Three weeks before a QSA assessment, ask the team a simple question — are we 60% ready or 95%? — and you'll usually get a shrug. Not because anyone is slacking, but because the answer is scattered across a Google Drive folder, a Jira board, and three people's heads. Nobody can see the whole picture, so nobody can size what's left.
The expensive part of PCI isn't fixing problems. It's finding out where you stand — and most teams don't find out until they're deep in the assessment, re-collecting a CloudTrail screenshot at 11pm the night before it's due.
It doesn't have to take three weeks. A large slice of your evidence already exists as facts in your cloud account — you just have to read it. Here's how to go from "no idea" to a clear, organized, integrity-verified map of where your evidence stands, in a single afternoon, with the free Ankos CLI.
Start with what's already true: your cloud
Install the CLI — one line, no account:
curl -sSL https://get.ankos.dev | sh
Everything below runs locally. Your evidence stays on your machine unless you explicitly choose to upload it.
1. Map what's actually in scope
Before scanning anything, get a high-level read on your estate — which accounts hold cardholder-data-adjacent resources, and which obviously don't:
ankos accounts discover
In a few seconds you get a per-account inventory, the obvious risk flags (public buckets, users without MFA, missing audit logging), and a scope recommendation — so you spend the afternoon on the accounts that matter, not the ones that don't.
2. Collect the evidence
ankos scan -o ./evidence
The CLI reads across your in-scope services — IAM, S3, KMS, VPC, CloudTrail, GuardDuty, RDS, and more — and writes structured evidence: one JSON file per collector, plus a SHA-256 manifest so the package can be verified independently later. This is the step that usually eats days of screenshotting; here it's a few minutes of API calls.
3. See where you actually stand
ankos report ./evidence --format html -o ./pci-report.html
Open the report and you finally have the answer to the 60%-or-95% question: a single PCI Score, per-requirement rollups, a coverage line ("evidence collected for N of 12 requirements"), and the specific items to address first — each tagged to the PCI DSS sub-requirement it maps to.
The score is an evidence-readiness signal, not a compliance grade. It tells you how much of the expected evidence is collected and clean, so you can plan the remaining work — your QSA still makes the determination.
4. Close the gaps
ankos remediate ./evidence
Every item that needs attention comes back with something actionable — the exact AWS CLI command to fix it, Terraform, or a prioritized sprint plan with effort estimates. Re-scan and watch the items clear.
5. Verify integrity and hand off
ankos verify ./evidence
ankos export ./evidence --format qsa-package
verify re-checks every file against the manifest and flags anything altered (digest no longer matches), missing (listed but absent), or planted (present but never listed). The check needs nothing but shasum, so an assessor can repeat it with Ankos removed from the trust path entirely. export bundles the package the way an assessor expects to receive it: organized by category, consistently named, indexed.
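What that integrity check amounts to, as an added example that is not Ankos code: a POSIX shell function that replays a SHA-256 manifest check over an evidence directory and reports the three failure kinds. The manifest layout (one "<sha256>  <relative path>" line per file, stored as MANIFEST.sha256) and the sample JSON files are assumptions, since the page does not specify the format.

```shell
#!/bin/sh
# Added example (not Ankos code): check an evidence directory against its
# SHA-256 manifest and report altered, missing and planted files, using only
# sha256sum/shasum. Assumed manifest layout (the page does not specify one):
# one "<sha256>  <relative path>" line per file, stored as MANIFEST.sha256.

# hash_file FILE: print the hex SHA-256 of FILE with whichever tool is present
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_evidence DIR: print one line per problem; return 0 only when clean
verify_evidence() {
  dir=$1; manifest="$dir/MANIFEST.sha256"; status=0
  [ -f "$manifest" ] || { echo "MISSING  MANIFEST.sha256"; return 2; }
  # 1. every listed file must exist and hash to the recorded digest
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$dir/$path" ]; then
      echo "MISSING  $path"; status=1
    elif [ "$(hash_file "$dir/$path")" != "$expected" ]; then
      echo "ALTERED  $path"; status=1
    fi
  done < "$manifest"
  # 2. every file on disk (except the manifest) must be listed; an unlisted
  #    file was planted after the scan, which step 1 alone would never reveal
  planted=$(cd "$dir" && find . -type f ! -name MANIFEST.sha256 | sed 's|^\./||' |
    while read -r f; do
      awk -v p="$f" '$2 == p { ok = 1 } END { exit !ok }' MANIFEST.sha256 || echo "PLANTED  $f"
    done)
  [ -z "$planted" ] || { echo "$planted"; status=1; }
  return $status
}

# make_demo_evidence: build a constructed two-file package in a temp dir
# (standing in for "ankos scan -o" output) and print its path
make_demo_evidence() {
  d=$(mktemp -d)
  printf '{"collector":"iam","users_without_mfa":0}\n' > "$d/iam.json"
  printf '{"collector":"s3","public_buckets":[]}\n' > "$d/s3.json"
  for f in iam.json s3.json; do
    printf '%s  %s\n' "$(hash_file "$d/$f")" "$f"
  done > "$d/MANIFEST.sha256"
  echo "$d"
}

# Demo: a clean package passes; each kind of tampering is reported by name
if [ "${1:-}" = "demo" ]; then
  pkg=$(make_demo_evidence)
  verify_evidence "$pkg" && echo "clean package verified"
  echo tampered >> "$pkg/iam.json"; rm "$pkg/s3.json"; echo '{}' > "$pkg/extra.json"
  verify_evidence "$pkg" || echo "verification failed as expected"
  rm -rf "$pkg"
fi
```

Run it with "sh verify.sh demo" to see the clean pass followed by the ALTERED, MISSING and PLANTED lines; anyone holding only the package and a hashing tool can reproduce the same result.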
What an afternoon does — and doesn't — get you
By the end of the afternoon you've turned "we have no idea" into a concrete, integrity-verified map of your infrastructure evidence and a ranked list of what's left. That's the foundation the rest of the assessment builds on.
It's a head start, not the finish line. A scan covers the mechanical, infrastructure slice of PCI. The rest — policies, procedures, on-call contacts, signed attestations — is manual evidence that has to come from your team, and the final compliance determination is your QSA's. The point of the afternoon is that you now know what's left, early enough to do something about it.
Where it goes from here
The CLI is the free front door. When you're ready to turn that map into a finished assessment — assign owners, attach the manual evidence, sign off each item, and have your QSA review and accept it — the Ankos Ledger picks up exactly where the CLI leaves off. Your scan results flow straight into the right entries with one --upload flag, and because it's a ledger, every cycle's work compounds on the last.
But that's later. The afternoon is free, and it's the fastest way to stop guessing.