Evidence kitevidence-folder-template/_filled-example/README.md
Filled example

Filled example

A worked example of five populated control files for a fictional Series B SaaS — what the blank templates look like once they're actually filled in with real exports and numbers.

The blank templates tell you what to gather. This folder shows you what they look like once they're filled in. Everything here is for a fictional company, Acme Analytics (a Series B B2B SaaS on AWS + GCP + GitHub) — the names, dates, and numbers are illustrative, not real.

Use these as a reference for the level of concreteness auditors and buyers accept. Notice the pattern in every file:

  • Specific artifacts named, with dated filenames (mfa-policy-2026-06-12.json), not "we have a policy."
  • Real numbers — row counts, wall-clock times, alert counts, dollar caps.
  • A named owner and a real last-refreshed date.
  • Exceptions disclosed, not hidden — auditors find them anyway.
File Control What it demonstrates
01-mfa-enforcement.md 1.1 IdP policy export + status report + exceptions
03-branch-protection.md 3.1 Org ruleset export + CODEOWNERS
04-secret-scanning.md 4.3 Scanning enabled + a real remediation example
05-restore-test.md 5.2 A completed quarterly restore test with metrics
06-spend-caps.md 6.3 AI workload spend caps + alert routing

When you populate your own evidence folder, aim for this. If you'd rather an engineer produce a folder like this from your actual stack, that's a Controls Review.

Book fit call