Audit your Microsoft 365 tenant against CIS benchmarks and see how your configuration maps to ISO 27001, DORA, NIS2, and NIST CSF 2.0. Honest coverage, trade-off scoring, and actionable remediation.
Enterprise tools are overkill. Free scanners are too narrow. There's a gap in between.
Enterprise tools
EUR 50k+ per year. Designed for 10,000-seat deployments with dedicated compliance teams. Overkill for SMEs.
Free scanners
Check CIS benchmarks only. No regulatory mapping to DORA or NIS2. No remediation guidance or trade-off analysis.
PostureIQ
CIS benchmarks mapped to 4 regulatory frameworks. Honest coverage, trade-off scoring, remediation guidance. Free to use.
No agents, connectors, or Azure AD app registrations required.
Our script collects M365 configuration from Graph, Exchange, SharePoint, Teams, and Purview. Exports to JSON.
PostureIQ evaluates 61 posture controls and 336 device hardening settings against all 6 frameworks instantly.
Framework scores, quick wins ranking, clause-by-clause breakdowns, and downloadable evidence packs for auditors.
PostureIQ runs your M365 configuration against CIS benchmarks, then maps every finding to the regulatory framework that matters to you.
Technical baselines
CIS M365 v3
52 controls
Microsoft 365 Foundations Benchmark. The industry-standard configuration hardening checklist.
CIS Intune
285+ settings
Windows 11 Enterprise device hardening benchmarks for Intune-managed endpoints.
Regulatory mappings
ISO 27001:2022
Information Security Management System
Annex A controls
DORA
EU Digital Operational Resilience Act
Art. 9 & 10
NIS2
EU Network & Information Security Directive
Art. 21
NIST CSF 2.0
US Cybersecurity Framework
PR & DE functions
CIS benchmarks provide the technical assessment. Regulatory frameworks show how each finding maps to the compliance obligations that apply to your organisation.
Not just a scanner. PostureIQ gives you the context to make decisions.
Every remediation rated for security gain, user impact, effort, and disruption. Fix what matters first.
We show exactly what we assess and what we don't. No inflated percentages or false confidence.
Built for organisations subject to DORA, NIS2, and ISO 27001. EU data residency. EUR pricing.
MSPs: manage multiple tenants, compare scores side-by-side, and share read-only client portals.
Clause-by-clause CSV exports, framework crosswalk maps, and risk registers. Ready for your auditor.
PowerShell script collects data. Upload JSON. See scores. No agents, connectors, or app registrations.
Full compliance scoring for free. No credit card required. No trial countdown. If you find PostureIQ useful, buy us a coffee.
No strings attached
One-time payment. No subscription. No auto-renewal.
Your compliance data is sensitive. Here is how we handle it.
All data processed and stored in Frankfurt (eu-central-1). No replication outside the EU.
You control the data export. PostureIQ never connects to your M365 tenant or stores your credentials.
Article 17 right to erasure. Full data export and account deletion available in Settings at any time.
Privacy policy and Data Processing Agreement published and available before you create an account.