The naked truth about your security posture.
27 automated products — compliance assessments, deep-dive security packs, and board-ready intelligence reports across Essential Eight, NIST CSF, CMMC, NIS2, Cyber Essentials, MAS TRM, and more. Results in minutes, not weeks. No consultant. No agent installs.
Choose your assessment
Each assessment runs against your Microsoft 365 tenant using read-only permissions. You grant access once, we do the rest.
Essential Eight ML1, ML2 & ML3 Assessment
Assess your compliance with the ACSC Essential Eight Maturity Model. Mandatory for Australian Government entities under the PSPF. Know exactly where you stand before the auditors do.
- All 8 pillars: Application Control, Patching, MFA, Backups + more
- ML1, ML2, and ML3 scored separately per pillar
- Conditional Access and privileged account analysis
- Intune compliance and update ring verification
- Prioritised remediation roadmap in your report
- Optional monthly re-assessment subscription
Cloud Security Benchmark v2 Assessment
Assess your Azure and Microsoft 365 environment against the Microsoft Cloud Security Benchmark v2 — 14 control domains covering Identity, Network, Data, AI, and DevOps security.
- 14 domains: Identity, Network, Logging, Data, DevOps, AI + more
- Azure Secure Score and Defender for Cloud integration
- Conditional Access, PIM, and MFA gap analysis
- Maps to ISO 27001, NIST CSF v2, SOC 2, PCI-DSS v4
- JSON and CSV exports for integration into your GRC tool
- MCSB v2 preview controls: AI security and DevOps
CIS Microsoft 365 Benchmark Assessment
Assess your Microsoft 365 tenant against the CIS Benchmark — the industry-standard security configuration guide recognised by auditors worldwide.
- 7 domains: Identity, Apps, Data, Email, Auditing, Storage, Teams
- CIS Level 1 and Level 2 controls scored separately
- Conditional Access, MFA, and authentication method analysis
- SharePoint sharing and Teams guest access review
- Application consent and OAuth permission audit
- Prioritised remediation with CIS control references
Microsoft Copilot Readiness Assessment
Know your risk before enabling Copilot. We assess oversharing, sensitivity labels, DLP coverage, and identity controls to determine if your tenant is ready for AI.
- 6 dimensions: Oversharing, Labels, DLP, Identity, Guest, Licensing
- SharePoint site permission and public group analysis
- Sensitivity label coverage and auto-labelling review
- Conditional Access policies targeting Copilot
- Weighted readiness score: Ready / Caveats / Not Ready
- Pre-enablement and post-rollout remediation roadmap
CPS 234 Information Security Assessment
Automated and governance-hybrid assessment against APRA's CPS 234 standard. Built for banks, insurers, and super funds that need to demonstrate compliance.
- 6 CPS 234 sections: Capability, Policy, Assets, Controls, Incidents, Testing
- Automated technical checks via Microsoft Graph and Defender
- Governance questionnaire for board-level controls
- Combined score: automated (60%) + questionnaire (40%)
- APRA notification obligation assessment
- Maps to CPG 234 guidance for remediation
Ransomware Resilience Score
Cross-cutting assessment of your ransomware defences. One score across identity, backup, endpoint, email, data, network, and detection readiness.
- 7 dimensions: Identity, Backup, Endpoint, Email, Data, Network, Detection
- Weighted composite resilience score (0-100%)
- MFA, legacy auth, admin privilege, and PIM analysis
- Backup immutability and break-glass account checks
- Defender for Endpoint and Office 365 licensing verification
- Rating: Strong / Moderate / Weak / Critical Risk
Power Platform Security Assessment
Assess your Power Platform governance posture. Environment controls, DLP policies, Power Automate security, Power Apps sharing, Power BI governance, and Copilot Studio controls.
- 6 dimensions: Environments, DLP, Automate, Apps, BI, Copilot Studio
- Weighted governance score with actionable remediation
- DLP connector classification and gap analysis
- Environment sprawl and managed environment checks
- Power BI external sharing and sensitivity label review
- Rating: Well Governed / Partially / Gaps / Ungoverned
NIST Cybersecurity Framework Assessment
Assess your alignment to the NIST CSF 2.0 six functions. The de facto baseline for US federal contractors, critical infrastructure, and cyber-insurance underwriting.
- All 6 functions: Govern, Identify, Protect, Detect, Respond, Recover
- 22 categories with automated + questionnaire scoring
- Identity & access, detection, and platform security fully automated
- Governance and recovery via guided questionnaire
- Maps to NIST SP 800-53 and SP 800-171 controls
- Prioritised gap analysis with remediation roadmap
CMMC Level 1 & 2 Readiness Assessment
Prepare for Cybersecurity Maturity Model Certification. Required for all US Department of Defense contractors handling FCI or CUI. CMMC 2.0 final rule effective December 2024.
- Level 1: 17 practices (FCI protection) — ~50% automated
- Level 2: 110 practices mapping to NIST SP 800-171 Rev 2
- 14 domains: Access Control, Audit, Config Mgmt, Incident Response + more
- Automated checks on identity, authentication, logging, and endpoints
- SSP/POA&M evidence mapping for audit preparation
- Gap-to-certification roadmap with priority scoring
NIS2 Directive Compliance Assessment
Assess your compliance with EU NIS2 Directive Article 21 cybersecurity risk-management measures. Mandatory for essential and important entities across the EU since October 2024.
- All 10 Article 21 measures: risk analysis to MFA
- Incident handling, business continuity, and supply chain checks
- Automated identity, access control, and encryption validation
- Network and information systems security posture
- Governance questionnaire for policy and training evidence
- Maps to ENISA guidance and national transposition requirements
UK Cyber Essentials Readiness Assessment
Pre-assessment readiness check against the 5 Cyber Essentials technical controls. Required for UK government suppliers and increasingly expected by cyber insurers.
- 5 controls: Firewalls, Secure Config, Access, Malware, Updates
- Conditional Access and network boundary policy checks
- Defender configuration and malware protection verification
- Windows Update ring and patching posture analysis
- Optional Cyber Essentials Plus extended checks
- Readiness score with certification gap analysis
MAS Technology Risk Management Assessment
Assess your alignment to the Monetary Authority of Singapore Technology Risk Management Guidelines. Required for all MAS-regulated financial institutions.
- 12 domains: Governance, Risk Framework, Access Control, Crypto + more
- Automated access control, cryptography, and security operations checks
- IT resilience and service management posture
- Cyber security operations and online financial services review
- Governance questionnaire for board-level oversight evidence
- Maps to MAS TRM 2021 revision and MAS Cyber Hygiene Notices
Deep-dive security packs
Unlike framework assessments that check breadth across many controls, packs go deep into a single attack surface. Same automated pipeline — deeper analysis.
Entra ID / Identity Hardening Pack
Deep-dive into your identity attack surface — the #1 breach vector. Six dimensions covering every aspect of your Entra ID configuration, from MFA coverage to app registration hygiene.
- MFA coverage: per-user status, phishing-resistant enforcement, auth methods
- Conditional Access gap analysis across users, apps, and platforms
- Privileged role hygiene: GA count, PIM adoption, standing vs eligible
- App registration audit: expired secrets, excessive permissions, unused apps
- Guest access exposure: stale guests, invite settings, B2B policy
- Risk policy effectiveness: Identity Protection, Secure Score, alert review
Email Security Pack
Full email attack surface analysis — spoofing, phishing, data leakage, and mail flow hygiene across your Microsoft 365 tenant.
- DNS authentication: DMARC policy, DKIM signing, SPF alignment
- Anti-phishing posture: impersonation protection, safe links/attachments
- Mail flow rules: external forwarding, auto-forward detection
- Legacy auth: SMTP AUTH, POP, IMAP per-mailbox status
- Quarantine and alert policy coverage review
- Encryption: OME configuration, TLS enforcement, sensitivity labels
SharePoint & Data Oversharing Pack
Find where your sensitive data is exposed right now — misconfigured sharing, labelling gaps, guest sprawl, and excessive permissions.
- External sharing: tenant settings, anonymous links, expiry policies
- Site inventory: total sites, externally shared, orphaned sites
- Sensitivity labels: coverage, encryption, auto-labelling policies
- DLP policies: SharePoint/OneDrive rules, sensitive info type coverage
- Guest access: stale guests, invite settings, B2B policy
- Permissions hygiene: public groups, broken inheritance, OAuth grants
Finance / Fintech Security Pack
Fraud controls, privileged access, data integrity, and regulatory evidence readiness for financial services organisations.
- Privileged access: PIM enablement, standing admin roles, break-glass
- Authentication: phishing-resistant MFA, FIDO2/TAP, legacy auth blocked
- Data controls: DLP policies, sensitivity labels, external sharing
- Email fraud: DMARC/DKIM/SPF, anti-phishing, impersonation protection
- Audit trail: log retention, sign-in logs, admin activity logging
- Endpoint: compliant devices, encryption, application control
Legal & Professional Services Pack
Client confidentiality controls, matter data segregation, and privileged communication protections for law firms and professional services.
- Data oversharing: external files, anonymous links, public sites
- Email controls: forwarding rules, encryption, retention labels
- Identity: MFA coverage, conditional access, guest management
- Device posture: compliant device policy for client data access
- Sensitivity labels: coverage, auto-labelling, mandatory labelling
- Compliance: retention policies, litigation holds, eDiscovery readiness
Endpoint / Intune Compliance Pack
Device posture is the second most common breach entry point. Deep-dive into your Intune enrolment, compliance, patching, and encryption coverage.
- Enrolment coverage: enrolled vs detected devices, stale enrolments
- Compliance policies: per-platform coverage, compliance state breakdown
- Update rings: Windows Update for Business, feature/quality deferrals
- Encryption: BitLocker enforcement, FileVault, device encryption %
- Application control: approved app lists, WDAC, app protection policies
- Configuration profiles: security baselines, antivirus, firewall policies
Healthcare Security Pack
Patient data protection, device compliance, privileged access to clinical systems, and incident readiness for healthcare organisations.
- Identity & access: MFA on clinical accounts, privileged roles, guest access
- Device compliance: Intune enrolment, encryption, OS patching
- Data protection: sensitivity labels on patient data, DLP, external sharing
- Email security: PHI leakage via forwarding, anti-phishing, external recipients
- Audit & logging: unified audit log, retention policies, alert coverage
- Incident readiness: litigation holds, eDiscovery, response plan evidence
AICD Governance Assessment
Assess your board's cyber security governance against the AICD Cyber Security Governance Principles (Version 2, November 2024). Combines automated M365 tenant analysis with a governance questionnaire completed by a nominated governance contact — with full privacy separation from the IT consent process.
- P1: Board roles, responsibilities, and committee oversight
- P2: Cyber strategy, data governance, and digital asset protection
- P3: Risk management, Zero Trust controls, and supply chain
- P4: Cyber resilient culture, training, and leadership KPIs
- P5: Incident response planning, simulation, and insurance
- Governance questionnaire with board-confidential responses
Board-ready security intelligence
Point-in-time reports designed for CFOs, boards, insurers, and investors — not IT teams. Same automated read-only pipeline. Business language, financial framing, executive delivery.
Cyber Insurance Readiness Report
Know your insurance approval likelihood before your broker does. Maps your Microsoft 365 security posture directly to the controls underwriters scrutinise — MFA, legacy auth, email defences, EDR, data protection, and audit logging.
- MFA coverage and phishing-resistant enforcement status
- Legacy authentication exposure scoring
- Email security: SPF, DKIM, DMARC, anti-phishing
- Endpoint detection and response posture
- Data protection controls and encryption status
- Audit logging completeness and retention
Board Cyber Risk Report
Give your board the cyber risk picture they need to govern confidently. Translates your Microsoft 365 technical posture into a board-grade risk rating with business context, no jargon, and clear accountability.
- Board-level risk rating: LOW / MEDIUM / HIGH / CRITICAL
- Identity and access risk in plain business language
- Threat prevention posture and detection effectiveness
- Data protection and compliance exposure
- Endpoint security and device governance status
- Resilience readiness: backup, incident response, BCP
Investor-Ready Security Report
De-risk your due diligence process. Provides investors, acquirers, and deal teams with an independent automated security assessment in deal language — Security Debt Score, Deal Risk Rating, and prioritised remediation cost estimates.
- Security Debt Score with Deal Risk Rating (LOW to DEAL BREAKER)
- Identity and access control findings mapped to deal risk
- Email security posture and phishing exposure
- Data protection controls and regulatory liability
- Endpoint compliance and shadow IT exposure
- Audit readiness and governance maturity
Prove the value of your M365 investment
Licence waste, adoption gaps, Copilot ROI, and tenant hygiene — the questions your CFO and CIO ask but nobody can answer quickly. Same read-only pipeline. Financial framing, actionable output.
Licence Optimisation Report
Find the Microsoft licences you're paying for but nobody's using. Identifies inactive users, premium-to-basic downgrade candidates, unassigned seats, duplicate SKUs, and unused Copilot licences with named users and dollar savings.
- Inactive users with licences (>30 days no sign-in)
- Premium licence holders with basic-only usage (E5 to E3 candidates)
- Unassigned licence seats you're paying for
- Duplicate/overlapping SKU assignments
- Unused Copilot licences ($30/user/month waste)
- Licensed guest accounts
Adoption & Usage Report
See exactly who's using Microsoft 365 and who isn't. Per-workload, per-department adoption heatmap across Exchange, Teams, SharePoint, OneDrive, and Copilot with named zero-activity user lists.
- Per-workload adoption scores (Exchange, Teams, SharePoint, OneDrive, Copilot)
- Department-level adoption heatmap
- Zero-activity users with last sign-in dates
- Teams deep dive: meetings, chat, inactive Teams
- Investment-at-risk estimate in dollar terms
- Targeted intervention recommendations by department
Copilot ROI Report
Prove your Copilot investment is working — or find out why it isn't. Per-user Copilot usage across Outlook, Teams, Word, Excel, PowerPoint, and Chat with estimated time saved, value generated, and a named reclaim list.
- Active vs inactive Copilot licence holders
- Per-app adoption: Outlook, Teams, Word, Excel, PowerPoint, Chat
- Estimated time saved per active user (hours/month)
- Financial ROI: value generated vs licence cost
- Named zero-usage licence reclaim list with saving estimate
- Board-ready executive summary
Tenant Health & Governance Report
A full health check for your Microsoft 365 tenant. Surfaces accumulated technical debt — orphaned groups, stale guests, abandoned Teams, expired app secrets, stale devices — with a Tenant Health Score and prioritised cleanup list.
- User hygiene: inactive accounts, never-signed-in users
- Guest account hygiene: stale guests, licensed guests, open invitations
- Group & Team hygiene: orphaned groups, empty Teams, external members
- Application hygiene: expired secrets, unowned apps, excessive permissions
- Device hygiene: stale objects, outdated OS, non-compliant devices
- Tenant Health Score with prioritised remediation roadmap
Four steps. Under ten minutes.
Pay securely
Select your assessment and pay via Stripe. Takes two minutes. You'll receive a setup email immediately.
Grant read-only access
Click the link in your email. Sign in as Global Admin and click Accept on the Microsoft permission screen. That's it.
We do the work
Our platform runs the full assessment against your tenant automatically. No agents, no scripts to run, no consultant on-site.
Inbox delivery
Your scored HTML report arrives within 10 minutes. Per-pillar scores, all findings, and a prioritised remediation roadmap.
We see your posture. Nothing else.
baref00t requests the minimum permissions required to assess your configuration. We cannot modify, delete, or access your data.
Read-Only Permissions
We request only Directory.Read, Policy.Read, and DeviceManagement.Read scopes. We cannot write to your tenant in any way. Review the full permission list before consenting.
Revocable Instantly
Remove our access anytime from Entra ID → Enterprise Applications. Takes 30 seconds. No call required, no notice period.
Regional Data Processing
Assessments run in the Azure region closest to you — Australia East, US East, West Europe, or Southeast Asia. Your data never leaves the region it's processed in.
No Data Retention
We don't store your tenant configuration data. Only the report output is retained — accessible only via the secure link sent to you.
Exactly what we request. Nothing more.
- Cannot write, modify, or delete: All permissions are Application-type read-only scopes. There is no mechanism in our app registration to perform write operations.
- Admin consent required once: A Global Administrator must click Accept on the Microsoft consent screen. This is standard practice for any third-party M365 integration.
- Token stored encrypted in Key Vault: Your tenant access credential is stored in Azure Key Vault with HSM-backed encryption. It's never logged or transmitted outside Azure.
- Revoke from Entra ID at any time: Entra ID → Enterprise Applications → baref00t → Delete. Instant revocation. No support ticket required.
Ready to see the naked truth?
Get your security assessment report in under 10 minutes.
No consultant. No agent installs. No surprises.