Tool Guide

CIS-CAT Pro vs Sherlock EoP Auditor: What Each Covers

CIS-CAT Pro is the Center for Internet Security's automated benchmark assessment tool. It scores Windows endpoints against the CIS Benchmarks, a published set of configuration recommendations covering hundreds of settings. Sherlock EoP Auditor is a Windows endpoint surface scanner that enumerates local privilege escalation paths often unrelated to benchmark settings. CIS-CAT Pro answers "are we configured per CIS recommendations?" EoP Auditor answers "can a regular user become SYSTEM on this host regardless of CIS posture?" Both matter in mature Windows hardening programs.

What CIS-CAT Pro tests

CIS-CAT Pro evaluates Windows endpoint configuration against the CIS Benchmarks for Windows (separate benchmarks exist for Windows 10, Windows 11, Server 2019, Server 2022 and Server 2025) and ships benchmarks for many other platforms (Linux distributions, network devices, cloud services).

On Windows, the assessment categories CIS-CAT Pro covers include account policy (password policy, account lockout, Kerberos policy), local security policy (audit policy, user rights assignment, security options), Windows Defender configuration, BitLocker configuration, Windows Firewall policy, Group Policy and user environment settings, application installation restrictions and removable media policy.

Reports show per-control compliance status (Pass / Fail / Not Applicable), an aggregate compliance score against the benchmark and remediation guidance for each failed control. Output formats include CSV, HTML and XCCDF results for integration with downstream compliance management platforms.

The tool is published by CIS as a benchmark conformance check. CIS-CAT Lite is free but limited to a subset of benchmarks; CIS-CAT Pro requires CIS SecureSuite membership, whose annual cost varies by organization size and membership tier.

What Sherlock EoP Auditor tests

The Sherlock EoP Auditor is a Windows endpoint surface scanner that enumerates local privilege escalation vectors. It runs on demand against a single host and surfaces conditions that would allow a regular user account to escalate to SYSTEM or another privileged identity on that machine.

Conditions EoP Auditor enumerates include third-party Windows services running as SYSTEM with weak access controls or authorization gaps, named pipe authorization issues in privileged services, kernel driver attack surface, scheduled task misconfigurations, COM object permission gaps, registry key ACL issues and file system permission weaknesses on privileged executables.

These findings are largely outside what the CIS Benchmarks recommend. A host can be fully CIS-compliant and still carry configuration-class privilege escalation surface introduced by third-party software, because the CIS Windows Benchmarks cover settings of the Windows components Microsoft ships; they do not enumerate the services, drivers, scheduled tasks and COM objects that line-of-business software installs, and no benchmark control inspects the ACL a third-party installer put on its own SYSTEM service.
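To make the first condition in that list concrete, here is an added example of the kind of check involved. It is not Sherlock code and is not how EoP Auditor is implemented; it is a stand-alone Python checker that reads the SDDL string `sc.exe sdshow <ServiceName>` prints for a service, decodes the service-object rights in each DACL entry, and flags allow-ACEs that give a low-privileged trustee (Everyone, Authenticated Users, BUILTIN\Users, Interactive) a right such as SERVICE_CHANGE_CONFIG or WRITE_DAC, which is enough to repoint a SYSTEM service's binary. The service names, logon accounts and DACLs in SAMPLE_SERVICES are constructed for the example; the right codes, bit values and well-known SIDs are Microsoft's.

```python
import re
from collections import namedtuple

# SDDL right codes as they apply to service objects: access-mask bit and Win32
# name (Microsoft's values). sc.exe sdshow prints either codes or a hex mask.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"), "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"), "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"), "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"), "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"), "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"), "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"), "GA": (0x10000000, "GENERIC_ALL"),
    "GW": (0x40000000, "GENERIC_WRITE"),
}

# Rights that let the holder repoint the service binary (SERVICE_CHANGE_CONFIG,
# which GENERIC_WRITE and GENERIC_ALL include) or rewrite the ACL to grant
# themselves that right. Start/stop alone is not escalation; it only helps
# realise one of these.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}

# Trustees any local user can act as: SDDL abbreviations and the raw well-known
# SIDs that may appear in the trustee field. (The "WD" key here is the Everyone
# SID abbreviation, unrelated to the WRITE_DAC right code above.)
LOW_PRIV_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
}

ACE_RE = re.compile(r"\(([^)]*)\)")
Finding = namedtuple("Finding", "service runs_as trustee rights")


def rights_to_mask(rights: str) -> int:
    """Turn an ACE rights field (two-letter codes or a hex literal) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        # Codes not in the service table (e.g. file-specific ones) are ignored.
        mask |= SERVICE_RIGHTS.get(rights[i:i + 2], (0, ""))[0]
    return mask


def parse_dacl(sddl: str) -> list:
    """Return (ace_type, access_mask, trustee) for each ACE in the D: section.
    The SACL (S: section) only configures auditing and grants nothing, so it is skipped."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, _obj, _inh, trustee = fields[:6]
        aces.append((ace_type, rights_to_mask(rights), trustee))
    return aces


def assess_service(name: str, runs_as: str, sddl: str) -> list:
    """Flag access-allowed ACEs that give a low-privileged trustee a dangerous right."""
    findings = []
    for ace_type, mask, trustee in parse_dacl(sddl):
        # Only allow ACEs ("A") grant anything. Deny ACEs are not modelled here,
        # so a matching deny ACE earlier in the DACL could neutralise a finding.
        if ace_type != "A" or trustee not in LOW_PRIV_TRUSTEES:
            continue
        granted = [n for code, (bit, n) in SERVICE_RIGHTS.items()
                   if code in DANGEROUS and mask & bit]
        if granted:
            findings.append(Finding(name, runs_as, LOW_PRIV_TRUSTEES[trustee], granted))
    return findings


# Constructed sample inventory: service name -> (logon account as `sc.exe qc`
# reports it, DACL as `sc.exe sdshow` prints it). Names and ACLs are made up.
SAMPLE_SERVICES = {
    # The shape of the default DACL Windows assigns to most services.
    "WellConfiguredSvc": ("LocalSystem",
        "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    # An installer granted Authenticated Users full control of a SYSTEM service.
    "AcmeUpdater": ("LocalSystem",
        "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"),
    # The same weakness written as a hex mask, granted to BUILTIN\Users.
    "AcmeAgent": ("NT AUTHORITY\\LocalService",
        "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;0xF01FF;;;BU)"),
}


def audit(services: dict) -> list:
    return [f for name, (acct, sddl) in services.items()
            for f in assess_service(name, acct, sddl)]


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f.service} (runs as {f.runs_as}): {f.trustee} holds {', '.join(f.rights)}")
```

On a live host, feed it the output of `sc.exe sdshow <ServiceName>` for each service and the logon account from `sc.exe qc <ServiceName>`; a finding against a service running as LocalSystem is the case the section above describes. Two caveats a real scanner handles and this example deliberately does not: deny ACEs are ignored, and a service whose DACL is clean can still be hijacked through a writable binary path or install directory, which is a file system check rather than a service ACL check.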

Different question classes

CIS-CAT Pro answers: "Of the Windows configuration settings CIS recommends, which are not configured per recommendation on this host?" The output is per-control compliance status.

Sherlock EoP Auditor answers: "Regardless of CIS recommendation coverage, what local conditions allow privilege escalation on this host?" The output is configuration-class and design-class findings, most often in third-party software.

The two outputs are largely non-overlapping. A CIS-compliant host can still have EoP Auditor findings because the surface EoP Auditor examines (third-party service authorization gaps and the like) is out of scope for CIS recommendations. Conversely, a CIS-noncompliant host can pass EoP Auditor if no local privilege escalation surface is present, whatever its benchmark score.

Coverage matrix

CIS Benchmark compliance scoring: CIS-CAT Pro covers comprehensively. EoP Auditor does not produce CIS compliance scores.

Account policy configuration audit: CIS-CAT Pro covers. EoP Auditor does not test account policy.

Audit policy configuration: CIS-CAT Pro covers. EoP Auditor does not.

Group Policy and security options: CIS-CAT Pro covers. EoP Auditor does not.

Third-party service authorization gaps: EoP Auditor covers in depth. CIS-CAT Pro does not enumerate third-party software surfaces.

Named pipe authorization gaps: EoP Auditor covers. CIS-CAT Pro does not.

Kernel driver attack surfaces: EoP Auditor covers. CIS-CAT Pro does not.

COM object permission gaps: EoP Auditor covers. CIS-CAT Pro does not.

Compliance reporting for SOC 2 / PCI DSS / HIPAA: CIS-CAT Pro reports tie each benchmark recommendation to the CIS Controls, and CIS publishes mappings from the Controls to common frameworks; this is a cross-reference that supports an audit, not an attestation. EoP Auditor produces no compliance mappings.

Multi-platform support (Linux, cloud, network): CIS-CAT Pro covers many platforms. EoP Auditor is Windows-only.

Cross-host fleet rollup reporting: CIS-CAT Pro Dashboard provides fleet-wide compliance trending. EoP Auditor runs point-in-time, per host.

When each tool is the right starting point

Choose CIS-CAT Pro first if the question your security program needs to answer is "is our Windows configuration aligned with CIS Benchmark recommendations and defensible for SOC 2 / PCI / HIPAA reporting?" CIS-CAT Pro is the right starting choice for compliance-driven security programs and for organizations that need standardized benchmark scoring.

Choose Sherlock EoP Auditor first if the question your security program needs to answer is "do our Windows endpoints have local privilege escalation surfaces that CIS Benchmark compliance does not address?" EoP Auditor is the right starting choice for organizations whose CIS compliance posture is strong but who suspect third-party software has introduced privilege escalation surface.

Choose both for mature Windows hardening. The two cover non-overlapping surfaces. Running only CIS-CAT Pro leaves configuration-class findings in third-party software unaddressed. Running only EoP Auditor leaves CIS Benchmark compliance unmeasured.

What this means for security planning

A common mistake in Windows security programs is treating CIS Benchmark compliance as complete hardening. It is not. The Sherlock Forensics incident response casework consistently surfaces breaches where the compromised host was CIS-compliant per the audit report and still contained configuration-class escalation surface in third-party software. The host passed CIS-CAT and was compromised anyway, because the vulnerable configuration belonged to a class CIS does not test.

The practitioner posture is to layer both classes: run CIS-CAT Pro for benchmark compliance and run EoP Auditor to enumerate configuration-class privilege escalation surface. Skipping either layer leaves a class of finding unaddressed.

The Sherlock Forensics services practice handles ransomware response, breach investigation and court-defensible forensic examination. The forensic toolchain includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock Universal Events Viewer for timeline reconstruction and the Sherlock EoP Auditor for privilege escalation surface assessment.

Talk to our team about Windows hardening assessment, compliance program design or incident response engagement.

CIS Benchmark compliance and configuration-class auditing are different security disciplines. Get on the EoP Auditor early access list for the configuration-class layer. Talk to our team about Windows hardening program design.