
Home / IT Security / Security Assessment
You cannot prioritize what you have not measured.
Asset inventory, configuration review and risk analysis — ending in a short, ranked plan of what to fix first and why.
The starting point of every serious security program — and the cheapest mistake-preventer we sell.
A 300-page report of automated findings is not an assessment. It is a scan with a cover page.
An assessment answers four questions in plain language: what do you actually have, what is most critical to the business, where are the weaknesses an attacker would use, and what should be fixed first given a finite budget. Everything in the deliverable serves one of those four.
We assess against published baselines — CIS Controls v8.1 and NIST CSF 2.0 — so the result is comparable and defensible, not a matter of taste. And we write it twice: once for your engineers, once, in one page, for whoever signs the checks.
Two to four weeks for a typical 10–250-person environment. Mostly read-only; nothing changes without your sign-off.
You get findings as we confirm them — not a silence followed by a PDF. If we find something urgent in week one, you hear about it in week one.
Agree the question
Which systems, which locations, which threats worry you, and what the business cannot afford to lose.
Find everything
Servers, endpoints, cloud accounts, SaaS, identities, data stores — including the ones nobody remembered.
Review & verify
Configurations against CIS baselines, access rights, patching reality, backup reality, exposure from the internet.
Analyze risk
Likelihood against business impact, rated honestly — including the risks we suggest you accept.
Rank the fixes
A prioritized remediation plan with effort estimates, quick wins separated from projects.
The short version. Scope is agreed in writing before we start.
- Internet-facing exposure: what an attacker sees first
- Identity: MFA coverage, admin accounts, leaver access
- Endpoint and server configuration vs. CIS Benchmarks
- Patching: policy versus what is actually installed
- Backups: existence, isolation, and evidence of restores
- Network segmentation and remote access paths
- Microsoft 365 / Google Workspace tenant configuration
- Cloud accounts: IAM, public storage, logging
- Logging and detection: what would you even see?
- Vendor and SaaS access into your environment
- Data: where the crown jewels live and who reaches them
- Existing policies versus observed practice
Fixed deliverables, agreed before we start.
- Executive summary
- One to two pages. The posture, the top risks in business terms, and the recommended spend order. Written for a non-technical reader without being padded.
- Technical findings
- Each finding with evidence, affected systems, realistic impact, and a concrete fix — verified by a person, not pasted from a scanner.
- Asset & access inventory
- The systems, accounts and data stores we found, including unmanaged ones. Usually worth the fee by itself.
- Remediation roadmap
- Ranked by risk and effort: what to do this week, this quarter, this year — and what to consciously accept.
- Baseline for re-testing
- A scored snapshot against CIS Controls, so next year's assessment measures progress instead of restating problems.
Three honest paths. All three are fine with us.
You fix it yourself
The report is written so your team or your existing provider can execute it. We answer questions for free for 30 days.
We fix the top items
A fixed-scope remediation project on the highest-risk findings, then a verification pass to confirm they are closed.
We take it on managed
The roadmap becomes the first quarter of a managed engagement, with the assessment as the documented starting line.
Published baselines, so the result is checkable.
When were you last assessed by someone with no product to sell you?
We do not resell licenses, so the findings have no sales quota behind them. Tell us roughly what you run and we will scope it.
Contact us- info@bstedge.com
- Response
- Within one business day
- Typical duration
- Two to four weeks, mostly read-only