Purpose: Every feature that exists across competitors in this space, organized by category. Use this to decide what opnDossier should (and shouldn't) be.
Compiled: March 17, 2026
Sources: Titania Nipper, Tufin, AlgoSec, FireMon, nipper-ng, pfFocus, pfopn-convert, and community research.
How to Read This
Each feature is listed alongside the tiers that offer it.
Tier 1 = Enterprise platforms (Tufin, AlgoSec, FireMon) — $50K–$500K+/year
Tier 2 = Nipper (Titania) — $1,900–$3,800/year
Tier 3 = Free/OSS (nipper-ng, pfFocus, ad-hoc scripts)
opnD = opnDossier current or planned
1. Configuration Parsing & Ingestion
Getting the config data in and making sense of it.
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| Parse config from file (offline) | Some | Yes | Yes | Yes | Core capability |
| Pull config directly from live device | Yes | No | No | No | Enterprise feature |
| Multi-vendor support (Cisco, Palo Alto, etc.) | Yes (120+) | Yes (20+) | Partial | No | Nipper's bread and butter |
| OPNsense config.xml parsing | No | No | No | Yes | Unique differentiator |
| pfSense config.xml parsing | No | No | No | Planned | Nobody else does this |
| Batch/bulk config ingestion | Yes | Yes | No | No | Pro/Enterprise for MSPs |
| Config history / version tracking | Yes | Resilience | No | No | "What changed?" audits |
| Continuous config monitoring | Yes | Resilience | No | No | Enterprise-only |
| Cloud security group parsing | Yes | No | No | No | Out of scope |
| Normalize to common data model | Yes | Internal | No | Planned | CommonDevice model |
2. Security Audit & Vulnerability Detection
Finding problems in the config.
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| Misconfiguration detection | Yes | Yes | Basic | Partial | Core value prop |
| Vendor hardening guide checks | Yes | Yes | No | No | Vendor-specific |
| Default/weak credential detection | Yes | Yes | Partial | No | Basic security check |
| Unused/orphaned rule detection | Yes | Yes | No | No | Rule cleanup |
| Shadowed/hidden rule detection | Yes | Basic | No | Planned (#202) | Hard to spot manually |
| Overly permissive rules (any/any) | Yes | Yes | Basic | No | Common misconfiguration |
| Redundant rule detection | Yes | Basic | No | No | Duplicate rules |
| Risk scoring / severity rating | Yes | Yes (CVSS) | No | No | Prioritization |
| Vulnerability correlation (CVE) | Some | Partial | No | No | Match against CVEs |
| Attack surface analysis | Yes | No | No | No | Enterprise-only |
| Configuration drift detection | Yes | Resilience | No | Planned (#201) | Change detection |
3. Compliance & Regulatory Frameworks
Mapping configs against standards.
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| CIS Benchmarks | Yes | Yes | No | Planned (#150) | Next big feature |
| DISA STIGs | Yes | Yes | No | Planned (Pro) | Military/government |
| NIST 800-53 | Yes | Yes | No | No | Federal controls |
| NIST 800-171 / CMMC | Yes | Yes | No | No | Defense supply chain |
| PCI-DSS | Yes | Yes | No | Planned (#204) | Wide applicability |
| HIPAA | Yes | Some | No | No | Healthcare |
| Custom compliance policies | Yes | No | No | Planned (#205) | Org-specific rules |
| Pass/fail evidence per control | Yes | Yes | No | No | Audit evidence |
| Compliance score / dashboard | Yes | Yes | No | No | Percentage compliant |
4. Reporting & Output
How findings get communicated.
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| Human-readable config summary | Yes | Yes | pfFocus | Yes | Plain English output |
| Security audit report | Yes | Yes | Basic | Partial | Core deliverable |
| PDF export | Yes | Yes | No | Planned (#207) | Client reports |
| HTML export | Yes | Yes | nipper-ng | Yes | Interactive |
| JSON / machine-readable | Some | No | No | Yes | Automation |
| SARIF export (CI/CD) | No | No | No | Planned (#209) | Differentiator |
| White-label / custom branding | Yes | Yes | No | No | Pen tester need |
| Remediation guidance | Yes | Yes | No | Planned (#206) | How to fix findings |
| Risk-prioritized findings | Yes | Yes | No | No | Most critical first |
5. Network Topology & Visualization
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| Network topology map | Yes | No | No | Planned (Later) | Visual device map |
| Traffic flow simulation | Yes | No | No | No | "What if" analysis |
| Path analysis | Yes | No | No | No | Source to destination |
| Zone segmentation modeling | Yes | No | No | No | Zone-based view |
| Multi-device correlation | Yes | No | No | No | Cross-device analysis |
6. Policy Management & Automation
Almost exclusively enterprise. Not our market.
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| Rule lifecycle management | Yes | No | No | No | Enterprise |
| Change request workflow | Yes | No | No | No | Enterprise |
| Pre-change risk analysis | Yes | No | No | No | Enterprise |
| Rule cleanup recommendations | Yes | Basic | No | No | Useful |
| Change provisioning (push) | Yes | No | No | No | Enterprise |
| ITSM integration | Yes | No | No | No | Enterprise |
7. Config Conversion & Migration
Nobody does this well. Our whitespace opportunity.
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| pfSense → OPNsense conversion | No | No | Partial (broken) | Planned | 461 upvotes on Reddit |
| OPNsense → pfSense conversion | No | No | No | Planned | Bidirectional |
| Cross-vendor migration | No | No | No | No | Very hard |
| Migration validation / pre-check | No | No | Partial | Planned | Safety check |
8. Deployment & Operations
| Feature | Tier 1 | Tier 2 | Tier 3 | opnD | Notes |
|---|---|---|---|---|---|
| Desktop app (local) | No | Yes | CLI | CLI | Local install |
| GUI (desktop) | Web | Yes | No | Planned (Wails) | Later |
| CLI interface | No | No | Yes | Yes | Primary interface |
| Air-gap / offline | Some | Yes | Yes | Yes | Critical for security |
| License key (offline) | N/A | Yes | Free | Planned | Monetization |
The Decision Matrix
| Category | Core (must have for Pro) | Stretch (maybe later) | Not Us (leave to enterprise) |
|---|---|---|---|
| Parsing | OPNsense, pfSense, offline | Cisco ASA, Fortinet | Live polling, cloud groups |
| Security Audit | Misconfig, unused rules, shadowed rules | Risk scoring, CVE matching | Attack surface, network-context |
| Compliance | CIS, STIGs, PCI-DSS, custom rules | NIST 800-171/CMMC | SOX, NERC CIP, continuous |
| Reporting | PDF, HTML, JSON, SARIF, remediation | White-label, executive summary | SIEM export, dashboards |
| Topology | — | Basic single-config topology | Multi-device, traffic sim |
| Conversion | pfSense ↔ OPNsense | Cisco → pfSense/OPNsense | Generic cross-vendor |
| Deployment | CLI, offline, license key | Desktop GUI (Wails) | Web server, multi-user, SSO |
The Bottom Line
opnDossier is Nipper for the open-source firewall world — with things Nipper doesn't do (config conversion, SARIF export, open-source transparency).
The 5–8 features that make someone pay $20/month instead of reading XML by hand:
- Parse OPNsense + pfSense configs into readable output (mostly done)
- CIS Benchmark compliance checks (the reason people buy Nipper)
- Risk-prioritized findings with remediation guidance
- PDF reports (the deliverable pen testers hand to clients)
- pfSense ↔ OPNsense config conversion (unique, validated demand)
- STIG compliance checks (government/military market)
- White-label reports (pen testers want their logo)
- Offline license key (monetization mechanism)