TRACT assigns security framework controls to positions in the OpenCRE hierarchy using a fine-tuned bi-encoder, creating transitive crosswalks between any pair of frameworks automatically.
Security frameworks define overlapping requirements independently. NIST 800-53, MITRE ATLAS, OWASP, CSA, and the EU AI Act each describe AI security controls in their own terminology. Practitioners manually crosswalk between them — a process that is slow, error-prone, and breaks every time a framework updates.
TRACT treats crosswalk construction as a hub assignment problem: each control is independently mapped to a CRE hub — a node in OpenCRE's universal security taxonomy. Controls from different frameworks that map to the same hub are crosswalked transitively.
```
g(control_text) → CRE_hub_position   # NOT pairwise f(A, B) → similarity
```
This scales linearly (not quadratically) with the number of controls, and adding a new framework automatically crosswalks it with every existing framework.
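The one-sided assignment above, as an added example that is not TRACT's own code: each control is scored against the hubs on its own, and frameworks are joined afterwards on the shared hub. A token-overlap (Jaccard) scorer stands in for TRACT's fine-tuned bi-encoder, and the hubs and controls are constructed.

```python
# Added example, not TRACT's own code: one-sided hub assignment g(control) -> hub,
# then a transitive crosswalk by shared hub. A token-overlap (Jaccard) scorer stands
# in for TRACT's fine-tuned bi-encoder; hubs and controls below are constructed.
import re
from collections import defaultdict

# Constructed stand-ins for CRE hubs: hub id -> hub description
HUBS = {
    "CRE-1": "input validation and sanitization of untrusted data",
    "CRE-2": "logging and monitoring of security events",
    "CRE-3": "access control and least privilege authorization",
}

# Constructed controls keyed "<framework_id>:<control_id>"
CONTROLS = {
    "nist:SI-10": "Check the validity of input data",
    "nist:AU-6": "Review and analyze audit logging records for security events",
    "atlas:AML.M0015": "Validate and sanitize untrusted input to the model",
    "atlas:AML.M0024": "Monitor security events in model logging",
}

def tokens(text: str) -> set[str]:
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def assign_hub(control_text: str) -> tuple[str, float]:
    """Score one control against every hub; no other control is consulted."""
    words = tokens(control_text)
    best_hub, best_score = "", -1.0
    for hub_id, description in HUBS.items():
        hub_words = tokens(description)
        score = len(words & hub_words) / len(words | hub_words)
        if score > best_score:
            best_hub, best_score = hub_id, score
    return best_hub, best_score

def build_crosswalk(controls: dict[str, str]) -> dict[tuple[str, str], str]:
    """Assign each control once (linear in #controls), then join frameworks on hub.
    Only cross-framework pairs are kept, each recorded once with a < b."""
    by_hub: dict[str, list[str]] = defaultdict(list)
    for control_id, text in controls.items():
        hub, _ = assign_hub(text)
        by_hub[hub].append(control_id)
    crosswalk = {}
    for hub, ids in by_hub.items():
        for a in ids:
            for b in ids:
                if a < b and a.split(":")[0] != b.split(":")[0]:
                    crosswalk[(a, b)] = hub
    return crosswalk
```

Adding a third framework only adds its controls to the assignment loop; no pairwise comparison against the existing frameworks is needed.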
```mermaid
flowchart LR
    A["Raw framework<br/>(PDF, CSV, JSON)"] --> B["tract prepare"]
    B --> C["Standardized JSON"]
    C --> D["tract validate"]
    D --> E["tract ingest"]
    E --> F["CRE hub<br/>assignment"]
    F --> G["Crosswalk DB"]
    G --> H["tract export"]
    style A fill:#f9f,stroke:#333
    style G fill:#9f9,stroke:#333
```
What is OpenCRE? The Open Common Requirement Enumeration is a community-maintained taxonomy that organizes security requirements into a hierarchy of 400+ hubs. It links controls from NIST, OWASP, CWE, ISO 27001, and dozens of other frameworks. TRACT uses it as the universal coordinate system for security controls.
| Metric | Value |
|---|---|
| Assignment accuracy (hit@1) | 0.537 [0.463, 0.612] |
| Improvement over zero-shot | +0.139 (baseline: 0.399) |
| Crosswalk assignments | 5,238 across 31 frameworks |
| Assignment breakdown | 4,390 ground truth · 528 expert-reviewed · 320 model predictions |
| AI↔traditional bridges | 46 accepted (of 63 candidates) |
| Evaluation | LOFO cross-validation with hub firewall |
All metrics use 95% bootstrap confidence intervals (10,000 resamples). Full experiment narrative in tract_experimental_narrative.ipynb.
Explore without model artifacts (works immediately after install):

```bash
git clone https://github.com/rocklambros/TRACT.git
cd TRACT
pip install -e ".[dev]"
tract prepare --file examples/sample_framework.csv --framework-id demo --name "Demo Framework"
tract validate --file demo_prepared.json
```

Full assignment workflow (requires trained model artifacts):

```bash
pip install -e ".[phase0]"
tract tutorial   # Guided walkthrough (checks prerequisites)
tract assign "Implement input validation for AI model training data"
```

Note: `tract assign` and `tract tutorial` require model artifacts from the training pipeline. `tract prepare` and `tract validate` work immediately after install.
TRACT processes 31 frameworks with 2,802 controls total.

| Framework | ID | Controls |
|---|---|---|
| CSA AI Controls Matrix | csa_aicm | 243 |
| MITRE ATLAS | mitre_atlas | 202 |
| AIUC-1 Standard | aiuc_1 | 132 |
| EU AI Act | eu_ai_act | 126 |
| NIST AI Risk Management Framework | nist_ai_rmf | 72 |
| CoSAI AI Security Risk Map | cosai | 55 |
| OWASP AI Exchange | owasp_ai_exchange | 54 |
| EU GPAI Code of Practice | eu_gpai_cop | 40 |
| OWASP GenAI Data Security | owasp_dsgai | 21 |
| NIST AI 600-1 GenAI Profile | nist_ai_600_1 | 12 |
| OWASP Top 10 for LLM | owasp_llm_top10 | 10 |
| OWASP Top 10 for Agentic Apps | owasp_agentic_top10 | 10 |

| Framework | ID | Controls |
|---|---|---|
| CAPEC | capec | 349 |
| NIST 800-53 | nist_800_53 | 300 |
| ASVS | asvs | 277 |
| CWE | cwe | 246 |
| DSOMM | dsomm | 183 |
| ISO 27001 | iso_27001 | 93 |
| WSTG | wstg | 59 |
| OWASP Cheat Sheets | owasp_cheat_sheets | 50 |
| NIST SSDF | nist_ssdf | 44 |
| ENISA | enisa | 38 |
| SAMM | samm | 30 |
| CSA Cloud Controls Matrix | csa_ccm | 29 |
| NIST AI 100-2 | nist_ai_100_2 | 28 |
| ETSI | etsi | 27 |
| NIST 800-63 | nist_800_63 | 25 |
| BIML | biml | 20 |
| OWASP Top 10 2021 | owasp_top10_2021 | 10 |
| OWASP Proactive Controls | owasp_proactive_controls | 10 |
| OWASP Top 10 for ML | owasp_ml_top10 | 7 |
All 19 subcommands grouped by workflow stage:

| Stage | Commands | Description |
|---|---|---|
| Explore | `tutorial`, `hierarchy`, `compare` | Learn TRACT, inspect hubs, compare frameworks |
| Prepare | `prepare`, `validate` | Extract and validate framework controls |
| Assign | `assign`, `ingest`, `accept` | Map controls to CRE hubs |
| Review | `review-export`, `review-validate`, `review-import`, `review-proposals` | Expert review workflow |
| Analyze | `bridge`, `propose-hubs`, `import-ground-truth` | Discover connections, suggest new hubs |
| Export | `export`, `export-canonical` | Output assignments (CSV, JSON, OpenCRE, canonical snapshot) |
| Publish | `publish-hf`, `publish-dataset` | Release model and dataset to HuggingFace |

See docs/cli-reference.md for full options and examples.
```mermaid
flowchart TD
    subgraph INPUT["Input"]
        RAW["data/raw/<br/>Immutable source files"]
        API["OpenCRE API"]
    end
    subgraph PARSE["Parse"]
        P["parsers/<br/>12 framework parsers"]
        PREP["tract prepare<br/>LLM-assisted extraction"]
    end
    subgraph CORE["Core"]
        PROC["data/processed/<br/>Standardized JSON"]
        TRAIN["data/training/<br/>Hub links"]
        T["tract/<br/>Core library"]
    end
    subgraph OUTPUT["Output"]
        RES["results/<br/>Metrics, reviews"]
        BUILD["build/<br/>HF staging"]
        DB["crosswalk.db"]
    end
    RAW --> P
    RAW --> PREP
    API --> TRAIN
    P --> PROC
    PREP --> PROC
    PROC --> T
    TRAIN --> T
    T --> RES
    T --> BUILD
    T --> DB
```
| I want to... | Go to... |
|---|---|
| Add a new framework | Framework Guide |
| Understand the model and methodology | Architecture |
| Look up a command | CLI Reference |
| Look up a term | Glossary |
| Understand canonical export schema | Architecture § Canonical Export |
| Review hub descriptions for quality | Hub Description Review Guide |
| Contribute code | Contributing |
| Report a security issue | Security Policy |
- Model: rockCO78/tract-cre-assignment on HuggingFace
- Dataset: rockCO78/tract-crosswalk-dataset on HuggingFace
- Experimental narrative: `tract_experimental_narrative.ipynb`, a 14-section Jupyter notebook covering the complete research journey
TRACT produces per-framework canonical JSON snapshots designed for OpenCRE's incremental import RFC. Each framework export contains:

- `snapshot.json`: a `StandardSnapshot` with all controls, CRE mappings, filter policy, and a SHA-256 content hash for integrity verification
- `changeset.json`: a keyed diff against the prior export with 6 operation types (ADD/UPDATE/DELETE for controls and mappings), impact analysis, and scope classification
- `embeddings.npz` (optional): per-framework embedding slice from the deployment model
| Field | Type | Description |
|---|---|---|
| `schema_version` | string | Always `"1.0"` |
| `framework_id` | string | Framework identifier (e.g., `csa_aicm`) |
| `framework_name` | string | Human-readable name |
| `export_date` | string | ISO 8601 UTC timestamp |
| `content_hash` | string | SHA-256 of all non-volatile fields |
| `tract_version` | string | Git SHA of TRACT at export time |
| `model_adapter_hash` | string | SHA-256 of the LoRA adapter weights |
| `filter_policy` | object | Confidence floor, OOD/ground-truth exclusion rules |
| `controls` | array | `CanonicalControl` objects (id, title, description, hyperlink) |
| `mappings` | array | `CREMapping` objects (control→hub with confidence, rank, provenance) |
| Operation | Description |
|---|---|
| `ADD_CONTROL` | New control added to framework export |
| `UPDATE_CONTROL` | Control title, description, or hyperlink changed |
| `DELETE_CONTROL` | Control removed from export |
| `ADD_MAPPING` | New control→hub mapping added |
| `UPDATE_MAPPING` | Mapping confidence, rank, or provenance changed |
| `DELETE_MAPPING` | Mapping removed |
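The snapshot content hash and the keyed changeset described above, as an added example rather than TRACT's own code. It assumes that `export_date` and `content_hash` are the only volatile fields, that controls are keyed by `id` and mappings by `(control_id, hub)`, and uses two constructed snapshots.

```python
# Added example, not TRACT's own code: a content hash over the non-volatile fields of
# a snapshot and a keyed diff between two exports that yields the six changeset
# operations. Assumed: export_date and content_hash are the only volatile fields, and
# mappings are keyed by (control_id, hub). The two snapshots below are constructed.
import hashlib
import json

VOLATILE_FIELDS = {"export_date", "content_hash"}  # assumption, see lead-in

def content_hash(snapshot: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) of non-volatile fields."""
    stable = {k: v for k, v in snapshot.items() if k not in VOLATILE_FIELDS}
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def keyed_diff(prior: dict, current: dict) -> list[dict]:
    """Emit ADD/UPDATE/DELETE operations for controls (by id) and mappings (by key)."""
    keyed = {
        "controls": ("CONTROL", lambda c: c["id"]),
        "mappings": ("MAPPING", lambda m: (m["control_id"], m["hub"])),
    }
    ops = []
    for field, (name, key) in keyed.items():
        old = {key(x): x for x in prior.get(field, [])}
        new = {key(x): x for x in current.get(field, [])}
        ops += [{"op": f"ADD_{name}", "key": k} for k in new.keys() - old.keys()]
        ops += [{"op": f"DELETE_{name}", "key": k} for k in old.keys() - new.keys()]
        ops += [{"op": f"UPDATE_{name}", "key": k}
                for k in new.keys() & old.keys() if new[k] != old[k]]
    return ops

def ctl(cid, title):
    return {"id": cid, "title": title, "description": "", "hyperlink": ""}

def mapping(cid, hub, conf, prov):
    return {"control_id": cid, "hub": hub, "confidence": conf, "rank": 1, "provenance": prov}

# Constructed prior and current exports of the same framework
PRIOR_SNAPSHOT = {
    "schema_version": "1.0", "framework_id": "demo", "framework_name": "Demo Framework",
    "export_date": "2024-01-01T00:00:00Z",
    "controls": [ctl("D-1", "Validate input"), ctl("D-2", "Log events")],
    "mappings": [mapping("D-1", "CRE-1", 0.91, "model")],
}
CURRENT_SNAPSHOT = dict(PRIOR_SNAPSHOT, export_date="2024-02-01T00:00:00Z",
    controls=[ctl("D-1", "Validate all input"), ctl("D-3", "Restrict access")],
    mappings=[mapping("D-1", "CRE-1", 0.95, "expert"), mapping("D-3", "CRE-3", 0.88, "model")],
)
```

Re-exporting unchanged data on a later date keeps the same content hash, while any edit to a control or mapping changes it and shows up as a concrete operation in the diff.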
```bash
# Preview canonical export
tract export-canonical --dry-run
# Export a single framework with embeddings
tract export-canonical --framework csa_aicm --with-embeddings
# Export all eligible frameworks
tract export-canonical
```

See docs/cli-reference.md for full options.
CC0 1.0 Universal — dedicated to the public domain.