InfoRelay·NetGuard
v0.1 · offline · on-prem · DoD-ready

The Cisco STIG audit tool that never touches the internet.

InfoRelay NetGuard ingests your Cisco running-configs, runs the full DISA quarterly STIG, explains every finding in plain network-engineer language, and emits ready-to-file compliance artifacts — DISA .ckl, annotated .cfg, Excel workbook, printable PDF. Configs never leave the audit host.

1,005 STIG rules across 9 Cisco product families
40–60% MANUAL-review reduction via L2 triage
No telemetry · No external LLM · No phone-home
netguard — ~/audit · live SSH pull
$ netguard --pull 10.50.0.12 --user scan --audit-after
Password for scan@10.50.0.12: ••••••••
SSH 10.50.0.12 · autodetected cisco_xe
pulled 17,842 bytes of running-config · hostname V1-9407R-1
product: IOS-XE_Switch · STIG: NDM, L2S, RTR
153 rules audited · 10 PASS · 6 FAIL · 137 MANUAL
MANUAL triage: 35 likely-N/A · 102 applicable · 0 unknown
V-220544 FAIL — vty 0 4 exec-timeout 9:59 (need ≤ 5 min)
Patch: line vty 0 4 / exec-timeout 5 0
Saved: V1-9407R-1-20260521.ckl · .annotated.cfg · .xlsx

What it does

Catalog-driven. Intelligence-augmented. Audit-trail-ready.

Every applicable Vuln_Num produces a row. Every FAIL carries the exact remediation. Every MANUAL is triaged with engineering reasoning so the review pile drops 40–60% before the auditor opens it.

1,005 STIG rules · 9 product families

Pre-ingested DISA quarterly bundle for IOS, IOS-XE Switch + Router, NX-OS Switch, ACI, ASA, IOS-XR, ISE, Wireless. Drop the next quarterly zip → catalog rebuilds in-process.

L1 — Deviation engine

Every FAIL carries Expected / Actual / At-line / Patch. The operator gets the exact commands to paste, with source-line refs into their config. No more "V-220544 failed" with no context.
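As an added illustration (not NetGuard's own code), a minimal Deviation-style check for the exec-timeout rule quoted above: it walks the `line vty` blocks of a running-config and emits Expected / Actual / At-line / Patch per block. The rule id and the 5-minute ceiling are taken from the page; the sample config is constructed, and the 10-minute default applied when `exec-timeout` is absent is an assumption about Cisco IOS behaviour.

```python
import re

# Constructed sample config (not from a real device): vty 0 4 mirrors the
# page's example failure, vty 5 15 relies on the Cisco default timeout.
SAMPLE_CFG = """\
line vty 0 4
 exec-timeout 9 59
 transport input ssh
line vty 5 15
 transport input ssh
end
"""
RULE_ID, MAX_MINUTES = "V-220544", 5   # rule id and ceiling as quoted on the page
DEFAULT_MINUTES = 10                   # assumed Cisco IOS default when exec-timeout is absent

def line_blocks(cfg):
    """Yield (header, header_lineno, [(lineno, child), ...]) per 'line ...' block."""
    lines, i = cfg.splitlines(), 0
    while i < len(lines):
        if not lines[i].startswith("line "):
            i += 1
            continue
        header, start, children = lines[i].strip(), i + 1, []
        i += 1
        while i < len(lines) and lines[i].startswith(" "):
            children.append((i + 1, lines[i].strip()))
            i += 1
        yield header, start, children

def check_exec_timeout(cfg):
    """Deviation-style findings (Expected / Actual / At-line / Patch) per vty block."""
    findings = []
    for header, start, children in line_blocks(cfg):
        if not header.startswith("line vty"):
            continue
        minutes, actual, at_line = DEFAULT_MINUTES, "not set (default 10:00)", start
        for lineno, child in children:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", child)
            if m:
                mins, secs = int(m.group(1)), int(m.group(2) or 0)
                minutes, actual, at_line = mins + secs / 60, f"{mins}:{secs:02d}", lineno
                break
        # 'exec-timeout 0 0' disables the timer entirely, which also fails the rule
        status = "PASS" if 0 < minutes <= MAX_MINUTES else "FAIL"
        patch = None if status == "PASS" else f"{header} / exec-timeout {MAX_MINUTES} 0"
        findings.append({"rule": RULE_ID, "block": header, "status": status,
                         "expected": f"<= {MAX_MINUTES} min", "actual": actual,
                         "at_line": at_line, "patch": patch})
    return findings
```

Running `check_exec_timeout(SAMPLE_CFG)` yields two FAIL rows: `line vty 0 4` at line 2 with actual `9:59`, and `line vty 5 15` failing on the default because no `exec-timeout` is set.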

L2 — MANUAL triage

25-topic protocol classifier scans every MANUAL rule. Marks "likely N/A" with engineer's reasoning ("Device runs no BGP — routing is via EIGRP AS 65000 on lines 145–158") or "applicable, review lines X–Y".

Live SSH pull

netguard --pull HOST --audit-after. Autodetects IOS / IOS-XE / NX-OS / IOS-XR via Netmiko. Pulls show running + facts (model, serial, software) and chains audit + annotation + CKL.

Real audit artifacts

DISA .ckl drops into STIG Viewer. Annotated .cfg for the compliance binder. Excel workbook for analyst review. Printable PDF for the executive summary. All produced in one click.

Batch mode

Drop 50 configs at once → aggregate dashboard with per-device drill-down + one-click ZIP downloads of every CKL, every annotated config, every workbook.

Drift detection

Pick two saved audits, compare. NetGuard re-audits both against the current catalog and shows: NEW FAILs, RESOLVED, status changes. Use after every quarterly STIG release.

Air-gap clean

Binds to 127.0.0.1 only. The only outbound traffic is SSH to operator-specified targets. No telemetry. No phone-home. No external LLM, ever. Suitable for SCIF-adjacent admin workstations.

Native desktop app

Single-binary install. Double-click to launch — own window, own title bar, no browser tab. CLI mode available for headless / scripted use.

End-to-end

From a config you don't trust to a checklist you can file.

Three input modes, one pipeline, four artifact types. Nothing leaves the box.

1. Ingest

Paste a config, upload a folder of .cfg files, or have netguard SSH to your devices with the scan account.

2. Detect

Product family auto-inferred (IOS-XE switch vs router, NX-OS, IOS-XR). Catalog-driven audit selects only the STIGs that apply.

3. Audit + Triage

Every applicable Vuln_Num produces a finding. Auto-checks PASS/FAIL with Deviation. Manual items get an engineer's note for likely N/A vs applicable.

4. File

Download CKL → STIG Viewer. Annotated .cfg → compliance binder. XLSX → analyst review. Print → PDF for the exec summary.

Why offline

Your configs are not training data.

Built for environments where running-configs cannot leave the perimeter: air-gapped admin workstations, STIG'd networks, SCIF-adjacent enclaves, and any DoD posture where "calls home" is a non-starter.

We deliberately draw the line at external LLMs. The "intelligence" you see — the Deviation engine, the MANUAL triage — is rule-driven Python that you can vet line by line. No models. No API calls. No outbound traffic except to the devices you point it at.

netguard posture
  • Binds 127.0.0.1 only by default
  • SSH-pull is the only outbound traffic — and only to IPs you specify
  • Credentials live in process memory for the duration of the pull; never written to disk
  • Audit configs persist under ~/.netguard/configs/
  • No telemetry. No phone-home. No external LLM. No exceptions.

Get NetGuard

Download v0.1 · Free for evaluation

Single-binary builds for Windows, macOS, Linux. SHA-256 + Ed25519 signatures published alongside.

Installing on Windows

  1. Download netguard-0.1-windows-x64.zip.
  2. Right-click the zip → Extract All…
  3. Right-click netguard-0.1-windows-x64.exe → Properties → check Unblock at the bottom → OK.
  4. Double-click the .exe. Windows SmartScreen will show "Windows protected your PC" — click More info → Run anyway. (Until we ship with an EV code-signing cert, this is the expected one-time approval.)
  5. NetGuard opens in a native window. CLI mode: netguard-0.1-windows-x64.exe --audit foo.cfg --ckl-out report.ckl

Why the warnings? Pre-v1.0 evaluation builds are unsigned. The binary is reproducible from the public source at inforelay-netguard-0.1-src.tar.gz; verify with the SHA-256 published alongside each download. v1.0 release will be EV-signed and SmartScreen-clean.

Already have Python? pip install inforelay-netguard, then netguard --app for the native window or netguard --audit foo.cfg for the CLI. See the user guide for the full walkthrough.

The NetGuard family

One brand. A growing toolbox.

NetGuard is InfoRelay's tools spin-off: a line of offline, on-prem, intelligent network-engineering utilities. Audit is the first; more are on the way.

LIVE

NetGuard Audit

This product — DISA Cisco STIG audit, MANUAL triage, CKL / annotated.cfg / XLSX / PDF outputs, live SSH pull.

2026 Q3

NetGuard Trace

"Can workstation 10.20.10.45 reach Call Manager 10.50.0.100 on tcp/2000?" Walks L2/L3/ACL/routing across every audited device to find the break.

2026 Q4

NetGuard Drift

Continuous config-drift detection across your inventory. Alerts on baseline divergence without ever sending the configs anywhere.

2027

NetGuard Multi-vendor

PAN-OS (Palo Alto) and JunOS (Juniper) STIG audit modules with the same Deviation + Triage intelligence layer.

FAQ

The questions a DoD ISSO asks first.

Does NetGuard ever make external network calls?
No. The Flask UI binds to 127.0.0.1 only. The single exception is the --pull feature, which makes an SSH connection to operator-specified device IPs — never to anywhere else. No telemetry, no update checks, no analytics.
What's the difference vs. SCAP Compliance Checker (SCC) or Evaluate-STIG?
SCC and Evaluate-STIG are general SCAP/STIG scanners. NetGuard is purpose-built for Cisco network devices — same audit, plus the Deviation engine (Expected / Actual / Patch on every FAIL), MANUAL triage with engineering reasoning, live SSH pull, CKL export, and a native desktop app. The output drops into your existing STIG Viewer workflow.
What Cisco platforms are supported?
v0.1 ships the full DISA catalog for IOS, IOS-XE (Switch + Router), NX-OS Switch, ACI, ASA, IOS-XR, ISE, and Wireless — 1,005 rules across 9 product families. Auto-detection picks the right STIG set; you can override with --product.
How are STIG catalogs updated?
Drop the next DISA quarterly zip into the /catalog page in the UI (or netguard --build-stig-catalog on the CLI). NetGuard extracts safely under ./stigs/ and rebuilds the cache in-process. No service restart.
Will it run on my air-gapped admin workstation?
Yes. Single-binary install, no Python runtime needed on the target. The DISA STIG bundle ships with the binary (public-domain XCCDF). The only inbound port is 127.0.0.1:9999 for the UI; no firewall changes required.
Licensing model?
Per-site tiered: Standard (100 devices), Pro (250), Enterprise (1,000+). Ed25519-signed license file with hardware-fingerprint binding. Evaluation tier ships unrestricted for 30 days — exact pricing announced before v1.0 release.