SANS CAG


SANS CAG (Consensus Audit Guidelines) is a prioritized set of cybersecurity best practices developed collaboratively by the SANS Institute, the National Security Agency, the U.S. Department of Defense, and leading security practitioners to defend against the most common and damaging cyber attacks. Unlike compliance-centric frameworks built around audit requirements, the CAG was explicitly designed to reflect real attacker behavior—grounding each control in documented offensive techniques drawn from actual intrusion data. Originally published as the SANS Top 20 Critical Security Controls, the framework was later transitioned to the Center for Internet Security, where it now exists as the CIS Controls. For enterprise security architects, SOC managers, and CISOs, understanding SANS CAG is foundational because it provides an evidence-based blueprint for building defenses that measurably reduce risk against known, active threat techniques.

Origins and Development of the SANS CAG Framework

The SANS CAG emerged in 2008 from a recognized gap between compliance-oriented security frameworks and the practical realities of defending enterprise networks against sophisticated adversaries. Government agencies, intelligence organizations, and private-sector experts collaborated to produce a control set grounded in threat intelligence rather than regulatory theory.

  • Government and Intelligence Community Collaboration: The initial development effort involved the NSA, U.S. Cyber Command, the Department of Energy, and SANS Institute contributors. This partnership ensured that the controls reflected attack patterns being actively observed against critical national infrastructure and high-value enterprise targets—not theoretical risk models. The result was a framework that spoke directly to the techniques attackers were deploying in the field.
  • From SANS to CIS: In 2013, SANS transferred stewardship of the CAG to the Center for Internet Security. Under CIS, the controls evolved through several major version updates—from 20 controls in version 6 to 18 controls in version 8, with significant structural reorganization. Despite this evolution, the framework retains its core philosophy: prioritize defensive investment based on documented adversary behavior and real-world breach data.
  • Community-Driven Refinement: Unlike standards maintained by a single body, SANS CAG and its successor CIS Controls rely on a broad practitioner community that includes CISO advisors, security researchers, government agencies, and technology vendors. This consensus-based development process keeps the framework responsive to emerging threat trends and technology shifts, making it more adaptable than traditional regulatory standards that update on slower cycles.

The transition from SANS CAG to CIS Controls also introduced Implementation Groups. This tiered adoption model allows organizations to tailor control implementation to their size, risk profile, and available resources. This structural addition made the framework significantly more accessible for enterprises at varying levels of security maturity.

The 20 Critical Security Controls: Structure and Scope

In its original SANS CAG form, the framework comprised 20 prioritized controls organized into three tiers—basic, foundational, and organizational—that collectively address the most critical defensive capabilities needed to resist common attack patterns observed across enterprise environments.

  • Basic Controls (1–6): The first tier covers the foundational hygiene practices that all organizations must implement before investing in more advanced capabilities. These include hardware asset inventory, software asset management, continuous vulnerability assessment, controlled use of administrative privileges, secure configuration management for hardware and software, and audit log maintenance. The premise is direct: organizations cannot defend assets they haven’t inventoried or systems they haven’t configured securely.
  • Foundational Controls (7–16): The second tier addresses more sophisticated defensive capabilities, including email and browser protections, malware defenses, network port and service limitations, data recovery capabilities, network device configuration management, boundary defense, data protection, need-to-know access controls, wireless access control, and account monitoring. These controls form the operational backbone of enterprise security programs and address the majority of techniques used in credential-based and network-based attacks.
  • Organizational Controls (17–20): The third tier addresses the people and process dimensions of security programs: security awareness and training, application software security, incident response and management, and penetration testing. These controls recognize that technology alone is insufficient. Effective security requires trained personnel, tested incident response processes, and continuous improvement through adversary simulation exercises.

The structured, tiered approach makes SANS CAG actionable for organizations at different maturity levels, enabling security leaders to demonstrate measurable progress and prioritize investment without requiring simultaneous adoption of all 20 controls across the enterprise.

Implementation Groups and Risk-Based Prioritization in SANS CAG

The evolution from SANS CAG to CIS Controls v8 introduced a formal risk-based prioritization model through Implementation Groups (IGs). This prioritization model remains one of the most practically valuable features of the framework for enterprise security program planning and resource allocation.

  • Implementation Group 1 (IG1) — Essential Cyber Hygiene: Defines the minimum control set that every organization should implement, regardless of size or complexity. It focuses on foundational safeguards, including asset inventory, patch management, malware defense, data recovery, and basic access controls. For many small and mid-size enterprises, achieving full IG1 coverage represents a substantial reduction in exposure to commodity threats such as ransomware, credential stuffing, and opportunistic exploitation.
  • Implementation Group 2 (IG2) — Intermediate Security Controls: IG2 extends IG1 with controls suited to organizations that have more complex IT environments and dedicated security staff. Added capabilities include security awareness training programs, structured incident response planning, audit log management and review, and controlled use of privileged accounts. IG2 addresses threats beyond opportunistic attacks, including targeted intrusion attempts by organized threat actors.
  • Implementation Group 3 (IG3) — Advanced Enterprise Controls: IG3 encompasses the full control set and targets organizations that handle sensitive data, operate critical infrastructure, or face sophisticated, targeted adversaries. It adds capabilities, including structured penetration testing programs, advanced data protection controls, application security testing, and comprehensive security monitoring with threat-hunting. IG3 organizations are expected to maintain continuous validation of control effectiveness.

Enterprise security architects and CISOs use Implementation Groups to stage control adoption across multi-year roadmaps, align security investments with risk tolerance, and communicate program progress to board-level stakeholders in a structured, measurable format that connects security activity to business risk reduction.

SANS CAG and Threat-Informed Defense Strategies

One of the defining characteristics of SANS CAG is its explicit grounding in observed attacker behavior. This threat-informed approach aligns directly with modern security operations frameworks such as MITRE ATT&CK and the Cyber Kill Chain, enabling security teams to connect control coverage to specific adversary techniques.

  • Mapping Controls to Attack Techniques: Each SANS CAG control addresses one or more phases of the attacker lifecycle. Asset inventory controls reduce the attack surface. Vulnerability management removes exploitable weaknesses. Access control restrictions limit lateral movement and privilege escalation. Security teams can map individual controls to specific MITRE ATT&CK techniques to assess defensive coverage, identify gaps, and prioritize remediation efforts across the organization’s security architecture.
  • Continuous Control Validation: SANS CAG’s emphasis on measurement and testing sets it apart from many compliance frameworks. Organizations are expected to continuously assess control effectiveness using defined metrics, red-team exercises, and regular penetration tests. This model validates that controls are operationally effective against real attack techniques—not just documented—and drives continuous improvement in the defensive posture.
  • Integration with Threat Intelligence: Threat intelligence can be operationalized directly through SANS CAG by connecting adversary TTPs, campaign indicators, and emerging attack vectors to specific control categories. For example, intelligence about ransomware campaigns exploiting unpatched vulnerabilities strengthens the operational justification for aggressive vulnerability management programs aligned with CIS Control 7 (v8).

The threat-informed nature of SANS CAG makes it particularly valuable as a foundation for managed detection and response (MDR) programs, where security operations teams need a common language to prioritize detection coverage, tune alert logic, and measure the effectiveness of their defensive capabilities against realistic adversary scenarios.

Aligning SANS CAG with Compliance and Regulatory Frameworks

Enterprise security programs rarely operate within a single framework. Most organizations must satisfy multiple regulatory requirements simultaneously, and SANS CAG—evolved as the CIS Controls—serves as an effective operational foundation that maps naturally to many common compliance regimes, reducing redundant implementation work.

  • NIST Cybersecurity Framework (CSF) Alignment: The CIS Controls map extensively to the NIST CSF, particularly within the Identify, Protect, Detect, and Respond functions. Organizations using SANS CAG as their primary implementation framework can produce evidence that simultaneously satisfies NIST CSF requirements, simplifying compliance reporting, streamlining audit preparation, and reducing the overhead of maintaining separate control inventories for each framework.
  • PCI DSS and HIPAA Compliance Support: Many SANS CAG controls directly address specific PCI DSS and HIPAA requirements around access control, audit logging, vulnerability management, and incident response. Security teams can use CIS control coverage as a primary compliance baseline, reducing the redundant work required when managing multiple regulatory mappings across payment card data environments or covered healthcare entities.
  • SOC 2 and ISO 27001 Mapping: The organizational and process-oriented controls in SANS CAG—security awareness training, incident response management, and penetration testing—align with SOC 2 Trust Services Criteria and ISO 27001 control categories. Enterprises pursuing multiple certifications can use SANS CAG as a single operational framework that addresses requirements across standards without duplicating implementation and documentation effort.

Organizations that anchor their security program to SANS CAG gain a framework designed for practical effectiveness that also maps naturally to audit requirements. The framework reduces the gap between active security operations and compliance readiness, enabling security teams to demonstrate both defensive effectiveness and regulatory adherence from a unified control foundation.

Operationalizing SANS CAG in Enterprise Security Programs

Translating SANS CAG guidance into operational reality requires mapping high-level controls to specific technical configurations, workflows, and measurement systems that security teams can execute and continuously sustain across complex enterprise environments.

  • Asset and Vulnerability Management Integration: Controls 1 and 7 (CIS v8) require comprehensive asset discovery and continuous vulnerability assessment. Enterprises operationalize these by integrating asset management platforms, vulnerability scanners, configuration management databases (CMDBs), and SOC workflows. Automated discovery pipelines that feed prioritized vulnerability remediation queues turn policy requirements into continuously updated security posture data that drives daily operational decisions.
  • Privileged Access and Identity Controls: Implementing CAG controls around administrative privilege management requires integration with identity and access management (IAM) platforms, privileged access workstations (PAWs), and just-in-time access provisioning systems. These controls directly reduce the risk of credential-based lateral movement—which remains the most common post-exploitation technique observed in enterprise breach investigations—by limiting the scope and duration of elevated access rights.
  • Security Awareness and Adversary Simulation Testing: SANS CAG’s organizational controls require trained personnel and validated processes, not just deployed technology. Enterprise programs operationalize this through structured security awareness curricula, role-based technical training for security and IT staff, and regular red-team or purple-team exercises. These exercises test control effectiveness against realistic attack scenarios and provide evidence of program maturity to support executive reporting and board-level risk discussions.

Measuring SANS CAG program effectiveness requires defining specific metrics for each control, including asset coverage rates, vulnerability remediation SLAs, patch compliance percentages, and mean time to detect (MTTD) and mean time to respond (MTTR) to security events. These metrics provide the evidence base for communicating program maturity and risk reduction to executive stakeholders in business-relevant terms.
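As an added illustration (example code written for this page, not Deepwatch's or CIS's tooling), the following computes the metrics named above over constructed inventory, finding and incident records: asset coverage for Control 1/7, remediation-SLA compliance for Control 7, and MTTD/MTTR for incident response (Control 17 in CIS v8). The record shapes, the SLA day counts and the seven-day scan window are assumptions chosen for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from statistics import mean

# Record shapes (constructed for this example): Control 1 asset inventory,
# Control 7 vulnerability findings, Control 17 incident timeline (CIS v8 numbering)
Asset = namedtuple("Asset", "hostname in_cmdb last_scanned")      # last_scanned may be None
Finding = namedtuple("Finding", "severity found fixed")           # fixed is None while open
Incident = namedtuple("Incident", "occurred detected contained")  # occurred: from forensics

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # constructed SLA policy

def asset_coverage(assets, now, scan_window_days=7):
    # Share of discovered assets that are inventoried AND scanned within the window
    covered = [a for a in assets if a.in_cmdb and a.last_scanned is not None
               and (now - a.last_scanned).days <= scan_window_days]
    return len(covered) / len(assets) if assets else 0.0

def sla_compliance(findings, now):
    # Share of findings within SLA; an open finding is compliant only until its deadline
    ok = sum(1 for f in findings
             if (f.fixed or now) <= f.found + timedelta(days=SLA_DAYS[f.severity]))
    return ok / len(findings) if findings else 1.0

def mttd_mttr_hours(incidents):
    # MTTD = occurred -> detected, MTTR = detected -> contained, both in hours
    mttd = mean((i.detected - i.occurred).total_seconds() for i in incidents) / 3600
    mttr = mean((i.contained - i.detected).total_seconds() for i in incidents) / 3600
    return mttd, mttr

# Constructed sample records for one reporting period
NOW = datetime(2024, 6, 1)
D, H = timedelta(days=1), timedelta(hours=1)
ASSETS = [Asset("web01", True, NOW - 1 * D), Asset("db01", True, NOW - 10 * D),
          Asset("unmanaged-laptop", False, None)]          # never inventoried or scanned
FINDINGS = [Finding("critical", NOW - 20 * D, NOW - 15 * D),  # fixed in 5 days: ok
            Finding("high", NOW - 40 * D, None),              # open 40 days, SLA 30: breach
            Finding("medium", NOW - 10 * D, None)]            # open, deadline not reached: ok
INCIDENTS = [Incident(NOW - 5 * D, NOW - 5 * D + 4 * H, NOW - 5 * D + 10 * H),
             Incident(NOW - 2 * D, NOW - 2 * D + 2 * H, NOW - 2 * D + 6 * H)]

def program_metrics():
    # Roll-up a CISO would report; each value is a fraction or a mean in hours
    mttd, mttr = mttd_mttr_hours(INCIDENTS)
    return {"asset_coverage": asset_coverage(ASSETS, NOW),
            "sla_compliance": sla_compliance(FINDINGS, NOW),
            "mttd_hours": mttd, "mttr_hours": mttr}
```

With the sample data this reports one of three assets covered, two of three findings within SLA, a 3-hour MTTD and a 5-hour MTTR; the same functions run unchanged over real CMDB, scanner and ticketing exports.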

Conclusion

SANS CAG represents a foundational approach to enterprise cybersecurity that prioritizes defensive investment based on real-world attacker behavior rather than theoretical compliance requirements. Its structured, prioritized framework—maintained and evolved as the CIS Controls—gives security architects and SOC leaders a practical roadmap for building resilient defenses that demonstrably reduce risk. By grounding controls in threat intelligence, aligning them with major regulatory frameworks, and requiring continuous measurement of effectiveness, SANS CAG enables enterprises to move beyond checkbox compliance toward genuinely effective security programs. Organizations that build their security operations around this framework gain a common language for prioritizing investments, communicating risk to executive stakeholders, and continuously validating the strength of their defensive posture against evolving adversary techniques.

Deepwatch® is the pioneer of AI- and human-driven cyber resilience. By combining AI, security data, intelligence, and human expertise, the Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation. Ready to Become Cyber Resilient? Meet with our managed security experts to discuss your use cases, technology, and pain points, and learn how Deepwatch can help.
