Beyond the external scan — a full authenticated assessment.
The free passive external scan gives a score in 60 seconds. The full assessment authenticates against your tenant, validates with evidence, and produces a roadmap your board can approve.
What's included in a full assessment
Authenticated identity review
Microsoft Entra / Okta / Google Workspace — Conditional Access, MFA coverage, privileged access, service accounts, guest sprawl, sign-in risk.
Endpoint posture sampling
Live agent telemetry from EDR, OS version, patch state, disk encryption, application allowlisting. Sampled across user, server, and BYO tiers.
Email + DNS deep-dive
SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI maturity. Plus message-trace forensics, anti-phishing policy, attachment filtering, impersonation rules.
Policy + procedure review
Acceptable use, BYOD, vendor management, incident response, data classification, retention. Compared against your industry baseline.
Findings register with evidence
Each finding has a unique ID, evidence hash, severity, likelihood, business impact, technical impact, recommended remediation, estimated effort, validation steps.
Prioritized roadmap with budget
P1 (≤7 days) · P2 (≤30 days) · P3 (30-90 days) · P4 (90-180 days). Each item costed against typical implementation effort.
How the engagement runs
Scope + authorization
- Rules of engagement signed
- Read-only tenant access provisioned
- Asset list and crown-jewel review
- Communication channels and escalation contacts
Evidence collection
- Configuration export from tenants
- Endpoint sampling
- DNS, email, and web posture validation
- Policy and procedure review
Synthesis + draft report
- Findings register with evidence hashes
- MITRE ATT&CK mapping where applicable
- Standards mapping (NIST CSF, ISO 27001, CIS Controls)
- Internal peer review of critical / high findings
Delivery + handoff
- Executive presentation
- Dual-layer PDF report (Executive + Technical)
- Remediation roadmap with budget
- Re-test plan and validation criteria
What the deliverable looks like
Per-category scores, an overall posture grade, and a prioritized finding example. Sample shown, anonymized.
Recommended: move to p=quarantine within 14 days after a 30-day aggregate-report review, then to p=reject. Owner: IT lead. Effort: 2 hours.
Standard versions should be verified from the official source before contractual reliance.
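The sample finding above recommends stepping a domain through the DMARC rollout stages (p=none with aggregate reports, then p=quarantine, then p=reject). The following is an added example, not the assessment's own tooling: an offline DMARC record parser and maturity grader that reports which stage a published record is at and what the next step in that rollout would be. The record strings, the example.test mailbox and the pct-ramp rule are constructed assumptions; no DNS lookup is performed.

```python
"""Offline DMARC record parser and rollout-stage grader (added example).

Takes the text of a _dmarc.<domain> TXT record and reports where the domain
sits on the none -> quarantine -> reject rollout. All records below are
constructed samples, not real domains' data.
"""

# Constructed sample records (assumption: example.test is a placeholder zone).
SAMPLE_RECORDS = {
    "example-none": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "example-quarantine": ("v=DMARC1; p=quarantine; pct=50; "
                           "rua=mailto:dmarc@example.test; ruf=mailto:fail@example.test"),
    "example-reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test",
    "example-broken": "v=DMARC1 p=reject",  # missing ';' separator, so p= is never parsed
}

# Enforcement rank of the p= tag values defined by RFC 7489.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_maturity(record: str) -> dict:
    """Grade a record and name the next rollout step.

    Returns valid, policy, level (0-2), pct, notes and next_step. The pct ramp
    (raise pct to 100 before moving on) is this example's assumption.
    """
    tags = parse_dmarc(record)
    notes = []
    result = {"valid": False, "policy": None, "level": 0, "pct": 100,
              "notes": notes, "next_step": ""}
    bootstrap = "publish v=DMARC1; p=none; rua=<mailbox> and collect 30 days of aggregate reports"

    if tags.get("v") != "DMARC1":
        notes.append("not a well-formed DMARC1 record")
        result["next_step"] = bootstrap
        return result
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        notes.append("missing or unknown p= tag; receivers treat the record as unusable")
        result["next_step"] = bootstrap
        return result

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not an integer; assuming the default of 100")
    pct = max(0, min(100, pct))
    result.update(valid=True, policy=policy, level=POLICY_RANK[policy], pct=pct)

    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so the 30-day review cannot happen")
    if pct < 100:
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "sp" not in tags:
        notes.append(f"no sp= tag: subdomains inherit p={policy}")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        notes.append("relaxed DKIM/SPF alignment (adkim/aspf default to r)")

    # Staged rollout: none -> quarantine -> reject, with pct raised to 100 at each stage.
    if policy == "none":
        result["next_step"] = "p=quarantine after a 30-day aggregate-report review"
    elif pct < 100:
        result["next_step"] = f"raise pct to 100 at p={policy}"
    elif policy == "quarantine":
        result["next_step"] = "p=reject"
    else:
        result["next_step"] = "maintain p=reject; keep reviewing aggregate reports"
    return result


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        r = dmarc_maturity(record)
        print(f"{name:20} valid={r['valid']!s:5} p={r['policy']} pct={r['pct']} -> {r['next_step']}")
        for note in r["notes"]:
            print(f"{'':20}   note: {note}")
```

Run it as a script to see all four constructed records graded; in practice the record text would come from a DNS export collected during the evidence step, so the grader's output can be tied to an evidence ID rather than to a live lookup.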
Questions before we start.
How is this different from the free 60-second scan?
The free scan is passive and external — public DNS, mail, and TLS only. The full assessment authenticates against your tenant, samples endpoints, reviews policies, and maps findings to compliance frameworks with evidence. The free scan gives a score; the full assessment gives a defensible report.
Do you exploit anything during the assessment?
No exploitation is attempted in a standard assessment engagement. Further validation requires written authorization. If exploitation is in scope, that's a separate red-team engagement with explicit rules of engagement.
What credentials do you need?
Read-only auditor or global-reader equivalent on the tenants in scope. Sample-level endpoint access via your existing EDR or MDM. We never request, store, or use end-user passwords.
Will the findings hold up in front of an auditor?
Every finding is anchored to a specific evidence ID and SHA-256. Reproduction steps in the report can be re-run independently from the recorded artifacts at any time. This is the same standard that survives SOC 2 Type II and ISO 27001 audit cycles.
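The answer above says each finding is anchored to an evidence ID and a SHA-256 so reproduction steps can be re-run from the recorded artifacts. As an added example (not the assessment's own register format), here is a minimal evidence-anchored findings register: artifacts are hashed once at collection time, findings reference them by ID, and a verifier recomputes every hash before any reproduction step is trusted. The artifact contents, evidence IDs (EV-0001 style) and finding IDs (FND-001 style) are constructed placeholders.

```python
"""Evidence-anchored findings register with integrity verification (added example).

Artifacts are hashed with SHA-256 when collected; findings cite them by evidence
ID; verify_register() recomputes the hashes so a reviewer can tell whether the
recorded artifacts are still the ones the findings were written against.
"""
import hashlib
import json

# Constructed artifacts standing in for a DNS TXT export and a policy export.
ARTIFACTS = {
    "EV-0001": b'_dmarc.example.test. 300 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.test"\n',
    "EV-0002": json.dumps({"displayName": "Require MFA for all users", "state": "disabled"},
                          sort_keys=True).encode(),
}

# Constructed findings; each cites one or more evidence IDs and a validation step.
FINDINGS = [
    {"id": "FND-001", "title": "DMARC policy is p=none", "severity": "High",
     "evidence": ["EV-0001"], "validation": "re-parse EV-0001 and confirm the p= value"},
    {"id": "FND-002", "title": "MFA Conditional Access policy is disabled", "severity": "Critical",
     "evidence": ["EV-0002"], "validation": "re-parse EV-0002 and confirm state == enabled"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_register(artifacts: dict) -> dict:
    """Record the SHA-256 and byte length of every artifact at collection time."""
    return {eid: {"sha256": sha256_hex(data), "bytes": len(data)}
            for eid, data in artifacts.items()}


def register_manifest_hash(register: dict) -> str:
    """Hash of the canonical (sorted-key) JSON register, suitable for the report cover."""
    canonical = json.dumps(register, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_register(register: dict, artifacts: dict) -> dict:
    """Return {evidence_id: 'ok' | 'tampered' | 'missing'} for every registered artifact."""
    status = {}
    for eid, entry in register.items():
        data = artifacts.get(eid)
        if data is None:
            status[eid] = "missing"
        elif sha256_hex(data) != entry["sha256"] or len(data) != entry["bytes"]:
            status[eid] = "tampered"
        else:
            status[eid] = "ok"
    return status


def reproducible_findings(findings: list, register: dict, artifacts: dict) -> list:
    """IDs of findings whose cited evidence all verifies 'ok'; only these may be re-run."""
    status = verify_register(register, artifacts)
    return [f["id"] for f in findings
            if all(status.get(eid) == "ok" for eid in f["evidence"])]


if __name__ == "__main__":
    register = build_register(ARTIFACTS)
    print("manifest sha256:", register_manifest_hash(register))
    print("intact at delivery:", reproducible_findings(FINDINGS, register, ARTIFACTS))
    # Simulate a later re-test where one artifact was edited after collection.
    altered = dict(ARTIFACTS, **{"EV-0002": ARTIFACTS["EV-0002"].replace(b"disabled", b"enabled")})
    print("status after edit:", verify_register(register, altered))
    print("still reproducible:", reproducible_findings(FINDINGS, register, altered))
```

The design point is that the register is built once from the collected bytes and never from re-fetched data: a finding whose artifact fails verification is flagged rather than silently re-validated against whatever the tenant looks like today.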
Start with your domain.
Free passive external assessment. 60 seconds. No signup to start.