Skip to content

Your cloud is only as safe as its settings.

A focused review of your Microsoft 365 and cloud configuration to close the gaps default settings leave open.

One-time reviewMicrosoft 365Azure / AWS add-onPrioritized fixes

Your cloud is configured — but is it configured securely?

Most businesses moved to Microsoft 365 for productivity, not security. The default settings are built to get you working fast, not to protect you. MFA might be on for some accounts but not all. External sharing might be wide open. Admin accounts might have no conditional access. Old, weak sign-in methods might still be allowed.

These are not exotic flaws. They are everyday configuration gaps, and they are the first thing an attacker looks for. A review tells you exactly where you stand and what to do about it.

What we review

We examine your cloud environment across the areas that matter most. We start with Microsoft 365 — where most teams live — and extend into Azure or AWS when those platforms are part of your setup.

  • MFA and admin access — are all accounts protected, especially admin and service accounts?
  • Email security and anti-phishing — SPF, DKIM, DMARC, and safe-attachment rules
  • External sharing and guest access — who can share what, with whom, outside your organization?
  • Device compliance and endpoint posture — are devices meeting a sensible baseline?
  • Logging and alerting — are you capturing the right events and getting notified when they matter?
  • A findings report with plain-English severity ratings (critical, high, medium, low)
  • A prioritized remediation plan with step-by-step guidance
  • An executive summary written for leadership, not just IT

How a review fits the bigger picture

A cloud security review is a focused, one-time engagement. For businesses that want ongoing oversight, the review is included in the first 30 days of a vCISO retainer at no extra cost — because understanding your cloud configuration is the starting point for managing a security program well.

It also pairs naturally with a broader security assessment. The review tells you whether your cloud is set up safely; an assessment looks across your wider environment. Both feed the same prioritized plan, so you are not left with two disconnected lists.

Frequently asked questions

Yes — we need read-only admin access to review your configuration. We give you specific instructions for granting temporary access, and you can revoke it as soon as the review is complete. We never change your environment without your approval.

Our standard review is built for Microsoft 365 environments. If you're on Google Workspace, we can talk through a custom engagement, but the review framework is tuned for the Microsoft stack first.

Usually one to two weeks from the time we get access to the findings report. The review itself takes a few days; the rest is documenting what we found and building the remediation plan.

We hand you a remediation plan with step-by-step guidance, and your IT team or managed services partner makes the changes. For vCISO retainer clients, we coordinate the work with your IT team as part of the retainer. For one-time engagements, we can provide implementation oversight if you want a second set of eyes.

No. A cloud security review is focused on how your Microsoft 365 and cloud platforms are configured. A security assessment looks more broadly across your network, endpoints, and processes. Many businesses pair the two for fuller coverage, and both feed the same prioritized plan.

Want to talk it through?

Every engagement starts with a working conversation, not a pitch. We learn about your business, you tell us what’s on your mind, and we tell you honestly whether we are the right fit.