Built in Germany Windows · Linux · macOS

Know exactly
where your endpoints
fail the benchmark.

CIS Auditor runs on each endpoint and checks it against the CIS Benchmark — control by control. You see what passed, what failed, what value was found, what was expected, and how to fix it.

No scripting required. No cloud dependency for the scan. Results go to your dashboard.

See the product Start free
225
CIS controls, Win 11 L1 benchmark
~10MB
Agent binary, no runtime
<60s
Typical scan time
cis-auditor scan — WORKSTATION-07
$ cis-auditor scan --profile cis-win11-l1 --agent WS-07
Benchmark : CIS Windows 11 L1 v3.0
Agent : WORKSTATION-07 (online)
Controls : 184
────────────────────────────────────────
PASS CIS-W11-1.1.1 Password history enforced (24)
PASS CIS-W11-1.1.2 Max password age: 60 days
PASS CIS-W11-1.2.1 Account lockout threshold: 5
FAIL CIS-W11-2.2.1 Guest account must be disabled
found : enabled
expected: disabled
fix : Computer Config → Local Policies →
Security Options → Accounts: Guest
PASS CIS-W11-2.3.1 Audit policy: account logon
PASS CIS-W11-5.1.1 WinRM service disabled
FAIL CIS-W11-9.1.1 Firewall: domain profile off
FAIL CIS-W11-18.3.1 LAPS not configured
────────────────────────────────────────
Score : 87 / 100 (164 pass, 20 fail)
Time : 42s
Results synced to dashboard.

How it works

01

Deploy the agent

Run the installer on any endpoint. One-liner for Windows, a shell script for Linux and macOS. The agent enrolls itself and starts reporting.

iwr corvus-security.net/install | iex
02

Run a scan

Trigger scans from the dashboard or schedule them via policy. Pick your benchmark profile (CIS L1 or L2) and optionally scope to specific control categories.

WORKSTATION-07 · CIS L1 · 184 controls
LAPTOP-DEV-03 · CIS L2 · running…
03

Review and fix

Every failing control shows the actual value found, what the benchmark requires, and a concrete remediation step. Export as JSON, CSV, or HTML for your audit trail.

20 failing 164 passing 87%

What gets checked

CIS control coverage

CIS Auditor covers the full CIS Benchmark control taxonomy. Checks run directly on the endpoint using native OS APIs — not PowerShell scripts that can be bypassed.

Account Policies
User Rights Assignment
Security Options
Windows Defender Firewall
Advanced Audit Policy
Administrative Templates
System Services
LAPS

Supported: Windows 10, 11, Server 2019/2022 · Ubuntu 22.04 · RHEL/CentOS 9 · macOS 14 Sonoma

Finding detail FAIL

Control

CIS-W11-L1-18.3.1 — LAPS configuration

Local Administrator Password Solution must be enabled. Prevents lateral movement via shared admin credentials.

Found

not configured

Expected

enabled + 30d rotation

Remediation

Deploy Windows LAPS via Group Policy or Intune. Set BackupDirectory = 1 (Azure AD) or 2 (on-prem AD). Set PasswordAge max to 30 days.

Affected: WORKSTATION-07, LAPTOP-DEV-03, DC-PROD-01

Products

● Available

CIS Auditor

Endpoint compliance scanning against CIS Benchmarks. Deploy the agent, run scans on demand or via schedule, get per-control pass/fail with actual vs. expected values and fix instructions.

180+ controls per benchmark
CIS L1+L2 profiles
Win / Linux / macOS
JSON/CSV/HTML export
~4MB single binary
Offline scan capable
View product →
In development

More in progress

We're building more endpoint tooling. Nothing to show yet — we don't announce things before they work.

Follow releases for updates.

What we care about

01 /

Accuracy over coverage

We'd rather have 180 checks that are always correct than 500 that are sometimes wrong. Every control result is verifiable. If you disagree with a result, open a ticket — we'll look at it.

02 /

Minimal footprint

Single Go binary, no installer dependencies, no agent framework. The service runs a scan and stops. It doesn't persist a connection, doesn't run scripts, and doesn't touch files outside its own directory.

03 /

Self-hosted or hosted

The backend is open to self-host if you need scan results to stay on your infrastructure. The agent works with both. We run the SaaS instance ourselves on EU servers.

Run your first scan today.

Free plan: 3 endpoints, unlimited scans, full CIS L1 results. No credit card.

Enroll takes about 2 minutes. First scan result in under a minute.

Create free account Ask us something