Audit · Score · Fix

Now Available

Your firewall policies. Audited in 60 seconds.

AI-powered multi-vendor firewall auditing for MSPs and IT teams. Upload a config, get a scored report with compliance mapping and vendor-specific remediation commands.

87 Good
Critical: 0
High: 2
Medium: 3

See it in action

Upload a config. 60 seconds later, this is what you get.

41 High Risk
Fortinet

500 rules analyzed

↑ +22 vs last audit

Critical: 9
High: 201
Medium: 18
Low: 1


Your firewall has 9 critical issues that leave your network exposed to attack. Rule VPN-485 permits unrestricted traffic from any source to any destination — effectively bypassing your entire security perimeter. Immediate action required.

Est. fix time: 4h 30m
Controls passing: 18/32
Total findings: 229
Policy Quality: 35%
Risk Level: 28%
Compliance Score: 56%

⚑ Fix These First

Critical: 8 rules

Unrestricted Traffic Rule

Firewall rule VPN-485 permits all traffic from any source to any destination…

Critical: 1 rule

No Default Deny Rule

Your FortiGate has no final deny-all rule — any traffic not explicitly permitted…

High: 168 rules

Unreachable (Shadowed) Rules

Rule Legacy-Old-52 is completely hidden behind SBNP-Monitoring-42…

Duplicate Rules — 82 rules affected
Insecure Protocols Allowed — 14 rules affected
+ 12 more findings

Between Enterprise and a Spreadsheet

Enterprise tools cost $50K+ and take 6 weeks. Spreadsheets are free but miss everything. ShieldIQ is the middle ground.

Enterprise Tools

$50K–500K/yr

4–6 week setup

Complex deployments, long contracts, dedicated teams required. Great if you have the budget.

ShieldIQ

$149/month

60 seconds

Multi-vendor, AI-explained, compliance-mapped. Built for MSPs.

Spreadsheets

Free

Hours of manual work

What most SMBs use today. Misses shadowed rules, duplicates, drift.

How It Works

Upload

Drop your firewall config — JSON, XML, or text export. We detect the vendor automatically.

Score

15 security checks run instantly. You get a risk score from 0–100 with compliance mapping to PCI-DSS, NIST, and CIS.

Fix

Every finding includes vendor-specific CLI commands you can copy and paste to remediate. No guesswork.

Why MSPs Choose ShieldIQ

Audit: Deep analysis in 60 seconds

AI-Powered Explanations

Every finding explained in plain English. No security team required. Trial includes AI on your top 3 findings.

Compliance Mapping

Maps findings to PCI-DSS v4.0, NIST 800-53, CIS Controls, and HIPAA. Show clients exactly which controls are failing.

Copy-Paste Remediation

Vendor-specific CLI commands for every fix. Upload a FortiGate config, get FortiGate commands. Not generic advice.

Report: Deliverables your clients can act on

White-Label PDF Reports

Your logo, your colors. Generate server-side PDF, DOCX, and HTML reports branded as your company.

Rule Cleanup Reports

Focused list of every disabled, stale, duplicate, and shadowed rule safe to delete. Hand it to your client.

Shareable Audit Links

Generate a read-only link for your client. They see full results without needing a login. Expires after 30 days.

Manage: Fleet visibility and continuous compliance

MSP Client Management

Create client orgs, switch between them with one click, and see fleet health across all clients from a single dashboard.

ConnectWise PSA Integration

Critical findings automatically create tickets in ConnectWise Manage. Your techs see issues in their existing workflow.

Scheduled Audits & Alerts

Run audits automatically. Get emailed when scores drop or new critical findings appear. Batch upload multiple configs at once.

15 Security Checks. Every Audit.

Every config is analyzed against the same 15 checks, regardless of vendor. Consistent results across your entire fleet.

  • Allow-All Traffic
  • Missing Default Deny
  • No Logging
  • Duplicate Rules
  • Shadowed Rules
  • Unrestricted Services
  • Insecure Protocols
  • Broad Egress
  • Device Hardening
  • Disabled Rules
  • Stale Rules
  • Rule Complexity
  • Weak Justification
  • Broad Subnets
  • Missing Descriptions

For Healthcare IT

HIPAA Security Rule, mapped to firewall policy.

Technical safeguards under 45 CFR §164.312 translated into rule-level findings. Written so your compliance officer can read them — and your board can act on them.

TECHNICAL SAFEGUARDS

Every finding cites 45 CFR §164.312

Access Control, Audit Controls, Transmission Security, Person Authentication. The exact regulation, on every finding — no guesswork when your assessor asks which rule applies.

PLAIN ENGLISH

Explanations your board can read

AI rewrites every finding in language a non-technical director can understand. No 'CIDR' or 'shadowed rule' — just what's at risk, why it matters, and what it exposes.

ASSESSMENT SUPPORT

Pre-audit hygiene, not a replacement

Scope disclosures, risk scores, and prioritized remediation designed to support your HIPAA assessment — not replace a qualified assessor or security consultant.

HIGH: Broad Egress — Unrestricted Outbound Traffic
Example finding:
rule_id : policy-47
name : EHR-Backup-Egress
source : 10.50.0.0/16 (clinical-vlan)
dest : any
services : tcp/443
logging : disabled

✦ Why this matters

Your clinical VLAN can send data to any external destination on HTTPS. If the backup process or a workstation on this network is compromised, PHI could exfiltrate without triggering any log entry — leaving no forensic trail for a HIPAA breach investigation.

Compliance: HIPAA §164.312(e)(1) Transmission Security; HIPAA §164.312(b) Audit Controls

ShieldIQ maps findings to HIPAA Security Rule technical safeguards. Read our HIPAA note before uploading configurations with identifiable medical system details.


12 Vendors. One Platform.

Upload any supported config — we detect the vendor automatically and run the same 15 checks.

FortiGate: Upload + API
Palo Alto: Upload
Cisco ASA: Upload
Cisco Meraki: Upload
Cisco Firepower: Upload
SonicWall: Upload
Sophos XGS: Upload
WatchGuard: Upload
Check Point: Upload
AWS: Upload
Azure: Upload
Google Cloud (GCP): Upload

Simple Pricing

No long-term contracts. No per-seat fees. Start free, upgrade when you need more.

Monthly | Annual (Save 17%)

Free Trial

Free

Try ShieldIQ with a real audit. See exactly what you get before you pay.

  • 1 firewall audit
  • 15 security checks
  • AI on top 3 findings
  • HTML report export
Most Popular

Pro

$149/month

Full-powered auditing for companies with up to 5 firewalls. AI analysis, all export formats, cleanup reports.

  • 5 devices
  • Unlimited audits
  • Full AI analysis
  • PDF + DOCX + CSV exports

Business

$349/month

For regulated industries and growing teams. White-label, fleet visibility, and scheduled compliance.

  • 20 devices
  • Shareable audit links
  • White-label reports
  • Scheduled audits + alerts

MSP

$499/month + $29/client

Unlimited audits across your entire client base. Client management, ConnectWise integration, batch upload, and priority support.

  • Unlimited devices
  • Client management + API
  • ConnectWise PSA integration
  • Batch upload + priority support

Enterprise

$2500/quarter

Custom scope for large organizations. Dedicated onboarding, custom compliance profiles, and SLA.

  • Unlimited everything
  • Custom compliance
  • Dedicated onboarding
  • Enterprise SLA
ROI Calculator

See What You Save

Manual Audit Time
7 days

50 hours per audit cycle

ShieldIQ Time
5 min

15 security checks per firewall

Annual Savings vs Manual
$13,212

vs $15,000/yr manual (2 audits at $150/hr)

vs Enterprise Tools
Save $48,212

vs ~$50K/yr entry estimate (Tufin/FireMon floor)

Frequently Asked Questions

Questions we hear from MSPs and IT teams before they get started.

Do my clients' firewall configs leave my environment?
No. Configs are processed entirely in memory during the audit and immediately discarded after. We store findings and risk scores — not the raw configuration content. Your clients' network topology, IP ranges, and rule logic never leave your machine or get written to any database.
Do I need to install an agent or give ShieldIQ access to my firewalls?
No agents, no network credentials required for an upload-based audit. You export a config file from your firewall's management console (a process that takes about 30 seconds) and upload it. We detect the vendor automatically and return results in under 60 seconds. API-connected scheduled audits are available for advanced users who want continuous monitoring.
How is this different from a vulnerability scanner like Nessus or Qualys?
Vulnerability scanners probe live systems for unpatched CVEs and open ports. ShieldIQ analyzes the firewall's own policy logic — finding rule errors like shadowed rules, allow-all policies, missing default deny, and stale rules that active scanners cannot detect. It's policy auditing, not vulnerability scanning. Most MSPs use both: scanners find exploitable weaknesses, ShieldIQ finds the policy misconfigurations that let those weaknesses through.
My firewall vendor has a built-in policy checker. Why do I need ShieldIQ?
Built-in tools only analyze their own vendor's format and produce output designed for network engineers — not client delivery. ShieldIQ audits 12 vendors using the same 15 checks, maps findings to PCI-DSS v4.0, NIST 800-53, CIS Controls, and HIPAA, and generates AI explanations in plain English. You also get rule cleanup reports listing every rule safe to delete, score projections showing exactly how much your score improves after fixing issues, shareable audit links for clients, and white-labeled PDF reports. It's the difference between a system log and a board-ready deliverable.
Will ShieldIQ reports hold up with a PCI-DSS auditor?
ShieldIQ maps every finding to specific PCI-DSS v4.0 controls — for example, an allow-all rule flags controls 1.3.1 and 1.3.2. The technical report is formatted as audit evidence and shows exactly which controls pass or fail. Most customers use ShieldIQ to find and remediate gaps before their QSA arrives, then provide the report as supporting evidence. ShieldIQ does not replace a QSA assessment, but it significantly reduces what the assessor finds.
Can I white-label the reports for my clients?
Yes — Business ($349/mo) and MSP ($499/mo) plans include full white-labeling. Upload your logo, set your brand colors, and add a custom footer. Both the executive summary and the full technical report render under your company name. Clients receive professional, branded PDF and Word reports. ShieldIQ is never mentioned anywhere in the output.
When does the MSP plan make more sense than Pro or Business?
If you're managing more than a handful of clients, the MSP plan ($499/month + $29/client) scales better than separate subscriptions. A Pro plan covers 5 devices for $149/month — great for a single company. But an MSP with 15 clients on Pro would pay $2,235/month. On the MSP plan, that same MSP pays $644/month and gets client management (create and switch between client orgs), batch upload (audit multiple configs at once), ConnectWise PSA integration (auto-create tickets for critical findings), API access, and priority support. Most MSPs move to the MSP plan after their third or fourth client.
Is ShieldIQ SOC2 certified?
Not yet — SOC2 Type I is on our 2026 roadmap with Type II to follow. In the meantime, we're transparent about how data is handled: raw configs are processed in memory and never stored, access is role-based with JWT authentication, all stored data is encrypted at rest with AES-256, refresh tokens rotate on every use, and we maintain an immutable audit log. Read our full Security Practices page for details on encryption, AI data handling, and our security roadmap.

Built by James Hill — infrastructure engineer, for infrastructure teams.

8+ years operating hybrid IT/OT environments at scale. Security+ certified. I've managed firewalls, automated networks, and deployed across AWS, Azure, and GCP at a global manufacturer. After years of auditing firewall policies by hand or paying enterprise prices for tools that take weeks to set up, I built the tool I wished existed — multi-vendor, AI-explained, and ready in 60 seconds.


Ready to audit your firewall policies?

See ShieldIQ in action with your own firewall config. 15-minute demo, no commitment.