CISGuard is a continuous compliance automation platform built by GR IT Services. It scans infrastructure against 22 CIS benchmarks covering 3,910+ security controls, with real-time drift detection and multi-framework mapping for NIST 800-53, ISO 27001, and SOC 2. It deploys fully on-premises with air-gapped support and requires no SaaS dependency.

What is CIS benchmark compliance automation?

CIS benchmark compliance automation uses software agents to continuously scan your infrastructure against Center for Internet Security (CIS) benchmarks. Instead of manual audits, CISGuard automatically evaluates 3,910+ security controls across Windows, Linux, cloud, and container platforms, providing real-time compliance posture with drift detection.

What is drift detection in compliance?

Drift detection is the process of identifying configuration changes that cause an endpoint to deviate from its hardened baseline. CISGuard compares every scan against the previous result and alerts your team within minutes when a configuration regresses, such as a Group Policy change, a firewall rule modification, or an audit policy being disabled.

How does continuous compliance monitoring work?

Continuous compliance monitoring replaces point-in-time audits with automated, scheduled scans. CISGuard agents detect your platform, run the matching CIS benchmark, and stream results to a real-time dashboard. Every scan is compared against the previous baseline to detect regressions, improvements, and new controls.

Can CISGuard be deployed on-premises and air-gapped?

Yes. CISGuard is designed for on-premises deployment. All scan data stays within your network perimeter. It supports fully air-gapped environments for classified and regulated industries, with no SaaS dependency, no cloud data transfer, and no internet connectivity required during operation.

What compliance frameworks does CISGuard support?

CISGuard maps scan results across four frameworks: CIS Benchmarks v8 (3,910+ controls), NIST SP 800-53 Rev. 5 (50 mapped controls across 20 control families), ISO/IEC 27001:2022 (36 mapped controls), and SOC 2 Type II (26 mapped criteria). A single scan satisfies multiple compliance requirements simultaneously.

What platforms and operating systems does CISGuard support?

CISGuard supports 22 security benchmarks across: Windows (10, 11, Server 2022), Linux (Ubuntu 24.04, RHEL 9, Debian 12, Azure Linux), cloud (Microsoft Azure, AWS, Microsoft 365), containers (Kubernetes, Docker, AKS, EKS, OpenShift), browsers (Chrome, Edge, Firefox), and server applications (SQL Server 2022, IIS 10).

How quickly can CISGuard be deployed?

CISGuard can be deployed and scanning your environment in under one hour for standard deployments. GR IT Services provides fully managed onboarding, including server setup, agent deployment, SSO integration, and SIEM configuration. Enterprise deployments with thousands of endpoints typically complete within 1-2 weeks in phased rollouts.

How is CISGuard different from Tenable, Qualys, or Rapid7?

Unlike Tenable Nessus, Qualys, and Rapid7, CISGuard is purpose-built for CIS benchmark compliance rather than vulnerability scanning. Key differentiators include: fully on-premises and air-gapped deployment (no SaaS dependency), continuous drift detection between scans, multi-framework mapping (CIS + NIST + ISO + SOC 2 from a single scan), and Kubernetes/Docker container benchmark support. See the full feature comparison at cisguard.ae/compare.

How much does CISGuard cost?

CISGuard offers three plans: Starter (up to 50 endpoints), Professional (up to 500 endpoints, most popular), and Enterprise (unlimited endpoints). Pricing is per-deployment with no per-endpoint fees or hidden modules. All plans include on-premises deployment, managed onboarding, and data sovereignty. Contact sales@cisguard.ae for a quote.

What is multi-framework compliance mapping?

Multi-framework compliance mapping is the ability to run a single CIS benchmark scan and automatically map the results to multiple regulatory frameworks (NIST 800-53, ISO 27001, SOC 2) simultaneously. This eliminates the need to run separate assessments for each framework and reduces duplicate evidence collection by up to 3x.

Does CISGuard support HIPAA, GDPR, or regional regulations?

CISGuard's CIS benchmark scans and NIST 800-53 mapping directly support the technical safeguard requirements of HIPAA, GDPR, UAE PDPL, APRA CPS 234 (Australia), ENS (Spain), TISAX (Germany automotive), and other regulations that reference CIS or NIST controls. Organizations in healthcare, finance, government, and telecommunications across the UAE, USA, Germany, Australia, India, and Spain use CISGuard for regulatory compliance.

Platform Features

Everything You Need for Continuous Compliance

22 CIS benchmarks. 3,928 security controls. Four compliance frameworks. One platform that keeps you audit-ready, continuously.

Dashboard & Visibility

See Your Entire Compliance Posture

Real-time dashboards with drill-down from organization to individual control level. Know exactly where you stand, always.

Compliance Overview

7-metric KPI strip showing overall compliance, passing, failing, critical, high-severity, agents online, and expiring exceptions at a glance.

Benchmark Scorecard

All 22 benchmarks with pass/fail/total counts, compliance percentage, and last-scanned timestamps. Scrollable with full visibility.

Compliance Trends

Historical trend charts across 7/30/90/180/365-day periods. Per-benchmark and overall compliance tracking with direction indicators.

Per-Asset Compliance

Click any agent to see its compliance posture: benchmark scores, severity distribution bar, failing controls, and recent scan history.

Scanning Engine

Purpose-Built Scanning Engine

Specialized scanning for every platform and check type. Windows, Linux, cloud, containers, browsers, and databases — all covered with intelligent change detection.

Automated CIS Scanning

Purpose-built scanning engine with specialized runners for every platform and check type. Covers registry settings, security policies, service states, shell commands, database configurations, file permissions, and more.

Drift Detection

Every scan compares against the previous. Regressions and improvements are categorized automatically. Alert on new critical failures only.

Delta Scanning

Intelligent change-only scanning stores only what changed since the last scan. Full compliance scores maintained with minimal overhead.

Scan Scheduling

Flexible scheduling with blackout windows for change-freeze periods. Define scan frequency per benchmark across your fleet.

Controls & Remediation

Triage, Fix, and Track

Filter thousands of controls by severity, status, benchmark, and host. Get OS-aware remediation commands with one-click copy. Manage exceptions with formal approval workflow.

Table & Card Views

Toggle between dense table view (Control ID, Title, Severity, Status, Benchmark, Host, Current vs Expected) and detailed card view with remediation steps.

Severity Filtering

Filter by CRITICAL, HIGH, MEDIUM, LOW severity and by status (Fail, Pass, Manual Review, Error, Exception). Hostname attribution shows which asset is affected.

Remediation Guidance

Step-by-step fix instructions with OS-detected commands (PowerShell or Bash). One-click copy to clipboard for instant remediation.

Exception Management

Formal waiver workflow: submit justification and compensating controls, approve/revoke with audit trail, auto-expiry with compliance recalculation.

Framework Compliance

One Scan, Four Frameworks

Map CIS benchmark results to NIST 800-53, ISO 27001, SOC 2, and CIS Controls v8 automatically. No duplicate scanning or manual mapping.

NIST SP 800-53 Rev. 5

50 controls mapped across 18 control families. Coverage percentage per family with drill-down to individual CIS control pass/fail status.

ISO/IEC 27001:2022

36 Annex A controls mapped. Satisfied/Partially Satisfied/Not Met status with methodology explanation for auditors.

SOC 2 Type II

26 Trust Services Criteria mapped. Continuous evidence generation eliminates manual audit prep.

CIS Controls v8

22 benchmarks covering 3,928 security controls. Automated scanning with pass/fail determination per control.

Platform Coverage

22 Benchmarks Across 5 Categories

From Windows desktops to Kubernetes clusters, from browsers to databases. Agent-based for on-host scanning, agentless for cloud APIs.

Endpoints

Windows 11 Enterprise
Windows 10 Enterprise
Windows Server 2022
Ubuntu 24.04 LTS
RHEL 9
Azure Linux 2
Azure Linux 3

Cloud

Microsoft Azure Foundation
Amazon Web Services
Microsoft 365
Azure Compute

Containers

Kubernetes
Docker
Azure AKS (3 variants)
Amazon EKS
Red Hat OpenShift

Browsers

Google Chrome
Microsoft Edge
Firefox ESR
Internet Explorer 11

Database & Web

SQL Server 2022
IIS 10

Integrations

Connects to Your Existing Stack

Notifications

Microsoft Teams, Email (SMTP), Webhook, ServiceNow

SIEM

Syslog (RFC 5424), CEF, JSON/HTTPS with HMAC-SHA256

Identity

Azure Entra ID SSO, SAML 2.0, LDAP/Active Directory

Cloud APIs

Azure Resource Manager, Microsoft Graph, AWS IAM/CloudTrail/S3/VPC

Deployment

Deploy Your Way

On-premises, air-gapped, or hybrid. Your data never leaves your infrastructure. No SaaS dependency.

On-Premises

Single-file installer on your server. Agents deployed to Windows, Linux, and container hosts. All data stays in your data center.

CISGuard Server

Windows Agents

Linux Agents

Cloud API Scanner

Your Database

Air-Gapped

Fully offline operation for classified networks. No internet connectivity required. Agent updates via secure file transfer.

Isolated Server

Classified Endpoints

Offline Agent Updates

Local Report Generation

No External Access

Hybrid

Central server with agents across multiple sites, cloud environments, and container orchestrators. Unified dashboard for all.

Central Server

Site A Agents

Site B Agents

Azure / AWS APIs

K8s Clusters

Enterprise Authentication

Identity & Access for the Enterprise

Azure Entra ID SSO

MSAL v5 redirect flow with tenant validation and token refresh.

SAML 2.0

Okta, AD FS, PingIdentity, OneLogin. One-time auth code exchange.

LDAP / Active Directory

Two-step bind+search with JIT provisioning. AD group to role mapping.

MFA / TOTP

Time-based one-time passwords with recovery codes. Per-role MFA enforcement.

Ready to See It in Action?

Schedule a personalized demo with our team. We'll walk you through every feature with your infrastructure in mind.

Request Demo Compare with Alternatives