What is NIST CSF 2.0?

The NIST Cybersecurity Framework is a voluntary framework from the US National Institute of Standards and Technology for managing cybersecurity risk. Version 2.0, released in 2024, organizes the work into 6 functions: Govern, Identify, Protect, Detect, Respond, and Recover. The functions break down into 22 categories and 106 subcategories, the controls on this page.

How do the starter prompts work?

Each prompt describes an automation end to end: where the data comes from, what decisions get made, and where results go. Paste one into a coding assistant connected to Tracecat MCP, like Claude Code, Microsoft Copilot, or Codex. The agent explains the control, asks about your environment, and builds the workflow, agent, or skill with you in Tracecat.

Where do the SP 800-53 mappings come from?

The mappings are NIST's own. We use the official OLIR informative reference from NIST CPRT that maps every CSF 2.0 subcategory to SP 800-53 Rev 5 controls. Nothing on this page is our interpretation of the framework: control text, structure, and mappings come from the official NIST CSF 2.0 export.

Does automating these controls make us NIST CSF compliant?

No. The CSF is a risk management framework, not a certification, and many controls require human judgment, policy decisions, and governance that no tool provides. What automation does is run the operational work behind the controls: monitoring, triage, evidence gathering, reviews, and response. Coverage of the work is not the same as managing the risk.

Automate NIST CSF 2.0 controls with AI

Every control in the NIST Cybersecurity Framework, mapped to security tools and starter prompts. Paste a prompt into Claude Code, Microsoft Copilot, or Codex and build the automation together with Tracecat MCP.

Explore Tracecat MCP

6
functions: 22
categories: 106
controls: 39
tools: 85
prompts

Detect

10 prompts

Possible cybersecurity attacks and compromises are found and analyzed

Continuous Monitoring

DE.CM

Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

Microsoft Defender XDR

SentinelOne Purple

Datadog

Jamf

Triage CrowdStrike detections
Hunt for beaconing in network logs
Watch sign-ins and risky consent grants

View 5 prompts

Adverse Event Analysis

DE.AE

Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

Correlate alerts across SIEM and EDR
Enrich alerts with threat intel
Estimate alert impact and scope

View 5 prompts

Respond

13 prompts

Actions regarding a detected cybersecurity incident are taken

Incident Management

RS.MA

Responses to detected cybersecurity incidents are managed

Triage and validate incident reports
Categorize and prioritize incidents
Escalate incidents on clear criteria

View 4 prompts

Incident Analysis

RS.AN

Investigations are conducted to ensure effective response and support forensics and recovery activities

Build incident timelines automatically
Preserve investigation records and evidence
Estimate and validate incident magnitude

View 3 prompts

Incident Response Reporting and Communication

RS.CO

Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

Notify stakeholders when incidents declare
Draft regulator and customer notices
Share indicators with trusted partners

View 3 prompts

Incident Mitigation

RS.MI

Activities are performed to prevent expansion of an event and mitigate its effects

CrowdStrike Falcon

Microsoft Defender XDR

Contain compromised endpoints
Eradicate attacker footholds
Block attacker infrastructure

View 3 prompts

Identify

12 prompts

The organization's current cybersecurity risks are understood

Asset Management

ID.AM

Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy

Reconcile asset inventories across tools
Maintain a living software inventory
Prioritize assets by criticality

View 4 prompts

Risk Assessment

ID.RA

The cybersecurity risk to the organization, assets, and individuals is understood by the organization

Triage new vulnerability findings
Operationalize threat intel feeds
Record and score threat scenarios

View 5 prompts

Improvement

ID.IM

Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions

Turn case retros into tracked improvements
Keep the incident response plan current
Mine test and exercise results for fixes

View 3 prompts

Protect

20 prompts

Safeguards to manage the organization's cybersecurity risks are used

Identity Management, Authentication, and Access Control

PR.AA

Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access

Review privileged access on a schedule
Catch dormant and orphaned accounts
Respond to risky sign-ins

View 4 prompts

Awareness and Training

PR.AT

The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks

Follow up phishing simulations with training
Track role-based training coverage
Send context-aware security nudges

View 3 prompts

Data Security

PR.DS

Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information

Microsoft Defender XDR

Okta

Jira / Atlassian

ServiceNow

Audit encryption at rest in the cloud
Track backup jobs and restore tests
Verify disk encryption on laptops

View 4 prompts

Platform Security

PR.PS

The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability

Jamf

Microsoft Defender XDR

Detect drift from hardened baselines
Enforce patch SLAs from your vuln plan
Find systems not sending logs

View 5 prompts

Technology Infrastructure Resilience

PR.IR

Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

Audit network segmentation weekly
Find single points of failure
Monitor and forecast resource capacity

View 4 prompts

Recover

7 prompts

Assets and operations affected by a cybersecurity incident are restored

Incident Recovery Plan Execution

RC.RP

Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents

Run recovery as tracked tasks
Verify backups before restoring
Confirm restored systems are clean

View 4 prompts

Incident Recovery Communication

RC.CO

Restoration activities are coordinated with internal and external parties

Post recovery status on a drumbeat
Coordinate approved public updates
Keep affected customers informed

View 3 prompts

Govern

23 prompts

The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

Organizational Context

GV.OC

The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood

Build a compliance obligations register
Map critical services and dependencies
Track customer security commitments

View 3 prompts

Risk Management Strategy

GV.RM

The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions

Stand up a living risk register
Enforce risk appetite in triage
Feed security risks into enterprise ERM

View 4 prompts

Roles, Responsibilities, and Authorities

GV.RR

Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated

Generate a security RACI from reality
Track security workload and resourcing
Wire security into HR lifecycle events

View 3 prompts

Policy

GV.PO

Organizational cybersecurity policy is established, communicated, and enforced

Chase policy acknowledgments
Detect drift between policy and reality
Keep policy reviews on schedule

View 3 prompts

Oversight

GV.OV

Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy