// Labs · Control Testing
Control Testing
Automation Theatre
Every CIS Benchmark control mapped to its regulatory obligation, delivered as a tested Python script that produces audit-ready evidence. Not documentation — working programmes you run against live infrastructure.
20
CIS Checks
10
Regulations
5
Platforms
∞
Audit hours saved
// How it works
01
Pick a platform
Choose AWS, GCP, Linux, Windows, or Network. Each has its own programme of controls built around what matters most in audit engagements.
02
Run the script
Each check is a standalone Python script with a CONNECT, CHECK, EVIDENCE, and REPORT function. Run it against your environment. Get PASS, FAIL, or WARN with a timestamped finding.
03
Drop it in the workpaper
Output is JSON + human-readable terminal. The regulation reference line, finding detail, and remediation are already formatted for audit evidence. No manual translation needed.
// Platforms
Choose your infrastructure
Live
Amazon Web Services
IAM & Identity hardening — the attack surface that appears in every breach post-mortem. Five controls, one boto3 session, one workpaper-ready evidence package.
Root account MFA status
AWS-01
Root account access keys
AWS-02
IAM password policy
AWS-03
Inactive IAM users (>90 days)
AWS-04
MFA enforcement — all console users
AWS-05
Coming soon
Google Cloud Platform
Corporate login enforcement, Audit Logs coverage, firewall defaults, and database logging — mapped to ISO 27001, SOX, and DORA.
Corporate credentials onlyGCP-01
Cloud Audit Logs enabledGCP-02
Default firewall rulesGCP-03
PostgreSQL log connectionsGCP-04
Coming soon
Linux / Unix
Filesystem hardening, SSH configuration, audit log permissions, password policy, and remote syslog — RHEL/CentOS/Ubuntu via paramiko.
Filesystem partition separationLNX-01
SSH MaxAuthTries ≤ 4LNX-02
Audit log permissions 640LNX-03
Password complexity enforcedLNX-04
rsyslog remote loggingLNX-05
Coming soon
Windows Server
Local admin controls, firewall profile enforcement, audit policy, and SMBv1 — via WinRM and pypsexec. CIS Windows Server benchmark.
Local admin account disabledWIN-01
Windows Firewall — domain profileWIN-02
Audit logon events enabledWIN-03
SMBv1 disabledWIN-04
Coming soon
Network
NTP synchronisation across all systems and SNMP community string hardening — cross-platform, relevant to every PCI DSS and SOX scope.
NTP synchronised — all systemsNET-01
SNMP community strings non-defaultNET-02
// Regulatory anchors
Every check maps to a regulation
The ten frameworks this theatre covers — in order of audit programme frequency.
| # | Regulation | Primary scope | Audience |
|---|---|---|---|
| 01 | NIST CSF 2.0 | All platforms | US Federal, Financial |
| 02 | ISO 27001:2022 | All platforms | Global Enterprise |
| 03 | SOX ITGC | Cloud + On-prem | Listed Companies |
| 04 | PCI DSS v4.0 | Cloud + Network | Payments |
| 05 | FFIEC CAT | Cloud + On-prem | US Banking |
| 06 | CIS Controls v8 | All platforms | Baseline |
| 07 | DORA (EU) | Cloud + SaaS | EU Financial |
| 08 | SEBI CSCRF | Cloud + On-prem | India Listed |
| 09 | RBI IT Framework | On-prem + Cloud | India Banking |
| 10 | HIPAA Security Rule | Cloud + On-prem | Healthcare |
// Start here
The AWS IAM programme is live first — five controls, one cohesive evidence package, every finding mapped to its regulation. Root account MFA is check one.
▶ AWS-01 — Root Account MFA →