We built a free open source alternative to Wiz for Azure — here is how it works

Vishnu Ajith — Sat, 16 May 2026 12:24:05 +0000

Enterprise cloud security tools like Wiz, Prisma Cloud, and
Microsoft Defender for Cloud cost upwards of $500,000 per year.
Most organisations running on Azure simply cannot afford them.

So we built OpenShield — a free, open source Cloud Security
Posture Management (CSPM) platform for Azure.

What is OpenShield

OpenShield scans your Azure subscription for misconfigurations,
maps every finding to compliance frameworks, and ships an
automated remediation playbook for every single rule.

It is built in Python, MIT licensed, and completely free.

github.com/openshield-org/openshield

What it detects

OpenShield currently has 20+ scan rules across six categories:

Storage - public blob access, missing lifecycle policies, disabled diagnostic logging
Network — open SSH/RDP, missing NSGs, no DDoS protection, WAF disabled, VPN using IKEv1, Network Watcher not enabled
Identity — overprivileged service principals, MFA not enforced, unrestricted guest access in Entra ID
Database — public PostgreSQL access, SQL auditing disabled
Compute — VMs with no NSG, unencrypted disks
Key Vault — soft delete disabled, public network access, diagnostic logging disabled

Every rule returns a structured finding with the resource ID,
description, remediation steps, and a link to the playbook.

Compliance mapping

Every finding is automatically mapped to four frameworks:

CIS Azure Benchmark
NIST CSF
ISO 27001
SOC 2 Type II

This means you get compliance posture out of the box with
no manual mapping required.

Remediation playbooks

This is the part that makes OpenShield different from most
open source security tools.

Every scan rule ships with a hardened CLI playbook. When you
get a finding, you do not just learn what is wrong — you get
the exact command to fix it.

Example playbook for AZ-STOR-004 (storage diagnostic logging):

./fix_az_stor_004.sh my-resource-group my-storage-account \
  /subscriptions/.../resourceGroups/log-rg/.../logstore

Playbooks are hardened with input validation, shell injection
prevention, secure temp file handling, and confirmation prompts
before making any changes.

Microsoft Sentinel integration

OpenShield pushes findings directly to Microsoft Sentinel via
Log Analytics. Four KQL detection rules are included out of
the box:

HIGH severity findings in the last 24 hours
Misconfiguration wave detection
Persistent misconfigurations
New resource type critical findings

This means you get SIEM-level visibility from a free open
source tool.

The API

A Flask REST API exposes scan results, compliance scores, and
findings data. It is deployed on Render and live at:

https://openshield-api.onrender.com

Endpoints include:

GET /api/findings — list all findings with filters
GET /api/score — security posture score (0-100)
GET /api/compliance/cis — CIS compliance breakdown
GET /api/compliance/nist — NIST compliance breakdown
POST /api/scans/trigger — trigger a live scan

CI pipeline

Every pull request runs seven automated checks:

Python syntax check on all rule files
Rule structure validation and RULE_ID uniqueness
Hardcoded credential scan
Playbook existence and bash syntax validation
Compliance JSON validation across all four frameworks
API syntax check
Compliance vs rule cross-reference

This means every contribution is validated before it touches
the main branch.

How to run it

git clone https://github.com/openshield-org/openshield
cd openshield
pip install -r requirements.txt

cp .env.example .env
# Add your Azure credentials to .env

python scanner/engine.py

You need an Azure service principal with Reader role on your
subscription. Full setup guide is in the repo.

How it was built

OpenShield was built in public by students and engineers from
Ulster University, Southampton Solent University, and Middlesex
University alongside researchers at Quentangle Quantum Systems
in London.

Every contributor has a PR merged into a production grade open
source security tool. That goes on their GitHub profile and CV
permanently.

Contributing

OpenShield is actively looking for contributors. If you want
to add a scan rule, write a remediation playbook, or improve
the compliance mappings, the contributing guide gets you
making your first PR in under 30 minutes.

github.com/openshield-org/openshield

Good first issues are labelled and waiting. The whole team
is available on Discord to help you through your first PR.

What is next

React dashboard with live demo URL
30+ scan rules
BSides Birmingham conference talk
OWASP project listing

If you work in cloud security and want a free tool that
actually works, or you want your first open source contribution
on a real security project — come build with us.

github.com/openshield-org/openshield

DEV Community: Vishnu Ajith

We built a free open source alternative to Wiz for Azure — here is how it works

What is OpenShield

What it detects

Compliance mapping

Remediation playbooks

Microsoft Sentinel integration

The API

CI pipeline

How to run it

How it was built

Contributing

What is next