baref00t.io

Automated Security Assessments, Packs & Intelligence Reports

The naked truth
about your security posture.

31 automated products — compliance assessments, deep-dive security packs, board-ready intelligence reports, and a new Copilot Assessments tier covering agent inventory, interaction compliance, and meeting insights. Essential Eight, NIST CSF, CMMC, NIS2, Cyber Essentials, MAS TRM, and more. Results in minutes, not weeks. No consultant. No agent installs.

31 Products across 5 tiers · AU · US · EU · UK · SG · Results < 10 min · Read-only access · Global coverage
31
Security Products
500+
Controls Assessed
<10min
Time to Report
$0
Agent Installs Required

Trusted by organisations across

Government · Financial Services · Healthcare · Legal · Defence & Aerospace · Managed Service Providers

Compliance Assessments

Choose your assessment

Framework-aligned automated assessments — Essential Eight, MCSB, CIS, NIST CSF, CMMC, NIS2, CPS 234, MAS TRM, Cyber Essentials. Each report maps to the framework auditors and regulators expect.

Essential Eight ML1, ML2 & ML3 Assessment

AU
A$449 one-off · A$229/mo

Assess your compliance with the ACSC Essential Eight Maturity Model. Mandatory for Australian Government entities under the PSPF. Know exactly where you stand before the auditors do.

Cloud Security Benchmark v2 Assessment

Global
A$599 one-off · A$299/mo

Assess your Azure and Microsoft 365 environment against the Microsoft Cloud Security Benchmark v2 — 14 control domains covering Identity, Network, Data, AI, and DevOps security.

CIS Microsoft 365 Benchmark Assessment

Global
A$529 one-off · A$269/mo

Assess your Microsoft 365 tenant against the CIS Benchmark — the industry-standard security configuration guide recognised by auditors worldwide.

Microsoft Copilot Readiness Assessment

Global
A$749 one-off · A$379/mo

Know your risk before enabling Copilot. We assess oversharing, sensitivity labels, DLP coverage, and identity controls to determine if your tenant is ready for AI.

CPS 234 Information Security Assessment

AU
A$899 one-off · A$449/mo

Automated and governance-hybrid assessment against APRA's CPS 234 standard. Built for banks, insurers, and super funds that need to demonstrate compliance.

Ransomware Resilience Score

Global
A$529 one-off · A$269/mo

Cross-cutting assessment of your ransomware defences. One score across identity, backup, endpoint, email, data, network, and detection readiness.

Power Platform Security Assessment

Global
A$679 one-off · A$349/mo

Assess your Power Platform governance posture. Environment controls, DLP policies, Power Automate security, Power Apps sharing, Power BI governance, and Copilot Studio controls.

NIST Cybersecurity Framework Assessment

US
A$529 one-off · A$269/mo

Assess your alignment to the NIST CSF 2.0 six functions. The de facto baseline for US federal contractors, critical infrastructure, and cyber-insurance underwriting.

CMMC Level 1 & 2 Readiness Assessment

US
A$599 one-off · A$299/mo

Prepare for Cybersecurity Maturity Model Certification. Required for all US Department of Defense contractors handling FCI or CUI. CMMC 2.0 final rule effective December 2024.

NIS2 Directive Compliance Assessment

EU
A$529 one-off · A$269/mo

Assess your compliance with EU NIS2 Directive Article 21 cybersecurity risk-management measures. Mandatory for essential and important entities across the EU since October 2024.

UK Cyber Essentials Readiness Assessment

UK
A$449 one-off · A$229/mo

Pre-assessment readiness check against the 5 Cyber Essentials technical controls. Required for UK government suppliers and increasingly expected by cyber insurers.

MAS Technology Risk Management Assessment

SG
A$599 one-off · A$349/mo

Assess your alignment to the Monetary Authority of Singapore Technology Risk Management Guidelines. Required for all MAS-regulated financial institutions.

Security & Industry Packs

Deep-dive security packs

Deep-dive packs by attack surface (identity, email, data, endpoint) or by industry vertical (finance, legal, healthcare). One score, one report, focused on the topic your team is being asked about.

Entra ID / Identity Hardening Pack

Global
A$529 one-off · A$349/mo

Deep-dive into your identity attack surface — the #1 breach vector. Six dimensions covering every aspect of your Entra ID configuration, from MFA coverage to app registration hygiene.

Email Security Pack

Global
A$449 one-off · A$299/mo

Full email attack surface analysis — spoofing, phishing, data leakage, and mail flow hygiene across your Microsoft 365 tenant.

SharePoint & Data Oversharing Pack

Global
A$529 one-off · A$349/mo

Find where your sensitive data is exposed right now — misconfigured sharing, labelling gaps, guest sprawl, and excessive permissions.

Finance / Fintech Security Pack

Global
A$679 one-off · A$449/mo

Fraud controls, privileged access, data integrity, and regulatory evidence readiness for financial services organisations.

Legal & Professional Services Pack

Global
A$599 one-off · A$379/mo

Client confidentiality controls, matter data segregation, and privileged communication protections for law firms and professional services.

Endpoint / Intune Compliance Pack

Global
A$529 one-off · A$349/mo

Device posture is the second most common breach entry point. Deep-dive into your Intune enrolment, compliance, patching, and encryption coverage.

Healthcare Security Pack

Global
A$599 one-off · A$379/mo

Patient data protection, device compliance, privileged access to clinical systems, and incident readiness for healthcare organisations.

AICD Governance Assessment

AU
A$799 one-off · A$529/qtr

Assess your board's cyber security governance against the AICD Cyber Security Governance Principles (Version 2, November 2024). Combines automated M365 tenant analysis with a governance questionnaire completed by a nominated governance contact — with full privacy separation from the IT consent process.

Intelligence Reports

Board-ready security intelligence

Business-language reports for non-IT audiences — cyber insurance readiness, board cyber risk briefings, and investor-grade security due diligence.

Cyber Insurance Readiness Report

Global
A$499 one-off

Know your insurance approval likelihood before your broker does. Maps your Microsoft 365 security posture directly to the controls underwriters scrutinise — MFA, legacy auth, email defences, EDR, data protection, and audit logging.

Board Cyber Risk Report

Global
A$799 one-off · A$1,049/qtr

Give your board the cyber risk picture they need to govern confidently. Translates your Microsoft 365 technical posture into a board-grade risk rating with business context, no jargon, and clear accountability.

Investor-Ready Security Report

Global
A$1,499 one-off

De-risk your due diligence process. Provides investors, acquirers, and deal teams with an independent automated security assessment in deal language — Security Debt Score, Deal Risk Rating, and prioritised remediation cost estimates.

Productivity Analytics

Prove the value of your M365 investment

M365 usage, licence waste, adoption heatmaps, and Copilot ROI — see exactly where your investment is paying off and where it isn't.

Licence Optimisation Report

Global
A$399 one-off · A$199/mo

Find the Microsoft licences you're paying for but nobody's using. Identifies inactive users, premium-to-basic downgrade candidates, unassigned seats, duplicate SKUs, and unused Copilot licences with named users and dollar savings.

Adoption & Usage Report

Global
A$299 one-off · A$149/mo

See exactly who's using Microsoft 365 and who isn't. Per-workload, per-department adoption heatmap across Exchange, Teams, SharePoint, OneDrive, and Copilot with named zero-activity user lists.

Copilot ROI Report

Global
A$499 one-off · A$249/mo

Prove your Copilot investment is working — or find out why it isn't. Per-user Copilot usage across Outlook, Teams, Word, Excel, PowerPoint, and Chat with estimated time saved, value generated, and a named reclaim list.

Tenant Health & Governance Report

Global
A$299 one-off · A$149/mo

A full health check for your Microsoft 365 tenant. Surfaces accumulated technical debt — orphaned groups, stale guests, abandoned Teams, expired app secrets, stale devices — with a Tenant Health Score and prioritised cleanup list.

Copilot Assessments

Six audits for Microsoft 365 Copilot

Microsoft published a unified Copilot APIs surface — Package Management, Interaction Export, Chat, Retrieval, Meeting AI Insights. We turned each into a focused governance audit you can run on a customer tenant in under 15 minutes.

Copilot Readiness Audit

EXTENDED
A$749 one-off · A$379/mo

Pre-deployment data hygiene scoring across 7 dimensions plus live retrieval-surface measurement and an agent catalogue teaser.

Copilot ROI Report

A$499 one-off · A$249/mo

Per-user, per-surface Copilot activity vs licence spend — with named-user reclaim list.

Copilot Agent Inventory & Governance Audit

NEW
A$1,299 one-off · A$149/mo

Risk-scored inventory of every Entra Agent ID (Copilot Studio etc.), the tenant-wide Copilot tool catalogue (MCP servers), and the full Copilot Package Management catalogue (third-party add-ins + Teams apps) once a probe account is connected.

Copilot Interaction Compliance Audit

NEW
A$1,999 one-off · A$249/mo

Sample Copilot prompts and responses, PII-scan them, score compliance posture.

Copilot Synthetic Red-Team Probe

NEW
A$2,499 one-off · A$299/mo

Fire adversarial prompts at Copilot. Measure refusal rate, PII leakage, citation faithfulness, retrieval hygiene.

Copilot Meeting Insights Privacy & Coverage Audit

NEW
A$799 one-off · A$99/mo

Audit Teams meeting AI insight coverage, external-attendee exposure, retention, and action-item hygiene.

Process

Four steps. Under ten minutes.

01 / Purchase

Pay securely

Select your assessment and pay via Stripe. Takes two minutes. You'll receive a setup email immediately.

02 / Consent

Grant read-only access

Click the link in your email. Sign in as Global Admin and click Accept on the Microsoft permission screen. That's it.

03 / Assessment

We do the work

Our platform runs the full assessment against your tenant automatically. No agents, no scripts to run, no consultant on-site.

04 / Report

Inbox delivery

Your scored HTML report arrives within 10 minutes. Per-pillar scores, all findings, and a prioritised remediation roadmap.

Security & Trust

We see your posture.
Nothing else.

baref00t requests the minimum permissions required to assess your configuration. We cannot modify, delete, or access your data.

Read-Only Permissions

We request only Directory.Read, Policy.Read, and DeviceManagement.Read scopes. We cannot write to your tenant in any way. Review the full permission list before consenting.

Revocable Instantly

Remove our access anytime from Entra ID → Enterprise Applications. Takes 30 seconds. No call required, no notice period.

Regional Data Processing

Assessments run in the Azure region closest to you — Australia East, US East, West Europe, or Southeast Asia. Your data never leaves the region it's processed in.

No Data Retention

We don't store your tenant configuration data. Only the report output is retained — accessible only via the secure link sent to you.

Transparency

Exactly what we request. Nothing more.

// Microsoft Graph — Application permissions
// Type: Read-only. Cannot write or delete.

Directory.Read.All                      // users, groups, roles
Policy.Read.All                         // Conditional Access
Organization.Read.All                   // tenant info
AuditLog.Read.All                       // sign-in logs
RoleManagement.Read.All                 // PIM, role assigns
DeviceManagementConfiguration.Read.All  // Intune policies
UserAuthenticationMethod.Read.All       // MFA methods
IdentityRiskEvent.Read.All              // risky sign-ins
Reports.Read.All                        // usage reports
SecurityEvents.Read.All                 // security alerts
Sites.Read.All                          // SharePoint sites
SharePointTenantSettings.Read.All       // SP tenant config
GroupMember.Read.All                    // group membership
Application.Read.All                    // app registrations
InformationProtection.Read.All          // sensitivity labels

// Azure RBAC (optional — for Defender checks)
Security Reader                         // read-only
Reader                                  // read-only

  • Cannot write, modify, or delete: All permissions are Application-type read-only scopes. There is no mechanism in our app registration to perform write operations.
  • Admin consent required once: A Global Administrator must click Accept on the Microsoft consent screen. This is standard practice for any third-party M365 integration.
  • Token stored encrypted in Key Vault: Your tenant access credential is stored in Azure Key Vault with HSM-backed encryption. It's never logged or transmitted outside Azure.
  • Revoke from Entra ID at any time: Entra ID → Enterprise Applications → baref00t → Delete. Instant revocation. No support ticket required.

FAQ

Common questions

How is this different from Microsoft Secure Score?
Secure Score measures general configuration quality but doesn't map to specific regulatory frameworks or produce the compliance evidence auditors require. Our assessments produce framework-specific scores — E8 maturity levels, NIST CSF function ratings, CMMC practice gaps, NIS2 Article 21 coverage — with per-control pass/fail evidence and remediation guidance.
Which frameworks and regions do you cover?
We offer 31 products across 5 tiers. Assessments (12): Essential Eight, MCSB, CIS M365, Copilot Readiness, CPS 234, Ransomware Resilience, Power Platform, NIST CSF 2.0, CMMC, NIS2, Cyber Essentials, MAS TRM. Security Packs (7): Entra ID Hardening, Email Security, SharePoint Oversharing, Finance, Legal, Endpoint/Intune, Healthcare. Intelligence Reports (4): Cyber Insurance Readiness, Board Cyber Risk, Investor-Ready Security, AICD Governance. Productivity Modules (4): Licence Optimisation, Adoption & Usage, Copilot ROI, Tenant Health. Copilot Assessments (4): Agent Inventory & Governance, Interaction Compliance, Synthetic Red-Team Probe, Meeting Insights Privacy & Coverage. Regions: AU, US, EU, UK, SG.
What is a Copilot "probe account" and when do I need one?
Two Copilot Assessments read Microsoft APIs that Microsoft documents as delegated-only, where application (app-only) access is listed as "Not supported": the Synthetic Red-Team Probe (Copilot Chat & Retrieval) and the Package Management coverage of the Agent Inventory audit. To run those, you connect a dedicated, Copilot-licensed probe user once: create a user in Entra ID, assign a Microsoft 365 Copilot licence (and Global Reader for full Package Management coverage), then sign it in at /consent/probe-account; a Global Admin grants consent on first sign-in. baref00t stores only an encrypted refresh token (in Azure Key Vault) and mints short-lived read-only delegated tokens on demand; no standing password. One connection covers both products, and you can revoke it any time from Entra ID → Enterprise Applications. The other assessments don't need this; they run app-only with standard admin consent.
What happens if a check fails?
Every failed check includes a remediation action with the exact Intune, Entra, or Azure portal path to fix it. High-severity failures are called out at the top of the report. The monthly subscription shows your score trend over time so you can demonstrate improvement.
Can I bundle multiple assessments?
Yes — purchase assessments individually and they'll run as separate assessments against the same tenant. Bundle pricing available on request for two or more products. Contact assessments@baref00t.io.
Do you support multi-tenant or MSP use?
Yes. If you manage multiple tenants as an MSP, contact us for volume pricing. Each tenant requires a separate consent grant, but reports are delivered per-tenant and can be white-labelled for your clients.
How do I revoke access after the assessment?
Entra ID → Enterprise Applications → search "baref00t" → Delete. Done in 30 seconds. You can also do this from the Microsoft MyApps portal (myapps.microsoft.com). Access is revoked immediately — no notice period, no support ticket.
Where is my data processed?
Assessments run in the Azure region closest to you — Australia East, US East, West Europe, or Southeast Asia. Your tenant data never leaves the processing region and is not retained after the report is generated. Only the report output is stored, accessible via the secure link sent to you.
What currencies do you accept?
We accept USD, AUD, GBP, EUR, and SGD. Your currency is auto-detected based on location and can be changed using the currency selector in the navigation bar. All 31 products are priced in all 5 currencies. Payments are processed securely via Stripe.
Do I need CMMC Level 1 or Level 2?
Level 1 (17 practices) is for contractors handling Federal Contract Information (FCI). Level 2 (110 practices, mapped to NIST SP 800-171) is for those handling Controlled Unclassified Information (CUI). Most DoD contractors handling sensitive data need Level 2. Our assessment lets you select either level and identifies your gaps to certification.
Is the E8 assessment suitable for PSPF compliance?
The E8 assessment covers all controls in the ACSC Essential Eight Maturity Model at ML1, ML2, and ML3 — the framework assessed under the PSPF. Note: formal PSPF compliance at PROTECTED level requires an IRAP assessment. Our report is ideal for identifying gaps and preparing for one.
What does the NIS2 assessment cover?
It assesses all 10 Article 21 cybersecurity risk-management measures — from risk analysis and incident handling to supply chain security, encryption, and multi-factor authentication. Automated checks cover identity, access control, and detection. A governance questionnaire covers policy, training, and business continuity evidence.
How does the Ransomware Resilience score work?
We assess seven dimensions — Identity (20%), Backup (20%), Endpoint (15%), Email (15%), Data (10%), Network (10%), and Detection (10%) — with weighted scoring. Each dimension produces a percentage score, and the composite gives you an overall resilience rating: Strong, Moderate, Weak, or Critical Risk. The report highlights the highest-impact remediation actions first.

Ready to see the naked truth?

Get your security assessment report in under 10 minutes.
No consultant. No agent installs. No surprises.

Contact

Get in Touch

Have questions about our assessments? We’d love to hear from you.