Enterprise

Policy management that enforces your TLS standards

Define your own TLS standards and let sslbrain detect, report, and remediate deviations. Four remediation modes, chosen per policy. Enterprise only.

What the module does

Filtered policies

Define requirements for protocols, cipher suites, key types, and server settings. Policies can be scoped to environment, tag, or endpoint group.

Monitoring, alerts, and reports

Periodic evaluation of the inventory. Findings reach the notification relay and aggregate into reports that can be exported.

Pre-seeded templates

Templates for common TLS baselines. All templates ship disabled, so you actively choose what gets evaluated.

Four remediation modes

From plain reporting, through draft plans, to approved plans and auto-run. You decide how far automation goes per policy.

Pre-seeded templates

Starting points covering the common TLS baselines. Tailor them to your own policies. All templates are disabled until you turn them on.

Detect dangerous TLS configurations

Flags endpoints with known-weak protocols, broken cipher suites, or expired CA chains.

Detect weak certificate keys

Flags certificates with RSA below 2048 bits, or ECC curves outside your approved list.

Mozilla Modern

Mozilla SSL Configuration Generator: Modern. TLS 1.3 only and a strict cipher list for public web endpoints.

Mozilla Intermediate

Mozilla SSL Configuration Generator: Intermediate. Broader compatibility, still a healthy baseline.

sslbrain Recommended Public TLS

Our recommended baseline for publicly exposed TLS endpoints. Covers NIS2-relevant controls.

Windows / IIS Schannel baseline

Adapted to the Windows Schannel model where protocols and cipher suites are governed by registry keys.

CDN / WAF / load balancer baseline

For endpoints that live behind a CDN, WAF, or load balancer, where TLS terminates at the edge.

Four remediation modes

Each policy picks its own level. Start with reporting only and raise the mode as you build trust in the control.

  1. Findings only

     The policy evaluates and reports. No change is proposed. Use this for discovery and baselining.

  2. Draft plan

     The policy generates a draft remediation plan with concrete change suggestions. The plan is not approved and not runnable.

  3. Approved plan

     The plan is saved and approved manually. It executes only when an operator clicks run, or when a scheduled window opens.

  4. Auto-run

     The policy may generate and execute plans without manual approval.

Auto-run is off by default. You enable it per policy, and an in-flight run can be stopped manually.

How it works

  1. Inventory

     The module operates on the existing sslbrain inventory of certificates and endpoints.

  2. Posture observations

     Endpoints are scanned at fixed intervals. The result is a snapshot of the current TLS posture.

  3. Policy evaluation

     Each enabled policy evaluates the observations against its baseline.

  4. Findings

     Deviations are recorded as findings with target, policy id, and a clear description.

  5. Notifications

     Findings reach the notification relay on the cadence you have configured.

  6. Remediation plan

     If the policy uses a higher mode than findings only, a plan is generated in the chosen mode.

  7. Execution and audit evidence

     An in-flight run can be stopped manually. Every evaluation, plan, and run is written to the audit log.
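The pipeline from posture observation through findings, plan, and audit record, together with the protocol, cipher, key-size and curve checks described under the templates above, condensed into one runnable Python example. This is added illustration, not sslbrain's code and not based on its implementation: the policy dictionary, observation fields, mode names, sample endpoints and timestamps are constructed assumptions modelled on the page's wording, and the TLS 1.3 cipher and curve names are those of the public Mozilla Modern profile.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The four remediation modes from the page, in increasing order of automation.
MODES = ("findings_only", "draft_plan", "approved_plan", "auto_run")

# Constructed policy modelled on the page's Mozilla Modern description (TLS 1.3
# only, strict cipher list) plus its key rules (RSA below 2048 bits and curves
# outside the approved list are flagged). Field names are assumptions.
MODERN_POLICY = {
    "id": "mozilla-modern",
    "mode": "draft_plan",
    "allowed_protocols": {"TLSv1.3"},
    "allowed_ciphers": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                        "TLS_CHACHA20_POLY1305_SHA256"},
    "min_rsa_bits": 2048,
    "allowed_curves": {"X25519", "prime256v1", "secp384r1"},
}


@dataclass
class Observation:
    """One posture snapshot of an endpoint (constructed, not a real scan result)."""
    target: str
    protocols: set
    ciphers: set
    key_type: str          # "RSA" or "EC"
    key_bits: int
    curve: Optional[str]
    chain_not_after: datetime


@dataclass
class Finding:
    target: str
    policy_id: str
    description: str


def evaluate(policy: dict, obs: Observation, now: datetime) -> list:
    """Step 3 and 4: compare one observation with a policy, return deviations as findings."""
    out, pid = [], policy["id"]
    for proto in sorted(obs.protocols - policy["allowed_protocols"]):
        out.append(Finding(obs.target, pid, f"protocol {proto} not allowed"))
    for suite in sorted(obs.ciphers - policy["allowed_ciphers"]):
        out.append(Finding(obs.target, pid, f"cipher suite {suite} not allowed"))
    if obs.key_type == "RSA" and obs.key_bits < policy["min_rsa_bits"]:
        out.append(Finding(obs.target, pid,
                           f"RSA key {obs.key_bits} bits below minimum {policy['min_rsa_bits']}"))
    if obs.key_type == "EC" and obs.curve not in policy["allowed_curves"]:
        out.append(Finding(obs.target, pid, f"curve {obs.curve} not in approved list"))
    if obs.chain_not_after <= now:
        out.append(Finding(obs.target, pid, "certificate chain expired"))
    return out


def plan_for(policy: dict, findings: list) -> Optional[dict]:
    """Step 6: the plan's state follows the policy mode; mode 1 proposes nothing."""
    mode = policy["mode"]
    assert mode in MODES
    if mode == "findings_only" or not findings:
        return None
    return {
        "policy_id": policy["id"],
        "changes": [f"{f.target}: fix: {f.description}" for f in findings],
        "approved": mode in ("approved_plan", "auto_run"),  # draft plans are not approved
        "runs_without_operator": mode == "auto_run",        # only mode 4 executes unattended
    }


def audit_entry(actor: str, policy_id: str, target_id: str, outcome: str, now: datetime) -> dict:
    """Step 7: record with the fields the page lists, JSON-serialisable for SIEM export."""
    return {"timestamp": now.isoformat(), "actor": actor, "policy_id": policy_id,
            "target_id": target_id, "outcome": outcome}


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # constructed evaluation time

# Constructed observations: one compliant endpoint and one with several deviations.
OBSERVATIONS = [
    Observation("web-01.example.test:443", {"TLSv1.3"}, {"TLS_AES_256_GCM_SHA384"},
                "EC", 256, "prime256v1", datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Observation("legacy-07.example.test:443", {"TLSv1.2", "TLSv1.3"},
                {"TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
                "RSA", 1024, None, datetime(2024, 6, 1, tzinfo=timezone.utc)),
]


def run_policy(policy: dict, observations: list, now: datetime = NOW) -> dict:
    """Evaluate every observation, build the plan for the mode, collect audit entries."""
    findings, audit = [], []
    for obs in observations:
        found = evaluate(policy, obs, now)
        findings.extend(found)
        audit.append(audit_entry("scheduler", policy["id"], obs.target,
                                 f"{len(found)} finding(s)", now))
    return {"findings": findings, "plan": plan_for(policy, findings), "audit": audit}


if __name__ == "__main__":
    import json
    result = run_policy(MODERN_POLICY, OBSERVATIONS)
    for f in result["findings"]:
        print(f"{f.target}  [{f.policy_id}]  {f.description}")
    print(json.dumps(result["plan"], indent=2))
```

With the constructed input the compliant endpoint yields no findings, the legacy endpoint yields four (protocol, cipher suite, key size, expired chain), and because the policy runs in draft-plan mode the resulting plan is neither approved nor runnable; switching the same policy to `findings_only` suppresses the plan entirely, which mirrors the page's advice to start at mode 1 and raise the mode only once the findings are trusted.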

Frequently asked questions

Is auto-run enabled by default?

No. All templates ship disabled. Auto-run is an explicit per-policy choice, and an in-flight run can always be stopped manually.

Which certificates does the policy module update?

The module operates on the certificate inventory sslbrain already manages or has discovered. It does not update certificates outside that inventory. Scope filters can narrow it further.

How does it integrate with audit logs?

Every evaluation, finding, plan, and execution is written to the immutable audit log with timestamp, actor, policy id, target id, and outcome. The log can be exported to SIEM as JSON or CEF.

Can I customize the Mozilla templates?

Yes. The templates are starting points. Your own policy can copy a template and override individual fields, for example permitting a cipher suite or tightening key size. Customized policies carry their own version history.

What happens if the module is disabled?

Existing certificates and deployments continue unchanged. The module no longer creates new findings, plans, or remediations until it is re-enabled. The audit log of prior activity is retained.
