Baseline Features

Strengthens Active Directory against modern attack techniques like Kerberoasting, DCSync, and Golden Ticket.

Validates cloud VM images against published checksums and signatures before launching instances.

Locks package sources to specific repositories and versions, preventing supply chain confusion attacks.

Restricts who can access cloud Mac instances and what actions they can perform.

Plugs directly into Ansible playbooks for infrastructure-as-code driven compliance enforcement at scale.

Pushes approved applications to devices silently, ensuring the right software is installed from day one.

Configures application control to allow only approved software to execute on servers.

Learn how Apple Silicon native strengthens your OS security baseline.

Only permits approved executables to run, blocking unknown or malicious binaries at launch.

Configures automated signing of build artifacts with securely managed code signing identities.

Validates build outputs against expected hashes and signatures before they leave the build pipeline.

Logs what would be blocked without actually enforcing, letting you test policies before going live.

Checks Windows Authenticode digital signatures to confirm software publisher identity and integrity.

Automatically restores the device to its approved state if settings are tampered with or corrupted.

Continuously evaluates and remediates security settings without manual intervention.

Keeps systems current by automatically downloading, testing, and applying security patches.

Applies fixes to failing checks automatically, turning audit findings into corrective action without manual steps.

Shell scripts that fix non-compliant settings automatically after a baseline assessment.

Scheduled, repeatable scans that check your system against known security benchmarks without manual intervention.

Integrates identity and access management through Microsoft Entra for cloud-first authentication.

Uses Trusted Platform Module attestation during Azure Device Provisioning to verify device identity.

Hardens the Azure IoT Edge runtime and its module deployment pipeline against supply chain threats.

Enforces security configurations through Azure Policy for automated compliance across cloud resources.

Ready-to-import group policy objects that implement security baselines with a single deployment step.

Generates reports showing how each machine in your fleet measures against your security baseline.

Records every hardening decision so your security posture is auditable and reproducible.

Controls which executables can run based on certificate, hash, or path rules at the kernel level.

Compares binary file hashes against published checksums to detect tampering or corruption.

Enables full-disk encryption with TPM-backed key management to protect data at rest.

Encrypts the full device storage with TPM-backed keys to protect data if the hardware is stolen.

Verifies every link in the boot process from first instruction to userspace, catching early-stage attacks.

Digitally signs every artifact produced by the build process to prove its provenance downstream.

Runs each build in a clean, ephemeral environment to prevent state leakage between jobs.

Securely injects credentials into build processes without persisting them in images or scripts.

Secures CI/CD build machines with minimal services, restricted access, and monitored file integrity.

Runs each CI job in an isolated environment to prevent cross-contamination between builds.

Choose between Level 1 (broad compatibility) and Level 2 (maximum security) hardening profiles.

Meets the stricter CIS Level 2 benchmark profile designed for security-sensitive environments.

Validates system configurations against the Center for Internet Security hardening standards used by enterprises worldwide.

Machine images built and verified against CIS benchmarks, serving as your fleet's trusted starting point.

Pre-built configuration profiles aligned to CIS, NIST 800-171, and DISA STIG standards for macOS.

Deploys CIS or DISA STIG benchmark settings via Group Policy across your Windows domain.

Meets both CIS and DISA STIG benchmarks, covering the two most widely adopted hardening frameworks.

Scans every package in your build against known vulnerability databases before the image ships.

Routes all system logs to a central collector for correlation, alerting, and long-term retention.

Audits and cleans the certificate trust store to remove unnecessary or suspicious root CAs.

Trusts or blocks software based on its code signing certificate rather than individual file hashes.

Applies security baselines to macOS cloud instances used for CI/CD and development workloads.

Evaluates marketplace offerings for security risks before deploying them in your cloud environment.

Applies security baselines using cloud-native tools rather than traditional on-premises methods.

Sets up and protects code signing identities so build artifacts carry trusted digital signatures.

Safeguards code signing keys and certificates from extraction, misuse, or unauthorized access.

Ships with documentation mapping each hardening setting to its compliance framework control.

Continuously checks device configurations against your security policies and flags non-compliance.

Produces evidence-grade documentation showing which controls pass, fail, or require manual review.

Scans container base images for vulnerabilities before they enter your build pipeline.

Isolates credential storage in a virtualization-based security container, blocking pass-the-hash attacks.

Uses strong hash algorithms to prove files have not been altered since their last verified state.

Assembles minimal, purpose-built Linux distributions with only the components your IoT device needs.

Tailor security scans to your environment with configurable rule sets that match your compliance requirements.

Replaces the default Windows boot screens with branded visuals for a polished kiosk or signage experience.

Creates tailored configuration profiles that match your organization's specific compliance requirements.

Write detection rules in a flexible YAML syntax tailored to your application's expected behavior.

Defines which files, directories, and attributes to monitor, focusing attention where it matters most.

Secures the Automated Device Enrollment pipeline to prevent unauthorized devices from joining your fleet.

Locks dependency versions to exact releases, preventing unexpected or malicious version upgrades.

Maps the full dependency graph of installed software to identify hidden or transitive risk.

Shows exactly what changed (content, permissions, ownership, timestamps) in a human-readable format.

Combines code integrity policies and credential isolation to create a hardware-backed trust boundary.

Pre-configured device profiles that define every setting for consistent, repeatable Apple device deployments.

Specialized security settings for domain controllers, the most security-sensitive servers in any Windows environment.

Continuously compares current system state against the approved baseline, flagging any deviations.

Deploys and maintains Microsoft's recommended list of known-vulnerable drivers to block.

Confirms kernel-mode drivers carry valid Microsoft-approved signatures before allowing them to load.

Protects identity federation endpoints and monitors for unauthorized configuration changes.

Routes Windows event logs to a central collector for correlation, alerting, and long-term retention.

Records every execution decision (allow/deny) with full context for audit trails and incident response.

Streams endpoint events to your SIEM or data lake for centralized analysis and threat hunting.

Restricts which VM extensions can be installed to prevent malicious or unnecessary code execution.

Learn how Fast VM cloning strengthens your OS security baseline.

Computes and compares cryptographic hashes of system files to detect tampering or corruption.

Detects unauthorized changes to critical system files by comparing current state against a known-good baseline.

Sets and manages firmware-level passwords that prevent unauthorized boot modifications.

Checks firmware images against vendor-published hashes before flashing to detect supply chain tampering.

Maintains a real-time inventory of every device, its configuration state, and installed software.

Applies security controls mapped directly to your chosen compliance framework's control objectives.

Verifies package authenticity by checking GNU Privacy Guard signatures against trusted publisher keys.

Monitors Group Policy Objects for unauthorized changes that could weaken your security posture.

Pre-built Group Policy Objects ready to import into Active Directory for immediate baseline deployment.

Enforces macOS Gatekeeper policies to ensure only signed and notarized software can execute.

Learn how GitHub Actions integration strengthens your OS security baseline.

Builds a verified, hardened base image that serves as the starting point for every new deployment.

Generates structured compliance reports in standard formats suitable for auditors and management review.

Verifies Apple device serial numbers and identifiers against Apple's records to detect counterfeits.

Confirms physical components match expected specifications to detect counterfeit or substituted parts.

Learn how Headless operation strengthens your OS security baseline.

Confirms the authenticity of Homebrew taps and formulas before installing packages on servers.

Secures the trust boundary between on-premises Active Directory and cloud identity services.

Requires the more secure Instance Metadata Service v2 to block SSRF-based credential theft on AWS.

Automates the build, harden, scan, and publish cycle for golden VM images using CI/CD pipelines.

Signs golden VM images using Azure-managed keys to verify integrity during deployment.

Locks down cloud instance metadata endpoints to prevent credential theft via SSRF attacks.

Hardens the provisioning pipeline so new instances start from a verified, trusted configuration.

Deploys file integrity monitoring agents across your fleet with consistent policy enforcement.

Leverages Microsoft's cloud intelligence to automatically trust known-good software.

Grants temporary, audited access to VM management ports only when needed, reducing exposure.

Tunes kernel parameters, disables unnecessary modules, and enforces memory protections at the OS core.

Inspects kernel parameters, modules, and sysctls to ensure the OS core is locked down against privilege escalation.

Blocks unauthorized code at the kernel level before it can execute, not just after detection.

Blocks specific key combinations that could allow users to escape a locked-down kiosk environment.

Locks down Windows kiosk configurations beyond the default settings to prevent escape and tampering.

Deploys as a DaemonSet with container-aware rules that understand pod, namespace, and image context.

Deploys Local Administrator Password Solution to rotate and secure local admin passwords across servers.

Applies local group policy settings in bulk across machines that are not domain-joined.

Validates each Yocto layer's authenticity and version to prevent compromised build components.

Audits open-source license obligations across your embedded software stack to prevent legal exposure.

Switches to a deny-by-default execution policy where only explicitly approved binaries can run.

Deploys security profiles through mobile device management for zero-touch fleet hardening.

Pushes hardening configurations to managed devices automatically through your MDM platform.

Learn how Machine Configuration extension strengthens your OS security baseline.

Trusts software deployed through approved management tools like SCCM or Intune.

Validates cloud marketplace VM images against publisher checksums before deployment.

Provisions hundreds of devices simultaneously through Apple Business Manager and DEP integration.

Baseline security configurations for domain-joined servers that balance security with workload compatibility.

Applies Microsoft's official security baselines to your Windows Server fleet via Group Policy.

Strips the OS to essential components only, eliminating unnecessary services, libraries, and tools.

Captures system events, access logs, and performance metrics for security analysis and compliance.

Available across AWS, Azure, and GCP marketplaces for consistent security regardless of cloud provider.

Works across AWS, Azure, and GCP with consistent tooling and policies regardless of provider.

Evaluates system state against NIST, CIS, and DISA STIG frameworks in a single automated scan pass.

Limits network connectivity to approved endpoints and protocols, reducing exposure to external threats.

Requires Apple notarization for all executables, blocking software that has not passed Apple's malware checks.

Learn how OCI image support strengthens your OS security baseline.

Validates Windows IoT images against Microsoft's published checksums before deployment.

Protects the entire over-the-air update pipeline from package signing through secure delivery and rollback.

Disables USB, Bluetooth, AirDrop, and other interfaces to prevent data exfiltration and unauthorized access.

Alerts when file or directory permissions shift from their baseline, catching privilege creep early.

Configures firmware passwords, activation lock, and erase-on-failed-unlock policies for deployed devices.

Monitors for signs of physical device tampering using hardware sensors and software integrity checks.

Applies monitoring rules based on file criticality, reducing noise from expected changes.

Compares your current group policies against Microsoft's recommended baselines to find configuration drift.

Enforces code signing requirements for PowerShell scripts to prevent unauthorized script execution.

Virtual machine images that ship with security baselines already applied, ready to deploy.

Creates, deploys, and updates configuration profiles that enforce security and feature settings.

Mounts the root partition read-only so attackers cannot persist changes to the operating system.

Sends immediate notifications through Slack, PagerDuty, or webhooks when suspicious activity is detected.

Fires notifications the moment a monitored file changes, shrinking the detection window to seconds.

Images are refreshed frequently with the latest patches and benchmark revisions.

Automated workflows that fix non-compliant resources when drift is detected.

Summarizes detected changes with timestamps, file paths, and diff details for investigation.

Runs private package mirrors so you control exactly which versions reach your cloud instances.

Confirms that software can be rebuilt from source to produce identical binaries, proving no tampering occurred.

Ensures identical source inputs produce identical binary outputs, making supply chain injection detectable.

Security configurations tuned for each Windows Server role (DC, member server, DNS, DHCP, etc.).

Continuously proves the device is running authorized firmware by checking against a trusted reference.

Deploys and configures runtime security agents that watch for post-deployment compromise indicators.

Generates Software Bills of Materials for firmware images, documenting every component in the build.

Creates Software Bills of Materials using Syft, cataloging every component in your software supply chain.

Processes Security Content Automation Protocol data to assess compliance against federal and industry standards.

Configures mandatory access control policies that confine processes to their minimum required privileges.

Manages Santa binary authorization rules from a central server for fleet-wide application control.

Runs file verification on a timer so changes between scans are caught before they cause damage.

Periodic full-system sweeps that catch modifications missed between real-time monitoring intervals.

Enables UEFI Secure Boot on IoT hardware to verify firmware and OS integrity at every power-on.

Ensures all servers boot with UEFI Secure Boot enabled to prevent firmware-level attacks.

Configures the boot chain to cryptographically verify each stage, blocking unauthorized firmware.

Provisions cloud Mac instances from verified images with hardened configurations applied at launch.

Configures encrypted, authenticated update delivery paths that resist man-in-the-middle interference.

Microsoft-curated GPO templates that implement recommended security settings for each Windows version.

Utilities that diff your current settings against recommended baselines to identify gaps.

Removes or disables every non-essential service to shrink the attack surface to what is strictly needed.

Replaces the default Windows shell with a custom application for single-purpose device deployments.

Requires cryptographic signatures on over-the-air updates, rejecting any package that fails verification.

Digitally signs application control policies so they cannot be tampered with or bypassed.

Locks the device to a single application, preventing users from accessing any other functionality.

Enables maximum management control over Apple devices, including restricting features and locking profiles.

Connects to a central management server for coordinated policy updates across your Mac fleet.

Monitors system calls in real time to detect anomalous process behavior indicative of compromise.

Leverages Apple silicon security capabilities including Secure Enclave, secure boot, and encrypted storage.

Configures the Unified Write Filter to protect specific volumes while allowing controlled write-through exceptions.

Redirects disk writes to an overlay, making the OS partition effectively immutable against persistent attacks.

Orchestrates patch deployment across cloud VM fleets with scheduling, testing, and rollback capabilities.

Stages updates through testing rings before broad deployment, catching issues before they reach production.

Strips and secures virtual machine images before they enter the cloud deployment pipeline.

Tailors Windows Defender Application Control policies for the limited application set on IoT devices.

Creates Windows Defender Application Control policies tailored to your application inventory.

Step-by-step guidance for creating and deploying Windows Defender Application Control policies.

Secures Windows Server Update Services with SSL enforcement and signature verification.

Verifies that Windows Update communications are authentic and update packages are properly signed.

Configures Xcode build settings for security including hardened runtime, library validation, and sandboxing.

Uses extended Berkeley Packet Filter for high-performance kernel-level observability without kernel modules.

Leverages osquery's SQL-based endpoint visibility for powerful ad-hoc investigation and monitoring.