
How Mondoo Evaluates Your Infrastructure

The four core concepts Mondoo uses to evaluate security: policies, checks, findings, and risk scores.

Mondoo evaluates your infrastructure using four concepts that build on each other. If you understand these four, you understand how the whole product works.

1. Policies

A policy is a codified security standard. Mondoo ships hundreds of them based on CIS benchmarks, NIST and BSI guidance, vendor best practices, and Mondoo's own research. You enable, disable, or preview policies per space to control which standards apply where.

This is policy as code: each policy is a versioned, testable artifact rather than a PDF that someone has to interpret. Auditing your infrastructure becomes a query instead of a project.

2. Checks

Each policy contains checks. A check is a single assertion about an asset, for example:

  • "The asset does not accept ICMP redirects."
  • "The S3 bucket has server-side encryption enabled."
  • "The Kubernetes API server requires authentication."

Every check returns pass or fail, and every check has an impact (Critical, High, Medium, or Low) that tells Mondoo how much weight to give it.

3. Findings

When a check fails, the result is a finding. Findings come from three sources:

  • Misconfigurations detected by failed policy checks
  • Vulnerabilities (CVEs) in software installed on the asset
  • Vendor advisories published by software vendors for their products

Every finding gets its own risk score that combines the issue's base severity with the context of the asset it appears on.

4. Risk scores

Mondoo aggregates findings into scores at three levels:

  • Finding risk score: how dangerous a single issue is on a single asset. See Prioritize Findings.
  • Asset risk score: the weighted percentage of checks an asset failed. See Asset and Space Risk Scores.
  • Space Risk Score: the average risk across every finding in the space. See Space Risk Score.

All three use the same 0-100 scale where higher means more risk.
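To make the four concepts concrete, here is a small model of how checks, findings, and the three score levels fit together. This is an added illustration, not Mondoo's code or its actual scoring formula: the per-impact weights, the asset-context factor, and the sample checks and CVE placeholder are all assumptions constructed for the example. It reads as a weighted-percentage asset score and a mean-of-findings space score on the same 0-100 scale the page describes.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean

# ASSUMED weights per impact level for this illustration; Mondoo's real
# weighting is not stated on the page.
IMPACT_WEIGHT = {"Critical": 100, "High": 80, "Medium": 50, "Low": 20}


@dataclass(frozen=True)
class Check:
    """A single pass/fail assertion about an asset, with an impact level."""
    title: str
    impact: str  # "Critical", "High", "Medium" or "Low"


@dataclass(frozen=True)
class Finding:
    """One issue on one asset: a failed check, a CVE, or a vendor advisory."""
    asset: str
    source: str            # "misconfiguration", "vulnerability" or "advisory"
    title: str
    base_severity: int     # 0-100, severity of the issue on its own
    context_factor: float  # ASSUMED asset-context adjustment (1.0 = neutral)

    @property
    def risk_score(self) -> int:
        """Base severity adjusted by asset context, clamped to the 0-100 scale."""
        return max(0, min(100, round(self.base_severity * self.context_factor)))


def asset_risk_score(results: dict[Check, bool]) -> int:
    """Weighted percentage of checks the asset failed (0 if nothing ran)."""
    total = sum(IMPACT_WEIGHT[c.impact] for c in results)
    if total == 0:
        return 0
    failed = sum(IMPACT_WEIGHT[c.impact] for c, passed in results.items() if not passed)
    return round(100 * failed / total)


def findings_from_checks(asset: str, results: dict[Check, bool],
                         context_factor: float = 1.0) -> list[Finding]:
    """Every failed check becomes a misconfiguration finding on that asset."""
    return [
        Finding(asset, "misconfiguration", c.title, IMPACT_WEIGHT[c.impact], context_factor)
        for c, passed in results.items() if not passed
    ]


def space_risk_score(findings: list[Finding]) -> int:
    """Average risk score across every finding in the space (0 if none)."""
    return round(mean(f.risk_score for f in findings)) if findings else 0


# Constructed sample data: three checks on one asset, plus one CVE finding
# (the CVE id is a placeholder, not a real identifier).
CHECKS = {
    Check("Asset does not accept ICMP redirects", "Medium"): False,            # fails
    Check("S3 bucket has server-side encryption enabled", "High"): True,       # passes
    Check("Kubernetes API server requires authentication", "Critical"): False, # fails
}
CVE_FINDING = Finding("asset-01", "vulnerability", "CVE-YYYY-NNNN (placeholder)", 75, 1.2)
SPACE_FINDINGS = findings_from_checks("asset-01", CHECKS) + [CVE_FINDING]

if __name__ == "__main__":
    print("asset risk score:", asset_risk_score(CHECKS))          # 65
    for f in SPACE_FINDINGS:
        print(f"  {f.source:17} {f.title[:45]:45} risk={f.risk_score}")
    print("space risk score:", space_risk_score(SPACE_FINDINGS))  # 80
```

Two points the numbers make visible: a single Critical failure dominates the asset score (150 of 230 weight failed, so 65 percent), and the space score is pulled by findings rather than assets, so one CVE with an elevated context factor counts as much as a failed policy check.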
