Skip to main content

The Maester Manifesto

Maester exists to make cloud security testing open, reusable, and available to everyone.

The core idea is simple: security guidance should not only be written down. It should be executable. If a setting matters, if a risky default is buried ten pages deep in a portal, or if a standard says something should be configured a certain way, people should be able to run a test, see the result, understand the rationale, and improve.

This should not require a large budget, a specialist team, or access to expensive tooling. Individual admins, small security teams, nonprofits, schools, startups, and organizations in developing nations deserve useful security checks, too.

That part is personal to me. I grew up in Sri Lanka. I know what it means when useful technology exists, but is priced out of reach for the people and organizations that could benefit from it most. Security should not become another place where the gap between well-funded organizations and everyone else gets wider.

Maester exists to help close that gap.

Open Source Core

Maester is open source and will remain open source.

The core framework will remain free. The included core tests will remain free. Running Maester locally in your own environment will remain free.

Anyone should be able to take Maester, install it, inspect it, adapt it, run it, and use it in their own workflows. That includes individual admins, internal security teams, consultants, MSPs, vendors, auditors, educators, and community contributors.

An objective of the Maester project is to minimize duplication of effort, provide a reference model across environments, and allow for that to be reused within the authority provided by the MIT license.

A Community Project

Maester should remain a community-driven project, not a company-owned control point.

Commercial organizations should be able to build services around Maester without needing permission from one vendor. The healthiest version of Maester is one where many people and organizations contribute to the open core, build on it, and help improve it.

Jozra is Merill's company, and it will be one of the commercial participants building around Maester. I (Merill) will continue investing heavily in the open project while also building hosted services that make Maester easier to run and use, providing paid support, and offering commercial licensing for organizations that cannot use open source software. The open framework itself should stand on its own as a community asset.

  • If you are an individual admin or a small team, Maester should be something you can use without asking for budget.
  • If you are a large enterprise, vendor, MSP, or services organization building value on top of Maester, I hope you will help fund this initiative through sponsorship, contribution, or commercial support.

The mission is simple:

Make security testing open, reusable, and available to everyone.