Framework — CIS Benchmarks

Configuration compliance, automated

CIS Benchmarks are the industry standard for secure configuration. Sudory runs them automatically against your cloud platforms and SaaS tools — on schedule, mapped to your frameworks.

Benchmarks

What we scan

Each integration runs its platform-specific CIS benchmark. Benchmarks marked live are scanning today; those marked planned are in development.

CIS Google Workspace

live

Admin settings, OAuth app grants, MFA enforcement, user permissions, and email routing. Scanned via service account with read-only access.

MFA enforcement, OAuth app grants, Admin privileges, Email routing, Third-party apps

CIS Slack

live

Installed apps and bots, OAuth scopes, workspace settings, and integration logs. Scanned via OAuth with read-only permissions.

Installed apps, OAuth scopes, Workspace settings, Integration logs, User authorisations

CIS AWS Foundations

planned

IAM policies, S3 bucket configurations, security group rules, CloudTrail logging, and encryption settings. The most widely adopted CIS benchmark.

IAM policies, S3 bucket config, Security groups, CloudTrail, Encryption at rest

CIS Azure / Entra ID

planned

Conditional access policies, MFA enforcement, guest user settings, identity protection, and network security groups across your Azure tenant.

Conditional access, MFA enforcement, Guest policies, NSG rules, Key Vault

CIS GitHub

planned

Repository security settings, branch protection rules, secret scanning, Dependabot status, and CODEOWNERS coverage across your organisation.

Branch protection, Secret scanning, Dependabot, CODEOWNERS, SSO enforcement

How it works

Connect, scan, map

Connect your platform, run the benchmark, map results to your frameworks. The whole pipeline runs on schedule — no infrastructure to manage.

01

Connect

OAuth or service account — one-time setup. Credentials are stored in Vault, never in the database, and are scoped to read-only access.

02

Scan

Sudory queries your live configuration against CIS benchmark controls. Each check produces a pass/fail result with remediation guidance.

03

Reconcile

Results are normalised into the compliance ledger as timestamped transactions. Controls are credits, findings are debits. Your posture is a running balance.

04

Framework mapping

Each CIS check maps to controls in ISO 27001, NIS2, SOC 2, and DORA. One benchmark scan produces evidence across all your frameworks.
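The scan, reconcile and framework-mapping steps above can be illustrated with a small ledger. The following is an added example and not Sudory's code: it takes constructed CIS check results, records each non-skipped result as a timestamped credit or debit, keeps the running balance, and derives per-framework evidence from the latest state of each check. The check ids, the sample timestamps and the control ids in CONTROL_MAP are assumptions chosen for the illustration, not a published CIS cross-reference.

```python
"""Added illustration of the connect/scan/reconcile/map pipeline.
Example code, not Sudory's implementation: check ids, timestamps and the
framework control ids in CONTROL_MAP are assumptions for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed check -> framework control mapping. One check yields evidence in
# several frameworks; two checks may support the same control.
CONTROL_MAP = {
    "gws-mfa-enforced": {"ISO 27001": "A.8.5", "SOC 2": "CC6.1", "NIS2": "Art. 21(2)(j)"},
    "gws-oauth-grants": {"ISO 27001": "A.5.15", "SOC 2": "CC6.3", "NIS2": "Art. 21(2)(i)"},
    "slack-app-scopes": {"ISO 27001": "A.5.15", "SOC 2": "CC6.3"},
}


@dataclass(frozen=True)
class CheckResult:
    check_id: str
    level: int      # CIS profile level: 1 (baseline) or 2 (defence in depth)
    result: str     # "pass", "fail" or "skip"


@dataclass(frozen=True)
class Transaction:
    at: datetime
    check_id: str
    kind: str       # "credit" (control met) or "debit" (finding)
    amount: int


@dataclass
class ComplianceLedger:
    """Append-only ledger: every non-skipped check result becomes one
    timestamped transaction. Passes are credits, failures are debits."""
    entries: list = field(default_factory=list)

    def record_scan(self, results, scanned_at=None):
        scanned_at = scanned_at or datetime.now(timezone.utc)
        for r in results:
            if r.result == "skip":          # not applicable: no evidence either way
                continue
            kind = "credit" if r.result == "pass" else "debit"
            self.entries.append(Transaction(scanned_at, r.check_id, kind, 1))
        return len(self.entries)

    def running_balance(self):
        """Cumulative balance after each transaction, in ledger order."""
        out, total = [], 0
        for t in self.entries:
            total += t.amount if t.kind == "credit" else -t.amount
            out.append(total)
        return out

    def balance(self):
        return self.running_balance()[-1] if self.entries else 0

    def latest_by_check(self):
        """Most recent transaction per check: the current state of each control."""
        latest = {}
        for t in sorted(self.entries, key=lambda t: t.at):
            latest[t.check_id] = t
        return latest

    def open_findings(self):
        return sorted(c for c, t in self.latest_by_check().items() if t.kind == "debit")

    def evidence_by_framework(self):
        """Framework -> control id -> 'met' or 'finding', from the latest state.
        A control backed by several checks is a finding if any of them fails."""
        evidence = {}
        for check_id, t in self.latest_by_check().items():
            status = "met" if t.kind == "credit" else "finding"
            for fw, control in CONTROL_MAP.get(check_id, {}).items():
                bucket = evidence.setdefault(fw, {})
                if bucket.get(control) != "finding":
                    bucket[control] = status
        return evidence


def demo():
    """Two constructed scans: an OAuth finding in the first is remediated by the second."""
    ledger = ComplianceLedger()
    ledger.record_scan([
        CheckResult("gws-mfa-enforced", 1, "pass"),
        CheckResult("gws-oauth-grants", 1, "fail"),
        CheckResult("slack-app-scopes", 2, "skip"),   # Slack not connected for this tenant
    ], datetime(2025, 1, 1, tzinfo=timezone.utc))
    ledger.record_scan([CheckResult("gws-oauth-grants", 1, "pass")],
                       datetime(2025, 1, 8, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    led = demo()
    print("running balance:", led.running_balance())
    print("open findings:", led.open_findings())
    print("evidence:", led.evidence_by_framework())
```

The ledger never rewrites history: the remediated OAuth finding stays visible as a debit in the running balance, while `evidence_by_framework` reports the current state, which is what an auditor asks for.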

Terminology

CIS vocabulary

CIS Benchmarks have their own terminology — levels, controls, and result types. Here's what matters for compliance.

CIS Benchmark

A consensus-based configuration guideline developed by the Center for Internet Security. Benchmarks exist for operating systems, cloud providers, SaaS platforms, and network devices.

CIS Controls

A prioritised set of 18 cybersecurity actions (formerly the SANS Top 20). The strategic framework that CIS Benchmarks operationalise at the configuration level.

Level 1 (L1)

Baseline recommendations that can be implemented without significant performance impact. The minimum standard — every organisation should meet Level 1.

Level 2 (L2)

Defence-in-depth recommendations for security-sensitive environments. May reduce functionality or require more effort to implement.

Pass / Fail / Skip

Each CIS check produces one of three results. Pass means the configuration meets the benchmark. Fail means remediation is needed. Skip means the check doesn't apply to your environment.

Remediation guidance

Each failed check includes step-by-step remediation instructions from the CIS benchmark. Sudory surfaces these alongside findings so your team knows exactly what to fix.

How Sudory helps

CIS Benchmarks in your compliance stack

CIS Benchmarks are the operational layer. Sudory connects them to your compliance frameworks — so one scan produces evidence for ISO 27001, NIS2, SOC 2, and DORA.

Automated CIS scanning

Sudory runs CIS benchmark scans on schedule via pg_cron. Scanners auto-start on Fly.io, run the benchmark, and stop when idle. No infrastructure to manage.

Multi-platform coverage

One scanning engine, multiple platforms. Google Workspace, Slack, AWS, Azure, GitHub — each scanned against its specific CIS benchmark with the same pipeline.

Compliance ledger integration

Every CIS check result enters the compliance ledger as a timestamped transaction. Controls are credits, findings are debits. Your compliance posture is a running balance.

Cross-framework evidence

CIS checks map to ISO 27001 Annex A, NIS2 Article 21, SOC 2 Trust Criteria, and DORA. One benchmark scan produces evidence for every framework you need.

Policy enforcement

Sudory policies enforce CIS compliance thresholds. Balance policies require zero critical findings. Freshness policies ensure benchmarks run regularly. Temporal policies catch stale evidence.

Remediation tracking

Failed CIS checks become findings in the ledger. Flow policies enforce a review → remediation → verification workflow. Role policies ensure the right people approve fixes.
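As an added example of the five policy types named under Policy enforcement and Remediation tracking (balance, freshness, temporal, flow and role), the code below evaluates each one over constructed findings and timestamps. It is not Sudory's code; the thresholds, the role names, the workflow states and the sample data are assumptions made for the illustration.

```python
"""Added example of balance, freshness, temporal, flow and role policies.
Not Sudory's code: thresholds, roles, states and sample data are assumed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock so results are reproducible
DAY = timedelta(days=1)

# Flow policy: a finding moves through these states one step at a time.
FLOW = ["open", "review", "remediation", "verification", "closed"]
# Role policy (assumed roles): who may move a finding into each state.
ROLE_FOR_STATE = {
    "review": {"analyst", "security-lead"},
    "remediation": {"engineer", "security-lead"},
    "verification": {"security-lead"},
    "closed": {"security-lead"},
}

# Constructed findings and timestamps, not real scan output.
FINDINGS = [
    {"check_id": "gws-mfa-enforced", "severity": "critical", "state": "review"},
    {"check_id": "slack-app-scopes", "severity": "medium", "state": "open"},
]
LAST_RUNS = {"cis-google-workspace": NOW - 2 * DAY, "cis-slack": NOW - 12 * DAY}
EVIDENCE_AT = {"A.8.5": NOW - 3 * DAY, "A.5.15": NOW - 45 * DAY}


def balance_policy(findings):
    """Balance policy: no critical finding may remain unclosed."""
    open_critical = [f["check_id"] for f in findings
                     if f["severity"] == "critical" and f["state"] != "closed"]
    return (len(open_critical) == 0, open_critical)


def freshness_policy(last_runs, max_age=7 * DAY, now=NOW):
    """Freshness policy: every benchmark must have run within max_age."""
    stale = sorted(b for b, ran_at in last_runs.items() if now - ran_at > max_age)
    return (not stale, stale)


def temporal_policy(evidence, max_age=30 * DAY, now=NOW):
    """Temporal policy: evidence older than max_age no longer supports a control."""
    expired = sorted(c for c, at in evidence.items() if now - at > max_age)
    return (not expired, expired)


def advance(finding, to_state, actor_role):
    """Move a finding one step along FLOW. Raises ValueError if the step skips
    a stage (flow policy) and PermissionError if the actor lacks the role for
    the target state (role policy). Returns the updated finding."""
    current, target = FLOW.index(finding["state"]), FLOW.index(to_state)
    if target != current + 1:
        raise ValueError(f"flow policy: {finding['state']} -> {to_state} skips a stage")
    if actor_role not in ROLE_FOR_STATE[to_state]:
        raise PermissionError(f"role policy: {actor_role} may not set {to_state}")
    return {**finding, "state": to_state}


if __name__ == "__main__":
    print("balance:", balance_policy(FINDINGS))
    print("freshness:", freshness_policy(LAST_RUNS))
    print("temporal:", temporal_policy(EVIDENCE_AT))
    fixed = advance(advance(FINDINGS[0], "remediation", "engineer"),
                    "verification", "security-lead")
    print("after workflow:", fixed["state"])
```

Each policy returns a pass flag plus the offending items, so a failing policy names what to fix rather than only blocking; the workflow helper refuses both stage-skipping and out-of-role transitions, which is what keeps a "fixed" finding from being closed by the person who introduced it.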

For MSPs

Benchmarks across your portfolio

Run the same CIS benchmarks for every client. Compare results, spot patterns, and deliver configuration compliance as a managed service.

Same benchmarks, every client

CIS benchmarks run identically across your portfolio. Compare Google Workspace hygiene between clients, not just within one. Spot systemic misconfigurations.

Progressive integration depth

Start with DNS scanning — no credentials needed. Add OAuth integrations as clients see value. Each new integration triggers its CIS benchmark automatically.

Benchmark reports as deliverables

CIS benchmark results are a tangible deliverable. Show clients their configuration posture, track improvement over time, and tie it to the frameworks they care about.

Run your first benchmark

Connect Slack or Google Workspace and get CIS benchmark results in minutes. See exactly where your configuration meets the standard — and where it doesn't.