CLOUD REVIEW
We review your cloud the way an attacker would. We check how identities, networks, storage and services connect, and where someone could get in or move further. Config tidying is part of it, but the goal is to close real ways in.
We look at identity and access, network paths, storage exposure, key management, logging and alerting, backups and recovery, and how your build and release pipeline touches the cloud. We work with AWS, Azure, GCP, and Microsoft 365. For Microsoft, that includes Entra ID, MFA, conditional access, legacy protocols, and common misconfigurations that open the door. For Kubernetes and container platforms, we check cluster roles, workload permissions, secrets, images, and how they link back to the cloud accounts.
Use this when you’re rolling out a new landing zone, joining accounts into an organisation, opening new external services, or hardening for an audit. It’s also a good step before or after a penetration test so fixes are grounded in how your cloud actually works.
The process is simple. We start with a short kick-off to agree the scope and what access you’re comfortable with. We prefer read-only roles or exported configs, then we verify in the console so recommendations aren’t hypothetical. If the estate is big, we agree a sampling plan so we start with the riskiest areas: internet-facing services, high-privilege roles, noisy storage, and anything that links production to development. We raise issues in your tracker with clear steps, stay available while you fix, then we retest the important items.
What you get is practical. A prioritised fix list with quick wins first, notes on why it matters in your context, and example guardrails. Where it helps, we include a simple attack path diagram to show how misconfigurations chain together. You also get a short summary you can share with managers. Retest is included.
Options are flexible. You can choose a one-time baseline, a check before a major release, or a quarterly review to keep drift in check. If you want some automation alongside humans, we can add lightweight checks in your build and release pipeline so common mistakes are caught early.
We deliver remotely by default. We use read-only access where possible, keep minimal artefacts, raise issues in your tracker, and delete artefacts after delivery. We align with UK GDPR and can support NHS DSPT expectations. If you handle special category data, we’ll run DPIAs where needed. If you want us onsite for a workshop or handover, we can plan that in.
If you need testing from the outside, see Penetration Testing. If you want a code-level read, see Code Review. If you need small utilities and pipeline checks, see Tooling.
Read-only is enough for most of the work. We can also review exported configurations if access is limited.
AWS, Azure, GCP, Microsoft 365, and Kubernetes. We’ll confirm services in scope at kick-off.
Yes. We can recommend or help implement policies, permission boundaries, conditional access, and baseline alerts, then retest.
We agree a sampling plan, start with high-risk areas, then expand if you want more depth.
