Evidence Export
Export your cycle as a QSA-ready ZIP package — organized by DRL category with standard naming, a summary PDF, and integrity hashes.
When your cycle is ready for QSA review, export an evidence package. The export is a ZIP file organized exactly the way your QSA expects: one folder per DRL category, standard file naming, a summary PDF, and an integrity manifest.
Evidence export is available on the Team plan and above. The free CLI produces local reports, but not packaged QSA exports.
How to export
From the cycle detail page, click Export Evidence Package. The export runs as a background job (seconds to a few minutes depending on cycle size); when it finishes you'll get a download link and an email.
You can trigger an export any time, as often as you need. Each export is a snapshot at the moment you clicked — re-run it after uploading more evidence to get a fresh package.
What's in the ZIP
ankos-export-<cycle-id>-<timestamp>.zip
├── summary.pdf
├── manifest.json
├── README.txt
├── APP/
│ ├── APP-01-applications-inventory.pdf
│ └── ...
├── AS/
│ └── AS-02.3-incident-response-plan.pdf
├── CHD/
├── KM/
├── LOG/
├── MFA/
├── POL/
│ ├── POL-01-information-security-policy.pdf
│ ├── POL-02-access-control-policy.pdf
│ └── carry-forward.txt
└── ...Summary PDF
A generated PDF that opens with:
- Your organization name, cycle ID, and date range
- A table of contents matching the category folders
- Per-entry summaries with the state, owner, sign-off status, and any carry-forward attestations
- The standard "Ankos prepares the case; your QSA makes the final compliance determination" disclaimer
Category folders
One folder per DRL category your cycle uses. Each entry's evidence file
keeps its original format (PDF, PNG, DOCX, JSON, etc.) and gets a
standardized name of the form <DRL-ID>-<slug>.<ext>.
For carried-forward entries, a carry-forward.txt in the folder lists the
source cycle, original upload, and every attestation in the chain.
Manifest
manifest.json contains:
- A SHA-256 hash for every file in the ZIP
- The export timestamp and the exporting user
- The full list of entries with their states, sign-off info, and owners
- The cycle metadata
Your QSA can verify nothing has been tampered with by recomputing the hashes.
README.txt
A plain-text guide for the QSA explaining how the archive is organized, how to cross-reference it against the DRL, and how to verify integrity.
What's not in the export
- Entries in
not_startedstate (no evidence to export) - Entries explicitly marked as draft / unshared
- API keys, user PII, or system-internal metadata
- Previous cycles (one export = one cycle)
Regenerating after changes
If you upload new evidence or change sign-off status after exporting, the old ZIP is out of date. Re-run the export — each export is independent and timestamped. Old exports remain downloadable from the Exports tab for audit history.
Ankos prepares the case
The export is the case you hand to your QSA. The package is organized and annotated to make their review as fast as possible, but the final compliance determination is made by your QSA. Ankos never declares an entry, a cycle, or a company "compliant."