ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps

ScubaGear is an open-source tool the Cybersecurity and Infrastructure Security Agency (CISA) created to automatically evaluate Microsoft 365 (M365) configurations for potential security gaps.

ScubaGear analyzes an organization’s M365 tenant configuration, offering actionable insights and recommendations to help administrators address security gaps and strengthen defenses within their Microsoft 365 environment.

The private sector, critical infrastructure, and all levels of government utilize the tool. ScubaGear’s reports guide organizations in quickly identifying and addressing configuration vulnerabilities, reducing the risk of security breaches.

Since its launch in 2022, ScubaGear has been updated nine times, incorporating enhancements that improve accessibility and ease of use. The tool is now available on PowerShell Gallery, simplifying installation and lowering the technical skills required for deployment.

ScubaGear uses a three-step process:

• PowerShell code queries M365 APIs for various configuration settings.
• It then calls Open Policy Agent (OPA) to compare these settings against Rego security policies written per the baseline documents.
• Finally, it reports the comparison results as HTML, JSON, and CSV.

ScubaGear is available for free download on GitHub.

Must read:

• 33 open-source cybersecurity solutions you didn’t know you needed
• 20 free cybersecurity tools you might have missed
• 15 open-source cybersecurity tools you’ll wish you’d known earlier
• 20 essential open-source cybersecurity tools that save you time

I have read and agree to the terms & conditions

Leave this field empty if you're human: