SSH Compliance Testing

AI-Native SSH Image Testing.

Validates SSH configurations against eight compliance frameworks. Fixture-driven. pytest-powered. Reports your auditors will accept.

SSH Compliance Testing is an agent harness - a kernel-governed runtime that connects to your hosts, runs every compliance check, and produces auditor-ready evidence without manual intervention.

compliance-scan
STIG / CIS Benchmarks / NIST 800-171 / FIPS 140-3 / PCI DSS / HIPAA / SOC 2 / ISO 27001 / Paramiko / pytest

The Problem

SSH compliance is manual, fragmented, and reactive.

Most teams treat SSH auditing as a quarterly fire drill. Engineers SSH into boxes, grep sshd_config, and paste output into spreadsheets. Drift happens silently between audits. By the time anyone checks, the environment has already failed.

Manual evidence collection

Auditors want structured proof. They get terminal screenshots, copy-pasted config snippets, and spreadsheets that are out of date the day they are created. No repeatability, no chain of custody.

Configuration drift between audits

You pass an audit in January and drift by March. An admin hotfixes a cipher suite, another disables a setting for troubleshooting, nobody reverts it. Drift persists for weeks or months before anyone notices.

Every framework, different rules

STIG, CIS, NIST, PCI, HIPAA, SOC 2, ISO 27001 all have overlapping but different SSH requirements. Teams maintain separate scripts, checklists, or spreadsheets for each one. Nothing is unified.

No visibility at scale

Large enterprises accumulate thousands of SSH keys with no centralized inventory. Keys from former employees and decommissioned services persist indefinitely. Auditors find no trail of who provisioned what.

Frameworks

Eight Standards. One Harness.

Each framework targets a different compliance need. The harness validates all eight from a single pytest run.

Government

DISA STIG

Defense Information Systems Agency Security Technical Implementation Guides. Required for DoD networks.

Industry

CIS Benchmarks

Center for Internet Security consensus-based configuration guidelines. The baseline for hardening.

Federal

NIST 800-171

Protecting Controlled Unclassified Information in nonfederal systems. CMMC requirement.

Cryptography

FIPS 140-3

Federal cryptographic module validation. Ciphers, key exchange, MACs - all validated.

Payment

PCI DSS

Payment Card Industry Data Security Standard. SSH hardening for cardholder data environments.

Healthcare

HIPAA

Health Insurance Portability and Accountability Act. Technical safeguards for PHI access controls.

Audit

SOC 2

Service Organization Control. Trust service criteria for security, availability, and confidentiality.

International

ISO 27001

International information security management standard. Annex A control validation.

How It Works

You Configure. The Agent Validates.

Define your targets in JSON. The AI agent reads your host fixture, selects the right validators for your image variant, connects via SSH, and runs every check. You get the report.

01

Define Your Targets

Add a JSON fixture per host. Hostname, SSH credentials, image variant, expected packages and services. Adding a new target is config, not code.

02

Agent Plans the Run

The AI agent reads your host fixture, identifies the image variant, and selects the right validators. Kernel enforcement prevents architectural drift.

03

Agent Connects and Validates

The agent SSHs into your hosts, executes validation commands through the 5-layer framework, and captures evidence for every check. Retry, timeout, fail-fast built in.

04

Structured Results

Pass/fail per rule, per framework, per host. Command output captured as evidence. Run it in CI/CD or schedule it nightly. Auditor-ready.

Architecture

Five Layers. Strict Separation.


    

Live Scan

What a Compliance Check Looks Like

sshd_config audit complete

STIG-001  PermitRootLogin  grep -i PermitRootLogin /etc/ssh/sshd_config  PASS
STIG-002  Protocol         grep -i ^Protocol /etc/ssh/sshd_config        PASS
CIS-001   LogLevel         grep -i ^LogLevel /etc/ssh/sshd_config        PASS
NIST-003  Ciphers          grep -i ^Ciphers /etc/ssh/sshd_config         FAIL
FIPS-001  KexAlgorithms    grep -i ^KexAlgorithms /etc/ssh/sshd_config   PASS
FIPS-002  MACs             grep -i ^MACs /etc/ssh/sshd_config            PASS
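
An added example, not the harness's own code: a grep shows which lines mention a keyword, while sshd uses the first value it reads for each keyword and applies Match blocks only conditionally. This sketch evaluates fixture rules with those semantics and keeps the deciding line as evidence; the fixture field names, allowed values and sample config are constructed for illustration.

```python
import json
import re
# Constructed fixture: field names and allowed values are assumptions, not the harness's schema.
FIXTURE = json.loads("""{"hostname": "host-a.example", "rules": [
  {"id": "STIG-001", "keyword": "PermitRootLogin", "allowed": ["no"]},
  {"id": "CIS-001",  "keyword": "LogLevel",        "allowed": ["INFO", "VERBOSE"]},
  {"id": "NIST-003", "keyword": "Ciphers",         "allowed": ["aes256-ctr", "aes128-ctr"]}]}""")
# Constructed sshd_config text, standing in for the file read over the SSH session.
SAMPLE_CONFIG = """\
# constructed sample
PermitRootLogin no
LogLevel VERBOSE
Ciphers aes256-ctr,3des-cbc
LogLevel QUIET
Match User backup
    PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Return (global settings, Match-block settings); the first value of a keyword wins."""
    global_settings, overrides, in_match = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Keyword, then whitespace or '=', then the value; comments and blanks do not match.
        m = re.match(r"\s*([^#\s=]+)(?:\s*=\s*|\s+)(.*\S)", raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True          # everything below is conditional, not global
        elif in_match:
            overrides.append((lineno, key, value))
        elif key not in global_settings:
            global_settings[key] = (lineno, value)
    return global_settings, overrides

def evaluate(fixture, config_text):
    """One result per fixture rule, with the deciding config lines as evidence."""
    settings, overrides = parse_sshd_config(config_text)
    results = []
    for rule in fixture["rules"]:
        key, allowed = rule["keyword"].lower(), set(rule["allowed"])
        found = [settings[key]] if key in settings else []
        found += [(n, v) for n, k, v in overrides if k == key]
        bad = [(n, v) for n, v in found if not set(v.split(",")) <= allowed]
        # An unset keyword fails too: the compiled-in default is not evidence.
        status = "PASS" if key in settings and not bad else "FAIL"
        evidence = [f"line {n}: {v}" for n, v in (bad or found)] or ["not set explicitly"]
        results.append({"id": rule["id"], "status": status, "evidence": evidence})
    return results
```

The sketch does not follow Include directives. On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which makes stronger evidence than the file text.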

Who This Is For

Built For Teams That Ship Secure

DevSecOps / Fleet / Continuous

DevSecOps Teams

Maintaining SSH hardening across a fleet of hosts. Run compliance checks in CI/CD. Catch drift before it reaches production.

Government / Defense / CMMC

Defense Contractors

STIG compliance is not optional when your systems sit on a DoD network. Continuous validation replaces the scramble before an audit.

Security / Audit / Reporting

Security Teams

Structured reports with rule IDs, severity levels, and evidence. Designed to hand directly to an auditor.

MSP / Multi-Tenant / Scalable

Managed Service Providers

Each customer gets their own fixture file with their compliance requirements. Scale without writing new code.

Why Isagawa

Built Different From Scripts

Auditable Evidence

Every check captures command output as evidence. Hand the report to an auditor - no manual screenshots needed.

Self-Improving

When a check fails or a rule changes, the system updates its own protocol. Lessons compound across every run.

8 Frameworks, One Platform

STIG, CIS, NIST, FIPS, PCI, HIPAA, SOC 2, ISO 27001 - validated from a single pytest run.

Kernel-Enforced

The AI agent can't skip checks or drift from architecture. Hooks block non-compliant operations before they execute.

Talk to Us

Interested in compliance automation for your infrastructure?


View verified build history - every change signed with Sigstore