Microsoft 365 and Entra ID security, assessed against your compliance obligations.
Independent security assessment of your Microsoft 365 tenant and Entra ID identity layer. Built for organisations preparing to list, operating under regulation, or pursuing ISO 27001 or SOC 2. Not generic cloud security: identity, configuration, and the application layer, assessed in depth.
Pick the depth your compliance driver needs
Three distinct engagements, from a configuration review to active, assume-breach exploitation. They are deliberately separate so you can scope to your obligation and budget.
Configuration review
M365 Security Audit
A CIS Microsoft 365 Foundations Benchmark assessment of how your tenant is configured across identity, email, collaboration, data protection, and endpoint policy. The output is a findings report mapped to your compliance framework.
- Benchmarked against CIS M365 controls
- Identity, email, collaboration, data, endpoint policy
- Findings mapped to your compliance framework
Attack-surface analysis
M365 Vulnerability Assessment
Enumeration and attack-surface analysis of the identity layer: Entra ID, app registrations, service principals, Conditional Access coverage, and OAuth consent grants. We map what an attacker could reach, without active exploitation.
- Entra ID, app registrations, service principals
- Conditional Access coverage gaps
- OAuth consent grant review, no exploitation
Active, assume-breach
M365 Penetration Test
Active testing that starts from a compromised employee account and works outward: privilege escalation, lateral movement, Conditional Access bypass, and data exfiltration simulation. Every finding is tied to a specific control failure.
- Assume-breach: simulates a compromised user
- Privilege escalation and lateral movement
- Each finding tied to a control failure
Assessment is not exploitation. The audit and vulnerability assessment observe and enumerate; they do not attack. The penetration test actively exploits, under an agreed scope and rules of engagement. The distinction is deliberate: it lets you match the engagement to what your compliance driver and risk appetite actually require.
The surface we assess
The M365 components and the identity, data, and endpoint layers that sit around them, where real attacks land.
Entra ID & Conditional Access
Identity configuration, role assignment, and the Conditional Access policies meant to enforce it.
Exchange Online & mail flow
Mailbox permissions, forwarding, transport rules, and authentication of inbound and outbound mail.
SharePoint & OneDrive sharing
External sharing posture, anonymous links, and over-exposed sites and document libraries.
Teams external access
Guest access, federation, and external collaboration settings that widen the trust boundary.
Intune device compliance
Compliance and configuration policies across Windows, macOS, iOS, and Android via MDM/MAM.
Purview audit & DLP
Audit logging coverage and data loss prevention policy: whether you could reconstruct an incident.
Microsoft Graph API surface
Application permissions, consented scopes, and the Graph API attack surface behind your tenant.
Endpoint & mobile layer
Mobile application and MDM/MAM security assessment across Windows, macOS, iOS, and Android.
Deliverables your board and your auditors can use
Executive summary
A board-level summary of posture and risk, in plain language, with no jargon to decode.
Technical findings report
Every finding with evidence, severity, and the reproduction or configuration detail behind it.
Framework gap table
A control-by-control mapping against your chosen compliance framework, showing exactly where the gaps sit.
Prioritised remediation roadmap
Fixes ranked by real risk and effort, so your team knows what to do first and why.
Remediation retest
Once you have remediated, we re-test to confirm each issue is genuinely closed.
Build it, break it, fix it
Having built on this stack ourselves, we assess it differently from testers who have only ever attacked it.
A builder's perspective
Most M365 reviews stop at tenant settings. An engineering background means the application-integration layer gets the same scrutiny: how app registrations, service principals, OAuth scopes, and Graph API permissions are wired in, and where developers cut corners. We understand how these integrations are built, not just how the tenant is configured.
Mapped to your framework
Findings are mapped to your specific compliance framework, not handed over as a generic report you then have to translate for an auditor.
Independent validation
Independent, third-party assessment carries weight with auditors and procurement in a way an internal review cannot.
A focused specialism
We specialise in web, mobile, API, and M365 / identity security: a narrow remit we know deeply, rather than a generalist offering stretched thin. See our web, API, and mobile testing.
Book a scoping call
Before any fixed quote, a short call to define tenant size, licence tier, and the compliance driver behind the work. That scope is what the engagement and the price are built on.