Mondoo
300+ policies available

CIS Benchmarks & Security Policies

Out-of-the-box security policies, CIS benchmarks, and compliance frameworks to protect your infrastructure.

What Are Security Benchmarks?

Security benchmarks are standardized sets of security configuration guidelines developed by industry experts and organizations like CIS (Center for Internet Security). They define the baseline security settings needed to protect systems from threats.

Mondoo provides over 300 out-of-the-box policies covering cloud platforms, operating systems, containers, Kubernetes, SaaS applications, and more. Each policy contains hundreds of individual checks validated against industry best practices.

CIS Benchmarks · SOC 2 · HIPAA · PCI DSS · NIST · ISO 27001
10,000+
Individual security checks across all policies
70+
Platforms and technologies supported
100%
Fully customizable policies
Open Source
Built on cnspec, our open source policy engine
Maintained by Mondoo

Production-Ready Out of the Box

Every policy in Mondoo is actively maintained by our security research team. We continuously update policies to address new vulnerabilities, changing compliance requirements, and evolving best practices.

Most customers start with our built-in policies and see immediate value. Policy as Code is available when you need customization, but the out-of-the-box experience covers 95% of use cases.

Continuous Updates

Policies are updated regularly as new CVEs, benchmarks, and compliance changes are released.

Expert Curated

Our security team validates every check against real-world environments and vendor guidance.

Zero Configuration

Enable policies with one click. No YAML to write, no queries to learn—just results.

Immediate Value

Get security insights within minutes of connecting your first asset.

Policy as Code

Security Policies as Code

Mondoo uses a policy-as-code approach where all security policies are defined in human-readable YAML files powered by MQL (Mondoo Query Language). This enables version control, code review, and GitOps workflows for your security configuration.

YAML-Based Policies

Define policies in human-readable YAML format. Easy to understand, modify, and share across teams.

Mondoo Query Language

Powerful query language to inspect any resource. Query cloud APIs, OS configurations, and application settings.

GitOps Ready

Store policies in Git, use pull requests for changes, and automate deployment through CI/CD pipelines.

policy.mql.yaml
policies:
  - uid: custom-security-policy
    name: Custom Security Policy
    version: "1.0.0"
    authors:
      - name: Your Team
    groups:
      - title: SSH Configuration
        checks:
          - uid: ssh-protocol-2
            title: Ensure SSH Protocol is set to 2
            mql: sshd.config.params["Protocol"] == 2
            impact: 80
          - uid: ssh-root-login
            title: Ensure SSH root login is disabled
            mql: sshd.config.params["PermitRootLogin"] == "no"
            impact: 90

Modify Built-In Policies

Enable or disable individual checks, and use properties to adjust check behavior to meet your needs.

Create Your Own Policies

Write custom policies using MQL to enforce organization-specific security requirements and best practices.

Exceptions & Waivers

Document and manage exceptions for specific assets or checks with approval workflows and expiration dates.

Custom Risk Scoring

Define custom impact scores and risk weights based on your business context and compliance requirements.

Fully Customizable Benchmarks

Every benchmark in Mondoo can be customized to match your organization's specific requirements. Disable checks that don't apply, adjust severity levels, or create entirely new policies from scratch.

CIS SecureSuite Certified

Mondoo is the first CIS SecureSuite vendor certified for Cloud and Kubernetes security, covering AWS, Azure, GCP, EKS, AKS, and GKE.

Popular Benchmarks

CIS AWS Foundations Benchmark - Level 1

Essential AWS security configuration baseline

CIS Azure Foundations Benchmark - Level 1

Essential Azure security configuration baseline

CIS Google Cloud Platform Benchmark - Level 1

Essential GCP security configuration

CIS Kubernetes Benchmark - Level 1

Essential Kubernetes cluster security (Master & Worker)

CIS Red Hat Enterprise Linux 9 Benchmark

RHEL 9 security configuration (Level 1 & 2)

CIS Windows Server 2025 Benchmark

Windows Server 2025 DC & Member Server (Level 1, 2, NG)

CIS Microsoft 365 E3 Benchmark

M365 E3 security baseline (Level 1 & 2)

155 policies

AWS Best Practices for Compute

Security best practices for AWS compute services

AWS Best Practices·Services

AWS Best Practices for Database Services

Security configuration for AWS database services

AWS Best Practices·Services

AWS Best Practices for EC2

Security hardening for EC2 instances

AWS Best Practices·Services

AWS Best Practices for Encryption and Keys

KMS and encryption best practices

AWS Best Practices·Services

AWS Best Practices for HIPAA Security

AWS operational controls for HIPAA compliance

AWS Best Practices·Healthcare

AWS Best Practices for IAM

Identity and access management best practices

AWS Best Practices·Services

AWS Best Practices for NIST 1800-25

Data integrity best practices

AWS Best Practices·NIST

AWS Best Practices for NIST 800-171

AWS controls for protecting CUI per NIST 800-171

AWS Best Practices·NIST

AWS Best Practices for NIST 800-172

Enhanced security requirements for CUI

AWS Best Practices·NIST

AWS Best Practices for NIST 800-181

Workforce framework for cybersecurity

AWS Best Practices·NIST

AWS Best Practices for NIST 800-53 rev 5

AWS operational best practices aligned with NIST 800-53 revision 5 controls

AWS Best Practices·NIST

AWS Best Practices for NIST CSF

AWS operational best practices for NIST Cyber Security Framework

AWS Best Practices·NIST

AWS Best Practices for NIST Privacy Framework

Privacy risk management aligned with NIST

AWS Best Practices·NIST

AWS Best Practices for PCI-DSS Security

Payment card industry security controls for AWS

AWS Best Practices·Financial

AWS Best Practices for S3

S3 bucket security configuration

AWS Best Practices·Services

AWS Best Practices for Serverless

Lambda and serverless security controls

AWS Best Practices·Services

AWS Cost Control Policy

Cost optimization and governance policies

AWS Best Practices·Cost

BSI SiSyPHuS Windows 10

German BSI configuration recommendations for Windows 10

Government Standards·Germany

BSI SYS.1.2 Windows Server 2016/2019/2022

BSI baseline for Windows Server systems

Government Standards·Germany

BSI SYS.1.3 Linux and Unix Servers

BSI security requirements for Linux/Unix servers

Government Standards·Germany

CIS AlmaLinux OS 10 Benchmark

AlmaLinux 10 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS AlmaLinux OS 8 Benchmark

AlmaLinux 8 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS AlmaLinux OS 9 Benchmark

AlmaLinux 9 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Amazon EKS Benchmark - Level 1

Amazon EKS security baseline

CIS Benchmarks·Kubernetes

CIS Amazon EKS Benchmark - Level 2

Advanced EKS hardening (Worker Node)

CIS Benchmarks·Kubernetes

CIS Amazon Linux 2 Benchmark

Amazon Linux 2 security (Level 1 & 2)

CIS Benchmarks·Linux

CIS Amazon Linux 2023 Benchmark

Amazon Linux 2023 security (Level 1 & 2)

CIS Benchmarks·Linux

CIS Amazon Linux Benchmark

Amazon Linux security (Level 1 & 2)

CIS Benchmarks·Linux

CIS Apple macOS 10.15 Catalina Benchmark

macOS Catalina security (Level 1 & 2)

CIS Benchmarks·macOS

CIS Apple macOS 11 Big Sur Benchmark

macOS Big Sur security (Level 1 & 2)

CIS Benchmarks·macOS

CIS Apple macOS 12 Monterey Benchmark

macOS Monterey security (Level 1 & 2)

CIS Benchmarks·macOS

CIS Apple macOS 13 Ventura Benchmark

macOS Ventura security (Level 1 & 2)

CIS Benchmarks·macOS

CIS Apple macOS 14 Sonoma Benchmark

macOS Sonoma security (Level 1 & 2)

CIS Benchmarks·macOS

CIS Apple macOS 15 Sequoia Benchmark

macOS Sequoia security (Level 1 & 2)

CIS Benchmarks·macOS

CIS Apple macOS 26 Tahoe Benchmark

macOS Tahoe security (Level 1 & 2)

CIS Benchmarks·macOS

CIS AWS Database Services Benchmark - Level 1

Security for RDS, DynamoDB, and other AWS databases

CIS Benchmarks·Cloud

CIS AWS Foundations Benchmark - Level 1

Essential AWS security configuration baseline

CIS Benchmarks·Cloud

CIS AWS Foundations Benchmark - Level 2

Advanced AWS security hardening controls

CIS Benchmarks·Cloud

CIS Azure AKS Benchmark - Level 1

Azure Kubernetes Service security baseline

CIS Benchmarks·Kubernetes

CIS Azure AKS Benchmark - Level 2

Advanced AKS security hardening

CIS Benchmarks·Kubernetes

CIS Azure Compute Services Benchmark - Level 1

Azure VM and compute security baseline

CIS Benchmarks·Cloud

CIS Azure Compute Services Benchmark - Level 2

Advanced Azure compute hardening

CIS Benchmarks·Cloud

CIS Azure Database Services Benchmark - Level 1

Azure SQL and database security baseline

CIS Benchmarks·Cloud

CIS Azure Database Services Benchmark - Level 2

Advanced Azure database hardening

CIS Benchmarks·Cloud

CIS Azure Foundations Benchmark - Level 1

Essential Azure security configuration baseline

CIS Benchmarks·Cloud

CIS Azure Foundations Benchmark - Level 2

Advanced Azure security hardening controls

CIS Benchmarks·Cloud

CIS Azure Windows Server 2019 Benchmark

Azure-specific Windows Server 2019 hardening

CIS Benchmarks·Windows

CIS Azure Windows Server 2022 Benchmark

Azure-specific Windows Server 2022 hardening

CIS Benchmarks·Windows

CIS CentOS Linux 6 Benchmark

CentOS 6 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS CentOS Linux 7 Benchmark

CentOS 7 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS CentOS Linux 8 Benchmark

CentOS 8 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Cisco IOS XE 17.x Benchmark

Cisco IOS XE security (Level 1 & 2)

CIS Benchmarks·Network

CIS Cisco IOS XR 7.x Benchmark

Cisco IOS XR security (Level 1 & 2)

CIS Benchmarks·Network

CIS Cisco NX-OS Benchmark

Cisco Nexus switch security (Level 1 & 2)

CIS Benchmarks·Network

CIS Debian Linux 10 Benchmark

Debian 10 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Debian Linux 11 Benchmark

Debian 11 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Debian Linux 12 Benchmark

Debian 12 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Debian Linux 8 Benchmark

Debian 8 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Debian Linux 9 Benchmark

Debian 9 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Distribution Independent Linux Benchmark

Generic Linux security baseline (Level 1 & 2)

CIS Benchmarks·Linux

CIS GitHub Benchmark

GitHub organization security (Level 1 & 2)

CIS Benchmarks·SaaS

CIS GitLab Benchmark

GitLab security configuration (Level 1 & 2)

CIS Benchmarks·SaaS

CIS Google Cloud Platform Benchmark - Level 1

Essential GCP security configuration

CIS Benchmarks·Cloud

CIS Google Cloud Platform Benchmark - Level 2

Advanced GCP security hardening

CIS Benchmarks·Cloud

CIS Google Container-Optimized OS Benchmark

Security for Google Container-Optimized OS

CIS Benchmarks·Kubernetes

CIS Google GKE Benchmark - Level 1

Google Kubernetes Engine security baseline

CIS Benchmarks·Kubernetes

CIS Google GKE Benchmark - Level 2

Advanced GKE security hardening

CIS Benchmarks·Kubernetes

CIS Google Workspace Benchmark

Google Workspace Enterprise security (Level 1 & 2)

CIS Benchmarks·SaaS

CIS IBM AIX 7 Benchmark

IBM AIX 7.x security configuration (Level 1 & 2)

CIS Benchmarks·Unix

CIS Kubernetes Benchmark - Level 1

Essential Kubernetes cluster security (Master & Worker)

CIS Benchmarks·Kubernetes

CIS Kubernetes Benchmark - Level 2

Advanced Kubernetes hardening (Master & Worker)

CIS Benchmarks·Kubernetes

CIS Kubernetes V1.23 Benchmark

Kubernetes 1.23 specific security controls

CIS Benchmarks·Kubernetes

CIS Kubernetes V1.24 Benchmark

Kubernetes 1.24 specific security controls

CIS Benchmarks·Kubernetes

CIS Linux Mint 22 Benchmark

Linux Mint 22 workstation security (Level 1 & 2)

CIS Benchmarks·Linux

CIS Microsoft 365 E3 Benchmark

M365 E3 security baseline (Level 1 & 2)

CIS Benchmarks·SaaS

CIS Microsoft 365 E5 Benchmark

M365 E5 security baseline (Level 1 & 2)

CIS Benchmarks·SaaS

CIS Microsoft Exchange Server 2019 Benchmark

Exchange 2019 security (Edge, Mailbox, MDM)

CIS Benchmarks·Applications

CIS Microsoft Intune Windows 10 Benchmark

Intune-managed Windows 10 security

CIS Benchmarks·Windows

CIS Microsoft Intune Windows 11 Benchmark

Intune-managed Windows 11 security

CIS Benchmarks·Windows

CIS NGINX Benchmark

NGINX security (Webserver, Proxy, Loadbalancer)

CIS Benchmarks·Applications

CIS Oracle Cloud Infrastructure Benchmark - Level 1

OCI security configuration baseline

CIS Benchmarks·Cloud

CIS Oracle Linux 10 Benchmark

Oracle Linux 10 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Oracle Linux 6 Benchmark

Oracle Linux 6 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Oracle Linux 7 Benchmark

Oracle Linux 7 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Oracle Linux 8 Benchmark

Oracle Linux 8 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Oracle Linux 9 Benchmark

Oracle Linux 9 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Red Hat Enterprise Linux 10 Benchmark

RHEL 10 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Red Hat Enterprise Linux 6 Benchmark

RHEL 6 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Red Hat Enterprise Linux 7 Benchmark

RHEL 7 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Red Hat Enterprise Linux 8 Benchmark

RHEL 8 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Red Hat Enterprise Linux 9 Benchmark

RHEL 9 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Red Hat OpenShift v4 Benchmark - Level 1

OpenShift Container Platform security baseline

CIS Benchmarks·Kubernetes

CIS Red Hat OpenShift v4 Benchmark - Level 2

Advanced OpenShift hardening

CIS Benchmarks·Kubernetes

CIS Rocky Linux 10 Benchmark

Rocky Linux 10 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Rocky Linux 8 Benchmark

Rocky Linux 8 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Rocky Linux 9 Benchmark

Rocky Linux 9 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS SUSE Linux Enterprise 11 Benchmark

SLES 11 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS SUSE Linux Enterprise 12 Benchmark

SLES 12 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS SUSE Linux Enterprise 15 Benchmark

SLES 15 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Ubuntu Linux 14.04 LTS Benchmark

Ubuntu 14.04 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Ubuntu Linux 16.04 LTS Benchmark

Ubuntu 16.04 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Ubuntu Linux 18.04 LTS Benchmark

Ubuntu 18.04 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Ubuntu Linux 20.04 LTS Benchmark

Ubuntu 20.04 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Ubuntu Linux 22.04 LTS Benchmark

Ubuntu 22.04 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS Ubuntu Linux 24.04 LTS Benchmark

Ubuntu 24.04 security configuration (Level 1 & 2)

CIS Benchmarks·Linux

CIS VMware ESXi 6.7 Benchmark

ESXi 6.7 security (Corporate & High Security)

CIS Benchmarks·Virtualization

CIS VMware ESXi 7.0 Benchmark

ESXi 7 security (Corporate & High Security)

CIS Benchmarks·Virtualization

CIS VMware ESXi 8.0 Benchmark

ESXi 8 security (Corporate & High Security)

CIS Benchmarks·Virtualization

CIS Windows 10 Enterprise Benchmark

Windows 10 desktop security (Level 1, 2, BitLocker, NG)

CIS Benchmarks·Windows

CIS Windows 11 Enterprise Benchmark

Windows 11 desktop security (Level 1, 2, BitLocker)

CIS Benchmarks·Windows

CIS Windows Server 2016 Benchmark

Windows Server 2016 DC & Member Server (Level 1, 2, NG)

CIS Benchmarks·Windows

CIS Windows Server 2019 Benchmark

Windows Server 2019 DC & Member Server (Level 1, 2, NG)

CIS Benchmarks·Windows

CIS Windows Server 2022 Benchmark

Windows Server 2022 DC & Member Server (Level 1, 2, NG)

CIS Benchmarks·Windows

CIS Windows Server 2025 Benchmark

Windows Server 2025 DC & Member Server (Level 1, 2, NG)

CIS Benchmarks·Windows

DISA Arista MLS DCS-7000 Series NDM STIG

DoD STIG for Arista network devices

DISA STIG·Network

Mondoo AWS GuardDuty

AWS GuardDuty findings integration

Mondoo Policies·Cloud

Mondoo AWS IAM Access Analyzer

IAM policy analysis and recommendations

Mondoo Policies·Cloud

Mondoo AWS Security

Comprehensive AWS security posture assessment

Mondoo Policies·Cloud

Mondoo Azure Security

Comprehensive Azure security assessment

Mondoo Policies·Cloud

Mondoo Container Secrets Security

Detect secrets in container images

Mondoo Policies·Containers

Mondoo DNS Security

DNS security configuration assessment

Mondoo Policies·Network

Mondoo Dockerfile Security

Container image security best practices

Mondoo Policies·Containers

Mondoo Email Security

Email security configuration (SPF, DKIM, DMARC)

Mondoo Policies·Network

Mondoo Endpoint Detection and Response

EDR agent presence and configuration

Mondoo Policies·Security

Mondoo GitHub Organization Security

GitHub org security configuration

Mondoo Policies·SaaS

Mondoo GitHub Repository Best Practices

Repository operational best practices

Mondoo Policies·SaaS

Mondoo GitHub Repository Security

Repository security settings

Mondoo Policies·SaaS

Mondoo GitLab Security

GitLab security configuration

Mondoo Policies·SaaS

Mondoo Google Cloud Cost Control

GCP cost optimization policies

Mondoo Policies·Cloud

Mondoo Google Cloud Security

GCP security posture assessment

Mondoo Policies·Cloud

Mondoo Google Cloud Tagging

GCP resource tagging standards

Mondoo Policies·Cloud

Mondoo Google Workspace Security

Google Workspace security assessment

Mondoo Policies·SaaS

Mondoo HTTP Security

HTTP/HTTPS security headers and config

Mondoo Policies·Network

Mondoo Kubernetes Best Practices

K8s operational best practices

Mondoo Policies·Kubernetes

Mondoo Kubernetes Security

Kubernetes cluster and workload security

Mondoo Policies·Kubernetes

Mondoo Linux Security

Linux server security baseline

Mondoo Policies·Operating Systems

Mondoo Linux Workstation Security

Linux desktop security baseline

Mondoo Policies·Operating Systems

Mondoo macOS Security

macOS security baseline

Mondoo Policies·Operating Systems

Mondoo MCP Security

Model Context Protocol security assessment

Mondoo Policies·Security

Mondoo Microsoft 365 Security

M365 security configuration baseline

Mondoo Policies·SaaS

Mondoo Microsoft Entra ID Security

Azure AD / Entra ID security

Mondoo Policies·SaaS

Mondoo NTLMv1 Audit

Detect legacy NTLMv1 authentication

Mondoo Policies·Security

Mondoo Okta Organization Security

Okta identity security configuration

Mondoo Policies·SaaS

Mondoo Shodan Security

External exposure assessment via Shodan

Mondoo Policies·Network

Mondoo Slack Team Security

Slack workspace security settings

Mondoo Policies·SaaS

Mondoo SMBv1 Audit

Detect legacy SMBv1 protocol usage

Mondoo Policies·Security

Mondoo TLS/SSL Security

TLS configuration and certificate validation

Mondoo Policies·Network

Mondoo VMware vSphere ESXi Security

ESXi host security baseline

Mondoo Policies·Virtualization

Mondoo VMware vSphere Security Baseline

vSphere environment security

Mondoo Policies·Virtualization

Mondoo Windows Security

Windows server security baseline

Mondoo Policies·Operating Systems

Mondoo Windows Workstation Security

Windows desktop security baseline

Mondoo Policies·Operating Systems

NSA PowerShell Security Measures

NSA guidance for PowerShell security

Security Best Practices·Windows

NSA/CISA Kubernetes Hardening Guide v1.2

Joint guidance for securing Kubernetes clusters

Security Best Practices·Kubernetes

VMware vSphere Security Configuration Guide 7

VMware official security guide for vSphere 7

Security Best Practices·Virtualization

VMware vSphere Security Configuration Guide 8

VMware official security guide for vSphere 8

Security Best Practices·Virtualization

Need Custom Policies?

Create your own security policies using cnspec's policy-as-code framework. Write policies in YAML with MQL and enforce them across your infrastructure.