Everything you need for continuous compliance.
22 CIS benchmarks. 3,928 security controls. Four compliance frameworks. One platform that keeps you audit-ready, continuously.
- CIS benchmarks supported: 22, covering Windows, Linux, Azure, AWS, M365, Kubernetes, Docker, browsers, SQL Server, IIS
- Security controls evaluated: 3,928 across all 22 benchmarks
- Compliance frameworks mapped: NIST 800-53 Rev. 5, ISO 27001:2022, SOC 2 Type II, CIS Controls v8
- Scan modes: Agent-based (Windows/Linux/Docker) + agentless API (Azure/AWS/M365/Kubernetes)
- Drift detection: Every scan compared to previous baseline; regression vs improvement categorized automatically
- Deployment: On-premises, air-gapped, private cloud, hybrid, with no SaaS dependency
- Enterprise integrations: Syslog, CEF, JSON/HTTPS · SAML 2.0, Azure Entra ID, LDAP · Teams, Slack, ServiceNow, Webhook
See Your Entire Compliance Posture
Real-time dashboards with drill-down from organization to individual control level. Know exactly where you stand, always.
Compliance Overview
7-metric KPI strip showing overall compliance, passing, failing, critical, high-severity, agents online, and expiring exceptions at a glance.
Benchmark Scorecard
All 22 benchmarks with pass/fail/total counts, compliance percentage, and last-scanned timestamps. Scrollable with full visibility.
Compliance Trends
Historical trend charts across 7/30/90/180/365-day periods. Per-benchmark and overall compliance tracking with direction indicators.
Per-Asset Compliance
Click any agent to see its compliance posture: benchmark scores, severity distribution bar, failing controls, and recent scan history.
Purpose-Built Scanning Engine
Specialized scanning for every platform and check type. Windows, Linux, cloud, containers, browsers, and databases, all covered with intelligent change detection.
Automated CIS Scanning
Purpose-built scanning engine with specialized runners for every platform and check type. Covers registry settings, security policies, service states, shell commands, database configurations, file permissions, and more.
Drift Detection
Every scan compares against the previous. Regressions and improvements are categorized automatically. Alert on new critical failures only.
Delta Scanning
Intelligent change-only scanning stores only what changed since the last scan. Full compliance scores maintained with minimal overhead.
Scan Scheduling
Flexible scheduling with blackout windows for change-freeze periods. Define scan frequency per benchmark across your fleet.
Triage, Fix, and Track
Filter thousands of controls by severity, status, benchmark, and host. Get OS-aware remediation commands with one-click copy. Manage exceptions with formal approval workflow.
Table & Card Views
Toggle between dense table view (Control ID, Title, Severity, Status, Benchmark, Host, Current vs Expected) and detailed card view with remediation steps.
Severity Filtering
Filter by CRITICAL, HIGH, MEDIUM, LOW severity and by status (Fail, Pass, Manual Review, Error, Exception). Hostname attribution shows which asset is affected.
Remediation Guidance
Step-by-step fix instructions with OS-detected commands (PowerShell or Bash). One-click copy to clipboard for instant remediation.
Exception Management
Formal waiver workflow: submit justification and compensating controls, approve/revoke with audit trail, auto-expiry with compliance recalculation.
One Scan, Four Frameworks
Map CIS benchmark results to NIST 800-53, ISO 27001, SOC 2, and CIS Controls v8 automatically. No duplicate scanning or manual mapping.
NIST SP 800-53 Rev. 5
50 controls mapped across 20 control families. Coverage percentage per family with drill-down to individual CIS control pass/fail status.
ISO/IEC 27001:2022
36 Annex A controls mapped. Satisfied/Partially Satisfied/Not Met status with methodology explanation for auditors.
SOC 2 Type II
26 Trust Services Criteria mapped. Continuous evidence generation eliminates manual audit prep.
CIS Controls v8
22 benchmarks covering 3,928 security controls. Automated scanning with pass/fail determination per control.
22 benchmarks across 5 categories.
From Windows desktops to Kubernetes clusters, from browsers to databases. Agent-based for on-host scanning, agentless for cloud APIs.
Endpoints
- Windows 11 Enterprise
- Windows 10 Enterprise
- Windows Server 2022
- Ubuntu 24.04 LTS
- RHEL 9
- Azure Linux 2
- Azure Linux 3
Cloud
- Microsoft Azure Foundation
- Amazon Web Services
- Microsoft 365
- Azure Compute
Containers
- Kubernetes
- Docker
- Azure AKS (3 variants)
- Amazon EKS
- Red Hat OpenShift
Browsers
- Google Chrome
- Microsoft Edge
- Firefox ESR
- Internet Explorer 11
Database & Web
- SQL Server 2022
- IIS 10
Connects to your existing stack.
Notifications
Microsoft Teams, Email (SMTP), Webhook, ServiceNow
SIEM
Syslog (RFC 5424), CEF, JSON/HTTPS with HMAC-SHA256
Identity
Azure Entra ID SSO, SAML 2.0, LDAP/Active Directory
Cloud APIs
Azure Resource Manager, Microsoft Graph, AWS IAM/CloudTrail/S3/VPC
Deploy your way.
On-premises, air-gapped, or hybrid. Your data never leaves your infrastructure. No SaaS dependency.
On-Premises
Single-file installer on your server. Agents deployed to Windows, Linux, and container hosts. All data stays in your data center.
- CISGuard Server
- Windows Agents
- Linux Agents
- Cloud API Scanner
- Your Database
Air-Gapped
Fully offline operation for classified networks. No internet connectivity required. Agent updates via secure file transfer.
- Isolated Server
- Classified Endpoints
- Offline Agent Updates
- Local Report Generation
- No External Access
Hybrid
Central server with agents across multiple sites, cloud environments, and container orchestrators. Unified dashboard for all.
- Central Server
- Site A Agents
- Site B Agents
- Azure / AWS APIs
- K8s Clusters
Identity & access for the enterprise.
Azure Entra ID SSO
MSAL v5 redirect flow with tenant validation and token refresh.
SAML 2.0
Okta, AD FS, PingIdentity, OneLogin. One-time auth code exchange.
LDAP / Active Directory
Two-step bind+search with JIT provisioning. AD group to role mapping.
MFA / TOTP
Time-based one-time passwords with recovery codes. Per-role MFA enforcement.
Ready to see it in action?
A 45-minute Executive Briefing with a live scan against your environment, our compliance engineers, and your security team in the room.