CISGuard is a continuous compliance automation platform built by GR IT Services. It scans infrastructure against 22 CIS benchmarks covering 3,910+ security controls, with real-time drift detection and multi-framework mapping for NIST 800-53, ISO 27001, and SOC 2. It deploys fully on-premises with air-gapped support and requires no SaaS dependency.

What is CIS benchmark compliance automation?

CIS benchmark compliance automation uses software agents to continuously scan your infrastructure against Center for Internet Security (CIS) benchmarks. Instead of manual audits, CISGuard automatically evaluates 3,910+ security controls across Windows, Linux, cloud, and container platforms, providing real-time compliance posture with drift detection.

What is drift detection in compliance?

Drift detection is the process of identifying configuration changes that cause an endpoint to deviate from its hardened baseline. CISGuard compares every scan against the previous result and alerts your team within minutes when a configuration regresses, such as a Group Policy change, a firewall rule modification, or an audit policy being disabled.

How does continuous compliance monitoring work?

Continuous compliance monitoring replaces point-in-time audits with automated, scheduled scans. CISGuard agents detect your platform, run the matching CIS benchmark, and stream results to a real-time dashboard. Every scan is compared against the previous baseline to detect regressions, improvements, and new controls.

Can CISGuard be deployed on-premises and air-gapped?

Yes. CISGuard is designed for on-premises deployment. All scan data stays within your network perimeter. It supports fully air-gapped environments for classified and regulated industries, with no SaaS dependency, no cloud data transfer, and no internet connectivity required during operation.

What compliance frameworks does CISGuard support?

CISGuard maps scan results across four frameworks: CIS Benchmarks v8 (3,910+ controls), NIST SP 800-53 Rev. 5 (50 mapped controls across 20 control families), ISO/IEC 27001:2022 (36 mapped controls), and SOC 2 Type II (26 mapped criteria). A single scan satisfies multiple compliance requirements simultaneously.

What platforms and operating systems does CISGuard support?

CISGuard supports 22 security benchmarks across: Windows (10, 11, Server 2022), Linux (Ubuntu 24.04, RHEL 9, Debian 12, Azure Linux), cloud (Microsoft Azure, AWS, Microsoft 365), containers (Kubernetes, Docker, AKS, EKS, OpenShift), browsers (Chrome, Edge, Firefox), and server applications (SQL Server 2022, IIS 10).

How quickly can CISGuard be deployed?

CISGuard can be deployed and scanning your environment in under one hour for standard deployments. GR IT Services provides fully managed onboarding, including server setup, agent deployment, SSO integration, and SIEM configuration. Enterprise deployments with thousands of endpoints typically complete within 1-2 weeks in phased rollouts.

How is CISGuard different from Tenable, Qualys, or Rapid7?

Unlike Tenable Nessus, Qualys, and Rapid7, CISGuard is purpose-built for CIS benchmark compliance rather than vulnerability scanning. Key differentiators include: fully on-premises and air-gapped deployment (no SaaS dependency), continuous drift detection between scans, multi-framework mapping (CIS + NIST + ISO + SOC 2 from a single scan), and Kubernetes/Docker container benchmark support. See the full feature comparison at cisguard.ae/compare.

How much does CISGuard cost?

CISGuard offers three plans: Starter (up to 50 endpoints), Professional (up to 500 endpoints, most popular), and Enterprise (unlimited endpoints). Pricing is per-deployment with no per-endpoint fees or hidden modules. All plans include on-premises deployment, managed onboarding, and data sovereignty. Contact sales@cisguard.ae for a quote.

What is multi-framework compliance mapping?

Multi-framework compliance mapping is the ability to run a single CIS benchmark scan and automatically map the results to multiple regulatory frameworks (NIST 800-53, ISO 27001, SOC 2) simultaneously. This eliminates the need to run separate assessments for each framework and reduces duplicate evidence collection by up to 3x.

Does CISGuard support HIPAA, GDPR, or regional regulations?

CISGuard's CIS benchmark scans and NIST 800-53 mapping directly support the technical safeguard requirements of HIPAA, GDPR, UAE PDPL, APRA CPS 234 (Australia), ENS (Spain), TISAX (Germany automotive), and other regulations that reference CIS or NIST controls. Organizations in healthcare, finance, government, and telecommunications across the UAE, USA, Germany, Australia, India, and Spain use CISGuard for regulatory compliance.

Integrations

Connects to Your Existing Stack

SIEM, SSO, notifications, and cloud APIs. CISGuard fits into your infrastructure — you don't adapt to ours.

SIEM & Security Operations

Forward compliance events to your SIEM for unified security monitoring.

Syslog (RFC 5424)

Professional+

UDP, TCP, and TLS transport. Compatible with Splunk, Sentinel, QRadar, ArcSight, Graylog.

CEF (Common Event Format)

Enterprise

ArcSight-standard CEF format over Syslog. Maps CIS controls to CEF severity/name fields.

JSON/HTTPS with HMAC-SHA256

Enterprise

REST webhook with cryptographic signature verification. Post events to any HTTPS endpoint.

Identity & Access

Single sign-on and directory integration for enterprise identity management.

Azure Entra ID (Azure AD)

Professional+

MSAL v5 redirect flow with tenant validation, token refresh, and automatic user provisioning.

SAML 2.0

Enterprise

Works with Okta, AD FS, PingIdentity, OneLogin, and any SAML 2.0 IdP. One-time auth code exchange.

LDAP / Active Directory

Enterprise

Two-step bind+search with JIT provisioning. Map AD security groups to CISGuard roles automatically.

MFA / TOTP

All plans

Time-based one-time passwords with recovery codes. Per-role MFA enforcement policy.

Notifications & Alerting

Get notified the moment compliance drifts. Route alerts by severity and benchmark.

Microsoft Teams

Professional+

Adaptive card notifications with compliance score, benchmark name, and direct link to dashboard.

Email (SMTP)

All plans

HTML email alerts via any SMTP server. Office 365, Gmail, SendGrid, or on-premises Exchange.

Webhook

Professional+

JSON POST to any endpoint. Includes HMAC-SHA256 signature for payload verification.

ServiceNow

Enterprise

Create incidents automatically when critical compliance failures are detected.

Cloud & Infrastructure

Agentless scanning of cloud resources via native APIs.

Microsoft Azure

Professional+

Azure Resource Manager API for Foundation, Compute, and AKS benchmark scanning. OAuth2 client credentials.

Amazon Web Services

Professional+

IAM, CloudTrail, S3, VPC, RDS, EBS, EKS scanning via access key or assumed role.

Microsoft 365

Professional+

Microsoft Graph API for Exchange Online, SharePoint, Teams, and Entra ID policy scanning.

Kubernetes / OpenShift

Professional+

K8s API server scanning via bearer token. Supports AKS, EKS, self-hosted, and OpenShift.

Need a Custom Integration?

Our webhook and REST API support any integration. Enterprise customers get dedicated engineering support for custom connectors.

Request Demo