Gap Hunter

AI-assisted policy gap analysis that turns an existing policy into an explainable assessment, a revised draft, and a remediation roadmap.

Gap Hunter helps teams transform existing security policies into framework-aligned, explainable outputs: structured gap analysis, revised policy drafts, and practical remediation roadmaps.

Explore the workflowRead technical Q&A
What the system delivers
A focused workflow for organizations that already have policy documents but need framework alignment and clearer remediation.
  • Structured extracted sections
  • Master section list with summaries
  • Per-function gap analysis reports
  • Consolidated gap analysis report
  • Machine-readable assessments for each subcategory
Framework-aligned gap analysis
Gap Hunter compares an uploaded security policy against the CIS MS-ISAC NIST Cybersecurity Framework Policy Template Guide (2024) and identifies what is addressed, partially addressed, missing, or out of scope.
Explainable output, not just a score
Every major finding is tied to evidence, a specific gap statement, and a recommendation. The goal is not just to label a policy weak, but to show why and what to do next.
From diagnosis to revision
The system does not stop at reporting. It uses the structured findings to generate a revised NIST-style policy draft and a prioritized improvement roadmap.

How It Works

A three-phase pipeline, not a single prompt over a document.

The implementation is designed around reliability, structure, and explainability. It uses deterministic processing where possible and LLM reasoning where semantic interpretation is actually needed.

Phase 1
PDF extraction and section structuring
A policy PDF is converted into markdown, section boundaries are identified, validated, corrected if needed, and then stored as structured sections.
The extractor first tries rule-based heading detection for speed and precision. If the document is messy, it falls back to a sliding-window multi-agent flow with an extractor, validator, and corrector. Final section content is pulled directly from source lines once the boundaries are known, which reduces hallucination risk.
Phase 2
NIST CSF gap analysis
The policy is analyzed against the six NIST CSF functions and their subcategories using structured assessments.
The analysis layer classifies which functions are relevant, filters subcategories by scope, evaluates the policy against framework requirements, and stores each finding with status, evidence, gap, and recommendation. This creates machine-readable outputs that can be reviewed by humans and reused downstream.
Phase 3
Policy revision and roadmap generation
Actionable gaps are targeted to existing sections or new sections, then merged into a revised policy draft along with a remediation roadmap.
The revision stage uses the original sections and structured assessments together. It writes focused addition blocks per gap, validates whether those additions actually cover the requirement, integrates them into a coherent revised document, and generates an improvement roadmap with priorities, dependencies, and success criteria.
Who this page is for
This QR destination is intentionally useful to two groups at once.

For Jury Members

  • Understand the business problem, why the workflow matters, and how the product is more than a one-shot prompt.
  • See the full system story: extraction, gap analysis, explainability, revision, and roadmap generation.
  • Evaluate the product on trust, reliability, privacy posture, and startup potential.

For Contestants

  • See how the architecture combines deterministic processing with LLM reasoning instead of overusing generation.
  • Understand the role of structured schemas, validation loops, and intermediate artifacts.
  • Learn how the project handles scope filtering, evidence grounding, and revision targeting.
What makes the architecture strong
The project treats policy work as a document intelligence pipeline instead of a generic content-generation task.
  • It preserves intermediate artifacts like extracted sections, master lists, structured assessments, and consolidated reports.
  • It uses Pydantic-based structured outputs to reduce parsing fragility and improve downstream control.
  • It classifies what is actually in scope so the tool does not confuse “belongs in another policy” with “this policy is weak.”
  • It uses validation loops in extraction, summarization, and revision instead of trusting the first generation blindly.
  • It produces reviewable outputs so a human can validate the policy changes rather than treating the model as the final authority.

Technical Deep Dive

The technical working, condensed for web.

The detailed repo documentation goes much deeper, but these are the main technical layers a judge or builder usually wants to understand on one page.

Key Outputs And Why They Matter
Gap Hunter produces outputs for both human review and downstream workflow reuse.
Structured extracted sections
Master section list with summaries
Per-function gap analysis reports
Consolidated gap analysis report
Machine-readable assessments for each subcategory
Revised policy draft in a NIST-style format
Improvement roadmap for remediation planning

Q&A

Common questions from judges and technical reviewers

What exact problem does Gap Hunter solve?
Gap Hunter solves the gap between having an existing security policy and having a framework-aligned, review-ready policy. Many organizations already have documents, but those documents are inconsistent, incomplete, or written in ways that are hard to compare against modern cybersecurity frameworks. The tool compresses the manual workflow of reading, mapping, identifying gaps, and rewriting into a structured pipeline.
What makes this different from using a single prompt in ChatGPT?
This product is not just text generation over a document. It has a staged workflow with extraction, scope classification, structured subcategory assessments, consolidated reporting, policy revision, and roadmap generation. The pipeline preserves intermediate artifacts so findings can be traced and reused instead of disappearing inside one long prompt.
Why should anyone trust an AI to rewrite policy?
The system should be trusted as an accelerator for expert review, not as an autonomous authority. Its outputs are grounded in evidence from the uploaded policy and in framework-specific guidance, and the resulting revised draft is meant to be reviewed and approved by a human policy owner. The strength of the product is that it produces explainable first drafts and remediation structure, not that it replaces governance accountability.
What is the hardest technical part of the system?
The hardest technical challenge is balancing semantic flexibility with reliability. Policies vary enormously in structure and wording, so the system needs LLM reasoning. But policy work also needs traceability and precision, so the architecture adds line-based extraction, structured schemas, validation loops, scope filtering, deterministic aggregation, and revision targeting to keep the workflow defensible.