HOW IT WORKS
proof, not PDFs
Corsair turns compliance evidence into a signed proof anyone can verify. No portals. No trust centers. Just cryptography.
THE OLD WAY
PDFs and trust centers
Compliance is shared as static PDFs. You can read them, but you can't verify them. Every exchange relies on trust.
THE NEW WAY
Signed, verifiable proof
Corsair signs evidence as a cryptographic proof (CPOE). Anyone can verify the signature and provenance.
THE FLOW
Evidence in. Proof out.
01
Collect evidence
Run your security tools (scanners, CI checks, API exports) and export JSON output.
02
Sign a CPOE
Corsair signs the evidence as a JWT-VC with Ed25519 and records provenance.
03
Verify anywhere
Anyone can verify the CPOE with a DID:web lookup. No account needed.
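What the verifier's side of step 03 involves, as an added example that is not Corsair's code: mapping a did:web identifier to the URL of its DID document, then checking an EdDSA-signed JWT against the key published there. The issuer did:web:issuer.example, the key id, the payload fields and the locally built DID document are constructed for the demo; a real verifier would fetch did.json over HTTPS.

```javascript
const crypto = require("node:crypto");
const b64u = (s) => Buffer.from(s).toString("base64url");

// did:web rule: "did:web:host[:path...]" maps to an HTTPS URL for did.json.
function didWebToUrl(did) {
  const [scheme, method, rawHost, ...rawPath] = did.split(":");
  if (scheme !== "did" || method !== "web" || !rawHost) throw new Error("not a did:web identifier");
  const host = decodeURIComponent(rawHost); // a port arrives percent-encoded as %3A
  const path = rawPath.map(decodeURIComponent);
  // Refuse decoded values that could point the lookup at another host or path.
  if (!/^[a-z0-9.-]+(:\d+)?$/i.test(host)) throw new Error("bad host");
  if (path.some((seg) => !/^[\w-][\w.-]*$/.test(seg))) throw new Error("bad path");
  return `https://${host}/${path.length ? path.join("/") : ".well-known"}/did.json`;
}

// Verify a compact JWT against an already-fetched DID document; returns the payload.
function verifyJwtVc(jwt, didDoc) {
  const [h, p, s, ...rest] = jwt.split(".");
  if (!h || !p || !s || rest.length) throw new Error("malformed JWT");
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  // Pin the algorithm: never let the token choose how it is verified.
  if (header.alg !== "EdDSA") throw new Error("unexpected alg");
  // The key must belong to the issuer named in the payload.
  if (payload.iss !== didDoc.id) throw new Error("issuer does not match DID document");
  if (!String(header.kid).startsWith(`${payload.iss}#`)) throw new Error("kid not under issuer");
  const vm = (didDoc.verificationMethod || []).find((m) => m.id === header.kid);
  if (!vm) throw new Error("unknown key id");
  const key = crypto.createPublicKey({ key: vm.publicKeyJwk, format: "jwk" });
  const ok = crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  return payload;
}

// Constructed demo data: a throwaway key pair stands in for the issuer's hosted key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const did = "did:web:issuer.example";
  const kid = `${did}#key-1`;
  const publicKeyJwk = publicKey.export({ format: "jwk" });
  const didDoc = { id: did, verificationMethod: [{ id: kid, controller: did, publicKeyJwk }] };
  const h = b64u(JSON.stringify({ alg: "EdDSA", typ: "JWT", kid }));
  const p = b64u(JSON.stringify({ iss: did, vc: { credentialSubject: { evidence: "constructed" } } }));
  const sig = b64u(crypto.sign(null, Buffer.from(`${h}.${p}`), privateKey));
  const forged = b64u(JSON.stringify({ iss: did, vc: { credentialSubject: { evidence: "edited" } } }));
  return { did, kid, didDoc, jwt: `${h}.${p}.${sig}`, tampered: `${h}.${forged}.${sig}` };
}

const sample = demo();
console.log(didWebToUrl(sample.did), verifyJwtVc(sample.jwt, sample.didDoc).iss);
```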
THREE ACTIONS
The launch-ready surface
trust.txt
A public discovery file that points to SCITT and a catalog. Like security.txt, but for CPOEs.
Publish →
TRANSPARENCY LOG
What the log looks like in practice
Every signed CPOE can be registered in an append-only log. It's the audit trail you can actually verify.