Manual vs Automated Meraki Compliance Auditing

Two approaches to proving your Meraki networks meet compliance standards. One takes days. The other takes minutes. Here is everything you need to know.

February 2026 · 10 min read

The Traditional Approach: Manual Meraki Audits

For most IT teams and managed service providers, a Meraki compliance audit starts the same way: somebody opens a browser, logs into the Meraki Dashboard, and begins clicking through configuration pages one at a time.

The process is familiar and tedious in equal measure. You start with the security appliance — checking L3 and L7 firewall rules, reviewing port forwarding entries, verifying NAT mappings. Then you move to wireless, inspecting each SSID for encryption settings, authentication modes, and whether unused networks are properly disabled. Next come the switches: VLAN assignments, trunk configurations, port security. Finally, you audit the organisation-wide settings — admin accounts, two-factor enforcement, firmware versions, API access.

At each step, the process is the same. Navigate to the page. Read the setting. Take a screenshot. Paste it into a Word document or spreadsheet. Add a note explaining what the setting is and why it matters. Move on.

For a single Meraki organisation with one or two networks, this takes two to five days of focused work depending on complexity. The steps break down roughly like this:

  1. Scoping and preparation. Identify which networks, devices, and settings fall within the audit boundary. Gather the compliance standard you are auditing against — whether that is Cyber Essentials+, PCI-DSS, NIST, or an internal policy. Build a checklist mapping each control to the corresponding Meraki configuration.
  2. Evidence collection. Log into the Meraki Dashboard for each organisation. Navigate to every relevant configuration page. Screenshot each setting. For organisations with multiple networks, repeat the process per network. This is where the bulk of time is spent.
  3. Documentation. Organise screenshots and notes into a structured report. Map each finding to the relevant compliance control. Flag deviations and write remediation recommendations. Format the document for handoff to auditors or stakeholders.
  4. Review and remediation. Walk through findings with the network team. Prioritise fixes. Implement changes. Then go back and re-verify the updated settings to confirm remediation worked.

The real cost is not just the hours. It is the opportunity cost. A senior network engineer spending three days taking screenshots is a senior network engineer who is not designing, optimising, or troubleshooting. The work is important, but the execution is mechanical. It does not require expertise to take a screenshot of a firewall rule — it requires expertise to know whether the rule is correct.

Then there is the consistency problem. When two different engineers audit the same network, they produce different reports. One might flag an overly broad firewall rule as a finding; the other might miss it. One might check firmware versions against the latest stable release; the other might compare against whatever version they remember seeing last. Manual audits are only as reliable as the person performing them on that particular day.

What Automated Compliance Auditing Looks Like

Automated Meraki compliance auditing takes a fundamentally different approach. Instead of a human navigating the dashboard and taking screenshots, software connects directly to the Meraki Dashboard API and pulls every relevant configuration setting programmatically. The raw configuration data is then evaluated against a predefined set of compliance checks — each one mapped to a specific control within a recognised standard.

The workflow is short enough to describe in three steps:

  1. Connect. Provide a read-only Meraki API key. The tool authenticates to the Meraki Dashboard API and identifies the organisations and networks accessible with that key. No agents to install, no firewall rules to open, no write access required.
  2. Scan. Click a button. The tool queries dozens of API endpoints — firewall rules, SSID settings, switch port configurations, admin accounts, firmware versions, security features, and more. Every setting that is relevant to compliance is pulled in a single sweep.
  3. Report. Within minutes, you receive a compliance scorecard showing a pass or fail result for each check, grouped by control area. Failed checks include the specific evidence value that caused the failure and guidance on what to change. The full results are available as a downloadable PDF report.

The entire process — from connecting an API key to viewing a complete compliance scorecard — takes under two minutes per organisation. Not two days. Two minutes.

Because the checks are codified, they are also perfectly consistent. The same configuration produces the same result every time. There is no variation based on who ran the scan, what day it was, or whether someone was rushing to finish before a deadline. The logic is deterministic: a firewall rule either matches the compliance requirement or it does not.

This consistency also makes it straightforward to track changes over time. Run a scan today, run another scan next month, and compare the two. Did someone add a permissive firewall rule? Did a new SSID get created without WPA3? Did an admin account lose its MFA requirement? Automated scanning surfaces configuration drift the moment it happens — not six months later when the annual audit comes around.
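The codified checks and scan-to-scan comparison described above can be sketched as follows. This is an added example, not MerakiGuard's code: the check IDs, pass/fail policies and sample data are assumptions, and the field names are modelled on Meraki Dashboard API responses.

```python
import copy

# Constructed sample config. Field names are modelled on Meraki Dashboard API
# responses; the pass/fail policy in each check is an assumption for illustration.
BASELINE = {
    "ssids": [{"name": "Corp", "enabled": True, "authMode": "psk",
               "wpaEncryptionMode": "WPA3 only"}],
    "l3_rules": [{"comment": "Web out", "policy": "allow", "protocol": "tcp",
                  "destPort": "443", "destCidr": "Any"}],
    "admins": [{"email": "ops@example.com", "twoFactorAuthEnabled": True}],
}

# A later scan of the same organisation after three unreviewed changes (constructed).
LATER = copy.deepcopy(BASELINE)
LATER["ssids"].append({"name": "Guest", "enabled": True, "authMode": "open"})
LATER["l3_rules"].append({"comment": "temp", "policy": "allow", "protocol": "any",
                          "destPort": "Any", "destCidr": "Any"})
LATER["admins"].append({"email": "temp@example.com", "twoFactorAuthEnabled": False})

def ssids_without_wpa3(cfg):
    """Enabled SSIDs whose WPA mode is missing or older than WPA3."""
    return [s["name"] for s in cfg["ssids"] if s["enabled"]
            and not s.get("wpaEncryptionMode", "").startswith("WPA3")]

def allow_any_rules(cfg):
    """Allow rules that match every destination and every port."""
    return [r["comment"] for r in cfg["l3_rules"] if r["policy"] == "allow"
            and r["destCidr"].lower() == "any" and r["destPort"].lower() == "any"]

def admins_without_2fa(cfg):
    """Admin accounts that do not have two-factor authentication enabled."""
    return [a["email"] for a in cfg["admins"] if not a["twoFactorAuthEnabled"]]

CHECKS = {"ssid-wpa3": ssids_without_wpa3,
          "fw-no-allow-any": allow_any_rules,
          "admin-2fa": admins_without_2fa}

def scan(cfg):
    """Run every check; the offending values become the evidence for a fail."""
    out = {}
    for check_id, fn in CHECKS.items():
        evidence = sorted(fn(cfg))
        out[check_id] = {"status": "fail" if evidence else "pass", "evidence": evidence}
    return out

def drift(old, new):
    """Checks whose status or evidence differs between two scan results."""
    return {cid: new[cid] for cid in new if old.get(cid) != new[cid]}

if __name__ == "__main__":
    for cid, res in drift(scan(BASELINE), scan(LATER)).items():
        print(cid, res["status"], res["evidence"])
```

Because each result carries its evidence values, comparing two stored scans shows which setting changed as well as which check flipped.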

Side-by-Side Comparison

The differences become stark when you put the two approaches next to each other across the dimensions that matter most.

| Factor | Manual Audit | Automated Scan |
|---|---|---|
| Time per org | 2–5 days of engineer time | Under 2 minutes |
| Evidence quality | Screenshots with manual annotations; prone to missed settings and out-of-date captures | Machine-readable config values pulled directly from API; timestamped and complete |
| Consistency | Varies by engineer, by day, by attention span; two people may produce different findings from the same network | Deterministic; identical config always produces identical results regardless of who runs it |
| Multi-org scaling | Linear increase in time; 10 orgs means 10x the effort with no shortcuts | Near-constant time per org; scanning 10 orgs takes roughly the same per-org effort as scanning 1 |
| Cost | Senior engineer time at £50–150/hr; external consultants at £800–2,000+ per assessment | Fixed subscription cost; unlimited scans at a fraction of a single consultant engagement |
| Drift detection | None between assessments; compliance is only verified at the point of audit | Continuous; rescan at any cadence to catch changes as they happen |

Manual Reality

  - Screenshots go stale the moment after you take them
  - No audit trail between annual assessments
  - Findings depend on who does the work
  - Remediation requires a second round of screenshots

Automated Reality

  - Evidence is always current to the moment of the scan
  - Scan weekly, monthly, or on-demand — your choice
  - Codified checks produce repeatable results
  - Rescan after remediation to instantly verify fixes

When Manual Auditing Still Makes Sense

Automated scanning is not a replacement for every aspect of compliance work. There are scenarios where manual review remains essential, and it is worth being honest about them.

Initial policy development. Before you can audit against a standard, someone needs to interpret that standard and decide what it means for your specific environment. What constitutes an acceptable firewall rule? Which VLAN topology meets your segmentation requirements? These are architectural decisions that require human judgement and domain expertise. Automated tooling can tell you whether your configuration matches a defined policy, but it cannot write the policy for you.

Complex hybrid environments. If your network includes non-Meraki gear — Palo Alto firewalls, Aruba switches, legacy infrastructure — an automated Meraki scan only covers part of the picture. The compliance boundary extends beyond what the Meraki API can see. In these cases, manual review is necessary for the components that are not API-accessible, and the automated scan covers the Meraki estate.

Regulatory conversations. When an auditor or regulator asks probing questions about your security posture, they want to speak to a person, not read a machine-generated report. Automated evidence strengthens those conversations — being able to produce a detailed compliance scorecard on demand is impressive — but it does not replace the need for a knowledgeable human who can explain the reasoning behind configuration decisions.

Exceptions and compensating controls. Every real-world environment has exceptions. A port forwarding rule that technically violates a compliance check might be justified by a documented business need and a compensating control. Automated scanning flags the deviation; human review determines whether the exception is acceptable. The best approach combines both: let the tool find every non-conformance, then apply human judgement to classify each one.

The MSP Multiplier

The case for automation becomes overwhelming when you look at it through the lens of a managed service provider. MSPs do not audit one Meraki organisation. They audit ten, twenty, fifty. The economics of manual auditing simply do not scale.

Consider an MSP managing 15 Meraki clients, each with their own Meraki organisation. A manual audit takes an average of 3 days per organisation. That is 45 days of engineer time to complete a single round of compliance audits across the client base. At a conservative blended cost of £80 per hour, those 45 days represent over £28,000 in labour costs per audit cycle.

With automated scanning, the same 15 organisations can be audited in an afternoon. Connect each API key once, run scans across all organisations, and review the scorecards. The time shifts from evidence collection — which is mechanical — to remediation guidance — which is where the MSP actually adds value.

This changes the commercial model too. Manual auditing is expensive to deliver, which means MSPs either charge high fees for compliance services (limiting uptake) or absorb the cost and deliver compliance work at a loss. Automated tooling makes compliance-as-a-service commercially viable at scale. Monthly compliance reports, continuous drift monitoring, and on-demand evidence generation become standard service inclusions rather than expensive add-ons.

The clients who need this the most are exactly the ones MSPs already serve: UK businesses with government contracts that require Cyber Essentials+ certification, organisations handling payment card data that must demonstrate PCI-DSS compliance, and growing companies whose networks change faster than their compliance posture can keep up.

The maths is simple. If you spend 3 days per client and manage 15 clients, you are spending 45 days a year on evidence gathering alone. Automated scanning gives you those 45 days back.

How MerakiGuard Automates Meraki Compliance

MerakiGuard was built specifically to solve this problem. It connects to the Cisco Meraki Dashboard API using a read-only API key, pulls the complete network configuration, and evaluates it against recognised compliance standards.

Here is what it covers:

The setup takes less than a minute. Generate a read-only API key from your Meraki Dashboard, add your organisation in MerakiGuard, and run your first scan. There are no agents to deploy, no firewall changes to make, and no complex integration work. If you have a Meraki API key, you are ready to go.

Manual auditing served the industry well when there was no alternative. But the Meraki Dashboard API has matured to the point where every compliance-relevant setting is available programmatically. The evidence is already there in machine-readable form. The question is whether you want to spend days extracting it by hand or minutes extracting it with software.

For most teams, the answer is obvious.
