service · security audits

"We've got Microsoft, so we're fine." Are you, though?

Most SMEs have no real picture of their exposure, until an insurer, a customer questionnaire or an incident forces the question. We give you the honest read: where you're at risk, what to fix first, and proof it stays fixed.

in plain terms

A Microsoft 365 security audit measures your Microsoft 365 and Entra tenant against recognised benchmarks - Microsoft Secure Score, the CIS Microsoft 365 Benchmark, and New Zealand guidance like the NCSC advice and the Essential Eight - to show exactly where you're exposed and what to fix first. Instead of assuming you're fine because you have Microsoft, you get a measured baseline: MFA coverage, legacy authentication, admin and privileged access, conditional access, email security and external sharing, each scored against the standard. The output is a plain-English report that ranks risks by impact and starts with the cheap, high-impact fixes, not a 90-page PDF. It's the evidence you can hand an insurer, an auditor or a customer questionnaire - and the same checks can run monthly so your posture stays proven, not just fixed once.

the usual gaps

What we tend to find.

  • No idea of actual exposure"We have Microsoft, so we're fine," with nothing measured to back it up.
  • Questions you can't answerCyber-insurance forms and customer security questionnaires that stall the deal.
  • Stale, over-privileged accessMFA gaps, legacy auth left open, admin rights that sprawled and never got cleaned up.
  • One-off reports that gather dustA pentest from two years ago that no one has re-checked since.

what we deliver

Posture you can see and prove.

01

Baseline audit

Your Microsoft 365 and Entra posture measured against recognised benchmarks: Microsoft Secure Score, the CIS Microsoft 365 Benchmark, NZ-relevant guidance (NCSC / Essential Eight). The real number, not a vibe.

02

Prioritised remediation

The cheap, high-impact fixes first. Close MFA gaps, kill legacy auth, rein in admin sprawl, tighten sharing. A plain-English list ordered by impact, not a 90-page PDF.

03

Recurring assurance

A monthly or quarterly report showing the posture trend and that access is still correct. The evidence you hand to an insurer, an auditor or a customer.

joined-up by design

Offboarding is a security control.

When someone leaves, that's not just HR. It's the most common way access goes stale. If we also run your joiners, movers and leavers, the leaver evidence feeds straight into "access is correct" every month. One joined-up answer: we manage your people changes and prove your access is right.

  • Read-only tenant posture pull
  • Same engine every client, your tenant
  • Identity assurance, monthly
  • Deep network pentest referred out

common questions

Security audits, answered straight.

What does a Microsoft 365 security audit check?
MFA coverage, legacy authentication, admin and privileged access, conditional access, email security (SPF, DKIM, DMARC), external sharing and guest access, and your overall Secure Score - measured against the CIS benchmark, not guessed.
How long does an audit take?
Usually a few days from access to report. You get a plain-English findings report with risks ranked by impact and a fix-the-cheap-high-impact-gaps-first plan, not a 90-page PDF that gathers dust.
Will this help with cyber insurance?
Yes. The report is written so you can answer an insurer's or a customer's security questionnaire and show what you've remediated - the questions they ask are the ones we measure.
Do you fix the issues or just report them?
Either. The audit stands alone, or we remediate the gaps and fold ongoing checks into managed IT so access stays correct month to month.

start a conversation

Start with the baseline.

A fixed-price baseline audit is the front door. You'll know exactly where you stand and what's worth fixing first. No scare tactics, no upsell to things you don't need.