Authorized · Non-destructive · Audit-ready

Prove your firewall is what you think it is.

FirewallIQ Secure validates firewall configurations, exposes hidden gaps, and produces evidence auditors actually accept — without exploiting, evading, or touching a single byte on your systems.

Safety profile compiled-in. Cannot be disabled at runtime.
Validates configuration & exposure. Never exploits.
Findings map to PCI, ISO 27001, NIST, CIS, GDPR, DPDPA.
fis scan ▸ scope:prod-dmz ▸ rate:200pps ▸ running…

Host         Port       Observation
10.20.0.14   443/tcp    TLS 1.3 · valid cert
10.20.0.14   3389/tcp   RDP — exposed externally
10.20.0.7    161/udp    SNMPv2c · default community
10.20.0.7    22/tcp     SSH 8.9 · auth disabled probe
10.20.0.21   23/tcp     Telnet — insecure protocol
10.20.0.21   8443/tcp   Admin panel · TLS 1.0

Evidence hash: a3f9…b1c2 · Safety profile: sp-2026.05.1 · audit ✓
8 validation modules · 7 compliance frameworks · 9 firewall vendors supported · 0 exploits, ever

The problem

Your firewall isn't what the diagram says it is.

Perimeter security degrades silently. Every change adds entropy. Every audit cycle exposes the same gaps — discovered too late.

Rules drift quietly

One emergency any-any rule lives forever. Shadow rules accumulate. Nobody reviews 8,000 lines of config every quarter.

Exposure hides in plain sight

An admin panel briefly opened for a vendor never closed. Telnet on a forgotten device. SNMP with public community on a printer VLAN.

Segmentation looks good on paper

The diagram says PCI is isolated. The reality is one misconfigured NAT and a forgotten east-west allow rule.

Audits arrive on a deadline

PCI Q4. ISO recertification next month. You need evidence, not opinions — and you need it now.

The approach

Defensive by design. Auditable by default.

FirewallIQ Secure is built for the team that has to prove the perimeter works — not the team trying to break it. Three principles are wired into the platform, not bolted on as policy.

  • Authorized

    Every scan is bound to a signed scope. No scope, no scan. No exceptions.

  • Non-destructive

    Reachability and configuration only. We never exploit, brute-force, or modify your systems.

  • Auditable

    Findings carry hash-chained evidence. Reports are signed. Audit log is append-only and exportable.

From scan request → audit-ready finding

  1. Scope is signed by your security lead

     An Ed25519-signed document defines what IPs and domains are in-bounds. Scope is the contract.

  2. Scan is approved and rate-limited

     Production scope requires dual approval and step-up MFA. Rate is capped per the safety profile.

  3. Workers run with safety compiled-in

     Each worker refuses jobs that don't match its signed safety profile. Offensive primitives aren't in the binary.

  4. Evidence is hashed and chained

     Every banner, screenshot, and probe is written to a WORM evidence vault with a tamper-evident hash chain.

  5. Findings map to your frameworks

     PCI 1.2.1, ISO A.8.20, NIST PR.AC-05, CIS 4.4 — auto-mapped, with the rationale auditors expect.

The platform

Eight modules. One pane of glass.

Each module is purpose-built and rate-limited. Together they answer the one question that matters: is the perimeter actually doing what we said it does?

Asset & service discovery

Nmap, naabu, and custom safe probes map open ports, services, banners, and protocols across your authorized scope.

Firewall rule analysis

Parsers for Palo Alto, FortiGate, Cisco ASA, Check Point, pfSense, Juniper, SonicWall, Sophos. Detects any-any, shadow rules, missing egress.
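An added example, not FirewallIQ's parser or analysis engine, of two of the checks named above run over an already-normalized rule base: it flags any-any allows and rules that an earlier rule with the opposite action fully covers, which therefore can never match. The Rule shape is an assumption for this example; vendor-specific parsing is left out.

```go
package main
import (
	"fmt"
	"net/netip"
)

// Rule is a normalized, vendor-neutral rule; this shape is an assumption for the example.
type Rule struct {
	Name   string
	Src    netip.Prefix
	Dst    netip.Prefix
	Proto  string // "tcp", "udp" or "any"
	PortLo int    // inclusive destination port range; 0..65535 means any port
	PortHi int
	Allow  bool
}

// prefixCovers reports whether prefix a contains all of prefix b.
func prefixCovers(a, b netip.Prefix) bool {
	return a.Bits() <= b.Bits() && a.Contains(b.Addr())
}

// covers reports whether every packet matched by b is also matched by a.
func covers(a, b Rule) bool {
	return prefixCovers(a.Src, b.Src) && prefixCovers(a.Dst, b.Dst) &&
		(a.Proto == "any" || a.Proto == b.Proto) &&
		a.PortLo <= b.PortLo && a.PortHi >= b.PortHi
}

func isAnyAny(r Rule) bool {
	return r.Allow && r.Src.Bits() == 0 && r.Dst.Bits() == 0 &&
		r.Proto == "any" && r.PortLo == 0 && r.PortHi == 65535
}

// Analyze returns one finding per any-any allow and per rule shadowed by an earlier rule with the opposite action.
func Analyze(rules []Rule) []string {
	var findings []string
	for j, r := range rules {
		if isAnyAny(r) {
			findings = append(findings, fmt.Sprintf("%s: any-any allow", r.Name))
		}
		for _, earlier := range rules[:j] {
			if earlier.Allow != r.Allow && covers(earlier, r) {
				findings = append(findings, fmt.Sprintf("%s: shadowed by %s", r.Name, earlier.Name))
				break // report the first shadowing rule only
			}
		}
	}
	return findings
}
```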

Exposure validation

Verifies which services are externally reachable. Flags exposed RDP, SMB, SNMP, Telnet, weak TLS, expired or default certificates.

Segmentation validation

Multi-vantage TCP handshake probes prove which zones can — and can't — talk. Violations against your declared policy are surfaced immediately.

Encrypted evidence vault

Object-locked storage with a tamper-evident hash chain. Every finding is replayable for audit, with full chain-of-custody.
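An added example, not the product's vault code, of the tamper-evident hash chain described above: each record stores the previous record's SHA-256, so editing, dropping or reordering any record breaks verification. The Record fields are assumptions made for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is one piece of evidence (banner, probe result); the shape is this example's assumption.
type Record struct {
	Seq      int    `json:"seq"`
	Host     string `json:"host"`
	Port     string `json:"port"`
	Observed string `json:"observed"`
	Prev     string `json:"prev"` // hex hash of the previous record, "" for the first
	Hash     string `json:"hash"` // hex SHA-256 over all fields above
}

// digest hashes the record with Hash cleared, so the stored hash covers Prev and the payload.
func digest(r Record) string {
	r.Hash = ""
	b, _ := json.Marshal(r) // struct field order is fixed, so the encoding is canonical
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new record to the tail of the chain and returns the extended chain.
func Append(chain []Record, host, port, observed string) []Record {
	r := Record{Seq: len(chain), Host: host, Port: port, Observed: observed}
	if n := len(chain); n > 0 {
		r.Prev = chain[n-1].Hash
	}
	r.Hash = digest(r)
	return append(chain, r)
}

// Verify recomputes every link; an edited, dropped or reordered record breaks the chain.
func Verify(chain []Record) error {
	prev := ""
	for i, r := range chain {
		if r.Seq != i || r.Prev != prev {
			return fmt.Errorf("record %d: link broken (expected prev %q)", i, prev)
		}
		if digest(r) != r.Hash {
			return fmt.Errorf("record %d: content does not match stored hash", i)
		}
		prev = r.Hash
	}
	return nil
}
```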

Risk scoring engine

CVSS base score × business context. Mapped to MITRE ATT&CK, CIS Controls, PCI-DSS, ISO 27001, NIST CSF, GDPR, and DPDPA.

Audit-ready reporting

Executive, technical, and compliance reports in PDF, DOCX, JSON, CSV, or HTML — all cryptographically signed and verifiable.

AI-assisted remediation

Claude-powered explanations, natural-language queries over findings, and remediation guidance grounded in vendor docs and CIS benchmarks.

How it works

Four steps. Audit-grade outcome.

01 · Define & sign scope

Your security lead authors a scope — CIDRs, domains, exclusions, validity window — and signs it with Ed25519. No scope, no scan.

02 · Request & approve

Engineers create a scan request bound to the scope. Production-touching scans require dual approval and step-up MFA.

03 · Run, rate-limited & safe

Workers run with a signed, compiled-in safety profile. Discovery, exposure, segmentation, and rule analysis — all non-destructive.

04 · Review evidence & export

Findings are scored, mapped, and persisted with hash-chained evidence. Export signed reports — PDF, DOCX, JSON, or HTML.

The safety promise

Defensive isn't a feature. It's the architecture.

Offensive primitives aren't in our worker binaries. The safety profile is compiled-in, signed, and verified at startup — there is no runtime flag to flip.

What we never do

  • Exploit vulnerabilities (not even safe POCs)
  • Brute-force or spray credentials
  • Upload payloads or execute remote commands
  • Bypass authentication on target systems
  • Establish persistence or lateral movement
  • Exfiltrate data or modify target state
  • Run denial-of-service or destructive traffic
  • Attempt to evade detection

What we guarantee

  • Bind every scan to a signed scope document
  • Enforce dual approval for production-scope scans
  • Cap packet rate per the compiled-in safety profile
  • Emit immutable audit logs with hash-chained integrity
  • Refuse jobs that don't match the worker's signed profile
  • Store evidence in WORM-locked, encrypted storage
  • Require step-up MFA for any sensitive action
  • Show you every probe, every result, every operator

Compliance

Findings, mapped to the controls your auditor asks about.

Every finding category is mapped — by us, reviewed annually — to the controls in every framework you care about. CI gates ensure no category ships without a complete mapping.

  • PCI-DSS v4.0: Requirements 1, 2, 10, 11
  • ISO/IEC 27001:2022: Annex A — A.8, A.12, A.13
  • NIST CSF 2.0: PR.AC, PR.PT, DE.CM
  • NIST SP 800-53 Rev. 5: AC, SC, SI families
  • CIS Controls v8: Controls 4, 12, 13
  • GDPR: Article 32 — security of processing
  • DPDPA 2023 (India): Section 8(5) — safeguards
  • SOC 2 mapping: coming in v2

Built for the team

One platform. Four very different jobs.

CISO

Defensible perimeter posture you can take to the board. A risk heatmap that doesn't need translation.

  • Executive dashboard
  • Trending exposure
  • Compliance posture rollup

Security engineer

The platform you wished your scripts could grow into. Approved, repeatable, evidence-producing.

  • Safe scan orchestration
  • Finding triage workflow
  • AI-assisted remediation

Auditor / GRC

Findings already mapped to your framework, with hash-chained evidence and signed reports.

  • Auto control mapping
  • Chain-of-custody evidence
  • Signed PDF / DOCX export

MSSP & consultants

Multi-tenant, white-labelable, audit-grade. Deliver perimeter assessments at portfolio scale.

  • Per-client tenant isolation
  • Branded reports
  • Integration with your SOC stack

Why FirewallIQ Secure

We're not a scanner. And we're not a pentest.

We're the audit-grade, defense-only middle ground — repeatable, authorized, and built to produce the evidence your auditor actually wants.

Capability · FirewallIQ Secure · Traditional pentest · DIY scripts · Generic scanner
Authorized, scope-bound by design
Non-destructive — no exploitation, ever
Immutable, hash-chained audit log
Findings auto-mapped to PCI / ISO / NIST / CIS
Vendor-neutral firewall rule analysis
Segmentation validation across vantages
Multi-tenant with 8-layer isolation
AI explanations & natural-language query
Continuous monitoring (scheduled, diffed)
Repeatable evidence in days, not weeks

covered · partial · not covered

Architecture

Built like the systems we audit.

Stateless workers. Signed artifacts. Append-only audit. Tenant isolation in eight layers. Deployable as SaaS, dedicated, or on-prem (including air-gapped).

Edge: WAF · CDN · mTLS

API gateway: OIDC · RBAC · audit

Orchestrator: FSM · scope check

Workers: Go · safety-pinned

Data plane: Postgres · RLS · Redis

Evidence vault: WORM · hash chain

Tenant isolation

Token → app context → Postgres RLS → storage prefix → network policy.

Supply chain

Cosign-signed images. Admission verifies provenance. SLSA L3 target.

Observability

OpenTelemetry → Tempo. Loki for logs. Audit log → Kafka → WORM.

Full design lives in our internal docs — happy to walk you through it on a call.

Frequently asked

Questions, answered straight.

No. We never run exploit code, even safe proofs-of-concept. The platform validates reachability and configuration only. Offensive primitives are not present in our worker binaries — the safety profile is compiled-in, signed, and verified at startup.

Walk into your next audit with evidence, not estimates.

A 30-minute demo on real findings. We'll walk through scope signing, a live scan, and a signed compliance report — all on a customer-style sandbox.

No credit card. No agent install. Authorized-only by design.
