Assess · Cloud security
Cloud estates drift. A bucket goes public, a role gets over-scoped, a default is never changed, and no one notices until it is a finding or a breach. We assess your accounts against the CIS Benchmarks and the CSA Cloud Controls Matrix, rank what we find by exploitability and blast radius, and hand you a remediation order your engineers can act on this sprint.
Scope agreed in writing before any work. No obligation.
You moved fast onto AWS, Azure, or GCP and the security review never caught up. Nobody can say, with confidence, what your accounts currently expose. The review replaces that uncertainty with an evidenced list.
A public bucket, an exposed key, or a pentest finding has made cloud configuration suddenly urgent. You want the full picture, not just the one issue someone happened to spot.
Accounts, subscriptions, and projects have multiplied faster than the guardrails, and each is a slightly different snowflake. You need a posture read across the estate, not account by account in your head.
What you are commissioning
One named engagement from the Assess track backs this page. Scope is sized to your estate and agreed in writing before any access is granted.
Assess track
Typically 2–4 weeks, sized to the estate
Find what your cloud is actually exposing.
Best for cloud-first teams unsure what their accounts expose.
The method
We assess configuration against the CIS Benchmarks for your platforms and the CSA Cloud Controls Matrix, using read-only access scoped to what we agree. The standard is named and citable, not a consultant's personal checklist.
Public exposure, over-privileged roles and keys, unencrypted or world-readable data, missing logging, and the network paths that should not exist. The review follows where cloud risk concentrates, not a generic top-ten.
Findings are ordered by what an attacker could actually reach and how far it would spread, not by a scanner's default severity. The same misconfiguration carries a different risk in an isolated sandbox than on your production data plane, and the report says so.
Where your cloud processes personal data, the cloud-specific controls in ISO/IEC 27017 and 27018 come into scope, so the review serves your privacy obligations alongside your security ones.
Beyond the snapshot
A point-in-time posture review is useful once; cloud drifts back. Run within the Assess track, the findings set up a durable answer.
Findings land in the same risk-ranked register format as the wider diagnostic
Remediation can be delivered under Build, then the configuration held as code
Under Operate, posture is monitored continuously, so drift is caught as it happens
Questions
AWS, Azure, and Google Cloud, individually or across a multi-cloud estate, plus the identity and management layers above them. Kubernetes and the major managed services are in scope where they carry your workloads. The exact accounts and services are agreed before any access is granted.
Read-only access scoped to the accounts in scope, typically a dedicated audit role rather than standing credentials. We work to your access process, and where you would rather export the configuration yourself, we can assess from that. Nothing is changed in your environment during the review.
A posture tool produces a stream of findings; this produces a prioritised, evidenced read with the blast radius and the remediation order worked out by someone who has seen the estate. We will happily start from your tool's output and tell you which of its hundreds of alerts actually matter.
No. The review is read-only and passive by default. Where you want active validation of a specific exposure, that is agreed explicitly with rules of engagement, the same way a penetration test is scoped.
A posture findings report and a prioritised remediation order, in the same register format as the wider Assess diagnostic, so the work flows straight into remediation under Build or continuous monitoring under Operate if you choose to go further.
One conversation, then the scope and the price in writing. Your enquiry arrives already marked for cloud security posture.