
An independent look at where you actually stand.

We examine your technology environment from the outside in, find where the real risk lives, measure it against recognized practice, and hand you a clear, prioritized picture of what to fix first.

OUR APPROACH

You cannot fix what you cannot see.

Most organizations have a rough sense that their security could be better, but not a clear picture of where the gaps actually are or which ones matter. An audit replaces that uncertainty with facts.

We look at your systems the way an outsider would: what is exposed, what is misconfigured, where access is too broad, and where a single failure would cascade. Then we measure what we find against the standards your industry is held to.

We are deliberately independent. We do not sell you the products we recommend, and the team that audits you is never the team that built the thing being audited. The point is an honest answer, not a longer invoice.

An audit is worth nothing if it only tells you what you wanted to hear.
Tomita auditing principle
POSTURE · MATURITY

Your security posture, scored by area and measured against where it should be. The gap between the bar and the marker is the work.

Assessed against
  • ISO 27001
  • NIST CSF
  • CIS Controls v8
  • SOC 2
  • OWASP Top 10
  • PCI DSS
  • GDPR
  • Essential Eight
  • MITRE ATT&CK
  • NIST 800-53
SYSTEM REVIEW

First, an honest inventory of what you actually have.

You cannot secure what you do not know about. We start by mapping the real environment: the systems, the accounts, the data, the third parties, and the connections between them, including the ones nobody documented.

The result is an accurate picture of your attack surface, with particular attention to what is reachable from outside. Shadow systems and forgotten services are where a surprising amount of risk quietly hides.

  • Systems & asset inventory: What exists, who owns it, and what it is responsible for.
  • Accounts & access mapping: Who can reach what, and where that access is broader than it should be.
  • Data flow review: Where sensitive data lives, moves, and leaves the building.
  • External exposure: What of yours is reachable from the public internet, intended or not.
ATTACK SURFACE

Your environment as an outsider sees it. The flagged nodes are reachable from outside, and they get looked at first.

RISK IDENTIFICATION

Then, where the exposure is, and how much it matters.

A list of every theoretical weakness is noise. The value is in judgement: which issues are genuinely likely to be exploited, and which would actually hurt if they were. We weigh both, not just one.

We look for the usual sources of real risk: misconfiguration, missing patches, weak or shared access, unencrypted data, and single points of failure. Each finding is placed on a likelihood and impact scale, so the priorities become obvious.

  • Vulnerability identification: Misconfiguration, missing patches, and known weaknesses.
  • Access & privilege risk: Overbroad permissions, shared logins, and stale accounts.
  • Single points of failure: Where one failure quietly takes everything else with it.
  • Likelihood & impact scoring: Every risk rated, so the order of work is not a guess.
RISK · LIKELIHOOD × IMPACT

Every finding placed by likelihood and impact. The top right corner is where attention goes first.

POSTURE & CONTROLS

How your defences measure up, control by control.

Having a control is not the same as having it working. We assess whether the protections you rely on are actually present, configured correctly, and doing their job, across the families of controls that recognized frameworks expect.

The output is a coverage picture: where you are strong, where you are only partial, and where a control you assumed was in place simply is not. Honest percentages, not a single pass or fail badge.

  • Control coverage: Which expected controls are present, and to what degree.
  • Configuration review: Whether what is in place is configured the way it should be.
  • Posture benchmarking: A measured comparison against recognized practice.
  • Gap analysis: What is missing, and what it would take to close it.
CONTROL · COVERAGE
  • Access: 86%
  • Network: 74%
  • Data: 61%
  • Logging: 45%
  • Backup: 92%
  • Response: 52%

Coverage across the control families a framework expects. Amber and red are where the gaps are.

FINDINGS & REPORTING

A report you can act on, not a PDF that gathers dust.

The deliverable is a written report that a technical team and a board can both use. Every finding is described plainly, rated by severity, and paired with a concrete recommendation, not a vague warning.

We lead with what matters. A short executive summary for the people who decide, a prioritized remediation plan for the people who fix, and the full detail underneath for the people who verify.

  • Executive summary: The state of things in plain language, for the people who decide.
  • Severity-rated findings: Each issue scored, so nothing important is buried in the noise.
  • Prioritized remediation plan: What to fix first, and what can reasonably wait.
  • Evidence & detail: The full technical record behind every finding we raise.
FINDINGS · REPORT
Findings summary
3 critical · 6 high · 9 medium · 11 low
  • CRIT · Admin interface exposed to the public internet
  • CRIT · Backups never tested for restore
  • HIGH · No multi-factor on privileged accounts
  • HIGH · VPN gateway two versions behind

Findings grouped by severity, with the critical few called out. The summary tells you exactly where to start.

HOW AN AUDIT RUNS

Scope, discover, test, assess, report.

An audit should be predictable and low-disruption. You know what we are doing, when, and exactly what you will have at the end of it.

01 · Scope

We agree exactly what is in scope, what is off limits, and what a good outcome looks like, in writing, before anything starts. No surprises in either direction.

Deliverable: Agreed scope & rules of engagement

02 · Discover

We map the environment and gather the facts: inventory, accounts, configuration, and exposure. The picture of what actually exists, not what the diagram claims.

Deliverable: Environment & exposure map

03 · Test

We probe for real weaknesses safely, within the agreed scope, and confirm what is genuinely exploitable rather than just theoretical. Evidence, not speculation.

Deliverable: Verified findings

04 · Assess

We rate each finding by likelihood and impact, and measure the whole environment against recognized practice, so the priorities are grounded rather than felt.

Deliverable: Risk & posture assessment

05 · Report

We deliver the written report and walk you through it, so the findings and the plan are understood and owned, not just filed away somewhere safe.

Deliverable: Audit report & walkthrough
AFTER THE REPORT

A finding is only useful once it is fixed.

An audit that ends at the report has done half the job. We stay available to help you close the findings, in the order the risk ratings suggest, at whatever pace your team can sustain.

Where the fixes are infrastructure work, they hand cleanly to our Consulting division, with the auditor and the engineer working from the same findings. And when the work is done, we are happy to retest and confirm it.

REMEDIATION · PLAN
  • P1 · Close exposed admin interface · high impact · low effort · In progress
  • P2 · Add multi-factor to admin · high impact · low effort · Planned
  • P3 · Patch the VPN gateway · high impact · medium effort · Planned
  • P4 · Tighten overbroad file shares · medium impact · medium effort · Planned

Findings turned into a plan: ordered by risk, sized by effort, and tracked until they are closed.

01 · INDEPENDENT

No conflict

We do not sell the products we recommend, so the advice is about your risk, not our margin. An audit you can actually trust.

02 · PRIORITIZED

First things first

Every finding is ranked, so limited time and budget go to the issues that genuinely matter, not the easiest ones to write up.

03 · ACTIONABLE

A way forward

Each issue comes with a concrete fix and, if you want it, the team to carry it out. The report is a starting point, not the end.

START HERE

Want to know where you stand?

Tell us what you are protecting and what worries you. We will scope an audit that fits, and tell you honestly what it will and will not cover.