{% extends "base.html" %}
{% block content %}
Cisco STIG audit — offline, on-prem, intelligent.
Paste a running-config or upload a .cfg file. NetGuard parses it,
classifies the device, runs the catalog-driven DISA STIG audit, triages every
manual-review item, and gives you a STIG-Viewer-ready .ckl in
one click. Nothing leaves this machine.
python -m netguard --build-stig-catalog stigs --catalog-out stigs/stig_catalog.json.
The audit will run but no STIG findings will be produced.
{{ catalog_path }}Build the catalog to see rule counts here.
{% endif %}{{ n_implemented }} STIG vulns netguard verifies structurally: banner, vty timeout, NTP redundancy + auth, SNMPv3, syslog redundancy, password encryption, HTTP server disable, login-audit logging. Same code covers IOS, IOS-XE, NX-OS via short_id mapping.
Every FAIL carries Expected / Actual / At / Patch — the exact config commands to paste, with source line numbers. No more "V-220544 failed" with no context.
A 25-topic protocol classifier scans every MANUAL rule and proposes "likely N/A" with engineering reasoning ("Device runs no BGP; routing is via EIGRP AS 65000 on lines 145–158") or "applicable — review these lines" with config localization. Cuts the review pile by 40–60%.
DISA .ckl drops into STIG Viewer.
Annotated .cfg for the compliance binder.
CSV for ad-hoc analysis. Every line that maps to a STIG control is documented in place.
Beyond STIG: detects the AAA / RADIUS prereqs, host-mode mismatches, monitor-mode (auth open) ports, missing portfast/bpduguard, and VLAN-uplink blackholes that silently break IP phones + dot1x clients.
netguard --pull HOST --audit-after SSHs to a Cisco device,
pulls running-config + facts, runs the audit end-to-end. Browser-driven
pull is on the roadmap.