
CIS Hardening

Compliance-grade hardening with approval-gated remediation.

CIS Benchmarks · Compliance Scoring · Remediation · Level 1/L2 · Scheduled Scans

3 platforms · L1 + L2 security levels · Approval-gated remediation · Scheduled scanning


Built-in CIS benchmarks with remediation approval workflow

CIS Hardening evaluates managed devices against Center for Internet Security benchmarks, generating compliance scores, detailed findings, and remediation recommendations. Every remediation action passes through a two-step approval workflow before reaching the endpoint, preventing accidental configuration changes on production systems.

Unlike bolt-on compliance tools that require separate licensing or external scanning infrastructure, CIS Hardening is built into Breeze. Benchmarks, scoring, remediation, and reporting operate on the same agent and platform you already use for device management. No additional agents, no third-party portals, no per-scan fees.

Benchmark Coverage

Breeze ships with CIS benchmark support across Windows, macOS, and Linux. Each benchmark includes Level 1 checks for essential security hygiene and Level 2 checks for defense-in-depth hardening. Organizations can also define custom baselines when CIS defaults need adjustment for specific environments or compliance requirements.

Level 1 benchmarks cover the controls most organizations should apply universally — password policies, audit logging, firewall configuration, and service hardening.

Level 2 benchmarks layer stricter policies suited for high-security environments where tighter lockdown is acceptable: restricted network protocols, advanced audit categories, and granular permission controls.

Selecting the right profile is a per-organization decision. Breeze makes it straightforward to assign baselines to device groups, switch between security levels, and maintain different profiles for different customer environments.

Custom baselines let teams override specific checks when a CIS recommendation conflicts with a business requirement. The override is tracked, so auditors can see what was excluded and why.

Compliance Scoring

Every scan produces per-check results categorized as pass, fail, not-applicable, or error. These individual results roll up into a compliance score for each device, giving technicians an immediate read on hardening posture.

Fleet-wide views aggregate device scores across the organization, surfacing the devices and check categories that need the most attention. Operators can quickly identify which benchmarks have the lowest pass rates and which devices are dragging down the fleet average.

Filtering by compliance score range, device status, and baseline profile makes it straightforward to isolate problem areas without scrolling through hundreds of endpoints. Sort by score to find the worst offenders, or filter by baseline to compare hardening across different customer environments.

Scores update after each scan, so compliance trends are visible over time. A device that was 60% compliant last week and 85% this week tells a clear hardening story without requiring manual tracking.
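The roll-up described above, written out as an added example (this is not Breeze's code; the page does not publish its scoring formula). The example assumes a score of 100 × pass ÷ (pass + fail), with not-applicable and error results excluded from the denominator so a scan error can never be counted as a pass, and a device with no scorable checks gets no score rather than 100%. Device names, check ids and categories are constructed sample values, not specific CIS identifiers. It also goes one step beyond the text by computing per-category pass rates across the fleet, which is how "which benchmarks have the lowest pass rates" would be answered.

```python
"""Compliance score roll-up: added example, not Breeze's own code.

Assumed formula (the page does not give one):
  score = 100 * pass / (pass + fail), rounded to 2 decimals;
  not-applicable and error are not scorable and never inflate a score;
  a device with zero scorable checks has no score (None), not 100.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

VALID_RESULTS = frozenset({"pass", "fail", "not-applicable", "error"})


@dataclass(frozen=True)
class CheckResult:
    device: str
    check_id: str   # constructed sample id, not a specific CIS check number
    category: str
    result: str     # one of VALID_RESULTS


def tally(results: Iterable[CheckResult]) -> Dict[str, int]:
    """Count results per outcome; anything outside the four states is rejected."""
    counts = {r: 0 for r in VALID_RESULTS}
    for r in results:
        if r.result not in VALID_RESULTS:
            raise ValueError(f"unknown result {r.result!r} for {r.device}/{r.check_id}")
        counts[r.result] += 1
    return counts


def score_from_counts(counts: Dict[str, int]) -> Optional[float]:
    """Assumed formula: pass / (pass + fail); NA and error are excluded."""
    scorable = counts["pass"] + counts["fail"]
    if scorable == 0:
        return None
    return round(100.0 * counts["pass"] / scorable, 2)


def _group(results: Iterable[CheckResult], key: Callable[[CheckResult], str]) -> Dict[str, List[CheckResult]]:
    groups: Dict[str, List[CheckResult]] = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    return groups


def device_scores(results: Iterable[CheckResult]) -> Dict[str, Optional[float]]:
    """Per-device compliance score, the number a technician sees first."""
    return {d: score_from_counts(tally(rs)) for d, rs in _group(results, lambda r: r.device).items()}


def category_pass_rates(results: Iterable[CheckResult]) -> Dict[str, Optional[float]]:
    """Fleet-wide pass rate per check category, to locate the weakest benchmark areas."""
    return {c: score_from_counts(tally(rs)) for c, rs in _group(results, lambda r: r.category).items()}


def fleet_average(scores: Dict[str, Optional[float]]) -> Optional[float]:
    scored = [s for s in scores.values() if s is not None]
    return round(sum(scored) / len(scored), 2) if scored else None


def filter_by_score(scores: Dict[str, Optional[float]], low: float, high: float) -> List[str]:
    """Devices whose score lies in [low, high]; unscored devices never match."""
    return sorted(d for d, s in scores.items() if s is not None and low <= s <= high)


def worst_offenders(scores: Dict[str, Optional[float]], n: int = 3) -> List[str]:
    """Lowest-scoring devices first, ties broken by name."""
    ranked = sorted((d for d, s in scores.items() if s is not None), key=lambda d: (scores[d], d))
    return ranked[:n]


# Constructed sample scan output for four devices (not real benchmark data).
SAMPLE = [
    CheckResult("ws-01", "1.1.1", "Account Policies", "pass"),
    CheckResult("ws-01", "1.1.2", "Account Policies", "pass"),
    CheckResult("ws-01", "2.3.1", "Audit Policy", "fail"),
    CheckResult("ws-01", "9.1.1", "Firewall", "pass"),
    CheckResult("ws-01", "9.1.2", "Firewall", "not-applicable"),
    CheckResult("ws-02", "1.1.1", "Account Policies", "pass"),
    CheckResult("ws-02", "1.1.2", "Account Policies", "fail"),
    CheckResult("ws-02", "2.3.1", "Audit Policy", "fail"),
    CheckResult("ws-02", "9.1.1", "Firewall", "error"),
    CheckResult("ws-02", "9.1.2", "Firewall", "pass"),
    CheckResult("srv-01", "1.1.1", "Account Policies", "pass"),
    CheckResult("srv-01", "1.1.2", "Account Policies", "pass"),
    CheckResult("srv-01", "2.3.1", "Audit Policy", "pass"),
    CheckResult("srv-01", "9.1.1", "Firewall", "pass"),
    CheckResult("srv-01", "9.1.2", "Firewall", "pass"),
    CheckResult("ws-03", "1.1.1", "Account Policies", "error"),
    CheckResult("ws-03", "2.3.1", "Audit Policy", "not-applicable"),
]

if __name__ == "__main__":
    scores = device_scores(SAMPLE)
    print("device scores:", scores)
    print("fleet average:", fleet_average(scores))
    print("below 60%:", filter_by_score(scores, 0, 60))
    print("worst two:", worst_offenders(scores, 2))
    print("category pass rates:", category_pass_rates(SAMPLE))
```

The design choice worth noting is that ws-03, whose checks all returned error or not-applicable, gets no score instead of a perfect one; treating errors as passes is the usual way a broken scanner silently reports a hardened fleet.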

Remediation Workflow

When a check fails, Breeze generates a remediation recommendation tied to the specific finding. Remediation follows a two-step approval process: the action is proposed, then an operator explicitly approves it before execution. This prevents automated fixes from making unreviewed changes to endpoint configurations.

The approval gate is intentional. CIS remediation can change registry keys, group policy settings, service configurations, and firewall rules. Applying these without review creates risk.

The two-step model keeps hardening practical for production environments where uptime matters. Operators review each proposed change, understand what it will modify, and approve it with full context.

Both apply and rollback operations are supported. If a remediation introduces an issue, the rollback path is tracked through the same approval workflow. Status tracking follows each remediation action from proposal through completion, giving operators full visibility into what changed and when.

Remediation status is visible at both the device level and the fleet level. Operators can see how many actions are pending approval, how many have been applied, and whether any rollbacks are outstanding.
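The two-step gate described above, modelled as a state machine in an added example (not Breeze's implementation). Executing a change is only reachable from an approved state, rollback passes through the same proposal and approval steps, every transition is recorded for status tracking, and a fleet-level summary reports pending approvals, applied actions and outstanding rollbacks. The state names, the rule that the proposer of an action cannot also approve it, and the simulated endpoint effect are this example's own assumptions; the page does not specify them.

```python
"""Approval-gated remediation state machine: added example, not Breeze's code.

Assumptions (not stated by the page): the state names below, and a
separation-of-duties rule that whoever proposed an action may not approve it.
The endpoint-side change is simulated by a callable so the example runs offline.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class State(Enum):
    PROPOSED = "proposed"
    APPROVED = "approved"
    APPLIED = "applied"
    ROLLBACK_PROPOSED = "rollback_proposed"
    ROLLBACK_APPROVED = "rollback_approved"
    ROLLED_BACK = "rolled_back"


# (current state, event) -> next state. Any pair not listed is refused,
# so "execute" is unreachable without a preceding "approve".
TRANSITIONS: Dict[Tuple[State, str], State] = {
    (State.PROPOSED, "approve"): State.APPROVED,
    (State.APPROVED, "execute"): State.APPLIED,
    (State.APPLIED, "propose_rollback"): State.ROLLBACK_PROPOSED,
    (State.ROLLBACK_PROPOSED, "approve"): State.ROLLBACK_APPROVED,
    (State.ROLLBACK_APPROVED, "execute"): State.ROLLED_BACK,
}


class GateError(Exception):
    """An event was attempted from a state that does not allow it."""


@dataclass
class Remediation:
    action_id: str
    device: str
    check_id: str               # failed check this action addresses (constructed id)
    proposed_by: str
    state: State = State.PROPOSED
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (event, actor, new state)

    def _next(self, event: str) -> State:
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise GateError(f"{self.action_id}: '{event}' not allowed in state {self.state.value}")
        return nxt

    def _step(self, event: str, actor: str) -> None:
        nxt = self._next(event)
        self.history.append((event, actor, nxt.value))
        self.state = nxt

    def approve(self, operator: str) -> None:
        if operator == self.proposed_by:   # separation of duties (example's assumption)
            raise GateError(f"{self.action_id}: {operator} cannot approve their own proposal")
        self._step("approve", operator)

    def execute(self, apply_fn: Callable[["Remediation", State], None], actor: str = "agent") -> None:
        """Gate first, then touch the endpoint, then record; a failed apply leaves the state unchanged."""
        target = self._next("execute")
        apply_fn(self, target)
        self._step("execute", actor)

    def propose_rollback(self, operator: str) -> None:
        self._step("propose_rollback", operator)
        self.proposed_by = operator        # the rollback needs its own distinct approver


def queue_summary(actions: List[Remediation]) -> Dict[str, int]:
    """Fleet-level counts: pending approvals, applied actions, outstanding rollbacks."""
    pending = {State.PROPOSED, State.ROLLBACK_PROPOSED}
    rollbacks = {State.ROLLBACK_PROPOSED, State.ROLLBACK_APPROVED}
    return {
        "pending_approval": sum(a.state in pending for a in actions),
        "applied": sum(a.state is State.APPLIED for a in actions),
        "rollbacks_outstanding": sum(a.state in rollbacks for a in actions),
        "rolled_back": sum(a.state is State.ROLLED_BACK for a in actions),
    }


def demo() -> Dict[str, object]:
    """Walk one action through apply and rollback; returns what happened for checking."""
    changes: List[str] = []   # stands in for the endpoint's configuration change log
    def record(a: Remediation, target: State) -> None:
        changes.append(f"{a.device}:{a.check_id}:{target.value}")

    a = Remediation("r-1", "ws-02", "2.3.1", proposed_by="scanner")
    b = Remediation("r-2", "ws-01", "2.3.1", proposed_by="scanner")  # left awaiting approval
    try:
        a.execute(record)                 # no approval yet: must be refused
        refused_unapproved = False
    except GateError:
        refused_unapproved = True
    a.approve("alice")
    a.execute(record)
    a.propose_rollback("alice")
    try:
        a.approve("alice")                # proposer of the rollback may not approve it
        refused_self_approval = False
    except GateError:
        refused_self_approval = True
    a.approve("bob")
    a.execute(record)
    return {"refused_unapproved": refused_unapproved, "refused_self_approval": refused_self_approval,
            "changes": changes, "summary": queue_summary([a, b]), "history": a.history}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ordering inside `execute` matters: the gate is checked before the endpoint is touched, and the state only advances after the change succeeds, so an apply that throws leaves the action approved-but-not-applied rather than falsely marked as done.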

Scan Management

Scans can be scheduled on intervals from 1 to 168 hours, keeping compliance data fresh without manual intervention. On-demand scanning is available for immediate assessment, supporting up to 500 devices per request.

Scheduled scans run against the assigned baseline and security level, producing results that feed directly into the compliance dashboard. On-demand scans use the same evaluation pipeline, so results are consistent regardless of trigger method.

Scan scheduling integrates with the broader Breeze policy system. Set a weekly cadence for routine compliance checks, or trigger an immediate scan after a remediation batch to verify the changes took effect.

For large environments, batch scanning up to 500 devices per request keeps assessment practical. Scan results stream back as devices complete, so operators do not have to wait for the entire batch to finish before reviewing findings.

Reporting and Monitoring

The organization-wide compliance dashboard aggregates device scores, baseline assignments, and scan history into a single view. Operators can see which devices are compliant, which are drifting, and which have never been scanned.

Dashboard summaries include device counts by compliance band, recent scan activity, and remediation queue depth. This gives operations leads a quick health check without drilling into individual endpoints.

Device-level views provide complete scan history with per-finding details, including the specific check ID, result, and remediation status. Each finding links back to the relevant CIS benchmark section for reference during investigation.

Filtering by compliance score, device status, and baseline makes it practical to generate compliance evidence for audits or customer-facing reporting without exporting raw data. For MSPs, this means producing hardening reports per customer without building separate tooling or spreadsheets.

Compliance data is scoped per organization, so multi-tenant MSP deployments maintain isolation between customer environments. Each organization sees only its own devices, scores, and remediation history.

Capabilities

Multi-Platform Benchmarks

Evaluate Windows, macOS, and Linux endpoints against CIS benchmarks with Level 1 and Level 2 security profiles.

Compliance Scoring

Per-device and fleet-wide compliance scores with pass, fail, not-applicable, and error breakdowns per check.

Approval-Gated Remediation

Two-step approval workflow for remediation actions. Supports both apply and rollback operations with status tracking.

Scheduled and On-Demand Scanning

Configure scan intervals from 1 to 168 hours or trigger scans on demand for up to 500 devices per request.