Service Delivery FAQ

What is the format of the Final Report?
How do we summarise the findings?
What does a typical issue writeup look like?
How do we present the recommended remediation timeframe?
How is the engagement priced and scheduled?
How is the engagement delivered?
What level of access is required to test my environment?
What level of interaction and support is typical during an engagement?

What is the format of the Final Report?

The final report will be delivered as a PDF, based on a visually appealing PPTX template to ease your consumption of the information. It will contain the following key sections, some of which will repeat depending upon the nature of the engagement undertaken:

Management Summary
Overview & Strategic Recommendations
Assessment Conduct
Summary of findings (repeated for each phase)
Remediation Road Map (repeated for each phase)
Findings (repeated for each phase)
Issue write-up (repeated for each issue)
Supplementary Data
Screenshots and output of tools that further support the detailed findings

The Management Summary at the front of the report will include a page for each phase of the engagement, clearly highlighting the severity of the risk the issues present along with our recommended timeframe for remediation. 

Each issue is hyperlinked to the relevant detailed write-up to ease your consumption of the report.

How do we summarise the findings?

We believe security issues should be presented in as clear and as simple a manner as possible. Not everyone enjoys the technical minutiae, and the majority of our clients simply want to know: how bad is it, how do I fix it, and how rapidly? We do, however, provide references for further reading should you be that way inclined. Key highlights of our approach include:
A simple High / Medium / Low categorisation of risk – you do not want to be arguing over whether something is a critical or a high, nor skimming pages and pages of “informational” findings.
Our recommendation on a remediation timeframe – 30 days / 90 days / beyond – based not just on the severity of the threat, but also factoring in the planning and implementation effort.
Hyperlinks to the issue summary and remediation plan for that phase of the engagement, allowing easy and rapid navigation of the report.

At the end of the day, our value to you is imparting succinct, accurate and insightful information so you can improve the security of your environment. We are not charging by the word – and you certainly do not want to read a report crafted on that basis!

How do we present the recommended remediation timeframe?

Each phase of the engagement will have a recommended remediation timeframe within the Management Summary: a graphical representation of how you should go about improving your security posture. Unlike the individual issue write-ups, which treat each issue in isolation, this page addresses the issues as a collective whole and as such may move the priority of issues around to address quick wins and issues that may require more planning than typical to implement.

Again, all issues are hyperlinked to ease your consumption of the report.

How is the engagement priced and scheduled?

All our engagements are presented as a fixed-price offer. We do not quote based on days of effort, as we believe this does not best present the value of our services and encourages negative behaviours on both sides of the agreement, such as:

Comparing day rates of different suppliers to the detriment of analysing the value they provide
Delaying delivery of an engagement to fill out a pre-committed test window
Rushing testing, or not completing the full scope of testing, due to running out of days
We do of course have an internal view of roughly how much effort is required to complete the engagement, e.g. 4 days of testing and 2 of analysis and reporting. We would then work with you to agree a suitable test window; in this case it would likely be 10 working days, with a commitment to deliver the report on the final day. This approach gives us many advantages:

Technical issues with the environment or supplied test accounts can be handled gracefully.
Any slightly delayed workshops or interviews do not impact the final delivery date.
Any unforeseen and minor increases in scope can be addressed without the back and forth of change control, potential price increases and general friction.
Ultimately we believe our approach works well for both you and us and allows for a pleasant and smooth engagement.

How is the engagement delivered?

All aspects of the engagement are delivered remotely across the Internet, with no access to physical locations required.

Configuration reviews, which are typical for Azure and M365 environments, may be performed at any time of the day or week to support multiple timezones and to minimise any load impact on your environment. However, any active testing such as vulnerability scanning or exploitation will be performed during pre-agreed hours to ensure we have access to your technical staff should an issue arise.

Any desired update calls, interviews or workshops will be agreed in advance to suit your schedule.

What level of access is required to test my environment?

In all cases where we require an account to be created, we request two; this allows us to continue our assessment uninterrupted should we encounter access issues such as an account lockout.

For Microsoft 365 Assessments, we require a test account with access to the tenant(s) in scope, holding the following roles:

Global Reader
Security Reader
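Before handing the accounts over, the tenant administrator can confirm that each one is enabled and holds exactly these two read-only roles and nothing more. The script below is an added example (not part of the original FAQ or the assessor's own tooling); it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller may read users and directory role memberships, and the account names are constructed placeholders.

```powershell
# Added example, not from the original page: verify that the two reviewer test accounts
# are enabled and hold exactly the directory roles the FAQ asks for (Global Reader,
# Security Reader) and nothing more, so the assessment runs with least privilege.
# Assumes the Microsoft.Graph PowerShell SDK is installed. UPNs below are constructed.

param(
    [string[]] $TestAccounts  = @('assessor1@contoso.example', 'assessor2@contoso.example'),
    [string[]] $RequiredRoles = @('Global Reader', 'Security Reader')
)

Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$results = foreach ($upn in $TestAccounts) {
    $user = Get-MgUser -UserId $upn -Property 'Id', 'UserPrincipalName', 'AccountEnabled'

    # Keep only active directory-role memberships; group memberships are ignored here
    $roles = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    $missing = @($RequiredRoles | Where-Object { $_ -notin $roles })
    $extra   = @($roles         | Where-Object { $_ -notin $RequiredRoles })

    [pscustomobject]@{
        Account = $user.UserPrincipalName
        Enabled = $user.AccountEnabled
        Roles   = ($roles   -join ', ')
        Missing = ($missing -join ', ')
        Extra   = ($extra   -join ', ')
        # Ready only when the account is usable and the role set matches exactly
        Ready   = ($user.AccountEnabled -and $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit when any account is not ready, so this can gate the hand-over step
if ($results | Where-Object { -not $_.Ready }) { exit 1 }
```

Only direct, active role memberships are counted: roles granted through a role-assignable group or held as PIM-eligible will not appear in the Roles column and should be checked separately.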

What level of interaction and support is typical during an engagement?

The majority of technical engagements require minimal support from yourselves, typically taking the form of:

Support of the test accounts you have provided, resolving issues such as lockouts
Having a point of contact to whom we can report any immediate high-risk issues, as you require
Attending any agreed update calls, as you require
The risk management and governance aspects of certain engagements may require your staff to complete some documentation, or to provide copies of or access to policies, processes and procedures. This will be supplemented with workshops and/or interviews to clarify any queries that may arise.
Remediation and Breach Attack Simulation engagements are bespoke and will likely require more interaction with your staff than is typical for assessment engagements.