// Service

Cloud security review

Most cloud breaches aren't exotic exploits; they're a public bucket, an over-privileged role, or a forgotten access key. We review your AWS, Azure or Google Cloud environment before someone else does.

Illustration of a cloud connected to storage, a locked database and a server
// Coverage

What we test

A configuration and architecture review of your cloud accounts, benchmarked against vendor best practice and CIS Benchmarks.

  • Identity and access management. Over-privileged users and roles, unused credentials, missing MFA, risky trust relationships and privilege escalation paths.
  • Network exposure. Security groups and firewall rules, public IPs, peering and transit paths, and services reachable from the internet that shouldn't be.
  • Storage and data. Bucket and blob permissions, snapshot exposure, encryption at rest and in transit, and database access paths.
  • Secrets and keys. Hardcoded credentials, key rotation, KMS usage and secrets sprawl across services and pipelines.
  • Logging and detection. CloudTrail/Activity Log coverage, alerting on high-risk actions, and whether you'd actually notice the attack paths we find.
  • Kubernetes and containers. Cluster RBAC, workload privileges, image provenance and exposed control planes, where in scope.
// Approach

How we test it

We work from read-only auditor credentials you provision, combining automated benchmark tooling with manual review of the paths tools can't judge: role trust chains, cross-account access and the blast radius of each finding.

Findings are prioritised by exploitability from an attacker's position, not just benchmark severity. A public S3 bucket full of logos is noted; an assumable role that reaches your production database is a headline.

The review can stand alone or pair with an application or network pentest to validate the exposures end to end.

The full process, severity ratings and reporting format are described in our methodology.

// Deliverables

What you get

  • Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
  • Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
  • Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
  • Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.

Get a fixed quote

Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.