Before (the problem)
CIS Benchmarks are the recognized security baseline — and they arrive as sprawling
PDFs running to thousands of rules per product. A team that wants to know “how
covered are we, and where are the gaps?” has no view that answers it. The benchmark
becomes a document no one reads rather than a posture anyone can act on.
What we built
Compliance analytics layered over the CIS benchmark library:
- Coverage view across products and benchmark families
- Rule search over the full library
- Drift and gap tracking — what is covered, what regressed, what was never met
- A normalized store of 11,000+ security rules
How it works
- CIS benchmark content is extracted and normalized into a queryable store.
- Rules are mapped to products and coverage state.
- The dashboard renders coverage, surfaces gaps, and tracks drift over time.
- Search lets a user jump from “which rules cover X” to the specific rule IDs.
Outcomes
- 11,000+ rules turned from static PDFs into a searchable, actionable view
- A single coverage-and-gap picture a team can work from, per product
- Drift tracking so a regression is visible instead of silent
Stack & role
CIS Benchmarks · SQLite · Node.js. Built & operated in-house.
Timeline
Built in-house; live. Paired with PRISMA (the AI analyst that reasons over this same
baseline data).
What it proves
A benchmark library only protects you if you can see your posture against it. This
turns 11,000+ rules from a compliance artifact into a working coverage instrument.