Kovant

Security

Server hardening (CIS, ANSSI)

Your servers hardened, and kept that way

We harden your Linux and Windows servers to recognised standards (CIS, ANSSI): SSH, firewall, auditd, patching, accounts, services, the Docker daemon. We capture a baseline, then monitor drift — so hardening isn’t a one-shot that’s quickly forgotten. A fixed fee per server, with no hourly billing.

You leave with a clear before/after report you can use as proof of compliance for an audit or your cyber insurance.

Who it’s for

  • Organisations with exposed servers — web, app, VPN: you want to reduce the attack surface before it’s tested for you.
  • Teams preparing an audit or cyber insurance — you need a documented baseline and a presentable compliance report.
  • Teams wanting the baseline to hold — not hardening forgotten in six months, but drift monitored month after month.

What’s managed

Responsibilities are split clearly and in writing:

  • We manage: the hardening pass — SSH, firewall/nftables, auditd/tlog, fail2ban/CrowdSec, kernel/sysctl, account and SUID review, service minimisation, Docker daemon hardening.
  • We manage: baseline capture and drift monitoring.
  • We manage: the monthly hardening report and patch governance (by tier).
  • Shared / You: application-level security and business risk acceptance.

Features included

  • Full CIS/ANSSI hardening pass, tested in staging
  • Before/after report with remediation included
  • Frozen baseline and drift monitoring (monthly or weekly by tier)
  • Linux and Windows (WDAC/baseline on the Windows side)
  • Automatic config-drift remediation (Pro and Signature tiers)
  • Compliance report presentable to an audit or cyber insurer
  • Planned window, no service downtime, with rollback
  • Quarterly review (Signature tier)

This offering comes in two parts: a one-time hardening project, then a drift-management subscription. The per-server packages, project and subscription, with their published prices, are detailed in the table below.

Security included

Hardening reduces your attack surface: what we close can no longer be exploited. We capture the hardened state as a reference baseline, then monitor drift — any unplanned change raises an alert. The pass is tested in staging and applied in a planned window, with rollback.

Frequently asked questions

CIS or ANSSI? Both. We apply CIS benchmarks and ANSSI recommendations to your context, and we document every accepted exception.

Is there service downtime? No. The pass is tested in staging and applied in a planned window. If anything goes wrong, a rollback is in place.

Could my applications break? That’s exactly why we test before applying and keep a rollback. Hardening aims to reduce the surface, not break your services.

What happens after hardening? Configuration drifts over time. That’s what the subscription is for: monitoring drift and remediating it, so the baseline holds.

How is this different from an EDR? Hardening reduces the attack surface (prevention); an EDR detects and responds to threats (detection). They’re complementary.

Go further

Pair prevention with detection: add EDR/XDR with automation, security administration or a PaaS — one contract, one invoice, one SLA.

Pricing

Essential

€15/server/mo

  • Hosted in Europe
  • Daily backups
  • Email support
Recommended

Pro

€35/server/mo

  • Everything in Essential, plus:
  • Priority support
  • Proactive monitoring

Signature

€59/server/mo

  • Everything in Pro, plus:
  • Fully managed
  • SLA & on-call