Maester exists to make cloud security testing open, reusable, and available to everyone.
The core idea is simple: security guidance should not only be written down. It should be executable. If a setting matters, if a risky default is buried ten pages deep in a portal, or if a standard says something should be configured a certain way, people should be able to run a test, see the result, understand the rationale, and improve.
This should not require a large budget, a specialist team, or access to expensive tooling. Individual admins, small security teams, nonprofits, schools, startups, and organizations in developing nations deserve useful security checks, too.
Maester is open source and will remain open source.
The core framework will remain free. The included core tests will remain free. Running Maester locally in your own environment will remain free.
Anyone should be able to take Maester, install it, inspect it, adapt it, run it, and use it in their own workflows. That includes individual admins, internal security teams, consultants, MSPs, vendors, auditors, educators, and community contributors.
An objective of the Maester project is to minimize duplication of efforts, provide a reference model across environments, and allow that model to be reused within the authority provided by the MIT license.
Community-driven, not a company-owned control point.
Commercial organizations should be able to build services around Maester without needing permission from one vendor. The healthiest version of Maester is one where many people and organizations contribute to the open core, build on it, and help improve it.
Jozra is Merill's company, and it will be one of the commercial participants building around Maester. I (Merill) will continue investing heavily in the open project while also building hosted services like Maester Cloud that make Maester easier to run and use, providing paid support, and offering commercial licensing for organizations that cannot use open source software. The open framework itself should stand on its own as a community asset.
For individuals and small teams
Maester should be something you can use without asking for budget.
For organizations building on Maester
Help fund the initiative through sponsorship, contribution, or commercial support.
Make security testing open, reusable, and available to everyone.