📚
1,005 STIG rules · 9 product families
Pre-ingested DISA quarterly bundle for IOS, IOS-XE Switch + Router, NX-OS Switch, ACI, ASA, IOS-XR, ISE, Wireless. Drop the next quarterly zip → catalog rebuilds in-process.
InfoRelay's tool suite for air-gapped admin workstations. Offline DISA Cisco STIG audits, single-binary AD CS cert lifecycle, no telemetry, no installer, no phone-home. Built for the network engineers running the perimeter, not their dashboards.
line vty 0 4 / exec-timeout 5 0exec-timeout 9 59 on line 142.Every tool in the family is single-binary, air-gap deployable, written in Python you can vet. No SaaS. No cloud control plane. No connected LLM. Each tool stands alone; together they replace a row of vendor licenses at a fraction of the TCO.
DISA Cisco STIG audit · live SSH pull · MANUAL triage · CKL / annotated.cfg / XLSX / PDF.
Live · v0.1 🔐Windows AD CS-aware cert tool. Discover · monitor · enroll · bulk CSR · troubleshoot. 11 prebuilt template recipes.
"Can workstation X reach Call Manager Y on tcp/2000?" Walks L2/L3/ACL/routing across every audited device.
Continuous config-drift detection across your inventory. Alerts on baseline divergence — without ever sending configs anywhere.
PAN-OS and JunOS STIG audit modules with the same Deviation + Triage intelligence layer.
Live discovery, normalization, and offline change-control for the whole device fleet. CMDB-grade artifacts, zero connected services.
Four design choices we will never break.
Binds 127.0.0.1 only. SSH-pull is the only outbound traffic — and only to IPs you specify. No telemetry. No update checks. No connected LLM.
No MSI. No service. No registry edits. No scheduled tasks. The binary's SHA-256 IS the entire SWAB artifact your ISSO has to track.
Drop the .exe on disk, double-click, scan. First audit completes in under 60 seconds. No deployment ceremony, no consultant engagement.
Per-site tiered: Standard (100 devices) / Pro (250) / Enterprise (1,000+). No per-user fees. No per-feature paywalls. The full product is what ships.
Every applicable Vuln_Num produces a row. Every FAIL carries exact remediation. Every MANUAL is triaged with engineering reasoning so the review pile drops 40–60% before the auditor opens it.
Pre-ingested DISA quarterly bundle for IOS, IOS-XE Switch + Router, NX-OS Switch, ACI, ASA, IOS-XR, ISE, Wireless. Drop the next quarterly zip → catalog rebuilds in-process.
Every FAIL carries Expected / Actual / At-line / Patch. The operator gets the exact commands to paste, with source-line refs into their config.
25-topic protocol classifier scans every MANUAL rule. Marks "likely N/A" with engineer's reasoning, or "applicable, review lines X–Y".
netguard --pull HOST --audit-after. Autodetects IOS / IOS-XE / NX-OS / IOS-XR. Pulls show running + facts and chains audit → annotation → CKL.
DISA .ckl drops into STIG Viewer. Annotated .cfg for the binder. Excel for analyst review. Printable PDF for executive summary.
Drop 50 configs at once → aggregate dashboard with per-device drill-down. Pick two saved audits → re-audit both → see NEW FAILs, RESOLVED, status changes.
Three input modes, one pipeline, four artifact types. Nothing leaves the box.
Paste a config, upload a folder of .cfg files, or have netguard SSH to your devices with the scan account.
Product family auto-inferred (IOS-XE switch vs router, NX-OS, IOS-XR). Catalog-driven audit selects only the STIGs that apply.
Every applicable Vuln_Num produces a finding. Auto-checks PASS/FAIL with Deviation. Manual items get an engineer's note for likely N/A vs applicable.
Download CKL → STIG Viewer. Annotated .cfg → compliance binder. XLSX → analyst review. Print → PDF for the exec summary.
tcpdump.Three operator realities the InfoRelay suite handles where SaaS platforms can't follow.
Your team is staring at 800 MANUAL items per device. Most aren't applicable but you have to write a justification on every one. The analyst pile is the bottleneck — not the auditing.
Every commercial PKI / audit tool wants to phone home. Telemetry, license check-in, cloud-side dashboards. Your ATO doesn't allow any of it.
MSI installers trigger registry writes, service installs, scheduled tasks — every one of which the SWAB has to vet. By the time the tool is approved, the audit window has passed.
Drop the binary on disk. Point it at a device. Get a CKL in 60 seconds. Free for evaluation — Standard / Pro / Enterprise pricing announced before v1.0.
SHA-256 + Ed25519 signatures published alongside. Source tarball lets you build it yourself and vet every line.
netguard-0.1-windows-x64.zip.netguard-0.1-windows-x64.exe → Properties → check Unblock at the bottom → OK.netguard-0.1-windows-x64.exe --audit foo.cfg --ckl-out report.cklEnd-to-end walkthrough: SSH-pull setup, batch mode, drift compare, CKL hand-off to STIG Viewer, AppLocker / SmartScreen notes for STIG'd boxes.
ComparisonHonest feature-by-feature: where CertGuard wins (air-gap, single binary, 10% of TCO) and where CyberArk is still the right tool (HSM, K8s, MSP).
One-pagerPrint-ready single page for SWAB submission and budget-approval conversations. Pricing tiers, security posture, deployment footprint.
127.0.0.1 only. The single exception is the --pull feature, which makes an SSH connection to operator-specified device IPs — never to anywhere else. No telemetry, no update checks, no analytics./catalog page in the UI (or netguard --build-stig-catalog on the CLI). NetGuard extracts safely under ./stigs/ and rebuilds the cache in-process. No service restart.