The Problem with Manual CE+ Audits
If you manage Cisco Meraki networks for clients — or for your own organisation — and you have been through a Cyber Essentials+ assessment, you know the drill.
An assessor asks for evidence. You log into the Meraki dashboard, navigate to the right page, take a screenshot, paste it into a document, and write a note explaining what it proves. Then you do it again for the next control. And the next one. Across every network in the organisation.
For a single-site business with one MX and a handful of access points, this takes a couple of hours. For an MSP managing 20 Meraki orgs across dozens of sites, it takes days. And you have to do it again every 12 months when the certification renews.
The painful irony is that all of this data is already available programmatically. Every firewall rule, every SSID encryption setting, every admin account, every firmware version — it is all accessible through the Meraki Dashboard API. The evidence is there. Nobody has built the mapping layer to connect it to compliance controls.
Until now.
The Five CE+ Controls and Where They Live in Meraki
Cyber Essentials defines five technical controls. Each one maps directly to specific Meraki configuration data that can be retrieved via API. Here is the mapping.
1. Firewalls
The CE+ requirement is straightforward: boundary firewalls must be configured with a default-deny posture for inbound traffic, unnecessary ports must not be open, and rules should follow least-privilege principles.
On a Meraki MX, this means auditing the L3 and L7 firewall rules, port forwarding rules, 1:1 NAT rules, and 1:Many NAT rules. The key check is whether the last L3 firewall rule is an explicit deny-all — and whether any rules above it are overly permissive (allow any-any).
| Check | What to Look For | Meraki API Endpoint |
|---|---|---|
| Default deny inbound | Last L3 rule is deny-all | GET /networks/{id}/appliance/firewall/l3FirewallRules |
| No allow-any rules | No rules with srcCidr=Any, destCidr=Any, policy=allow | GET /networks/{id}/appliance/firewall/l3FirewallRules |
| Minimal port forwarding | Audit exposed ports and protocols | GET /networks/{id}/appliance/firewall/portForwardingRules |
| No unnecessary NAT | Review 1:1 and 1:Many NAT entries | GET /networks/{id}/appliance/firewall/oneToOneNatRules |
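As an added example (not MerakiGuard's own code), here is how the default-deny and port-forwarding checks above can be evaluated over the parsed JSON of the two endpoints. The field names (`policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`, `comment` for L3 rules; `name`, `lanIp`, `publicPort`, `localPort`, `protocol`, `allowedIps` for port forwarding) follow the Meraki API response shape and are assumptions about that shape; the sample responses are constructed, not captured from a real dashboard.

```python
# Added example: CE+ firewall checks over Meraki MX firewall JSON.
# Field names are assumptions about the Meraki API response shape.
from typing import Any


def _is_any(value: Any) -> bool:
    """Meraki spells the wildcard 'Any' in CIDR/port fields and 'any' in allowedIps."""
    return str(value).strip().lower() == "any"


def _is_any_any(rule: dict) -> bool:
    """True when the rule matches every source, destination, protocol and port."""
    return all(_is_any(rule.get(key, "Any"))
               for key in ("srcCidr", "srcPort", "destCidr", "destPort", "protocol"))


def check_l3_rules(l3: dict) -> dict:
    """Default-deny posture: the last rule is an explicit deny-all and no allow any-any sits above it."""
    rules = l3.get("rules", [])
    findings = []
    last = rules[-1] if rules else None
    if last is None or last.get("policy") != "deny" or not _is_any_any(last):
        findings.append("last L3 rule is not an explicit deny-all")
    for position, rule in enumerate(rules, start=1):
        if rule.get("policy") == "allow" and _is_any_any(rule):
            findings.append(f"rule {position} ({rule.get('comment', 'no comment')}) allows any-any")
    return {"passed": not findings, "findings": findings}


def check_port_forwarding(pf: dict) -> dict:
    """Minimal port forwarding: list every exposed port as evidence; rules open to any source fail."""
    exposed = []
    open_to_any = []
    for rule in pf.get("rules", []):
        target = (f"{rule['protocol']}/{rule['publicPort']} -> "
                  f"{rule['lanIp']}:{rule['localPort']} ({rule.get('name', '')})")
        exposed.append(target)
        if any(_is_any(ip) for ip in rule.get("allowedIps", [])):
            open_to_any.append(target)
    return {"passed": not open_to_any, "exposed": exposed, "open_to_any": open_to_any}


def audit_firewall(l3: dict, pf: dict) -> dict:
    """Combine both checks into one per-control result."""
    return {"default_deny": check_l3_rules(l3), "port_forwarding": check_port_forwarding(pf)}


# Constructed sample responses (not from a real network).
SAMPLE_L3 = {"rules": [
    {"comment": "Allow web to DMZ", "policy": "allow", "protocol": "tcp", "srcCidr": "Any",
     "srcPort": "Any", "destCidr": "192.168.10.0/24", "destPort": "443", "syslogEnabled": False},
    {"comment": "Temporary allow all", "policy": "allow", "protocol": "any", "srcCidr": "Any",
     "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": False},
    {"comment": "Deny everything else", "policy": "deny", "protocol": "any", "srcCidr": "Any",
     "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": True},
]}
SAMPLE_PF = {"rules": [
    {"name": "RDP to file server", "lanIp": "192.168.1.20", "publicPort": "3389",
     "localPort": "3389", "protocol": "tcp", "allowedIps": ["any"], "uplink": "both"},
    {"name": "VPN appliance", "lanIp": "192.168.1.5", "publicPort": "443",
     "localPort": "443", "protocol": "tcp", "allowedIps": ["203.0.113.0/24"], "uplink": "both"},
]}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_firewall(SAMPLE_L3, SAMPLE_PF), indent=2))
```

The two findings the sample produces (an allow any-any rule above the final deny, and a forward open to any source) are exactly what an assessor looks for; the `exposed` list is kept even when the check passes, because the evidence for "minimal port forwarding" is the full list of what is exposed, not just the failures.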
2. Secure Configuration
Default credentials must be changed, unnecessary services disabled, and systems configured to reduce the attack surface. For Meraki, this means checking for SSIDs still named "Unconfigured SSID", SSIDs that are still enabled and broadcasting even though they are no longer in use, and unused switch ports that are still active.
Meraki's cloud-managed model gives you a head start here — there are no local admin passwords on the devices themselves. But SSID configuration and switch port hygiene still need auditing.
| Check | What to Look For | Meraki API Endpoint |
|---|---|---|
| No default SSIDs | No SSID named "Unconfigured SSID" that is enabled | GET /networks/{id}/wireless/ssids |
| Unused SSIDs disabled | SSIDs not in use have enabled=false | GET /networks/{id}/wireless/ssids |
| Switch port hygiene | Unused ports are disabled | GET /devices/{serial}/switch/ports |
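The SSID and switch-port checks from the table, as an added example (not MerakiGuard's own code). The SSID fields (`number`, `name`, `enabled`) follow the Meraki SSID response; the port check pairs the port configuration (`portId`, `name`, `enabled`) with a per-port status list (`portId`, `status`, `clientCount`), which is an assumed shape for the switch port status data. All sample data is constructed.

```python
# Added example: CE+ secure-configuration checks over Meraki SSID and switch port JSON.
# Field names are assumptions about the Meraki API response shape.

# Meraki names unconfigured SSIDs with this prefix (page statement; treated as a prefix here).
DEFAULT_SSID_PREFIX = "Unconfigured SSID"


def check_ssids(ssids: list) -> dict:
    """Fail on any enabled SSID that still carries the default name; list enabled SSIDs as evidence."""
    findings = []
    for ssid in ssids:
        if ssid.get("enabled") and ssid.get("name", "").startswith(DEFAULT_SSID_PREFIX):
            findings.append(f"SSID {ssid['number']} '{ssid['name']}' is a default SSID and still enabled")
    enabled = [s["name"] for s in ssids if s.get("enabled")]
    return {"passed": not findings, "findings": findings, "enabled_ssids": enabled}


def check_switch_ports(serial: str, ports: list, statuses: list) -> dict:
    """Flag ports that are administratively enabled but currently have no link and no clients."""
    status_by_port = {s["portId"]: s for s in statuses}
    findings = []
    for port in ports:
        if not port.get("enabled", True):
            continue  # already disabled: nothing to flag
        status = status_by_port.get(port["portId"], {})
        if status.get("status") == "Disconnected" and status.get("clientCount", 0) == 0:
            label = port.get("name") or "unnamed"
            findings.append(f"{serial} port {port['portId']} ({label}) is enabled but unused")
    return {"passed": not findings, "findings": findings}


# Constructed sample data (not from a real network).
SAMPLE_SSIDS = [
    {"number": 0, "name": "Corp-WiFi", "enabled": True},
    {"number": 1, "name": "Unconfigured SSID 2", "enabled": True},
    {"number": 2, "name": "Unconfigured SSID 3", "enabled": False},
]
SAMPLE_SERIAL = "Q2XX-0000-0001"  # placeholder serial
SAMPLE_PORTS = [
    {"portId": "1", "name": "Uplink", "enabled": True},
    {"portId": "2", "name": "", "enabled": True},
    {"portId": "3", "name": "Spare", "enabled": False},
]
SAMPLE_PORT_STATUSES = [
    {"portId": "1", "status": "Connected", "clientCount": 1},
    {"portId": "2", "status": "Disconnected", "clientCount": 0},
    {"portId": "3", "status": "Disconnected", "clientCount": 0},
]

if __name__ == "__main__":
    print(check_ssids(SAMPLE_SSIDS))
    print(check_switch_ports(SAMPLE_SERIAL, SAMPLE_PORTS, SAMPLE_PORT_STATUSES))
```

A single status snapshot only proves a port is down right now, not that it is unused; a port that serves a weekly backup host looks identical. Treat the port finding as a candidate to confirm across several scans before disabling anything, which is also why the page recommends tracking changes between scans.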
3. Access Control
This is where most Meraki organisations fail their first CE+ assessment. The requirement is clear: multi-factor authentication must be enforced for all administrator accounts, accounts should follow least-privilege principles, and stale accounts must be removed.
The Meraki Dashboard has an organisation-wide setting to enforce two-factor authentication. If it is not enabled, every admin account without 2FA is a CE+ failure. You also need to audit admin privilege levels — not everyone should be a full org admin.
| Check | What to Look For | Meraki API Endpoint |
|---|---|---|
| MFA enforced org-wide | enforceTwoFactorAuth = true | GET /organizations/{id}/loginSecurity |
| No shared accounts | Unique email per admin, no generic addresses | GET /organizations/{id}/admins |
| Least privilege | Not all admins are "full" org admins | GET /organizations/{id}/admins |
| No stale accounts | Last active within policy window | GET /organizations/{id}/admins |
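The four access-control checks, as an added example (not MerakiGuard's own code) run over the parsed JSON of the two endpoints in the table. The field names (`enforceTwoFactorAuth`; `email`, `orgAccess`, `twoFactorAuthEnabled`, `lastActive` as an ISO 8601 timestamp) follow the Meraki API response shape and are assumptions, as are the 90-day staleness window and the list of "generic" mailbox names, both of which should come from your own access policy. The sample admins are constructed.

```python
# Added example: CE+ access-control checks over Meraki loginSecurity and admins JSON.
# Field names are assumptions about the Meraki API response shape.
from datetime import datetime, timedelta, timezone

# Local parts that usually indicate a shared mailbox rather than a named person (assumption).
GENERIC_LOCAL_PARTS = {"admin", "administrator", "it", "support", "helpdesk", "noc", "info", "root"}


def _parse_last_active(value):
    """Return an aware datetime, or None when the account has never logged in."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_access_control(login_security: dict, admins: list, now: datetime,
                         stale_after_days: int = 90) -> dict:
    """Evaluate MFA enforcement, shared accounts, least privilege and stale accounts."""
    results = {}

    mfa = []
    if not login_security.get("enforceTwoFactorAuth", False):
        mfa.append("organisation does not enforce two-factor authentication")
    for admin in admins:
        if not admin.get("twoFactorAuthEnabled", False):
            mfa.append(f"{admin['email']} has two-factor authentication disabled")
    results["mfa_enforced"] = {"passed": not mfa, "findings": mfa}

    shared = [a["email"] for a in admins if a["email"].split("@")[0].lower() in GENERIC_LOCAL_PARTS]
    results["no_shared_accounts"] = {"passed": not shared,
                                     "findings": [f"{e} looks like a shared mailbox" for e in shared]}

    full = [a["email"] for a in admins if a.get("orgAccess") == "full"]
    least_priv = []
    if admins and len(full) == len(admins):
        least_priv.append(f"all {len(admins)} admins hold full organisation access")
    results["least_privilege"] = {"passed": not least_priv, "findings": least_priv, "full_admins": full}

    cutoff = now - timedelta(days=stale_after_days)
    stale = []
    for admin in admins:
        last = _parse_last_active(admin.get("lastActive"))
        if last is None:
            stale.append(f"{admin['email']} has never been active")
        elif last < cutoff:
            stale.append(f"{admin['email']} last active {last.date()} (> {stale_after_days} days)")
    results["no_stale_accounts"] = {"passed": not stale, "findings": stale}

    results["passed"] = all(r["passed"] for r in results.values())
    return results


# Constructed sample data (not from a real organisation).
SAMPLE_LOGIN_SECURITY = {"enforceTwoFactorAuth": False}
SAMPLE_ADMINS = [
    {"id": "1", "name": "Alice Example", "email": "alice@example.com", "orgAccess": "full",
     "twoFactorAuthEnabled": True, "lastActive": "2024-05-30T08:15:00Z"},
    {"id": "2", "name": "Bob Example", "email": "bob@example.com", "orgAccess": "read-only",
     "twoFactorAuthEnabled": False, "lastActive": "2024-01-15T17:40:00Z"},
    {"id": "3", "name": "Shared Admin", "email": "admin@example.com", "orgAccess": "full",
     "twoFactorAuthEnabled": True, "lastActive": "2024-05-29T09:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    import json
    print(json.dumps(check_access_control(SAMPLE_LOGIN_SECURITY, SAMPLE_ADMINS, SAMPLE_NOW), indent=2))
```

Passing `now` in rather than reading the clock keeps the scan reproducible, which matters when the same result has to be regenerated as evidence later. Note that the per-admin 2FA flag and the org-wide enforcement flag are checked separately: an org where every admin happens to have 2FA on but enforcement is off still drifts the moment a new admin is invited.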
4. Patch Management
All devices must be running firmware that is supported by the vendor and patched within 14 days of a critical security update. Meraki makes this relatively easy because firmware is managed centrally, but it still needs verifying.
The API exposes both the currently running firmware version and the latest available version for each device model. The check is a version comparison — is the running version current, or is there a pending upgrade that has not been applied?
| Check | What to Look For | Meraki API Endpoint |
|---|---|---|
| Firmware current | Running version matches the latest, or is at most one release behind it | GET /organizations/{id}/firmware/upgrades |
| All devices online | No devices offline (cannot patch what you cannot reach) | GET /organizations/{id}/devices/statuses |
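The version comparison and the reachability check, as an added example (not MerakiGuard's own code). The firmware input follows a per-product object with `currentVersion`, `availableVersions` (each carrying a `shortName` such as "MX 18.107.2" and a `releaseType`) and `nextUpgrade`; the device list carries `serial`, `name` and `status`. Both shapes are assumptions about the Meraki API responses, and every version number and serial below is constructed, not a real release.

```python
# Added example: CE+ patch-management checks over Meraki firmware and device status JSON.
# Response shapes and version numbers are assumptions / constructed for this example.
import re

# "MX 18.107.2" -> product "MX", version tuple (18, 107, 2)
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z]+)\s+(?P<version>\d+(?:\.\d+)*)$")


def parse_short_name(short_name: str):
    match = VERSION_RE.match(short_name.strip())
    if not match:
        raise ValueError(f"unrecognised firmware name: {short_name!r}")
    return match.group("product"), tuple(int(p) for p in match.group("version").split("."))


def check_firmware(products: dict, max_releases_behind: int = 1) -> dict:
    """Per product: how many stable releases the running version is behind, and whether an upgrade is pending."""
    results = {}
    for product, info in products.items():
        running = info["currentVersion"]["shortName"]
        candidates = {running: parse_short_name(running)[1]}
        for version in info.get("availableVersions", []):
            if version.get("releaseType") == "stable":  # betas do not count as "latest"
                candidates[version["shortName"]] = parse_short_name(version["shortName"])[1]
        ordered = sorted(candidates, key=candidates.get)  # tuple comparison: 18.107.8 < 18.211.1
        behind = len(ordered) - 1 - ordered.index(running)
        pending = bool((info.get("nextUpgrade") or {}).get("toVersion"))
        results[product] = {"running": running, "latest": ordered[-1], "releases_behind": behind,
                            "pending_upgrade": pending, "passed": behind <= max_releases_behind}
    results["passed"] = all(r["passed"] for r in results.values())
    return results


def check_device_statuses(statuses: list) -> dict:
    """You cannot patch what you cannot reach: any offline device fails the check."""
    offline = [f"{d.get('name') or d['serial']} ({d['serial']})" for d in statuses if d.get("status") == "offline"]
    return {"passed": not offline, "offline": offline, "total": len(statuses)}


# Constructed sample data (not real Meraki releases or devices).
SAMPLE_PRODUCTS = {
    "appliance": {
        "currentVersion": {"shortName": "MX 18.107.2", "releaseType": "stable"},
        "availableVersions": [
            {"shortName": "MX 18.107.2", "releaseType": "stable"},
            {"shortName": "MX 18.107.8", "releaseType": "stable"},
            {"shortName": "MX 18.211.1", "releaseType": "stable"},
            {"shortName": "MX 19.1.1", "releaseType": "beta"},
        ],
        "nextUpgrade": {"time": "", "toVersion": {}},
    },
    "wireless": {
        "currentVersion": {"shortName": "MR 30.6", "releaseType": "stable"},
        "availableVersions": [
            {"shortName": "MR 30.6", "releaseType": "stable"},
            {"shortName": "MR 30.7", "releaseType": "stable"},
        ],
        "nextUpgrade": {"time": "2024-06-08T02:00:00Z", "toVersion": {"shortName": "MR 30.7"}},
    },
}
SAMPLE_DEVICE_STATUSES = [
    {"name": "HQ-MX", "serial": "Q2XX-0000-0001", "status": "online"},
    {"name": "Floor2-AP", "serial": "Q2XX-0000-0002", "status": "online"},
    {"name": "", "serial": "Q2XX-0000-0003", "status": "offline"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(check_firmware(SAMPLE_PRODUCTS), indent=2))
    print(json.dumps(check_device_statuses(SAMPLE_DEVICE_STATUSES), indent=2))
```

Comparing version strings lexically would put "MX 18.211.1" before "MX 18.107.8" only by accident; the example parses each component to an integer so the ordering is numeric. The "pending upgrade" flag is reported separately from pass/fail: a scheduled upgrade is good news for remediation, but until it runs the device is still behind.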
5. Malware Protection
Network-level malware protection applies to the MX security appliance. Meraki offers Advanced Malware Protection (AMP) and Intrusion Detection/Prevention (IDS/IPS) as part of the Advanced Security licence. For CE+, you need to demonstrate that these protections are active on your boundary device.
| Check | What to Look For | Meraki API Endpoint |
|---|---|---|
| AMP enabled | Advanced Malware Protection mode is not "disabled" | GET /networks/{id}/appliance/security/malware |
| IDS/IPS enabled | Intrusion detection mode is "detection" or "prevention" | GET /networks/{id}/appliance/security/intrusion |
| Content filtering | Blocked URL categories are configured | GET /networks/{id}/appliance/contentFiltering |
Manual vs Automated: The Real Difference
Here is what the same audit looks like done manually versus with automated tooling.
Manual:
- Log into each Meraki org individually
- Navigate to each config page and screenshot
- Paste screenshots into a Word document
- Write explanations for each finding
- Repeat for every network in the org
- Time: 2-5 days per org
Automated:
- Connect Meraki org with a read-only API key
- Click "Run Scan"
- Get a compliance scorecard with pass/fail per control
- Download a PDF report with evidence and remediation
- Track changes between scans automatically
- Time: under 2 minutes per org
For MSPs, the maths is simple. If you manage 15 Meraki organisations and each takes 3 days to audit manually, that is 45 days of engineering time per year just on CE+ evidence gathering. Automated scanning reduces that to minutes and frees your team to do actual remediation work instead of taking screenshots.
What About the Assessment Itself?
To be clear: automated scanning does not replace the CE+ assessor. The assessor still needs to perform their own hands-on verification. But here is how automated pre-audit scanning changes the process:
- You find problems before the assessor does. Running a scan before your assessment window means you can fix issues while there is still time. No surprises on assessment day.
- You can hand the assessor a clean report. A per-control scorecard with evidence values speeds up their review. They still verify independently, but your preparation demonstrates rigour.
- You maintain compliance between assessments. CE+ is a point-in-time certification. Configuration drift between annual assessments is the biggest risk. Monthly scans catch changes before they become audit failures.
The MSP Opportunity
If you are an MSP managing Meraki clients, automated compliance scanning is not just an internal efficiency tool. It is a revenue opportunity.
Compliance-as-a-service is an established MSP offering, but the delivery has always been labour-intensive. With automated tooling, you can offer ongoing compliance monitoring to every Meraki client at a fraction of the cost:
- Monthly compliance reports delivered automatically to each client, branded with your logo
- Proactive remediation — catch a firewall rule change or firmware lag before the client's annual assessment
- Evidence on demand — when a client's auditor asks "prove your firewall config meets CE+", you generate a report in seconds, not days
- Portfolio-wide visibility — see which of your 30 clients are at risk with a single dashboard, sorted by compliance score
The clients who need this the most are exactly the ones MSPs already serve: UK businesses with government contracts that require Cyber Essentials certification, regulated industries that need continuous evidence, and growing companies whose networks change faster than their compliance posture can keep up.
What You Need to Get Started
Automating CE+ audits for Meraki networks requires three things:
- A read-only Meraki API key. Generate one from the Meraki Dashboard under your user profile. The key only needs read access — compliance auditing never writes to or modifies your network configuration.
- Your Meraki Organisation ID. This identifies which org to scan. If you manage multiple orgs, each gets its own scan with its own compliance scorecard.
- A tool that maps API data to compliance controls. This is the hard part — and it is what we built MerakiGuard to do.
MerakiGuard connects to your Meraki organisation, pulls the full configuration via API, and evaluates every relevant setting against the five CE+ controls. You get a compliance score, per-check pass/fail results with evidence, remediation guidance for every failure, and a PDF report you can hand to your assessor or your client.
No agents to install. No firewall changes. No write access to your network. Just a read-only API key and two minutes.