OPEN · MIT · v0.9 · SHIPPED APR 2026

You shouldn't need a $60k/yr GRC platform to pass an audit.

Free, MIT-licensed compliance tooling for the IT shops, MSPs, and solo consultants priced out of the enterprise racket. No black boxes, no per-seat fees, no "contact sales."

CIS Controls v8
NIST 800-53 r5 · 800-171
CMMC 2.0 L1/L2
~/acme-msp — audit-prep

PS C:\audit\acme-msp> Invoke-M365Assessment

M365-ASSESS v2.0 · acme.onmicrosoft.com
274 checks · 14 frameworks

✓ Pass   X Fail   ! Warn   ? Review

── Identity ──────────────────────────
✓ ENTRA-ADMIN-001 Global Admin Count 0.5s
X ENTRA-CA-001 CA Blocks Legacy Auth 0.6s
X ENTRA-GUEST-001 Guest Access Restriction 0.2s
! ENTRA-MFA-001 MFA Registration Campaign 0.4s

── Exchange ──────────────────────────
X EXO-FORWARD-001 Auto-Forward External 1.3s
✓ EXO-AUTH-002 SMTP AUTH Disabled 0.8s

report → ./out/acme-2026-04-19.html (1.3 MB)

✓ 248 passed · 19 warn · 7 fail [41s]

PS C:\audit\acme-msp>

# the status quo

#01

Enterprise GRC platforms

Start at $60k/yr. Priced for Fortune 500, sold to everyone.

✗ not this

#02

Spreadsheet chaos

14 tabs, 2,000 rows, one consultant holding it together.

✗ not this

#03

Free tools that ship and vanish

GitHub repo, 3 commits, archived. No one to call when it breaks.

✗ not this

→ WE BUILD

MIT-licensed tooling that runs in your environment, produces audit-ready output, and ships from the same frustrations you have. The fundamentals stay free, forever. No pricing tiers on the core tools. No black boxes. No vendor lock-in. If it breaks, you can read the code.

// the tools

Two shipping. More coming.


M365-Assess

STABLE

274 automated checks across 14 compliance frameworks, with an interactive HTML report. No data leaves your machine.

$ Install-Module M365Assess; Invoke-M365Assess -Client acme
CIS · NIST · compliance · M365 · security-tools
PowerShell ⭐ 159 ⑂ 32 📄 MIT

Az-Stamper

STABLE

Automatically stamps Azure resources with creator identity and configurable metadata tags via an Event Grid-triggered Azure Function.

$ func azure functionapp publish gvnz-stamper
Azure · governance · tagging · compliance
JavaScript ⭐ 1 ⑂ 0 📄 MIT
$ next up: gv-evidence (evidence collector), gv-map (framework cross-walk) — follow on GitHub