Noxen and CIS Controls v8
The CIS Controls are the most pragmatic baseline in the industry — cheap to adopt, vendor-neutral, and structured around how attacks actually unfold. Noxen produces direct technical evidence for a cluster of v8 safeguards focused on inventory, configuration, and continuous vulnerability management. It does not certify your organisation against CIS; CIS isn't a certification programme to begin with. What you get is dated, per-host evidence you can hand to an assessor, a board, or your own future self.
What CIS Controls v8 is
The Center for Internet Security publishes the CIS Critical Security Controls — currently at v8 — as a prioritised list of 18 controls broken down into roughly 153 safeguards. v8 reorganised the older v7.1 set around modern fleets (cloud, remote work, mobile) and introduced Implementation Groups so organisations can right-size the work:
- IG1 — essential cyber hygiene. The minimum a small organisation should implement. Mostly about knowing what you have and patching it.
- IG2 — enterprise. Adds vendor management, more rigorous configuration management, network segmentation.
- IG3 — mature. Adds red-team exercises, threat hunting, advanced data governance.
Noxen primarily produces evidence for the technical subset of IG1 and a handful of IG2 safeguards. If you are operating at IG3, Noxen is one input among many.
How Noxen maps to CIS Controls v8
Each Noxen probe tags its findings with the safeguard numbers it provides evidence for. An SSH inventory probe contributes to Control 1 (Inventory of Enterprise Assets) and Control 2 (Software Asset Management). A CVE match against an installed package contributes to Control 7 (Continuous Vulnerability Management). A weak sshd_config finding contributes to Control 4 (Secure Configuration of Enterprise Assets and Software).
The mapping is conservative. Where a control has a workflow or policy component that Noxen can't observe (for example, "review the asset inventory quarterly"), Noxen contributes the technical artefact and labels the control as partial. The CSV makes the partial/full distinction explicit so you don't accidentally over-claim coverage to an assessor.
Controls Noxen produces evidence for
| Control | Coverage | What Noxen contributes |
|---|---|---|
| 1 — Inventory and Control of Enterprise Assets | Partial | Per-host record with hostname, IP, OS, kernel, last-seen timestamp. Covers the technical inventory; the authorisation workflow (1.2) stays with you. |
| 2 — Inventory and Control of Software Assets | Partial | Full dpkg/rpm package list per host with versions. Satisfies the "maintain a software inventory" safeguards (2.1, 2.2). Allowlisting (2.5+) is out of scope. |
| 4 — Secure Configuration of Enterprise Assets and Software | Partial | sshd_config audit (root login, password auth, key algorithms), TLS configuration audit, HTTP security headers, exposed admin surface flags. Maps cleanly to 4.1, 4.2, 4.6, 4.8. |
| 7 — Continuous Vulnerability Management | Full | This is the headline control. CPE-to-CVE matching against a signed daily feed, severity bucketing, diff-from-yesterday reporting. Covers 7.1, 7.3, 7.4, 7.5, 7.6, 7.7 directly. |
| 8 — Audit Log Management | Partial | Scan history and finding history are themselves audit logs of security-relevant changes to the fleet. Covers the security-tooling slice of 8.2; full coverage requires syslog/journald collection elsewhere. |
| 12 — Network Infrastructure Management | Partial | Detection of out-of-date firmware / OS on network-facing hosts (routers, firewalls, UniFi, Mikrotik, OPNsense). Covers 12.1 evidence; segmentation policy (12.2+) stays with you. |
| 13 — Network Monitoring and Defense | Partial | Port-scan deltas and exposed admin surface detection contribute to the host-attack-surface side of 13.1, 13.3. Not a substitute for an IDS. |
| 18 — Penetration Testing | Adjacent | Noxen is not a pentest tool, but its findings inform scope for 18.1 and reduce the "low-hanging fruit" a pentest would otherwise spend time documenting. |
Controls Noxen does NOT cover
Be honest with your auditor about gaps. The following controls are either policy-driven, people-driven, or about systems Noxen doesn't reach.
- Control 3 — Data Protection. Classification, retention, DLP. Noxen sees package inventories, not the data sitting on the host.
- Control 5 — Account Management. User lifecycle, MFA enrolment, dormant-account review. Workflow, not telemetry.
- Control 6 — Access Control Management. Role-based access, just-in-time elevation, audit of privileged sessions.
- Control 9 — Email and Web Browser Protections. Out of scope; Noxen scans servers, not endpoints.
- Control 10 — Malware Defenses. EDR / antivirus territory.
- Control 11 — Data Recovery. Backup verification, restore testing.
- Control 14 — Security Awareness and Skills Training. People controls.
- Control 15 — Service Provider Management. Vendor risk, contract review.
- Control 16 — Application Software Security. SAST, DAST, secure SDLC.
- Control 17 — Incident Response Management. Runbooks, tabletop exercises, post-incident review.
How to export evidence
The MSP / Team tier exposes a "Compliance CSV" export under the Reports menu. Pick CIS v8 as the framework and either a single host or the entire fleet. The output is a flat CSV with these columns:
- scan_date — ISO 8601 timestamp of the scan that produced the finding.
- host — display name from the host catalog.
- finding_id — stable identifier (CVE ID, probe name, or composite for non-CVE findings).
- severity — critical / high / medium / low / info.
- cis_control — top-level control number (e.g. 7).
- cis_safeguard — sub-safeguard reference (e.g. 7.3).
- coverage — full / partial / adjacent.
- summary — one-line human description.
For a SOC 2 Type II window or any rolling assessment, schedule the export monthly. NoxenAgent already runs nightly scans, so the data is fresh; the export is just a snapshot of the current finding set with its mapping applied. See continuous scanning vs patching for why "scan once a quarter for the audit" is the wrong cadence.
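The following Python script is an added example, not Noxen's own code or output: it parses an export in the column layout described above, rejects rows that could lead to over-claiming (unknown coverage labels, a safeguard filed under the wrong control), rolls findings up per control using the most conservative label present (an assumption about how an assessor would read mixed rows), lists the v8 controls the export says nothing about for the gap list, and flags hosts whose newest scan is older than a monthly review window. Every row in SAMPLE_CSV is constructed, and the CVE-EXAMPLE-* identifiers are placeholders rather than real CVE numbers.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a "Compliance CSV" export. Column names follow the page;
# every row, host name and finding id is made up for this example.
SAMPLE_CSV = """\
scan_date,host,finding_id,severity,cis_control,cis_safeguard,coverage,summary
2024-05-01T02:14:09Z,web-01,CVE-EXAMPLE-0001,high,7,7.3,full,Constructed: vulnerable package version
2024-05-01T02:14:09Z,web-01,sshd-permit-root-login,medium,4,4.1,partial,PermitRootLogin yes in sshd_config
2024-05-01T02:14:09Z,web-01,host-record,info,1,1.1,partial,Host inventory record refreshed
2024-05-01T02:15:41Z,db-01,CVE-EXAMPLE-0002,critical,7,7.5,full,Constructed: vulnerable package version
2024-05-01T02:15:41Z,db-01,package-inventory,info,2,2.1,partial,dpkg package list refreshed
2024-05-01T02:15:41Z,db-01,port-delta,low,13,13.3,partial,New listening port since previous scan
2024-03-20T01:07:00Z,nas-01,package-inventory,info,2,2.1,partial,dpkg package list refreshed
2024-05-01T02:15:41Z,db-01,pentest-scope,info,18,18.1,adjacent,Finding set informs pentest scope
"""

EXPECTED_COLUMNS = ["scan_date", "host", "finding_id", "severity",
                    "cis_control", "cis_safeguard", "coverage", "summary"]
SEVERITIES = {"critical", "high", "medium", "low", "info"}
# Ranked so that the lowest rank is the most conservative claim.
COVERAGE_RANK = {"adjacent": 0, "partial": 1, "full": 2}
ALL_CONTROLS = range(1, 19)  # CIS Controls v8 numbers 1 to 18


def _parse_ts(value):
    # ISO 8601 with a trailing Z; normalised so the result is timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Parse the CSV text, rejecting anything that would distort a coverage claim."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    rows = []
    for line_no, row in enumerate(reader, start=2):
        if row["severity"] not in SEVERITIES:
            raise ValueError(f"line {line_no}: unknown severity {row['severity']!r}")
        if row["coverage"] not in COVERAGE_RANK:
            raise ValueError(f"line {line_no}: unknown coverage {row['coverage']!r}")
        if not row["cis_control"].isdigit() or int(row["cis_control"]) not in ALL_CONTROLS:
            raise ValueError(f"line {line_no}: control {row['cis_control']!r} is not a v8 control")
        # A safeguard must belong to the control it is filed under (7.3 belongs to 7).
        if row["cis_safeguard"].split(".")[0] != row["cis_control"]:
            raise ValueError(f"line {line_no}: safeguard {row['cis_safeguard']} filed under control {row['cis_control']}")
        row["scan_date"] = _parse_ts(row["scan_date"])
        rows.append(row)
    return rows


def coverage_by_control(rows):
    """Per-control roll-up: the weakest coverage label present wins, and the
    safeguards with evidence are listed, so a partial safeguard is never
    silently promoted to a full claim for the whole control."""
    summary = {}
    for row in rows:
        control = int(row["cis_control"])
        entry = summary.setdefault(control, {"coverage": "full", "safeguards": set(), "findings": 0})
        if COVERAGE_RANK[row["coverage"]] < COVERAGE_RANK[entry["coverage"]]:
            entry["coverage"] = row["coverage"]
        entry["safeguards"].add(row["cis_safeguard"])
        entry["findings"] += 1
    return summary


def controls_without_evidence(rows):
    """Controls the export is silent on; these belong in the gap list handed to the assessor."""
    seen = {int(row["cis_control"]) for row in rows}
    return [control for control in ALL_CONTROLS if control not in seen]


def stale_hosts(rows, as_of, max_age_days=35):
    """Hosts whose newest scan in the export is older than the review window (assumed
    35 days for a monthly export). Old evidence says nothing about the current state."""
    newest = {}
    for row in rows:
        host = row["host"]
        newest[host] = max(newest.get(host, row["scan_date"]), row["scan_date"])
    cutoff = _parse_ts(as_of) - timedelta(days=max_age_days)
    return sorted(host for host, seen in newest.items() if seen < cutoff)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for control, entry in sorted(coverage_by_control(rows).items()):
        print(f"Control {control:2d}: {entry['coverage']:8s} "
              f"safeguards={sorted(entry['safeguards'])} findings={entry['findings']}")
    print("No evidence for controls:", controls_without_evidence(rows))
    print("Stale hosts:", stale_hosts(rows, "2024-05-02T00:00:00Z"))
```

The roll-up deliberately reports the weakest label; if you want to claim "full" for Control 7 you should be able to show that every row under it carries that label, which is exactly what the page's per-finding coverage column lets an assessor check.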
When this is enough — and when it isn't
Noxen's CIS mapping is enough on its own for homelab operators, SMBs targeting IG1, prosumer self-hosters who want to point at something concrete in a board meeting, and consultants producing lightweight maturity assessments. It is also enough as the vulnerability-management evidence layer for organisations already running other tooling (Wazuh, Tenable, Qualys) that covers the controls Noxen doesn't.
It is not enough on its own for an organisation formally claiming CIS v8 IG2 or IG3 conformance with an external assessor. You need policy documentation, evidence of executive sign-off, vendor management records, IR runbooks, and training logs — none of which Noxen produces. Treat the CSV as the Control-7-and-friends slice of a wider evidence binder.