Auditors prefer system-generated exports over screenshots because they're harder to fake and easier to corroborate. Cyvex generates evidence packages that bundle findings, scan runs, and remediation timelines into a single PDF or JSON archive.

What goes into a package

A time-windowed list of scans (start, end, scope, status).
Findings opened and closed in the window, with SLA metrics.
Exceptions and accepted risks, with reasons and owners.
Integrity metadata (scan run IDs, timestamps, user who exported).

Choose the right time window

For SOC 2 Type II, match the audit observation window (usually 3–12 months). For ISO 27001 surveillance, match the period since last review. For Cyber Essentials Plus, a rolling 90-day window is usually enough.

Archive the package

Export packages aren't automatically retained. Download, timestamp, and store them in your compliance evidence folder (alongside policies, ticket exports, access reviews). See retention guidance.