Engagement 08 · Security
Close the gaps before someone else finds them. Identity hardening, network controls, Defender for Cloud properly configured, a compliance baseline, and an incident response plan your team can actually follow.
Why this exists
Compromised credentials, exposed storage accounts, over-privileged service principals, missing MFA, flat networks. The basics matter — and most teams don't have time to do them properly. The Security Posture engagement closes those gaps systematically: identity tightened, network properly segmented, Defender configured for signal not noise, compliance baseline measurable, and an IR plan that doesn't only exist as a Word doc.
What's included
MFA / conditional access policies, PIM for privileged roles, break-glass accounts, service principal cleanup, guest account review, and managed identity migration.
Public exposure removed where possible, private endpoints, NSG and Azure Firewall rules tightened, DDoS protection, and a documented network security model.
Properly configured: which plans you need, how recommendations are routed, secure score targets, and noise tuned out so alerts mean something.
CIS / Microsoft cloud security benchmark applied via Azure Policy, with a measured score and a remediation plan for the gaps. Targeted to your real compliance obligations.
Encryption at rest with customer-managed keys where required, Key Vault access policies, public storage cleanup, and backup configuration validated.
An IR runbook your team can actually follow — detection sources, severity definitions, escalation paths, and a tabletop exercise to validate it.
Deliverables
Timeline
Current state across identity, network, data, monitoring, and compliance. Risk-prioritised gap list before any change.
Changes made in priority order, tested, and validated. Rollback paths documented for anything sensitive.
IR runbook walked through, tabletop exercise run with your team, monitoring and reporting handed over.
FAQ
Should we do an audit first?
If you're not sure where the gaps are, the Azure Audit & Drift Control surfaces them with prioritisation. If you already know roughly what's wrong, this engagement goes straight to fixing it.
We're prepping for SOC 2 / ISO 27001 — does this cover it?
It gets your Azure environment in shape for those audits. The wider compliance work (policies, evidence, training, vendor management) sits outside Azure and outside this engagement — we'll be honest about what's in scope on the discovery call.
Will hardening break things?
Some changes have user-visible impact (MFA enforcement, conditional access). We sequence them carefully, communicate before each, and roll back fast if needed. Nothing happens without your approval.
Do you do penetration testing?
No. Pen testing is a separate discipline and we don't pretend otherwise. We'll happily work alongside a pen test team, and the hardening done here often covers the recommendations that come out of a pen test report.
What about ongoing security operations?
This engagement gets you to a strong baseline. Maintaining it as your environment changes is a fit for Ongoing Platform Support if you don't have an in-house security function.
Next step
Book a 30-minute discovery call. We'll talk through your compliance drivers, current state, and any specific concerns before agreeing scope.