Cloud Health Check

You moved to the cloud. Do you know what’s exposed?

Protectyr delivers an independent, evidence-based assessment of your Azure environment. We find the misconfigurations, prioritise by business risk, and give your team a clear roadmap to fix what matters first.

Sound familiar?

Cloud environments grow fast. Security oversight doesn’t always keep up.

Security keeps getting pushed

Your team is busy keeping the lights on — security configuration review keeps sliding down the priority list.

Why this matters

Gartner predicts 99% of cloud security failures are the customer’s fault (2019). The NSA identifies misconfiguration as the #1 cloud vulnerability (2020). 80% of security exposures trace to identity and credential misconfigurations (XM Cyber, 2024).

Your insurer is asking questions you can’t answer

Cyber insurance renewals now demand evidence of MFA, endpoint protection, backup integrity, and cloud security posture. A checkbox isn’t enough anymore.

Why this matters

Major carriers (Coalition, Beazley, Chubb) now routinely ask: “Have you conducted an independent security assessment of your cloud environment in the past 12 months?” Coverage can be declined or sublimited without evidence of specific controls.

You passed the audit, but are you actually secure?

Compliance frameworks tell you what to check. They don’t tell you whether your Azure environment is actually configured to stop an attack.

Why this matters

Regulatory references — OSFI B-13 s.3.2, 4.2, 5.1 (cyber security testing, cloud-specific risk, independent testing); Quebec Law 25 s.3.2, 3.3 (mandatory PIA for cloud systems, proportional safeguards); PIPEDA Principle 4.7 (safeguards appropriate to sensitivity, accountability for cloud transfers).

How it works

Five steps from kickoff to actionable roadmap.

1. Scoping Call (30 minutes)

We learn about your environment and tailor the assessment to your priorities.

During the scoping call, we walk through a digital intake form covering your tenant structure, subscription count, key workloads, compliance requirements, and known concerns. This determines your assessment tier and ensures we focus on what matters to your organization.

2. Evidence Collection (Week 1–2)

Read-only, non-intrusive. Your team grants temporary access — we handle the rest.

We use automated collection scripts that extract configuration data from your Azure tenant via read-only RBAC roles (Reader + Security Reader). No agents installed, no production impact. We collect Entra ID configuration, Conditional Access policies, network topology, storage and database settings, Defender for Cloud assessments, sign-in telemetry, backup configuration, and more. Typical collection covers 200+ configuration data points across all subscriptions.

3. Analysis (Week 2–3)

Our consultants evaluate every configuration against three industry frameworks.

Each finding is mapped to MCSB v2 (Microsoft Cloud Security Benchmark), CIS Azure Benchmarks, and NIST 800-53. We classify findings by severity (Critical, High, Medium, Low) and estimate remediation effort (Small, Medium, Large). We cross-reference with sign-in telemetry, vulnerability assessment data, and Azure Advisor recommendations to identify real risk — not just theoretical gaps.

4. Workshop (60–90 minutes)

We walk through findings together — your context shapes the priorities.

This is not a one-way presentation. We share our findings, you share your operational context. Is that public SQL server intentional? Is that service account excluded from MFA for a reason? This conversation adjusts severity ratings, adds business context, and ensures the final report reflects reality — not just what the configuration says.

5. Report & Readout (Week 3–4)

You receive the full deliverable package and a stakeholder-ready presentation.

Deliverables are shared via secure file transfer. A final readout session (60–90 minutes) walks your stakeholders through the posture baseline, key findings, and the prioritised remediation roadmap. You leave with everything you need to brief leadership, satisfy auditors, and start fixing.

What you get

Every engagement includes the full deliverable package.

Current-State Posture Summary (PDF)

An executive-level report covering your security posture across all assessed domains, with a visual dashboard, severity breakdown, and domain-by-domain findings.

Prioritised Remediation Roadmap (Excel)

Every finding ranked by severity and business impact, with framework mappings, effort estimates, and remediation guidance. Ready for your team to start working through.

Stakeholder Readout Presentation (HTML / PDF)

A presentation-ready deck summarising findings, strengths, and recommended next steps — designed for screen-sharing with leadership or your board.

Interactive Workshop Session (Live)

A collaborative working session where our consultants walk through findings with your IT and security teams, gather context, and validate priorities together.

Evidence Pack (for auditors & insurers)

The underlying assessment data organized for compliance reviews, audit requests, and cyber insurance renewals. Demonstrates due diligence with traceable evidence.

What the report looks like

Professional, structured, and ready for your stakeholders.

Protectyr

Cloud Security Health Check

Current-State Posture Summary

[Your Organization]

Assessment Period: Month YYYY

Version 1.0

Confidential

Sample finding

Severity: Critical

Production Database Publicly Accessible

Framework mapping: MCSB v2 DP-2, NS-2; CIS 4.1.1; NIST SC-7
Business Context: An Azure SQL database serving production workloads is configured with a public endpoint and no virtual network service endpoint or private link. Firewall rules allow connections from any Azure service.
Risk Implication: This configuration exposes the database to network-based attacks from any Azure tenant. Combined with SQL authentication (username/password), a brute-force or credential-stuffing attack could result in full data exfiltration.

Every finding in your report follows this structure — severity-rated, framework-mapped, and translated into business risk.

Transparent pricing

Three tiers based on environment size. All deliverables included.

Small

$8,000

  • Subscriptions: 1–2
  • Users (Entra ID): Up to 500
  • Virtual Machines: Up to 15
  • Timeline: 2–3 weeks
  • All deliverables included
  • Workshop included
  • Readout included

Medium

$10,000

  • Subscriptions: 3–5
  • Users (Entra ID): Up to 2,000
  • Virtual Machines: Up to 50
  • Timeline: 3–4 weeks
  • All deliverables included
  • Workshop included
  • Readout included

Large

$12,000

  • Subscriptions: 6–10
  • Users (Entra ID): Up to 5,000
  • Virtual Machines: Up to 100
  • Timeline: 4–6 weeks
  • All deliverables included
  • Workshop included
  • Readout included

Not sure which size fits? Book a free scoping call — we’ll assess your environment and recommend the right tier. No commitment.

Larger environments or multi-tenant assessments? Contact us for custom scoping.

What gets assessed

12 security domains. Hundreds of configuration checks.

Network Security (NS)

Virtual networks, NSGs, subnets, route tables, DDoS protection, private endpoints, peering, flow logs

Identity Management (IM)

Entra ID configuration, Conditional Access, MFA coverage, authentication methods, sign-in risk policies, guest accounts

Privileged Access (PA)

Global Administrators, PIM configuration, RBAC assignments, root-scope roles, service principals

Data Protection (DP)

Storage encryption, Key Vault configuration, SQL authentication, TLS enforcement, shared key access, customer-managed keys

Asset Management (AM)

Resource inventory, tagging, management group hierarchy, subscription governance

Logging & Threat Detection (LT)

Sentinel configuration, data connectors, analytics rules, diagnostic settings, log retention, alert rules

Incident Response (IR)

Automation rules, playbooks, incident management configuration

Posture & Vulnerability (PV)

Defender for Cloud plans, vulnerability assessments, security recommendations, policy compliance

Endpoint Security (ES)

Defender for Endpoint coverage, VM extensions, guest configuration baselines

Backup & Recovery (BR)

Recovery vaults, backup policies, immutability, soft delete, Site Recovery, disk encryption

DevOps Security (DS)

App Service configuration, container security, CI/CD pipeline exposure

Governance & Strategy (GV)

Azure Policy, management groups, cost controls, compliance posture, Secure Score

Why Protectyr

We translate findings into business risk

You won’t get a 200-page list of misconfigurations. Every finding includes business context and risk implication — so your leadership understands what’s at stake, not just what’s misconfigured.

Canadian-based, Canadian compliance expertise

We understand PIPEDA, OSFI B-13, Quebec Law 25, and the Canadian cyber insurance landscape. Your assessment is mapped to the frameworks your regulators and insurers actually reference.

A partner, not a PDF

The workshop isn’t a formality — it’s where we learn your operational reality and adjust our findings accordingly. You’re not buying a scan. You’re working with consultants who care whether the recommendations actually work for your team.

Framework-mapped for auditors and insurers

Every finding maps to MCSB v2, CIS Azure Benchmarks, and NIST 800-53. Hand the report to your auditor or insurance broker — the evidence is structured for their review.

Frequently asked questions

Is the assessment intrusive? Will it affect our production environment?

No. The assessment is entirely read-only. We use Reader and Security Reader RBAC roles — no write access, no agents installed, no production impact. We collect configuration data, not live traffic or user data.

What access do you need?

Temporary RBAC access (Reader + Security Reader) to the subscriptions in scope, plus read access to Entra ID for identity configuration review. All access is revoked at the end of the engagement.

How long does it take?

Typically 2–4 weeks from kickoff to final readout, depending on your environment size. The scoping call determines your tier and timeline.

Can this help with our cyber insurance renewal?

Yes. The assessment produces evidence for nearly every category insurers ask about — MFA enforcement, endpoint protection, backup integrity, privileged access, network segmentation, and logging coverage. Several carriers offer premium credits for organizations that can demonstrate proactive security posture management.

Do you support AWS or GCP?

Our current assessment methodology is optimised for Azure and Microsoft 365 environments. AWS and GCP support is on our roadmap. Contact us if you have a multi-cloud environment — we can discuss what’s possible today.

What if we’ve already done a CIS or SOC 2 audit?

Great — we’ll use that as context. A CIS or SOC 2 audit tells you whether you meet a control framework. Our assessment tells you whether your Azure environment is actually configured to stop the attacks targeting organizations like yours. They’re complementary, not redundant.

Do you offer remediation services?

Yes. After the assessment, we can help implement the top-priority findings through a targeted hardening engagement. Many clients start with the assessment and move to remediation for the critical and high findings.

What industries do you work with?

Any organization using Azure. We have particular depth with financial services (OSFI-regulated), healthcare, not-for-profits, and professional services. The methodology adapts to your regulatory and business context.

Ready to see what’s exposed?

Book a free 30-minute scoping call. We’ll assess your environment, recommend the right tier, and answer any questions. No commitment, no pressure.