
Mondoo Release Highlights March 2026

By Tim Smith


Introduction

March was a landmark month for Mondoo. We shipped Mondoo 13.0, which unified cnspec and cnquery into a single CLI, delivered a ground-up rewrite of the Kubernetes Operator, and included a massive initial wave of cloud resource expansion. But the momentum didn't stop there. Throughout March we continued to ship major capabilities across the platform. From new network device scanning and hundreds of additional cloud resources to IaC scanning variants, expanded remediation content, and new CIS benchmarks, there's a lot to cover. Let's dive in!

Expanded Network Security

Mondoo's network device support expanded significantly this month with three entirely new providers and major expansions to PAN-OS and Arista EOS capabilities.

New network platforms

  • F5 BIG-IP: Scan and secure BIG-IP load balancers with a new dedicated provider and out-of-the-box security policy.
  • Juniper Junos: Scan Junos devices with a new provider and security policy covering core device hardening.
  • Ubiquiti UniFi: Scan UniFi Controller infrastructure with a new provider and security policy.

Major PAN-OS expansion

The PAN-OS provider and out-of-the-box policy both received major expansions, giving you deeper visibility into your Palo Alto infrastructure and more security coverage out of the gate.

New provider resources:

  • Network interfaces, zones, and security rules
  • Routing, BGP, and policy-based forwarding rules
  • IKE, IPsec, NAT, and decryption resources
  • Device settings, authentication profiles, and logging
  • Services and service groups

The Mondoo PAN-OS security policy now includes 22 new checks powered by these resources.

Expanded Arista EOS capabilities

The Arista EOS provider gained new resources for deeper network visibility:

  • BGP neighbors and configuration
  • MLAG status and configuration
  • ACL rules and filtering
  • Hardware environment and inventory resources

Post-quantum cryptography detection

The network provider can now detect post-quantum cryptography (PQC) hybrid key exchange algorithms and inspect certificates for PQC readiness, helping you prepare for the transition to quantum-resistant cryptography.
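As an added illustration (not Mondoo's code or MQL) of what detecting a hybrid PQC key exchange means on the wire: a TLS 1.3 server commits to exactly one NamedGroup in the key_share extension of its ServerHello, so reading that codepoint tells you whether a hybrid ML-KEM group was negotiated. The codepoints are the published IANA/IETF draft values; the ServerHello bytes are constructed sample data, not a real capture.

```python
import struct
from typing import Optional, Tuple

# TLS NamedGroup codepoints for hybrid (classical + ML-KEM) key exchange, taken from
# the IANA TLS Supported Groups registry / draft-ietf-tls-ecdhe-mlkem.
HYBRID_PQC_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",  # pre-standard draft codepoint still seen in the wild
}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
KEY_SHARE_EXT = 51


def parse_extensions(block: bytes) -> dict:
    """Parse a TLS extensions vector (length prefix already consumed) into {type: data}."""
    exts, i = {}, 0
    while i + 4 <= len(block):
        ext_type, ext_len = struct.unpack(">HH", block[i:i + 4])
        exts[ext_type] = block[i + 4:i + 4 + ext_len]
        i += 4 + ext_len
    return exts


def server_hello_key_share_group(body: bytes) -> Optional[int]:
    """Return the NamedGroup the server selected in a TLS 1.3 ServerHello body, or None."""
    i = 2 + 32                 # legacy_version + random
    i += 1 + body[i]           # legacy_session_id_echo
    i += 2 + 1                 # cipher_suite + legacy_compression_method
    (ext_len,) = struct.unpack(">H", body[i:i + 2])
    key_share = parse_extensions(body[i + 2:i + 2 + ext_len]).get(KEY_SHARE_EXT)
    if key_share is None or len(key_share) < 2:
        return None
    return struct.unpack(">H", key_share[:2])[0]


def classify_key_exchange(body: bytes) -> Tuple[bool, str]:
    """(is_hybrid_pqc, group_name) for the key exchange negotiated in a ServerHello."""
    group = server_hello_key_share_group(body)
    if group is None:
        return False, "no key_share (pre-TLS 1.3 or PSK-only handshake)"
    if group in HYBRID_PQC_GROUPS:
        return True, HYBRID_PQC_GROUPS[group]
    return False, CLASSICAL_GROUPS.get(group, f"unknown group 0x{group:04X}")


def build_server_hello(group: int, key_exchange: bytes) -> bytes:
    """Constructed TLS 1.3 ServerHello body (sample data, not a real capture)."""
    exts = struct.pack(">HHH", 43, 2, 0x0304)  # supported_versions = TLS 1.3
    exts += struct.pack(">HHHH", KEY_SHARE_EXT, 4 + len(key_exchange), group, len(key_exchange)) + key_exchange
    return (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack(">H", len(exts)) + exts)
```

Certificate-side readiness is a separate check (signature algorithm and key type of each cert in the chain), which this snippet does not cover.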

Expanded Resources and Security Checks

This month saw a massive expansion of resource coverage, with new resource types, hundreds of new fields on existing resources, and new security checks across every major platform.

AWS: Our largest expansion ever

March represents our largest-ever increase in AWS capabilities, nearly doubling our total number of AWS resources. Mondoo now covers a huge number of new AWS services, and our out-of-the-box security checks, IaC scanning, and remediation content have all expanded to match.

New resources across 30+ services:

No matter what AWS services you rely on, Mondoo now has you covered. New resources span Cognito, DocumentDB, MemoryDB, Kinesis, Firehose, EventBridge, EventBridge Pipes and Scheduler, Athena, WAF, Glue, Elastic Beanstalk, WorkSpaces, WorkDocs, AppStream, Directory Service, Shield Advanced, Network Firewall, MSK, MQ, Timestream InfluxDB, Route 53 domains, SageMaker, Inspector findings, EC2 launch configs and templates, Config aggregators, ECR repo policies, Batch, Lightsail, and CloudFormation. Dozens of new security-relevant fields were also added across existing resources. Where other tools leave blind spots across your AWS environment, Mondoo covers it all.

Massive policy expansion:

Over 100 new security checks were added to our out-of-the-box AWS policies, covering services like Elasticsearch, EMR, DAX, SQS, Lambda, Cognito, Kinesis, Network Firewall, Shield Advanced, and more. We also added 9 new checks to the CIS AWS Foundations and Compute benchmarks, plus entirely new CIS benchmarks for AWS Database Services (v2.0.0) and AWS End User Compute Services (v1.2.0).

IaC scanning:

Terraform and CloudFormation variant checks now cover all checks in our Mondoo AWS security policy, letting you catch misconfigurations in your infrastructure-as-code before they ever reach production. Whether you scan live AWS environments or evaluate Terraform HCL and CloudFormation templates, you get the same comprehensive coverage.

Improved remediation content:

Remediation steps were expanded and reworked so you can fix issues any way you want. New Terraform and CloudFormation remediation steps give you copy-paste IaC fixes, alongside reworked console and CLI steps.

Azure: Deeper coverage and actionable fixes

Azure received significant expansion across resources, policy, and remediation this month.

New resources and fields:

New resources were added for Data Factory, Synapse Analytics, and virtual network peerings, along with over 60 new fields across compute, storage, and networking resources, giving you the data you need to write the best possible policies for securing your critical infrastructure. Lazy-loading for network, AKS, IAM, and Redis sub-resources improves scan performance.

Policy and IaC scanning:

New security checks cover the expanded Azure resource set. Terraform variant checks let you scan Azure Terraform files against the same policies used for live infrastructure.

Improved remediation content:

Remediation steps were reworked with Bicep (Azure's native IaC language) steps added to all 135 Azure security checks, Terraform steps added across Azure checks, and reworked console and CLI steps so you can fix issues any way you prefer.

GCP: Broad new service coverage

GCP saw a major expansion in both resources and security checks.

New resources:

New resources cover Artifact Registry (9 new resource types), Filestore, Cloud Tasks, Cloud Scheduler, App Engine, Backup & DR, Vertex AI, Cloud Armor enhancements, custom IAM roles, instance groups, network firewall policies, health checks, URL maps, target proxies, and network peerings.

Policy and IaC scanning:

New security checks cover GCP Backup & DR, Vertex AI, Cloud Armor, and more. Terraform variant checks were added across GCP security policies and CIS benchmarks, letting you scan your GCP Terraform files for misconfigurations before deployment.

Improved remediation content:

Terraform remediation steps were added to GCP checks alongside reworked console and CLI steps, giving you actionable fixes no matter how you manage your infrastructure.

New Linux System Resources

Writing policies against Linux system state just got a lot easier. New purpose-built MQL resources let you query key subsystems with simple, readable queries and get clear, structured output. No more parsing config files or command output in your policies.

  • firewalld: Query firewall zones, rules, and active configuration
  • UFW: Query Uncomplicated Firewall status, rules, and defaults
  • SELinux: Query SELinux mode, status, and policy configuration
  • AppArmor: Query AppArmor profiles and enforcement status
  • grub.config: Query GRUB bootloader configuration and settings
  • iptables/ip6tables: New FORWARD chain and default policy fields for complete firewall visibility
  • os.date: Query system time and timezone configuration
  • machine.cpu: Query CPU socket and core topology

These resources power simpler, more maintainable policies and are already used in updated Mondoo and CIS benchmark checks.

New macOS Resources

New purpose-built resources for macOS give you full visibility into endpoint security posture:

  • FileVault: Query disk encryption status and configuration
  • Gatekeeper: Query Gatekeeper enforcement and allowed sources
  • SIP: Query System Integrity Protection status
  • macos.firewall: Query firewall status, stealth mode, and application rules

Beyond cloud and OS

Our resource expansion this month goes well beyond cloud providers and operating systems. New resources for SaaS services, container tooling, and even IaC code mean you can query and secure more of your stack than ever before.

Docker scanning expanded with new healthcheck, volume, shell, and workdir resources for Dockerfiles, and Kubernetes gained 8 new resources for cluster security and exploration.

SaaS platforms saw major additions as well:

  • GitHub: Repository dependency graph SBOM resource and new security resources
  • GitLab: New security resources plus namespace and settings resources
  • Google Workspace: 22 new fields across existing resources
  • Microsoft 365: 42 new fields plus a sensitivity labels resource

Our out-of-the-box policies for macOS, Dockerfile, GitLab, Google Workspace, and Kubernetes were all updated with critical security checks that take full advantage of these new capabilities.

New and Updated CIS Benchmarks

New benchmarks

  • CIS Apache HTTP Server 2.4 Benchmark v2.3.0: Secure your Apache web servers with comprehensive hardening checks.
  • CIS AWS End User Compute Services Benchmark v1.2.0: Cover WorkSpaces, AppStream, and other end-user compute services.
  • CIS GitHub Benchmark v1.2.0: Expanded coverage for GitHub organization and repository security.

Updated benchmarks

  • CIS AWS Database Services Benchmark updated to v2.0.0
  • CIS Microsoft Windows Server 2025 Benchmark updated to v2.0.0
  • CIS Microsoft Windows Server 2022 Benchmark updated to v5.0.0
  • CIS Windows 11 Enterprise Benchmark updated to v5.0.1

Expanded OS Platform Support

  • Bottlerocket OS: Advisory support with native ecosystem matching and remediation instructions for Amazon's container-optimized Linux.
  • Wolfi OS: Detection and package support for the container-focused Linux distribution.

deps.dev Provider

Analyze Go module dependencies using the deps.dev API for software composition analysis. The new deps.dev provider lets you query dependency metadata, versions, and known vulnerabilities for Go modules directly from Mondoo.

Vulnerability detection improvements

  • Improved .NET Framework vulnerability detection for more accurate Windows reporting
  • Improved Windows hotpatch and KB detection
  • New vulnerability detection for SLES ESPOS, RHEL ELS, Oracle ELS, and Ubuntu Pro extended support programs. If you're paying for extended support from your OS vendor, Mondoo now recognizes that and only flags vulnerabilities that actually apply to your covered systems instead of treating them as end-of-life.
  • RPM modularity support via CSAF for more accurate RHEL, CentOS, and Rocky Linux scanning
  • Advisory supersedence handling for Chrome, Firefox, Edge, and macOS so you only see the single advisory or patch you need to apply to fix all findings, instead of every historical advisory
  • Improved EOL advisories with enhanced descriptions of the EOL condition and friendly marketing names for Microsoft OS releases

Webhook Ticketing Integration

The webhook ticketing integration is now generally available. Send Mondoo findings directly to any ticketing system that supports a webhook endpoint, giving you the flexibility to integrate with your existing workflows regardless of which ticketing platform you use.
