scanset
11 hours ago
More context: ESP was built explicitly as a replacement for SCAP/XCCDF-style policy systems, which tightly couple intent, checks, and tooling. That coupling makes reuse, extension, and continuous verification hard.
ESP treats policy as data and compiles it into constrained contracts. Those contracts can be mapped to external frameworks (NIST 800-53/171, CIS, MITRE ATT&CK, etc.) without embedding framework logic into execution. The mapping lives at the policy layer; execution stays generic.
Its strength is in Zero Trust–style architectures: policies define what state is allowed, execution verifies it continuously, and evidence is emitted as attestations rather than one-off reports. That makes it easier to reason about drift, enforcement, and trust boundaries over time.
It’s not a scanner replacement by itself — it’s a substrate for expressing and enforcing policy intent consistently across environments.
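The pattern the comment above describes (policy kept as data, compiled into a constrained contract, framework mappings living only in the policy layer, a generic executor that emits attestation records, and drift detected by comparing runs) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not ESP's own schema, format or API. The policy fields, the two check kinds, the state snapshots and the control mappings (NIST 800-53 AC-6 and CM-7, ATT&CK T1078) are all assumptions chosen for the example.

```python
"""Policy-as-data with a generic executor.

Added example for this page, not ESP's code. The policy schema, check kinds,
snapshots and control mappings below are assumptions for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass

# The constraint on what a contract may express: only these check kinds exist.
# Each takes a state snapshot (a plain dict) and returns the observed value.
# Note that execution never looks at framework mappings.
CHECKS = {
    "config_key": lambda state, p: state.get("config", {}).get(p["path"], {}).get(p["key"]),
    "service_state": lambda state, p: state.get("services", {}).get(p["name"]),
}


@dataclass(frozen=True)
class Contract:
    policy_id: str
    kind: str
    params: dict
    expected: object
    mappings: dict  # framework -> control ids; carried through, never executed


def compile_policy(policy: dict) -> Contract:
    """Validate one policy record and turn it into a constrained contract."""
    check = policy["check"]
    if check["kind"] not in CHECKS:
        raise ValueError(f"{policy['id']}: unsupported check kind {check['kind']!r}")
    params = {k: v for k, v in check.items() if k not in ("kind", "expected")}
    return Contract(policy["id"], check["kind"], params, check["expected"],
                    policy.get("mappings", {}))


def evaluate(contract: Contract, state: dict, now: float) -> dict:
    """Generic execution: run the check, compare, emit an attestation record."""
    observed = CHECKS[contract.kind](state, contract.params)
    record = {
        "policy_id": contract.policy_id,
        "observed": observed,
        "expected": contract.expected,
        "compliant": observed == contract.expected,
        "mappings": contract.mappings,
        "timestamp": now,
    }
    # Content digest so the attestation can be referenced and integrity-checked later.
    canonical = json.dumps(record, sort_keys=True, default=str).encode()
    record["digest"] = hashlib.sha256(canonical).hexdigest()
    return record


def run(policies: list, state: dict, now: float) -> list:
    """Compile every policy and evaluate it against one snapshot."""
    return [evaluate(compile_policy(p), state, now) for p in policies]


def drift(previous: list, current: list) -> list:
    """Policy ids whose compliance status changed between two attestation runs."""
    before = {r["policy_id"]: r["compliant"] for r in previous}
    return [r["policy_id"] for r in current if before.get(r["policy_id"]) != r["compliant"]]


# Constructed sample policies (assumed schema) with mappings at the policy layer.
POLICIES = [
    {"id": "ssh-no-root-login",
     "check": {"kind": "config_key", "path": "/etc/ssh/sshd_config",
               "key": "PermitRootLogin", "expected": "no"},
     "mappings": {"NIST-800-53": ["AC-6"], "ATT&CK": ["T1078"]}},
    {"id": "telnet-disabled",
     "check": {"kind": "service_state", "name": "telnet", "expected": "disabled"},
     "mappings": {"NIST-800-53": ["CM-7"]}},
]

# Constructed state snapshots: the second one has drifted on root login.
SNAPSHOT_T0 = {"config": {"/etc/ssh/sshd_config": {"PermitRootLogin": "no"}},
               "services": {"telnet": "disabled"}}
SNAPSHOT_T1 = {"config": {"/etc/ssh/sshd_config": {"PermitRootLogin": "yes"}},
               "services": {"telnet": "disabled"}}

if __name__ == "__main__":
    t0 = run(POLICIES, SNAPSHOT_T0, 0.0)
    t1 = run(POLICIES, SNAPSHOT_T1, 1.0)
    for r in t1:
        print(r["policy_id"], "compliant" if r["compliant"] else "NON-COMPLIANT",
              r["mappings"], r["digest"][:12])
    print("drifted:", drift(t0, t1))
```

The point to notice is the split: `CHECKS` and `evaluate` know nothing about NIST or ATT&CK, and adding a new framework mapping or a new policy changes only the data in `POLICIES`. Extending what can be checked means adding a check kind, which is the one place the "constrained" part of the contract is enforced (`compile_policy` rejects anything else). Comparing two runs with `drift` is the continuous-verification half of the story.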