Open source · Windows 10/11 · Offline

Security posture auditing for Windows, entirely offline.

A single executable that scores your Windows security configuration against CIS Benchmark controls and gives you plain-English remediation steps — no cloud, no agent, no license.

↓ Download apotrope.exe View on GitHub ↗
or with Python 3.12+: pip install apotrope
Administrator: Windows Terminal
PS C:\> .\apotrope.exe --html report.html ◈ APOTROPE v0.1.5 Windows Security Posture Auditor scanning 56 controls [████████████████████] done · 21.7s SECURITY SCORE WORKSTATION-07 Windows 11 Pro 23H2 · CORP.local 69 / 100 D · POOR █████████████████░░░░░░░ ✓ 35 pass ✗ 3 fail ! 4 warn i 14 info 56 checks evaluated ⚑ TOP FAILURES HIGH Public inbound = Allow CIS 9.3.2 MED SMB signing not required CIS 2.3.8.1 MED Script-block logging off CIS 18.9.95.1 → report.html written · open to triage all 7 issues PS C:\>
No cloud No agent No telemetry No license key Single executable Read-only
// Features

Everything you need for a fast, credible assessment.

No setup, no accounts, no data leaving the machine — just an honest read on the box in front of you.

01

Single Executable

Drop apotrope.exe on a USB stick and run it on any Windows machine. No install, no Python, no dependencies.

02

Fully Offline

No data leaves the machine. No telemetry, no cloud APIs, no license servers — your audit data stays yours.

03

CIS Benchmark Mapping

Every finding is annotated with its CIS Benchmark control ID — v5.0.0 for Windows 11, v4.0.0 for Windows 10 — detected automatically at scan time.

04

Scored & Graded

A 0–100 security score with an A–F letter grade gives you an at-a-glance read on the system's risk posture.

05

HTML & JSON Reports

Export a self-contained HTML report for stakeholders or a structured JSON report for pipeline integration.

06

Comparative Scanning

Save a baseline and diff against it later to track remediation progress with --baseline and --compare.

07

Custom Profiles

An apotrope.toml profile lets you disable checks, override severities, and tune thresholds for your environment.

08

Actionable Remediation

Every failing check ships a concrete fix command or Group Policy path — not just a description of the problem.

// Checks

One scan, the controls that actually move risk.

Fourteen categories of Windows security posture, mapped to CIS and scored by severity.

55+Checks
14Categories
~22sPer scan
Access Control4 checks
UAC elevation prompts, admin approval mode, secure desktop.
Accounts6 checks
Local accounts, guest status, password & lockout policy.
Antivirus4 checks
Defender real-time protection, signature age, tamper protection.
Encryption2 checks
BitLocker drive encryption status, per volume.
File Sharing4 checks
SMB signing, legacy SMBv1, and exposed shares.
Firewall6 checks
Domain, private & public profile state and inbound posture.
Hardening5 checks
LSA protection, autorun, and miscellaneous OS hardening.
Network4 checks
Protocol hardening, discovery, and exposure reduction.
Patching3 checks
Windows Update health, pending updates & reboots.
Persistence2 checks
Startup programs and autorun entries.
PowerShell5 checks
Script-block / module logging and execution policy.
Remote Access3 checks
RDP exposure and Network Level Authentication.
Services2 checks
Risky or unnecessary running services.
System6 checks
OS edition, build number, and support lifecycle.
// Scoring

A transparent score you can reason about.

Start at 100. Each failing or warning check deducts points weighted by severity. The total maps to a letter grade.

Point deductions

SeverityFailWarn
Critical−15−7
High−10−5
Medium−5−2
Low−2−1
Info00
A90 – 100Excellent
B80 – 89Good
C70 – 79Fair
D60 – 69Poor
F0 – 59Critical
// Report

A report you can email to someone who wasn't in the room.

One self-contained HTML file — gauge, prioritised findings, CIS mappings, remediation — that opens in any browser with no server and no network.

See the full sample report.

Filterable findings, copy-ready fixes, and a score you can defend. Generated entirely on the audited machine.

Open live sample report →
69 D · POOR
Result mix
✓ 35 pass ✗ 3 fail ! 4 warn i 14 info
// Get Started

Up and running in under a minute.

Standalone apotrope.exe below — no Python required. Have Python 3.12+? pip install apotrope and run apotrope instead.

1

Download the executable

Grab apotrope.exe from the latest release and save it somewhere easy to find — Desktop or Downloads works fine.

2

Open an Administrator terminal

Right-click PowerShell or Command Prompt → Run as administrator. Some checks (BitLocker, local accounts, services) need elevation for full results.

3

Go to the folder you saved it in

cd $env:USERPROFILE\Downloads

In Command Prompt: cd %USERPROFILE%\Downloads

4

Run a scan

.\apotrope.exe

The .\ prefix is required — PowerShell doesn't run programs from the current folder by bare name. It works in Command Prompt too.

5

Generate an HTML report

.\apotrope.exe --html report.html --verbose

Opens as a standalone file in any browser — no server required.

6

Track changes over time

.\apotrope.exe --baseline before.json # ... remediate findings ... .\apotrope.exe --compare before.json