}
What it is

Compliance, structured as data.

Most compliance tools treat each framework as a flat checklist. RulesGraph treats them as a connected graph: HITRUST CSF builds on NIST SP 800-53 and references NIST Cybersecurity Framework 2.0, which supersedes CSF 1.1. Each relationship is typed, revisions are captured as sources change, and source-checked claims point back to a primary source with the exact passage.

Typed, not flat

Frameworks, controls, certifications, registries, and regulators are first-class nodes. maps_to, supersedes, imports, recognized_by are typed edges. Query the graph the way auditors actually think about controls.

Versioned to the byte

Every fetched source is hashed and snapshotted. When NIST publishes a Rev 6 draft, when the EU AI Act gets an Annex revision, or when an ISO standard rolls to a new edition, RulesGraph captures the diff, types it as supersedes, and notifies dependents.

Audit-grade provenance

Every node carries its source URL, fetch timestamp, content hash, and the classifier's confidence trace. Cite a source-checked claim in an audit or an attestation, and the chain back to the primary source is one query deep.

The architecture

Seven layers of compliance.

RulesGraph organises every source into a seven-layer stack, modelled on how compliance frameworks actually compose in practice. Constitutional standards at the top, sector-specific controls in the middle, regulatory enforcement at the bottom.

L1

Constitutional standards

The top of the stack. ISO/IEC 27001, NIST CSF, NIST SP 800-53, ISO/IEC 27002.

L2

Disclosure and governance

SOX ITGC, DORA governance, NIS2 governance obligations, ISO/IEC 27014.

L3

Sector and activity controls

PCI DSS, HIPAA Security Rule, CJIS, TISAX, FERPA, GLBA Safeguards.

L4

Certification and attestation

AICPA SOC 1/2/3, ISO/IEC 27001 certification bodies, FedRAMP PMO, BSI C5, ENS.

L5

Integrity and meta-standards

CIS Controls, CMMC, ISO/IEC 27007, CSA STAR, HITRUST CSF.

L6

Demand-side buyer frameworks

Shared Assessments SIG, CAIQ, vendor risk questionnaires, third-party DDQs.

L7

Compliance regimes

GDPR, EU AI Act, CCPA/CPRA, NIS2 enforcement, DORA enforcement, China DSL, India DPDP, Brazil LGPD.

Frameworks covered include: NIST 800-53, ISO/IEC 27001, ISO/IEC 27002, SOC 2, PCI DSS v4, HIPAA, FedRAMP, DORA, NIS2, EU AI Act, GDPR, CIS Controls, CMMC, HITRUST, CSA STAR, BSI C5, ENISA, and more.
How it works

The pipeline behind every node.

RulesGraph is fully autonomous. A continuous pipeline crawls publication channels, classifies what it finds, extracts structured control data, and lands every change in the live graph. Four stages, every stage cryptographically traced.

1

Collect

Continuous polling of standards bodies, regulators, and certification registries. PDFs, HTML, OSCAL feeds, RSS, GitHub repos. Every fetch hashed and snapshotted.

2

Classify

Each change is typed by an LLM-assisted classifier: new control, revised control, deprecation, cross-mapping update, certification grant. Confidence scored, ambiguous cases queued for review.

3

Map

Controls are projected into the graph and linked to their dependents and cross-mapped equivalents in other frameworks. New edges proposed automatically; weak edges flagged for human approval.

4

Validate

Cascade engine recomputes downstream impact, notifies API subscribers of breaking changes, publishes the new revision with a signed plan CID. Every change is auditable end-to-end.
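The Collect and Validate stages above (and the "Versioned to the byte" section) describe hashing every fetch, typing a content change as supersedes, and notifying dependents over the typed graph. The following is an added example, not RulesGraph's own pipeline code: it keeps a snapshot record per fetch (URL, timestamp, SHA-256 of the exact bytes), turns a hash change into a supersedes revision record, and walks a constructed toy graph of typed edges in reverse to find who must be notified. The node "example-org-policy", the maps_to hop, and the example.invalid URL are assumptions made for the demonstration; only supersedes-style relationships are excluded from the dependency walk, which is a design choice of this example.

```python
import hashlib
from collections import deque
from datetime import datetime, timezone


def snapshot(source_url, content, fetched_at=None):
    """Provenance record for one fetch: where the bytes came from, when, and the
    SHA-256 of exactly what was received. fetched_at is an ISO-8601 string;
    it defaults to the current UTC time."""
    return {
        "source_url": source_url,
        "fetched_at": fetched_at or datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
    }


def detect_change(previous, current):
    """Compare the latest snapshot of a source with the previous one.
    None when the bytes are byte-identical, a 'new' record on first fetch,
    and a 'supersedes' revision record when the content hash moved."""
    if previous is None:
        return {"type": "new", "source_url": current["source_url"],
                "sha256": current["sha256"], "detected_at": current["fetched_at"]}
    if previous["source_url"] != current["source_url"]:
        raise ValueError("snapshots belong to different sources")
    if previous["sha256"] == current["sha256"]:
        return None
    return {"type": "supersedes", "source_url": current["source_url"],
            "new_sha256": current["sha256"], "old_sha256": previous["sha256"],
            "detected_at": current["fetched_at"]}


# Constructed toy graph of typed edges: (from, relationship, to). The first three
# edges are the ones this page describes; "example-org-policy" is made up to show
# a second hop in the cascade.
EDGES = [
    ("hitrust-csf", "builds on", "nist-sp800-53-r5"),
    ("hitrust-csf", "references", "nist-csf-2-0"),
    ("nist-csf-2-0", "supersedes", "nist-csf-1-1"),
    ("example-org-policy", "maps_to", "hitrust-csf"),  # constructed
]

# Relationships that make the source node depend on the target; a supersedes edge
# does not (the old edition's dependents are notified via the node itself).
DEPENDENCY_RELATIONSHIPS = ("builds on", "references", "imports", "maps_to")


def dependents(node, edges, relationships=DEPENDENCY_RELATIONSHIPS):
    """All nodes that transitively depend on `node`, in breadth-first order."""
    reverse = {}
    for src, rel, dst in edges:
        if rel in relationships:
            reverse.setdefault(dst, []).append(src)
    seen, order, queue = {node}, [], deque([node])
    while queue:
        cur = queue.popleft()
        for src in reverse.get(cur, []):
            if src not in seen:
                seen.add(src)
                order.append(src)
                queue.append(src)
    return order


def cascade(node, revision, edges):
    """One notification per transitive dependent when a revision lands on `node`."""
    if revision is None:
        return []
    digest = revision.get("new_sha256", revision.get("sha256"))
    return [{"notify": dep, "because": node, "revision": revision["type"], "sha256": digest}
            for dep in dependents(node, edges)]


if __name__ == "__main__":
    # Placeholder URL; constructed content standing in for two fetches of one source.
    url = "https://example.invalid/nist-sp800-53-r5"
    old = snapshot(url, b"control text, revision 5", "2024-01-01T00:00:00+00:00")
    new = snapshot(url, b"control text, revision 5, errata applied", "2024-06-01T00:00:00+00:00")
    rev = detect_change(old, new)
    for note in cascade("nist-sp800-53-r5", rev, EDGES):
        print(note)
```

The hash is over the raw bytes, so a changed whitespace run or a re-encoded PDF registers as a revision; that is the intended behaviour for an audit trail, and a content-level diff belongs in the Classify stage rather than here.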

Three ways in

REST, MCP, or the viewer.

Build against the live graph with whatever tool fits. The REST API is the workhorse. The MCP server gives Claude, Cursor, and other AI agents direct access. The viewer is for humans who want to navigate the graph visually.

REST API

Public read API at api.rulesgraph.com. Free tier is 600 req/min. Every endpoint returns typed JSON with full provenance metadata.

curl

# Fetch every control in NIST 800-53 Rev 5
# (-G keeps the call a GET and puts the parameter in the query string;
#  a bare -d would turn it into a POST with a body)
curl -G -H "Authorization: Bearer $RG_KEY" \
  "https://api.rulesgraph.com/v1/controls" \
  --data-urlencode "framework=nist-sp-800-53-r5"

# Walk the cross-mapping graph from a SOC 2 control
curl "https://api.rulesgraph.com/v1/controls/soc2-cc6.1/maps_to"
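The dependency document shown at the top of this page carries a grounding band, a confidence score and evidence on every edge. As an added example (not RulesGraph's client library), the Python below assembles the same GET requests the curl calls make, and filters a dependency document down to the edges an auditor could actually cite: Source-checked grounding, confidence at or above a threshold, and a source URL or quoted passage present. The sample document is constructed from the response on this page plus one made-up low-grade edge ("example-derived-framework" with an assumed grounding band "Derived") so the filter has something to drop; the network call is included for completeness but is not needed to run the filter.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample: the GET /v1/methodologies/hitrust-csf/dependencies shape
# shown on this page, plus one made-up edge (grounding band "Derived" is an
# assumption, not a band documented on the page).
SAMPLE_DEPENDENCIES = {
    "id": "hitrust-csf",
    "name": "HITRUST CSF (Common Security Framework)",
    "version": "11.8",
    "dependencies": [
        {"to": "nist-sp800-53-r5", "relationship": "builds on", "kind_label": "Framework",
         "grounding": "Source-checked", "confidence": 0.92,
         "evidence_source_url": "https://hitrustalliance.net/..."},
        {"to": "nist-csf-2-0", "relationship": "references", "kind_label": "Framework",
         "grounding": "Source-checked", "confidence": 0.85,
         "evidence_phrase": "Assessment and certification to the latest NIST specification"},
        {"to": "example-derived-framework", "relationship": "references", "kind_label": "Framework",
         "grounding": "Derived", "confidence": 0.40},  # constructed, not from the page
    ],
}


def build_get(base_url, path, params=None, api_key=None):
    """Assemble a GET as (url, headers). Parameters go in the query string; putting
    them in a request body would make the call a POST."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urlencode(params)
    headers = {"Accept": "application/json"}
    if api_key:
        headers["Authorization"] = "Bearer " + api_key
    return url, headers


def fetch_json(url, headers, timeout=10):
    """Live HTTP call (needs network); not used by the offline filter below."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def dependency_document(methodology_id, api_key=None, base_url="https://api.rulesgraph.com"):
    """Fetch a methodology's dependency document over the REST API."""
    url, headers = build_get(base_url, f"/v1/methodologies/{methodology_id}/dependencies",
                             api_key=api_key)
    return fetch_json(url, headers)


def citable_edges(doc, min_confidence=0.8):
    """Edges an auditor could cite: Source-checked grounding, confidence at or above
    the threshold, and at least one piece of evidence (source URL or quoted passage)."""
    cited = []
    for edge in doc.get("dependencies", []):
        if edge.get("grounding") != "Source-checked":
            continue
        if float(edge.get("confidence", 0.0)) < min_confidence:
            continue
        evidence = edge.get("evidence_source_url") or edge.get("evidence_phrase")
        if not evidence:
            continue
        cited.append({
            "from": doc["id"], "to": edge["to"], "relationship": edge["relationship"],
            "confidence": edge["confidence"], "evidence": evidence,
        })
    return cited


if __name__ == "__main__":
    for e in citable_edges(SAMPLE_DEPENDENCIES):
        print(f'{e["from"]} --{e["relationship"]}--> {e["to"]} '
              f'(confidence {e["confidence"]}): {e["evidence"]}')
```

Raising min_confidence to 0.9 keeps only the builds-on edge to NIST SP 800-53 r5; an edge whose grounding is anything other than Source-checked is dropped regardless of its score, which is the point of carrying the grounding band separately from the confidence number.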

MCP server

Plug RulesGraph into Claude, Cursor, Windsurf, or any MCP-compatible agent. Paid tier at mcp.rulesgraph.com. Agents can query the graph, propose mappings, and cite primary sources back.

claude_desktop_config.json
{
  "mcpServers": {
    "rulesgraph": {
      "url": "https://mcp.rulesgraph.com",
      "auth": { "bearer": "$RG_MCP_KEY" }
    }
  }
}

The viewer

A visual graph explorer at rulesgraph.com/viewer. Six tabs, each answering one specific question: what is in the graph, which frameworks overlap, what does this control look like across the landscape, what gap do I have to a target framework, what changed recently. No API key required for read access.

Tabs: Overview, Coverage matrix, Control deep-dive, Compliance calculator, Frameworks, Activity.
Built for

Whoever touches a control.

CISOs map their own frameworks faster. GRC platforms power their crosswalk engines. Auditors cite primary sources without leaving their workflow. Regulators see how their text actually propagates downstream.

CISOs and security teams

Map once, comply everywhere

You're already SOC 2. The board wants ISO 27001. Sales wants HITRUST. Run a single query against RulesGraph and see exactly which of your existing controls satisfy the new framework, where the gaps are, and what evidence each gap needs.

  • Auto-crosswalk your control catalog
  • Track framework revisions as they ship
  • Cite primary sources in audit responses
GRC platforms

Stop maintaining mapping tables

Replace your hand-maintained spreadsheet of framework crosswalks with a live graph API. RulesGraph keeps the mappings versioned, surfaces breaking changes, and gives you the provenance trail your customers' auditors will eventually ask for.

  • Drop-in REST integration
  • Webhook on every framework revision
  • Cryptographically signed plan CIDs
Auditors and assessors

One graph, every framework

Whether you're scoping SOC 2, attesting FedRAMP, or assessing CMMC, RulesGraph gives you the current text of each framework, its revision history, and its cross-mappings, without leaving your workpapers. Cite the source, not a screenshot.

  • Current framework language
  • Built-in revision diffs
  • Provenance to the primary publisher
Regulators

See how your text travels

When DORA publishes a new RTS, when ENISA updates a baseline, when the AI Act gains a new Annex, RulesGraph captures it and shows which downstream frameworks recognise, import, or supersede it. Track the propagation of your own regulatory text in days, not years.

  • Cross-jurisdiction propagation
  • Supersession tracking
  • Public read access for transparency
AI agents and dev tools

Compliance, callable from code

Build agents that can answer "is this Terraform module HIPAA-compliant?" or "which SOC 2 trust services criteria does this finding violate?" The MCP server gives any LLM agent direct, typed access to the live compliance graph.

  • MCP-native, works with Claude/Cursor
  • Structured outputs, no scraping
  • Source-checked claims include their citation
Researchers and journalists

Track the rules in motion

Compliance is a moving target and the moving is rarely transparent. RulesGraph publishes revisions, cross-mapping changes, and certification grants as public, time-stamped records. Free tier covers most research workflows.

  • Public revision history
  • Diff frameworks over time
  • 600 req/min free tier
Ask

Ask the graph, and see the grounding.

Ask is a chat surface that answers from the live graph and nothing else. Each answer is assembled from typed records the agent retrieved, every relationship carries its grounding band, and source-checked claims show the exact passage and its URL. When the graph does not hold grounded evidence for a question, Ask says so rather than guessing.

How does HITRUST CSF relate to NIST, and what does it build on?

HITRUST CSF v11.8 is built on two NIST frameworks. Both relationships are held as source-checked edges, each pinned to HITRUST's own published material.

HITRUST CSF builds on NIST SP 800-53 r5 (Source-checked, confidence 0.92)
HITRUST CSF references NIST CSF 2.0 (Source-checked, confidence 0.85)
Evidence: "Assessment and certification to the latest NIST specification" (hitrustalliance.net)
Badges: typed · grounded · cited to source

Sample conversation export (PDF): a real two-turn export, with a grounded answer carrying the typed relationships, confidence and evidence, followed by a question Ask declines because the graph holds no source-checked edge for it.

Request access to Ask

Ask runs on the live graph and is granted by request, not self-serve, so every account is known and the grounding stays accountable. Tell us who you are and what you would use it for, and we will reply by email.
