Secure Configuration

Configuration can be overlooked in the drive to patch.

Most businesses try to keep on top of patching — patch Tuesday, patch Wednesday, patch every other day. A key aspect is often missed: securely hardening systems. Group Policy hasn't been touched in three years. Local admin is on by default. Intune is flagging devices nobody chases.

Rebasoft measures — continuously — and tells you the day one slips.

[Dashboard mockup: secure configuration open findings by category (CAT I 1,022; CAT II 702; CAT III 1,374), 3,098 open of 4,580 recorded, re-checked daily; malware coverage 96% (546 of 568 covered); configuration drift caught the same day, e.g. a changed GPO on the day it changed; evidenced for CE+, CIS, STIG, ISO 27001, NIST CSF and PCI DSS. Checked every day. Evidenced for every framework.]

20,300 controls to measure

Which controls, on which platform, how?

Most IT teams have patching covered: scan and fix. The difficulty with secure configuration is knowing what to set, how to set it, and which systems are actually compliant. Failing at this can let attackers walk in through a misconfigured share, a default credential, or an unsigned-PowerShell execution policy that nobody noticed had drifted.

Where breaches actually start

Verizon’s data says 65% of incidents start with a configuration weakness, not a missing patch.

An open window right now

Industry research says 96% of organisations have at least one exploitable configuration weakness open today.

The CE+ failure point

Cyber Essentials Plus assessors fail more clients on configuration than on missing patches.

Tooling in a silo

Most "secure configuration" tooling runs once a quarter, against an asset list imported six months ago, with no connection to your vulnerability data or audit evidence.

65% of breaches start with a configuration weakness, not a missing patch. 96% of organisations have an exploitable one open right now. What was difficult is now easy to catch.

Focused

Measured continuously, against the controls that matter.

Every host checked, every day, against the baselines your auditors, insurers and regulators actually ask about — with each finding mapped straight to the setting that fixes it.

01
Continuous Cyber Essentials and CE+ measurement

Every Windows host checked daily against all the CE Secure Configuration controls plus patch-age and supported-OS controls. The same measurements pre-fill your CE self-assessment.

02
CIS and STIG/DISA hardening baselines

Government-grade baselines for the systems that need them — CIS for general hardening, STIG for the platforms regulated environments require, all in the same console.

03
Drift detection in real time

The day a host stops complying — a changed GPO, a disabled setting, a new VM from a stale template — you know. Not at the next audit.

04
TLS / SSL certificate health

Every TLS endpoint scanned for expiry, weak ciphers and NIST-aligned hardening. Web servers, BMCs, internal apps, IoT — all in one view. You hear about a certificate expiring on Monday at 9am two weeks beforehand, not at 9.05am.

Automated

Evidence that compiles itself.

The findings don't sit in a tab nobody opens. They route to owners, answer questionnaires and back up the renewal — from one data set.

Findings mapped straight to the fix

Each finding tells you the exact Group Policy setting, registry value or Intune control to change. No more "non-compliant" with no next step.

Intune compliance follow-through

The devices Intune flags as non-compliant get tagged to the user, ranked by risk and tracked to closure.

One scan, every framework

The same evidence answers Cyber Essentials, CE+, ISO 27001, NIST CSF, PCI DSS, TSA, DORA, NHS DSPT and partner control frameworks.

Questionnaires answered on screen

"Do you enforce screen lock?" "Are local admins disabled?" "Is SMBv1 disabled?" Each becomes a screenshot rather than a phone call — including the insurance questionnaire that increasingly sets your premium.

Audit ready

Audit prep stops being a quarter-eater.

Evidence already there

Days of audit preparation become minutes of export — the same evidence, every audit, every framework.

The CE+ pass rate goes up

Continuous measurement closes the drift gap that fails most clients.

Insurance premiums get defensible

Show proven configuration discipline every day, with evidence.

Time and tools handed back

Two days a quarter of scanning-and-writing-up returned — and the standalone configuration and GRC tools cancelled.

The board gets a defensible answer: "98% of our crown-jewel systems are compliant. Of the 2%, here's the owner, the deadline and the reason."

First 3 days

From uncertainty to assurance in 3 days.

From assets to configuration, the challenge is bringing it all together. Rebasoft automates from discovery to configuration findings in days, not months.

Day 1
Automated asset discovery

We build an inventory of users, services and SaaS apps, revealing unknown assets and gaps.

Day 2
Business focused security

Identify critical dependencies and prioritise risk based on business impact.

Day 3
Continuous evaluation

Immediately track and validate findings.

The Rebasoft difference

For each of the tools you have today: what it actually gives you, and what Rebasoft gives you.

GRC tool (Drata, Vanta, etc.)
What it actually gives you: A green dashboard because you said so.
What Rebasoft gives you: A green dashboard because the estate actually is green, measured continuously.

Configuration scanner (quarterly)
What it actually gives you: A snapshot. Stale within a week.
What Rebasoft gives you: Daily, continuous measurement with drift alerts.

Intune compliance reporting
What it actually gives you: A list nobody chases.
What Rebasoft gives you: A list tagged to users, ranked by risk, tracked to closure.

The auditor's spreadsheet
What it actually gives you: A scramble every audit.
What Rebasoft gives you: The same evidence, every audit, every framework.

Proof in the field

Compliance evidenced, all the way to the edge.

A charity used Rebasoft to monitor what was being done in their name. With multiple outsourcing contracts, configuration drift happened and changes were made — often without the IT team's knowledge. Continuous compliance measurement allowed those changes to be picked up, keeping Cyber Essentials Plus compliance fully managed.

In their words

“I can now see all the changes — in one system — and validate them for configuration compliance purposes.”

— CISO.

Find the security gaps left open.

A 30-minute walkthrough on a live console. We'll show you the Cyber Essentials configuration view, the CIS view, the STIG view — and how each one maps straight to the fixes your team can deploy today.

FAQ

How often does Rebasoft re-check configuration?

Configuration posture is continuously assessed against the controls you choose to monitor. When configuration drift occurs, it is identified quickly, allowing teams to remediate issues before they become audit findings or security risks.

Will it tell us how to fix what it finds?

Yes. Findings are linked directly to the configuration settings, policies or controls responsible for the issue, helping teams understand exactly what needs to change and reducing investigation time.

Which frameworks does it cover?

Rebasoft supports Cyber Essentials Plus (CE+), CIS Benchmarks, STIG/DISA, ISO 27001, NIST CSF, PCI DSS, NHS DSPT, DORA and other leading frameworks. A single source of evidence can support multiple compliance initiatives, reducing duplication, effort and audit costs.

Does it work with Intune?

Yes. Rebasoft integrates with Intune to identify non-compliant devices, associate them with users, prioritise risk and track remediation through to resolution.

What about Mac and Linux?

macOS and Linux devices are fully included within asset discovery and visibility workflows. Windows currently has the deepest configuration coverage, with Linux and macOS capabilities continuing to expand.

We already use Drata / Vanta — what's different?

Platforms such as Drata and Vanta help organisations manage compliance programmes. Rebasoft complements that approach by continuously measuring the actual state of systems and controls, helping ensure compliance evidence reflects operational reality rather than periodic attestations.

Does this replace our patch tool?

No. Rebasoft complements patch management solutions by validating that updates have been successfully applied and identifying where vulnerabilities remain. It helps verify outcomes rather than replace deployment tools.

How quickly will we see the gaps?

Most customers see their initial findings within hours of deployment. Asset visibility, configuration issues and prioritised risks are typically available on the first day.