Skip to main content

Cloud Security & Identity Review

Where an attacker gets into your Microsoft tenant, found before they do.

A fixed-fee assessment of your Entra ID, Conditional Access, and exposure across Microsoft 365 and Azure. You get the gaps ranked by how an attacker would use them, with the remediation your team can act on.

Fixed fee
€7,500
Duration
2 weeks
Format
Remote-first

At a glance

Fixed fee
€7,500
Duration
2 weeks
Format
Remote-first
Fee credit
Creditable in full within 8 weeks
Markets served
DACH and Benelux

Who it's for

  • A cyber-insurance renewal or a customer audit is asking for your identity and access posture in writing.
  • You turned on Microsoft 365 and Azure over years and no one has read the whole attack surface since.
  • You had a near-miss, or a peer in your sector did, and you want an independent read before the next one.
  • A recent breach at a peer company, or in the news, moved this from someday to this quarter on your risk register.
  • You are renewing cyber insurance and the underwriter is asking harder questions about identity controls than last year.

Scope and format

Two weeks, remote-first, with one optional on-site working session. We assess your identity and access setup in Entra ID, your Conditional Access and MFA coverage, privileged access and PIM, your exposure across Microsoft 365 and Azure, your Key Vault and secrets posture, and your backup and recovery position. We map the gaps to how an attacker would chain them. Senior architects do the work, one AZ-500 certified, with Zero Trust and PKI delivery across IT and OT behind them. That IT/OT programme is running at €750,000 a year in avoided spend, on a live production estate, not a proof of concept. You give us read-only access to the tenant in scope and one point of contact.

What you get

Identity and access assessment

Your Entra ID, Conditional Access, MFA, and privileged access posture, with the gaps named.

Attack-path read

The gaps ranked by how an attacker would chain them, not by tool severity score alone.

Exposure across Microsoft 365 and Azure

The data, sharing, and configuration exposure across the estate, per workload.

Guest and external access audit

Every guest account and external sharing link across Microsoft 365, checked against who actually still needs it.

Prioritised remediation backlog

Every finding ranked by risk and effort, written so your team can pick it up without us.

Readout session

A working session with your team to walk the findings and agree what gets hardened first.

Pricing

A fixed fee of €7,500. The scope above is the scope.

The full fee is creditable against a follow-on remediation or platform engagement booked within eight weeks of the readout.

Where your data sits

We work in your tenant with read-only access scoped to the review and revoked on completion. No data leaves your environment. Where data residency matters, the review covers your configuration in the Germany West Central Azure region, and we sign your data processing agreement before we start.

Governance & compliance

  • Read-only access, scoped to the review and revoked on completion.
  • No exploitation or changes to live systems. This is an assessment, not a penetration test.
  • GDPR Article 32 security-of-processing obligations assessed as part of the review.
  • A signed data processing agreement before kickoff, and findings documented to the standard your auditor cites.
Read our governance approach

Common questions

How long does it take?

Two weeks, from access granted to the readout session.

Is this a penetration test?

No. This is a configuration and identity posture assessment. We read how the tenant is set up and where the gaps are; we do not exploit them against live systems. A pen test answers a different question, and we can point you to one if that is what you need.

How is this different from the Azure Architecture Review?

The Azure Architecture Review scores the whole estate against the five Well-Architected pillars, security being one. This review goes deep on identity and the Microsoft attack surface alone. Start here when security is the question driving you.

Do you fix the gaps too?

The review hands your team a ranked backlog. If you want us to do the remediation, the fee is creditable in full against that engagement if you book within eight weeks.

Who actually does the work?

Senior architects, not an analyst reading a vulnerability scanner's output. The lead on identity and access work is AZ-500 certified and has delivered Zero Trust and PKI programmes across IT and OT environments. The person who runs the assessment is the person who sits in your readout session.

Does this cover our OT environment too?

Not in scope here. This review covers Entra ID, Microsoft 365, and Azure, the cloud tenant, not operational technology. OT/IT boundary architecture is a separate question, and if that is what you are actually asking, our Zero Trust and PKI work spans both IT and OT so we can scope that as its own engagement.

What happens if you find something critical before the readout?

We tell you immediately, not at the two-week mark. This is a read-only assessment, so we cannot fix it for you on the spot, but if we find an exposed credential or a Conditional Access gap that is actively exploitable, you hear about it the same day, in writing, ahead of the full report.

Does the review include our email security and phishing defences?

Yes, as part of the Microsoft 365 exposure read: mail flow rules, external sender tagging, and Defender for Office 365 policy configuration are in scope. Simulated phishing campaigns are not; that is a separate exercise if you want one run.

Can the review run on a tenant with multiple domains or subsidiaries?

Yes, as long as they sit in the same Entra ID tenant. Separate tenants for separate subsidiaries usually need a short scoping call to size the two weeks correctly.

What certifications back the findings if our auditor asks?

The lead architect on identity work holds AZ-500. Findings are written against named controls, a CIS benchmark item or a GDPR Article 32 obligation, so your auditor can trace each one back to a standard, not just to our judgment.

Request the review