How SIFTR works

This page explains how SIFTR processes documents and maps explicit, quoted evidence to UK Cyber Assessment Framework (CAF) outcomes.

The approach is designed to be accurate, repeatable and defensible, while ensuring that final judgement remains with the organisation.


Overview

At a high level, SIFTR:

  1. Ingests selected organisational documents
  2. Extracts and prepares text for analysis
  3. Applies privacy and sanitisation controls
  4. Uses a two-stage analysis process to avoid inference and hallucination
  5. Maps explicit statements to CAF outcomes
  6. Aggregates evidence across documents
  7. Presents quote-backed results for human review

Each stage is designed to minimise assumption and maximise traceability.


Step 1: Document ingestion

Users upload existing governance and assurance artefacts relevant to CAF assessment.

At this stage, SIFTR supports PDF documents only.

This constraint is intentional. PDF files preserve document integrity, pagination and structure, which supports accurate evidence quoting and traceability during CAF review.

Only documents explicitly selected by the user are included in scope.


Step 2: Text extraction and preparation

Uploaded PDFs are processed to extract text content for analysis.

During this stage:

  • Document structure is normalised
  • Headers, footers and layout artefacts are reduced
  • Non-text elements (such as images or diagrams) are ignored
  • Original wording and meaning are preserved

No content is added, rewritten or enhanced.


Step 3: Privacy and PII handling

SIFTR is designed to support data minimisation and purpose limitation.

Where documents contain personal or identifying information, sanitisation controls are applied so that analysis focuses on governance-relevant content only.

This may include:

  • Masking or removing direct personal identifiers
  • Removing incidental personal detail not relevant to CAF evidence
  • Preserving role-based accountability (for example job titles or committees)

Step 4: Two-stage analysis (sanitise → map)

To reduce the risk of hallucination, bias or misattribution, SIFTR uses a two-stage analysis approach.

Stage 1 — Sanitisation

The first stage produces a clean, governance-focused representation of the document by:

  • Reducing irrelevant contextual noise
  • Removing non-essential personal information
  • Preserving only content relevant to CAF evidence mapping

Stage 2 — CAF evidence mapping

The second stage evaluates the sanitised text against the wording and intent of the relevant CAF outcomes.

For each outcome, SIFTR looks only for explicit statements relating to:

  • Roles, responsibilities and accountability
  • Governance structures and oversight
  • Risk management approaches
  • Decision-making and escalation arrangements

SIFTR does not infer intent or fill gaps where evidence is not stated.


Step 5: Evidence identification and quoting

Where relevant evidence is found, SIFTR:

  • Extracts the minimum necessary quotation
  • Preserves the original wording
  • Records the source document and, where available, page reference

If no explicit evidence is found in a document, no quote is generated.


Step 6: Evidence aggregation and coverage classification

Evidence is identified at document level and assessed across all uploaded documents.

For each CAF outcome:

  • If any document provides Strong evidence, the outcome is reported as Strong
  • If no Strong evidence exists but one or more documents provide Partial evidence, the outcome is reported as Partial
  • If no document provides relevant evidence, the outcome is reported as None

Coverage labels are defined as:

  • Strong — clear, explicit evidence directly supports the outcome
  • Partial — some relevant evidence exists, but gaps or ambiguity remain
  • None — no explicit evidence was identified

These labels reflect evidence presence only. They do not represent maturity, effectiveness or compliance.
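
An added example, not SIFTR's own code: a reviewer-side check that applies the aggregation rule above to a set of document-level findings. It goes one step beyond the text by counting a finding only if its quote appears word-for-word on the cited page, which is an assumption about how a reviewer might test the Step 5 traceability claim. The record shape, file names, outcome identifiers and sample text are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"None": 0, "Partial": 1, "Strong": 2}  # the page's coverage labels, weakest first

@dataclass
class Finding:  # hypothetical record shape, not SIFTR's export schema
    outcome: str
    document: str
    page: Optional[int]
    label: str
    quote: Optional[str]

def _norm(text: str) -> str:
    return " ".join(text.split())  # tolerate line-wrap differences from PDF extraction

def quote_is_verbatim(f: Finding, pages: dict) -> bool:
    """Quote must appear word-for-word on the cited page (any page if none is cited)."""
    doc = pages.get(f.document, {})
    texts = [doc.get(f.page, "")] if f.page is not None else list(doc.values())
    return bool(f.quote) and any(_norm(f.quote) in _norm(t) for t in texts)

def aggregate(findings, pages, in_scope):
    """Per outcome: Strong if any document is Strong, else Partial if any, else None."""
    best = {o: ("None", None) for o in in_scope}
    rejected = []
    for f in findings:
        if f.outcome not in best or f.label == "None":
            continue
        if not quote_is_verbatim(f, pages):
            rejected.append(f)  # label without a traceable quote: send back for review
        elif RANK[f.label] > RANK[best[f.outcome][0]]:
            best[f.outcome] = (f.label, f)
    return best, rejected

# Constructed sample input: extracted page text keyed by document and page number.
PAGES = {
    "cyber-risk-policy.pdf": {3: "The Board is accountable for cyber risk\nand reviews it quarterly."},
    "it-handbook.pdf": {12: "Managers should consider security risks where practical."},
}
FINDINGS = [
    Finding("A1.a", "it-handbook.pdf", 12, "Partial", "Managers should consider security risks"),
    Finding("A1.a", "cyber-risk-policy.pdf", 3, "Strong", "The Board is accountable for cyber risk and reviews it quarterly."),
    Finding("A2.a", "cyber-risk-policy.pdf", 3, "Strong", "The Board owns and approves the risk register."),
]

if __name__ == "__main__":
    coverage, rejected = aggregate(FINDINGS, PAGES, ["A1.a", "A2.a", "B1.a"])
    print({o: label for o, (label, _) in coverage.items()}, [f.outcome for f in rejected])
```

In the sample, the third finding carries a Strong label but its quote is a paraphrase that is absent from the cited page, so it is set aside for review and the outcome stays at None rather than inheriting an untraceable label.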


Step 7: Output and review

Results are presented in a structured table showing:

  • CAF outcomes in scope
  • Evidence coverage classification
  • Primary supporting quote
  • Source document reference
  • A short rationale explaining the classification
  • For Partial outcomes, what key aspects appear to be missing

Outputs are intended to be reviewed, challenged and supplemented as part of normal governance and assurance activity.


Human judgement remains essential

SIFTR is a decision-support tool.

Users remain responsible for:

  • Interpreting evidence in organisational context
  • Weighing proportionality and risk
  • Making CAF judgements and assertions
  • Deciding what additional evidence or action is required

SIFTR does not make compliance or assurance decisions.


Transparency and repeatability

For each analysis, SIFTR records:

  • The CAF version used
  • The outcomes included in scope
  • The documents analysed
  • The date and time of analysis

This supports consistent reassessment as documentation or governance arrangements change.


Last updated: January 2026

© 2026 SIFTR PBC. All rights reserved.