Updated June 2026: Harden 1.1 is out with 93 checks (up from 52 at launch), dual DISA STIG + CIS Benchmark compliance, HTML/JSON/CSV compliance reports, headless agent mode with scheduled scanning, and 38 one-click fixes. See the product page for full details.

We’re releasing Harden, a native macOS tool that audits your Mac’s security configuration against best-practice checks — including DISA STIG and CIS Benchmark controls — and helps you fix what it finds. No Terminal required.

The gap it fills

Your Mac has dozens of security settings spread across System Settings, command-line tools, and kernel parameters. Guides exist for hardening them, but they’re aimed at sysadmins and expect you to run commands like defaults read com.apple.alf globalstate and interpret the output. Harden does all of that for you and presents the results in plain language with one-click fixes.

It’s inspired by Lynis and Netflix Stethoscope, but built as a native Mac app for people who want security visibility without the command line.

What it checks

Harden runs 64 checks across seven categories:

  • Firewall — application firewall, stealth mode, logging, outbound filtering, pf
  • Encryption — FileVault, Time Machine encryption
  • System Protection — SIP, Gatekeeper, XProtect, Secure Boot, auto-updates, macOS version
  • Sharing — SSH, screen sharing, file sharing, AirDrop, remote management, Bluetooth sharing
  • Authentication — auto-login, password after sleep, guest account, lock delay, screensaver timeout
  • Network — DNS, Wi-Fi security, saved open networks, sysctl hardening
  • Privacy — analytics sharing, Safari suggestions, Siri, Lockdown Mode, TCC permissions

Each check is weighted by severity, and your overall score reflects how much of your security surface is covered. 25 checks can be auto-fixed — user-level settings apply instantly, and system-level changes prompt for your admin password through the standard macOS dialog. 47 checks are mapped to DISA STIG rules for macOS 15 Sequoia, with a dedicated compliance report tab.

Why hardening matters

Default settings are chosen for convenience, not security. FileVault might be off. Your firewall might be in permissive mode. Remote management services you’ve never used might be enabled. These aren’t theoretical risks — they’re configuration gaps that any security audit would flag.

Harden doesn’t change anything without your permission. It shows you the landscape, explains the risks, and lets you decide. The same philosophy behind Tapped (network visibility) and Survey (wireless privacy) — observe first, then act.