Multiple monitors displaying source code in a dark office

Home / IT Security / Security Assessment

You cannot prioritize what you have not measured.

Asset inventory, configuration review and risk analysis — ending in a short, ranked plan of what to fix first and why.

What this is

The starting point of every serious security program — and the cheapest mistake-preventer we sell.

A 300-page report of automated findings is not an assessment. It is a scan with a cover page.

An assessment answers four questions in plain language: what do you actually have, what is most critical to the business, where are the weaknesses an attacker would use, and what should be fixed first given a finite budget. Everything in the deliverable serves one of those four.

We assess against published baselines — CIS Controls v8.1 and NIST CSF 2.0 — so the result is comparable and defensible, not a matter of taste. And we write it twice: once for your engineers, once, in one page, for whoever signs the checks.


How it runs

Two to four weeks for a typical 10–250-person environment. Mostly read-only; nothing changes without your sign-off.

You get findings as we confirm them — not a silence followed by a PDF. If we find something urgent in week one, you hear about it in week one.

01 — SCOPE

Agree the question

Which systems, which locations, which threats worry you, and what the business cannot afford to lose.

02 — INVENTORY

Find everything

Servers, endpoints, cloud accounts, SaaS, identities, data stores — including the ones nobody remembered.

03 — EXAMINE

Review & verify

Configurations against CIS baselines, access rights, patching reality, backup reality, exposure from the internet.

04 — RATE

Analyze risk

Likelihood against business impact, rated honestly — including the risks we suggest you accept.

05 — REPORT

Rank the fixes

A prioritized remediation plan with effort estimates, quick wins separated from projects.

What we examine

The short version. Scope is agreed in writing before we start.

  • Internet-facing exposure: what an attacker sees first
  • Identity: MFA coverage, admin accounts, leaver access
  • Endpoint and server configuration vs. CIS Benchmarks
  • Patching: policy versus what is actually installed
  • Backups: existence, isolation, and evidence of restores
  • Network segmentation and remote access paths
  • Microsoft 365 / Google Workspace tenant configuration
  • Cloud accounts: IAM, public storage, logging
  • Logging and detection: what would you even see?
  • Vendor and SaaS access into your environment
  • Data: where the crown jewels live and who reaches them
  • Existing policies versus observed practice
What you receive

Fixed deliverables, agreed before we start.

Executive summary
One to two pages. The posture, the top risks in business terms, and the recommended spend order. Written for a non-technical reader without being padded.
Technical findings
Each finding with evidence, affected systems, realistic impact, and a concrete fix — verified by a person, not pasted from a scanner.
Asset & access inventory
The systems, accounts and data stores we found, including unmanaged ones. Usually worth the fee by itself.
Remediation roadmap
Ranked by risk and effort: what to do this week, this quarter, this year — and what to consciously accept.
Baseline for re-testing
A scored snapshot against CIS Controls, so next year's assessment measures progress instead of restating problems.

Afterwards

Three honest paths. All three are fine with us.

A

You fix it yourself

The report is written so your team or your existing provider can execute it. We answer questions for free for 30 days.

B

We fix the top items

A fixed-scope remediation project on the highest-risk findings, then a verification pass to confirm they are closed.

C

We take it on managed

The roadmap becomes the first quarter of a managed engagement, with the assessment as the documented starting line.

Measured against

Published baselines, so the result is checkable.

CIS Controls v8.1CIS BenchmarksNIST CSF 2.0NIST SP 800-53ISO/IEC 27001CISA Cyber Performance Goals

When were you last assessed by someone with no product to sell you?

We do not resell licenses, so the findings have no sales quota behind them. Tell us roughly what you run and we will scope it.

Contact us
Response
Within one business day
Typical duration
Two to four weeks, mostly read-only