
Automation & connectors

Yes — Bastion can pull evidence from your systems instead of you answering every control by hand. Here's how it works today, what's coming, and why the design keeps your sensitive data on your own machine.

The model: collect locally, map to controls

Most NIST 800-171 controls are observable from systems you already run. Bastion uses a simple, universal contract: a connector reads a system, decides each control's status, and produces a small import file. You drop that file into Bastion's Integrations tab and the controls fill in — with evidence notes — in seconds.

Crucially, the collector runs where your data already is (your machine, your network). Bastion never needs your admin credentials or a cloud connection, so your CUI and your secrets never leave your environment. That's the right posture for defense data.

The import contract

Any connector just needs to emit JSON in this shape (the same format Sightline and Cairn use):

{
  "source": "Intune",
  "generated": "2026-06-11",
  "signals": [
    { "control": "3.13.16", "suggest": "met",     "evidence": "BitLocker enforced on 48/48 devices" },
    { "control": "3.5.3",   "suggest": "partial", "evidence": "MFA on 46/48 devices" },
    { "control": "3.1.1",   "suggest": "met",     "evidence": "Conditional Access restricts to enrolled users" }
  ]
}

control is the NIST 800-171 ID, suggest is one of met / partial / notmet / inherited / na, and evidence is the human-readable proof. (Documentation sources like Cairn use a documents array with the same fields plus a title.)

What maps from where

System | Auto-evidences
MDM / endpoint mgmt (Intune, Jamf, JumpCloud, Sightline) | Encryption, patch status, screen lock, host firewall, configuration baselines, EDR presence — 3.1, 3.4, 3.13, 3.14
Identity provider (Entra ID, Okta, Google) | MFA, access control, account management, session control — 3.1, 3.5
EDR / antimalware (CrowdStrike, Defender) | Malicious-code protection, monitoring — 3.14, 3.6
Cloud config (AWS, Azure, GCP posture) | Boundary protection, encryption in transit, logging — 3.13, 3.3
Vulnerability scanner (Nessus, Qualys) | Flaw remediation, risk & security assessment — 3.11, 3.12, 3.14
SIEM / log pipeline | Audit logging, review, retention — 3.3
Knowledge base / GRC docs (Cairn) | Policies, procedures, plans, training records — the documentation controls across all families

Three levels of automation

Today — export & import. Export from Sightline, Cairn, or any tool that can produce the import JSON (or a CSV), and import it. Semi-automated, zero setup, nothing leaves your machine.
Next — local collector CLI. A small script you run on your network queries your MDM/IdP/EDR/cloud read-only APIs and writes the Bastion import file. Re-run it monthly to re-score automatically. A starter is in the repo's connectors/ folder (a CSV-to-Bastion mapper you can point at any tool's export).
Later — hosted connectors (Pro). One-click OAuth connectors that keep your evidence continuously in sync. This is the paid/team tier and is on the roadmap; the local-first options above need no account.
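The import contract above and the CSV-to-Bastion mapper idea together, as an added example (this is not Bastion's own connector code and not the script in the repo's connectors/ folder): a small local collector that reads a per-device CSV export, decides each control's status from the counts, emits the import JSON, and checks the result against the contract before you drop it into the Integrations tab. The CSV column names, the device rows and the column-to-control mapping are constructed for the example; the control IDs and the met / partial / notmet / inherited / na vocabulary come from the page.

```python
"""Added example, not Bastion's own code: a minimal local collector that
turns a per-device CSV export into a Bastion import file and validates it
against the import contract. Column names, device rows and the column-to-
control mapping are constructed here; control IDs and the status vocabulary
are the ones the docs describe."""
import csv
import io
import json
from datetime import date

# Status vocabulary from the import contract.
VALID_SUGGEST = {"met", "partial", "notmet", "inherited", "na"}

# Constructed sample export: one row per device, boolean columns.
# A real MDM/IdP export will use different column names (assumption).
SAMPLE_CSV = """\
device,disk_encrypted,mfa_enrolled
laptop-01,true,true
laptop-02,true,false
laptop-03,true,true
"""

# Which CSV column feeds which control, and how to phrase the evidence note.
# The control IDs are from the page; the mapping itself is this example's choice.
COLUMN_TO_CONTROL = {
    "disk_encrypted": ("3.13.16", "Disk encryption enforced on {n}/{total} devices"),
    "mfa_enrolled": ("3.5.3", "MFA on {n}/{total} devices"),
}

def status_for(n: int, total: int) -> str:
    """Decide a control's status from how many in-scope devices satisfy it."""
    if total == 0:
        return "na"          # nothing in scope, so nothing to assess
    if n == total:
        return "met"
    if n == 0:
        return "notmet"
    return "partial"

def collect(csv_text: str, source: str, generated: str) -> dict:
    """Read a CSV export and build the Bastion import document."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(rows)
    signals = []
    for column, (control, template) in COLUMN_TO_CONTROL.items():
        # Only an explicit "true" counts as satisfied; blanks and typos count against.
        n = sum(1 for r in rows if (r.get(column) or "").strip().lower() == "true")
        signals.append({
            "control": control,
            "suggest": status_for(n, total),
            "evidence": template.format(n=n, total=total),
        })
    return {"source": source, "generated": generated, "signals": signals}

def validate(doc: dict) -> list:
    """Return contract violations; an empty list means the file is importable."""
    problems = []
    for key in ("source", "generated", "signals"):
        if key not in doc:
            problems.append(f"missing top-level field: {key}")
    for i, sig in enumerate(doc.get("signals", [])):
        for key in ("control", "suggest", "evidence"):
            if key not in sig:
                problems.append(f"signal {i}: missing {key}")
        if sig.get("suggest") not in VALID_SUGGEST:
            problems.append(f"signal {i}: bad suggest {sig.get('suggest')!r}")
        # NIST 800-171 IDs look like 3.x.y; anything else is a typo in the mapping.
        parts = str(sig.get("control", "")).split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts) or parts[0] != "3":
            problems.append(f"signal {i}: bad control id {sig.get('control')!r}")
    return problems

if __name__ == "__main__":
    doc = collect(SAMPLE_CSV, source="SampleMDM", generated=date.today().isoformat())
    errors = validate(doc)
    if errors:
        raise SystemExit("\n".join(errors))
    # Write the file you drop into the Integrations tab.
    with open("bastion-import.json", "w") as f:
        json.dump(doc, f, indent=2)
    print(json.dumps(doc, indent=2))
```

The validation step is the part worth keeping when you adapt this to a real export: a mistyped control ID or a status outside the five allowed values is easy to produce in a mapping table and silently wrong once imported, so the script refuses to write a file that does not match the contract. Nothing here talks to a network; the CSV is read from disk (or, as shown, from an inline string) and the output stays on the machine that produced it.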

A note on automation honesty. Automated signals are a starting point, not a rubber stamp. A tool can confirm encryption is on; it can't confirm your policy requires it or that staff are trained. Always review auto-filled controls before you treat the score as final — Bastion lets you override any of them.
