Pillar · Hardening

Baselines that don't live in a PDF.

Run the standards you already trust — CIS, STIG, Microsoft baselines, vendor guides — as first-class, executable policies. When a host drifts, the baseline re-asserts itself.

Baselines included

Industry standards, ready to run.

Windows Server

CIS 2019 / 2022 / 2025 (L1 + L2), Microsoft Security Baselines

Linux

CIS Ubuntu LTS, RHEL / Rocky / Alma, SUSE

VMware & Proxmox

Vendor hardening guides, vSphere security config

Databases

MSSQL, MySQL, PostgreSQL security hardening

Mail

TLS, SPF / DKIM / DMARC, authentication, rate limits, relay hygiene

Containers

Docker daemon, runtime security

Azure Stack Hub & Cloud

Vendor and Microsoft baselines, Defender for Cloud controls

Hosting panels

cPanel / Plesk security hardening guides

FortiMail

Admin access, TLS, AS/AV policy hygiene

Per check

Every finding is actionable.

Hardening check yaml
hardening_check:
  id: WIN-SMB-SIGNING-REQ
  baseline: [cis_windows_2022_l1, ms_baseline_2022]
  title: Require SMB packet signing (server)
  rationale: Prevents SMB relay and MITM against file servers
  detection:
    type: registry
    path: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters
    value: RequireSecuritySignature
    expected: 1
  severity: high
  impact_warning: May break legacy clients that can't sign
  remediation:
    safe_mode:
      action_ref: win.hardening.smb.enable_signing
      rollback_snapshot: registry_backup
  compensating_controls: [network_segmentation]
  references: [CIS_2.3.8.1]

Workflow

Assess → score → remediate → re-assert.

  1. STEP 01

    Assess

    Non-intrusive, read-only baseline scan across target set.

  2. STEP 02

    Score

    Per-host and per-customer scores, trend over time, executive roll-up.

  3. STEP 03

    Plan

    Pick findings, simulate impact, preview affected services.

  4. STEP 04

    Remediate

    Staged rollout. Automatic snapshot. Safe-mode rollback.

  5. STEP 05

    Re-assert

    Scheduled re-scan. Drift detection. Policy-controlled auto-repair.
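
As an added illustration (not the product's own code), this Python sketch shows a read-only assess and re-assert pass for the registry check shown above. The snapshot layout, the status names and the `evaluate`, `scan` and `drifted` helpers are assumptions, and the host data is constructed.

```python
# Added example: read-only evaluation of a registry-type hardening check.
# CHECK mirrors the detection fields shown on the page; everything else is assumed.
CHECK = {
    "id": "WIN-SMB-SIGNING-REQ",
    "severity": "high",
    "detection": {
        "type": "registry",
        "path": r"HKLM\System\CurrentControlSet\Services\LanManServer\Parameters",
        "value": "RequireSecuritySignature",
        "expected": 1,
    },
}

def evaluate(check, snapshot):
    """Return (status, observed) for one host.

    snapshot maps registry key path -> {value name: data}. Windows registry
    paths and value names are case-insensitive, so compare case-folded.
    """
    det = check["detection"]
    if det["type"] != "registry":
        raise ValueError(f"unsupported detection type: {det['type']}")
    keys = {path.casefold(): vals for path, vals in snapshot.items()}
    vals = {name.casefold(): data
            for name, data in keys.get(det["path"].casefold(), {}).items()}
    observed = vals.get(det["value"].casefold())
    if observed is None:
        # Value not set: the policy is not asserted, so report it separately
        # from an explicit wrong value instead of silently passing.
        return "missing", None
    return ("pass" if observed == det["expected"] else "fail"), observed

def scan(check, fleet):
    """Assess step: status per host, without touching the hosts."""
    return {host: evaluate(check, snap)[0] for host, snap in fleet.items()}

def drifted(previous, current):
    """Re-assert step: hosts that passed last scan and no longer pass."""
    return sorted(h for h, s in current.items()
                  if previous.get(h) == "pass" and s != "pass")

# Constructed sample data: two scans of three hypothetical file servers.
KEY = CHECK["detection"]["path"]
SCAN_1 = {
    "fs01": {KEY: {"RequireSecuritySignature": 1}},
    "fs02": {KEY.lower(): {"requiresecuritysignature": 0}},
    "fs03": {KEY: {"EnableSecuritySignature": 1}},  # required value absent
}
SCAN_2 = {**SCAN_1, "fs01": {KEY: {"RequireSecuritySignature": 0}}}
```

Reporting `missing` separately from `fail` keeps "never configured" distinct from "configured wrong", which matters when deciding whether a remediation is a first-time change or a drift repair.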

Beyond the baseline

Operational hygiene, built in.

Attack-surface inventory

Internal + egress-probed port inventory per host. Find the Internet-exposed RDP nobody remembered.

Certificate hygiene

Weak ciphers, self-signed in prod, expiring, SHA-1, non-compliant SANs — all visible, all fixable.

Credential hygiene

Local-admin password rotation for non-AD hosts, service account audit, Kerberoasting risk, SPN duplication.

Privilege audit

Who has Domain Admin, SQL sysadmin, vCenter full admin, cloud Owner — and who actually uses it. Prune stale.

Backup validity check

Not just "backup ran" — periodic test-restore into sandbox with automated verification.

Change attestation

Every hardening change is tied to an engineer, a ticket, a rollback snapshot, and an evidence artifact.

See a sample hardening report.