Sounds interesting.  Did you get any impression as to whether if affects the stability or responsiveness of the network devices that it is testing?  That's the second question we always get asked about these various testing tools.  The questions usually go, "How accurate is it?  Oh, and will it break our stuff?"

Quick disclaimer, I have not used the tool, I'm basing my observations on information that was on the website:

My concern was that I could not find any information on what the tool bases the audit results on? I always had great results using CIS RAT. Their benchmark guide is detailed and fairy well written. A person auditing an IOS/PIX device has access to details of the recommendation made by the tool, not just pass or fail.

pseud0, if you are concerned about this particular tool's impact on the audit device (as we all are with any audit tool) best option is to save config file and run audit on a file instead of pulling it directly from the device.

Thanks for the update RoleReversal,

Iit would be curious to run both tools on the same config and compare the results. I tend to think of the CIS as sort of a "standard" or "best practices" for benchmarks... from their website:


As far as your other question goes, you have to fill provide name, email and accept TOUA before download. Although email address or personal info is NOT verified (by confirmation email or otherwise). You get access to download right away.

Sorry for replying to my own post, I managed to do a quick comparison sooner than expected. (Don't you love quite Fridays? ).

I've just ran the CIS Router Audit Tool (RAT) using the same configuration I initially used with Nipper. Mostly both tools came back with the same set of potential weaknesses. So unless they both missed the same issue the coverage appears to be similar with each tool.

The report created by RAT is shorter and more concise than Nipper's although part of that is achieved by hiding some information on hyperlinked pages. (Config file your testing needs to be in the same directory as the rat binary or the links won't work).

As well as listing weaknesses RAT assigns each issue a priority and determines a % score based on which tests you pass or fail. I'm not sure I like having metrics like this as anything that isn't 100% secure is vulnerable to something, and despite what the value says nothing is 100% secure.

As I touch on the SNMP aspects of the report with Nipper I'll do the same for RAT. As with Nipper, RAT complained that I didn't have snmp disabled, and failed me on failed me on 4 tests because I had multiple lines with the string 'snmp-server' (snmp-server community foo; snmp-server location bar etc.).

A feature that RAT implements that isn't fully available with Nipper is that it generates a Cisco command file to run against the device that will 'fix' every security issue with the device. Whilst I'm sure this could be a time saver in many scenarios, if I had blindly run this file against my device I would have lost a lot of functionality that I actually need. Again using SNMP for an example, it is utilised for statistic gathering and most importantly monitoring the state of the device.

As I said with my review of Nipper, don't just follow the advice and fixes without understanding the impact they will have on your network, unless you fancy a world of hurt

Overall, I quite like both tools and each has advantages over the other. Mostly it will come down to personal preference, which tool you know better and can better interpret the findings. Personally, I think I'll hang on to both for some cross checking.

Kudos on a nice comparison writeup RR!

As  per the above comparison and when i tried that , even i felt both the tools are doing good , But Nipper is bit Elaborate on information whatever it shows...

   Thanks for introducing these tools anyway ...