VERIFICATION
verify
Verify any Certificate of Proof of Operational Effectiveness. Ed25519-signed W3C Verifiable Credentials. The issuer's public key is discovered through DID:web and the signature is checked against it. No account needed.
OVERVIEW
What is a CPOE?
A CPOE (Certificate of Proof of Operational Effectiveness) is a cryptographically signed credential attesting that security controls were assessed. The Ed25519 signature makes the recorded results tamper-evident: any change after signing is detectable by the verifier. Each CPOE carries provenance metadata identifying who produced the underlying evidence (self, tool, or auditor), plus a summary of controls tested and passed.
PROVENANCE
Evidence Provenance
Every CPOE records where the evidence came from. Corsair does not judge — it records provenance and lets the buyer decide what's sufficient.
FLOW
How verification works
1. The organization runs its security tools (scanners, CI checks, API exports) and signs the evidence into a CPOE with corsair sign: a JWT-VC signed with Ed25519.
2. The organization publishes a DID document at /.well-known/did.json on its domain, containing its public key.
3. Anyone pastes the CPOE here. The issuer's DID:web identifier is resolved to that document over HTTPS, and the Ed25519 signature is verified against the published key via the Corsair API.
4. Result: signature validity, provenance, controls summary, pass rate, plus optional policy checks (source identity, receipts, SCITT, evidence chain, dependency proofs). Math replaces trust.
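The verification in steps 2 and 3, as an added, self-contained example in Go using only the standard library. This is not Corsair's code and makes no claim about its wire format: it assumes the issuer publishes the Ed25519 key in its DID document as a JWK (kty OKP, crv Ed25519, x = raw key) listed under assertionMethod, that the CPOE is a compact JWS with alg EdDSA and a kid naming that key, and it uses the hypothetical issuer did:web:vendor.example. Under the did:web method that identifier maps to https://vendor.example/.well-known/did.json; the fetch is left out so the example runs offline, and the DID document is instead constructed in MintSample and passed in as bytes. Beyond the bare signature check, it shows three checks a verifier should not skip: the algorithm is pinned rather than read from the token, the key must be authorised for assertionMethod (not merely present), and the token's iss must equal the id of the DID document whose key verified it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url

// Subset of a W3C DID document; carrying the Ed25519 key as a JWK (kty=OKP, crv=Ed25519, x=raw key) is this example's assumption.
type verificationMethod struct {
	ID           string            `json:"id"`
	PublicKeyJwk map[string]string `json:"publicKeyJwk"`
}
type didDocument struct {
	ID                 string               `json:"id"`
	VerificationMethod []verificationMethod `json:"verificationMethod"`
	AssertionMethod    []string             `json:"assertionMethod"`
}

// assertionKey returns the Ed25519 key named kid, refusing keys not listed under assertionMethod (an authentication-only key must not vouch).
func assertionKey(doc *didDocument, kid string) (ed25519.PublicKey, error) {
	allowed := false
	for _, id := range doc.AssertionMethod {
		allowed = allowed || id == kid
	}
	for _, vm := range doc.VerificationMethod {
		raw, err := b64.DecodeString(vm.PublicKeyJwk["x"])
		if vm.ID != kid || !allowed {
			continue
		} else if vm.PublicKeyJwk["kty"] != "OKP" || vm.PublicKeyJwk["crv"] != "Ed25519" || err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("key %q is not a well-formed Ed25519 JWK", kid)
		}
		return ed25519.PublicKey(raw), nil
	}
	return nil, fmt.Errorf("%q is not an assertionMethod key in the DID document", kid)
}

// VerifyCPOE checks a compact JWS against an already-fetched DID document: alg pinned to EdDSA (the token never
// picks the algorithm), kid resolved to an assertion key, signature over header.payload, iss bound to the DID id.
func VerifyCPOE(token string, didDoc []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("rejected JWS framing or header (alg %q)", hdr.Alg)
	}
	var doc didDocument
	if err := json.Unmarshal(didDoc, &doc); err != nil {
		return nil, err
	}
	pub, err := assertionKey(&doc, hdr.Kid)
	sig, sigErr := b64.DecodeString(parts[2])
	if err != nil || sigErr != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("Ed25519 signature does not verify (key lookup: %v)", err)
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("payload is not base64url-encoded JSON")
	}
	if iss, _ := claims["iss"].(string); iss != doc.ID { // a key from one DID must not vouch for another issuer
		return nil, fmt.Errorf("iss %q is not the DID document id %q", iss, doc.ID)
	}
	return claims, nil
}

// signCPOE mints a JWT-VC as an issuer would (constructed sample, not Corsair's wire format).
func signCPOE(priv ed25519.PrivateKey, kid string, payload map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "vc+jwt", "kid": kid})
	body, _ := json.Marshal(payload)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// MintSample: fresh issuer key, a constructed did.json for the hypothetical did:web:vendor.example, one signed CPOE.
func MintSample() (token string, didDoc []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	did, kid := "did:web:vendor.example", "did:web:vendor.example#cpoe-key-1"
	didDoc = []byte(fmt.Sprintf(`{"id":%q,"assertionMethod":[%q],"verificationMethod":[{"id":%q,
		"publicKeyJwk":{"kty":"OKP","crv":"Ed25519","x":%q}}]}`, did, kid, kid, b64.EncodeToString(pub)))
	token = signCPOE(priv, kid, map[string]any{"iss": did, "vc": map[string]any{
		"type":              []string{"VerifiableCredential", "CPOE"},
		"credentialSubject": map[string]any{"provenance": "tool", "controlsTested": 42, "controlsPassed": 40},
	}})
	return token, didDoc, nil
}

func main() {
	token, didDoc, _ := MintSample()
	claims, err := VerifyCPOE(token, didDoc)
	_, tamperErr := VerifyCPOE(token[:len(token)-1], didDoc) // clipped signature must be refused
	fmt.Println("verified:", err == nil, claims["vc"], "| tampered rejected:", tamperErr != nil)
}
```

In production the only change is that didDoc comes from an HTTPS GET of the URL derived from the iss DID, so the trust root is the issuer's domain plus the web PKI; the checks in VerifyCPOE are what stop a valid signature from a wrong key, a wrong purpose, or a wrong issuer being mistaken for a valid CPOE.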
STANDARDS
Standards
W3C Verifiable Credentials 2.0
CPOEs as interoperable, standards-compliant attestations
DID:web
Decentralized identity for issuer key discovery
OpenID SSF / CAEP
Real-time compliance change notifications via FLAGSHIP
IETF SCITT
Transparency log for CPOE registration and auditable history
IETF SD-JWT
Selective disclosure — prove claims without revealing the full CPOE
DISRUPTION
Why this replaces questionnaires
Traditional vendor risk reviews rely on self-attested questionnaires — 300+ questions answered by vendors who have every incentive to overstate their security posture. Trust Centers store compliance data but can't share it interoperably — Vanta's Trust Center can't verify Drata's output, and vice versa. CPOE is the universal format. A CPOE replaces trust with verification: the evidence was assessed, the results were recorded with provenance metadata, and the credential is cryptographically signed. Policy artifacts let buyers encode deterministic acceptance criteria. You don't have to trust the vendor or the platform. You verify the proof.
SIX PRIMITIVES
Verification is one of six primitives
Corsair gives you six operations for compliance trust — like git for security attestations.
corsair sign
Sign tool output into a CPOE with Ed25519
corsair diff
Compare two CPOEs — see regressions and improvements
corsair log
Browse the SCITT transparency log for any issuer
corsair trust-txt generate
Generate your trust.txt discovery file
corsair signal generate
Generate FLAGSHIP signals (protocol format for real-time notifications)