A one-week assessment of where your Microsoft estate actually stands against modern security baselines. Identity, endpoint, data, email, and overall posture, with a scored report and a remediation plan you can put in front of your board.
Most mid-market firms know they should have stronger security, do not know specifically what is missing, and cannot get budget for blanket 'do everything' projects. The audit produces the missing piece: a prioritised, evidenced list of where you are exposed, what the fix costs, and what the consequence of not fixing it looks like. Senior leadership can read the report and make funded decisions; IT teams can take the remediation plan and work through it; auditors and buyers running supplier due diligence can see the controls you have in place.
The audit is also the first conversation we have with most security-conscious clients. It is the cheapest, most honest way to learn what we are like to work with before committing to a larger engagement.
Five pillars, each scored against the relevant Microsoft baseline and against current threat patterns.
1. Identity
- MFA + Conditional Access design
- Privileged access management
- Dormant + guest accounts
- Identity Protection signals

2. Endpoint
- Intune enrolment + compliance
- Defender for Endpoint config
- BitLocker + app control
- OS patching cadence

3. Data
- Purview classification
- Sensitivity labels
- DLP across M365 + Teams
- Retention + oversharing

4. Email
- Anti-phishing + anti-spam
- Safe Links + Safe Attachments
- Mail flow rules
- External sender warnings

5. Posture
- Microsoft Secure Score baseline
- Audit logging configuration
- Incident response readiness
- Recent incident review
✓ Scored report covering all five pillars (red-amber-green per control area)
✓ Gap analysis vs Microsoft baseline, Cyber Essentials Plus alignment, and where relevant ISO 27001
✓ Prioritised remediation plan with effort estimates for each item
✓ Executive summary fit to share with senior leadership or the board
✓ Technical findings document your IT team can work from directly
✓ 60-minute walkthrough with one of our senior engineers
✓ 30 days of follow-up support as your team starts the remediation
Mid-market firms with Microsoft 365 Business Premium, E3, or E5 who want to know where their security position actually stands. Especially valuable if you are preparing for Cyber Essentials Plus or ISO 27001, you have grown by acquisition and inherited tenant configurations nobody fully understands, you are about to roll out Copilot (which surfaces whatever your users can already reach, so permissions, labelling and oversharing need to be in shape first), or your audit committee has asked for an independent view.
1. Monday, 30 minutes. We get read-only audit access, agree the scope, and identify any sector-specific considerations.
2. Monday to Thursday. We run discovery tooling, review configurations across the five pillars, cross-reference findings, and build the scored report.
3. Friday, 60 minutes. We walk you through the findings with your IT lead and any other stakeholders you want present.
4. 30 days. The Teams channel stays open for clarification questions as you start the remediation.
Up to 100 users: £1,200. Standard licence mix.
100–250 users: £2,200. Multi-domain ok.
250–500 users: £2,800. Includes E5 advanced features.
500+ or complex E5: £3,500. Sentinel, advanced Purview, Defender for Cloud Apps.
How much access do you need to our tenant?
Read-only audit access. A dedicated service account with the Global Reader, Security Reader, and Reports Reader roles in Entra ID, plus the equivalent read-only roles in the M365 admin centres. We do not need write access; you action the remediation after the report. Global Reader is the read-only counterpart of Global Administrator and can see most of your tenant configuration, so treat the account like any privileged account: put it under your MFA Conditional Access policy, keep it out of any other role, and disable it once the 30-day follow-up ends.
Will the audit disrupt anything?
No. Everything we do is read-only: no policies are changed and no users are affected. Our discovery tooling does generate sign-in and read activity, all logged against the audit account, and a new account reading configuration from an address your tenant has not seen before can show up as an unfamiliar sign-in to your monitoring. We give you the account name, the source addresses and the time window in advance so your team can recognise the activity rather than treat it as an incident.
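The two answers above describe a configuration rather than show it, so here is an added example, written for this page and not tooling from the audit itself, that does both halves from the client side: it provisions the read-only audit account with exactly the three reader roles, confirms the account holds no other directory role (directly or through a role-assignable group), and lists the sign-ins the account has generated so your SOC can check they fall inside the agreed window. It assumes the Microsoft.Graph PowerShell SDK is installed, that you run it as someone who can assign directory roles (for example Privileged Role Administrator), and uses a hypothetical account name, svc-secaudit@contoso.example, that you would replace with your own.

```powershell
# Added example, not part of the audit tooling described on this page.
# Assumptions (hypothetical values): the UPN below, the Microsoft.Graph PowerShell SDK
# installed, and an operator able to assign directory roles.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Reports

$AuditUpn     = 'svc-secaudit@contoso.example'   # assumption: hypothetical account name
$AllowedRoles = @('Global Reader', 'Security Reader', 'Reports Reader')

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
                        'Directory.Read.All', 'AuditLog.Read.All'

function New-AuditReaderAccount {
    param([string]$Upn, [string[]]$Roles)

    $user = Get-MgUser -Filter "userPrincipalName eq '$Upn'"
    if (-not $user) {
        # Initial password from a CSPRNG; first sign-in forces a change, and the account
        # should additionally sit under your MFA Conditional Access policy.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $user = New-MgUser -DisplayName 'Security audit (read-only)' `
            -UserPrincipalName $Upn -MailNickname ($Upn.Split('@')[0]) -AccountEnabled `
            -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }
    }

    foreach ($name in $Roles) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $name
        # A built-in role only exists as a directoryRole object once it has been activated
        # from its template; activate it on first use.
        $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
        if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        if ($members.Id -notcontains $user.Id) {
            New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
                '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
            }
        }
    }
    return $user
}

function Test-AuditAccountIsReadOnly {
    param([string]$UserId, [string[]]$Allowed)
    # Every directory role the account holds, directly or via a role-assignable group.
    $held = Get-MgUserTransitiveMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    $extra = @($held | Where-Object { $_ -notin $Allowed })
    if ($extra.Count -gt 0) {
        throw "Audit account holds roles beyond the agreed read-only set: $($extra -join ', ')"
    }
    return $held
}

function Get-AuditAccountSignIns {
    param([string]$Upn, [datetime]$Since)
    # Sign-in records via Graph need Entra ID P1, which Business Premium, E3 and E5 include.
    $iso = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $iso" -All |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName,
            @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
            @{ n = 'Risk';      e = { $_.RiskLevelDuringSignIn } }
}

$user = New-AuditReaderAccount -Upn $AuditUpn -Roles $AllowedRoles
Test-AuditAccountIsReadOnly -UserId $user.Id -Allowed $AllowedRoles
Get-AuditAccountSignIns -Upn $AuditUpn -Since (Get-Date).AddDays(-7) | Format-Table
```

Run Test-AuditAccountIsReadOnly again at the end of the engagement before disabling the account; if anything beyond the three reader roles has appeared in the meantime, that is itself a finding. The sign-in listing is the same data an Identity Protection "unfamiliar sign-in properties" detection works from, so a non-zero Risk column against the audit account during the week is expected and should be reconciled with the addresses and window agreed in advance rather than escalated.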
Is this the same as a penetration test?
No. A penetration test is an active attempt to exploit your environment; we do a configuration audit. The two are complementary — run our audit first to fix the obvious misconfigurations, then a pen test once those are remediated. We partner with UK pen testing specialists and can manage that engagement on your behalf.
We are on E5. Do we still need an audit?
Almost certainly yes. The vast majority of E5 tenants we audit are using a fraction of what they pay for: Defender left on defaults, Purview labels defined but never published to users, Sentinel licensed but not ingesting the data sources that matter, Conditional Access that has not been reviewed since it was set up. The audit identifies what you have already paid for that is not switched on properly.
What if the audit finds something serious?
We tell you immediately, not at the end of the week. Critical findings — active exposure, recent compromise indicators, dormant high-privilege accounts — are flagged the day we find them with our recommended immediate action.