Cyber readiness · Microsoft 365 · Fixed scope · From AU $799 - Microsoft 365 Security Posture Evidence Pack

A fixed-scope cyber readiness review for Australian SMBs and MSPs who need clear, practical evidence of their Microsoft 365 security posture — without the cost or complexity of a full security audit.

Human-reviewed findings · Evidence-aligned to Essential Eight themes · Not legal advice · Not a formal certification

Australian SMB focused
Built for 20–200 staff businesses
Human-reviewed findings
No raw tool output — every finding validated
Fixed-scope delivery
Evidence-first reporting · Clear remediation roadmap

Why this matters - Most M365 tenants drift from secure defaults over time.

Microsoft 365 is the backbone of most Australian SMB operations — email, file storage, collaboration, and identity. But security settings accumulate debt quietly: MFA gaps appear as staff join and leave, Conditional Access policies go untested, admin accounts multiply, and legacy authentication stays enabled long after it should have been retired.

Common issues we find in Australian SMB tenants

MFA gaps

Not all users or admins have MFA enforced — especially accounts added during growth phases.

Risky admin accounts

Global admin accounts used for daily work, no break-glass account hygiene, or stale admin assignments.

Weak Conditional Access

Policies exist but have gaps — legacy authentication not blocked, risky sign-ins not challenged.

Over-permissioned apps

Third-party M365-connected apps granted broad permissions that have never been reviewed.

Insecure defaults

Legacy protocols still enabled, Microsoft Secure Score low, and Microsoft's own secure baseline recommendations not applied.

Limited audit-ready evidence

No documented posture baseline — difficult to demonstrate diligence to insurers, clients, or leadership.

None of these are signs of negligence — they are the normal result of a growing business using M365 without a dedicated security function. The Cyber Readiness review surfaces them clearly so you can act.

Deliverables - What you receive.

Eight components delivered as a single evidence pack — practical, plain-English, and ready for internal use.

Executive Summary

Plain English · 1–2 pages
  • Plain-language overview of your current M365 security posture
  • Top findings and what they mean for your business
  • Suitable for leadership review without a technical background

Microsoft 365 Posture Findings

Tenant-level · Configuration-focused
  • Review of your M365 tenant security configuration
  • Identification of common gaps against secure baseline settings
  • Each finding documented with observed state and recommended action

Identity and Access Risk Summary

Admin accounts · Guest access · Permissions
  • Admin account exposure and privilege hygiene observations
  • Guest and external access configuration review
  • Over-permissioned application and service account flags

MFA and Conditional Access Observations

MFA coverage · Policy gaps
  • MFA enrolment and enforcement posture across your tenant
  • Conditional Access policy coverage and observable gaps
  • Risky sign-in and legacy authentication exposure

Secure Configuration Baseline Comparison

CIS / ACSC-informed · Not a formal audit
  • Comparison of observed settings against common secure baseline guidance
  • Aligned to industry-recognised configuration references
  • Not a formal certification — practical evidence for internal use

Essential Eight-Aligned Technical Evidence Appendix

Appendix · Evidence-first
  • Technical evidence mapped to relevant Essential Eight themes
  • Suitable for use in cyber insurance applications or internal governance reviews
  • Does not constitute formal Essential Eight maturity certification

Prioritised Remediation Roadmap

Now / Next / Later · Effort-ranked
  • Findings ranked by risk severity and remediation effort
  • Each item: clear description, recommended action, and expected outcome
  • Actionable by your IT team or MSP without further translation

60-Minute Walkthrough Call

Live · Recorded
  • We walk through every finding with your team or IT provider
  • Answer questions and clarify remediation priorities
  • Recording provided for internal reference

Who it is for - Built for Australian SMBs that rely on Microsoft 365.

Accounting and legal firms

  • Client data and trust obligations under Privacy Act and sector guidance
  • Common targets for business email compromise (BEC)
  • Cyber insurance increasingly requires documented posture evidence

Healthcare and education providers

  • My Health Records Act obligations and patient data sensitivity
  • High-value targets for ransomware due to operational criticality
  • Staff access management often under-reviewed

Construction and trade businesses

  • Invoice fraud and BEC a growing risk in project-based billing
  • M365 adoption high but security hygiene often not a priority
  • Practical, plain-English evidence pack fits non-technical teams

Professional services firms

  • Client data and IP protection under M365 collaboration tools
  • External sharing and guest access configuration often overlooked
  • Evidence pack useful for client trust and enterprise procurement

MSPs and IT providers

  • Deliver structured M365 posture evidence to your SMB clients
  • Supplement your own tooling with a human-reviewed evidence layer
  • Contact us to discuss white-label or referral arrangements

How it works - Five steps. Read-only access. No disruption to your team.

Step 1

You — 30 min

Discovery call

We confirm your M365 tenant scope, number of users, key business context, and any specific concerns (e.g. upcoming insurance renewal, incident response, or compliance review).

Step 2

You + us

Secure intake and scope confirmation

We send a secure intake form and confirm the read-only access we need. No admin credentials are shared: we work through delegated, read-only permissions provisioned temporarily for the engagement.

Step 3

Us

Read-only posture review

Our consultant reviews your M365 tenant configuration, identity settings, MFA posture, Conditional Access policies, and secure configuration gaps using read-only access only.
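As an added illustration of what a read-only check at this step looks like (this is example code, not the provider's own tooling), the script below uses the Microsoft Graph PowerShell SDK to flag two of the gaps listed earlier: no enforced Conditional Access policy that blocks legacy authentication for all users, and Global Administrator accounts with no MFA registration. It assumes the Microsoft.Graph module is installed, that the signed-in reviewer can consent to the read-only scopes named in the script, and that the tenant uses the standard "Global Administrator" role name; those scope and role names are assumptions, not anything the page states. Every scope requested is a Read scope, so the script cannot alter tenant configuration.

```powershell
# Added example (not the provider's tooling). Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in reviewer can consent to the read-only scopes below.
# All scopes are *.Read.* : nothing here can change tenant configuration.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports

# Scope names are an assumption about what these Graph endpoints require.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Is legacy authentication blocked by an ENABLED, all-users Conditional Access policy?
#    Legacy clients appear in clientAppTypes as 'exchangeActiveSync' and 'other'.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$legacyBlock = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
if ($legacyBlock) {
    "OK  legacy authentication blocked by: $($legacyBlock.DisplayName -join ', ')"
} else {
    "GAP no enabled, all-users Conditional Access policy blocks legacy authentication"
}
# Report-only policies enforce nothing; list them so they are not mistaken for controls.
$policies | Where-Object State -eq 'enabledForReportingButNotEnforced' |
    ForEach-Object { "INFO report-only policy (not enforced): $($_.DisplayName)" }

# 2. Who holds Global Administrator, and has each of them registered MFA?
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Registration report: one row per user with IsMfaRegistered.
$mfaByUpn = @{}
foreach ($row in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
    $mfaByUpn[$row.UserPrincipalName] = $row.IsMfaRegistered
}

"Global Administrators (active assignments): $($gaMembers.Count)"
foreach ($member in $gaMembers) {
    $upn = $member.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # groups and service principals have no UPN; review them by hand
    $registered = $mfaByUpn[$upn]
    $flag = if ($registered) { 'OK ' } else { 'GAP' }
    "$flag $upn mfaRegistered=$registered"
}
```

Two caveats a reviewer applies by hand, which is why the page insists on human review rather than raw tool output: MFA registered is not the same as MFA enforced (enforcement comes from Conditional Access or Security Defaults, so an account can be registered and still sign in without a second factor), and the legacy-auth check above only matches policies scoped to all users, so a policy scoped to groups, or an exclusion list that quietly carves out admins, still needs to be read line by line. Active role membership also misses PIM-eligible assignments, which have to be reviewed separately.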

Step 4

Us

Human review of findings

Every finding is reviewed by our consultant before it appears in your report. We do not ship automated output without human validation — false positives are removed, context is added.

Step 5

You + us — 60 min

Evidence pack and walkthrough

Your completed evidence pack is delivered securely. We walk through findings, answer questions, and confirm your remediation priorities in a recorded 60-minute call.

Pricing - Three tiers. Scope confirmed after discovery call.

AU $1,495 ex GST

M365 Security Posture Evidence Pack — Core

Best for businesses needing a practical report and prioritised remediation roadmap. Includes the full eight-component evidence pack and 60-minute walkthrough call. Payment on acceptance of scope. Early validation pricing — final scope confirmed after discovery call.

Also available:

Starter — $799

M365 Hygiene Snapshot. Best for a quick baseline check — executive summary, key findings, and a short remediation list. No full appendix.

Advanced — from $2,500

M365 + Cloud Posture Evidence Pack. Adds AWS, Azure, or GCP posture review where applicable. Scope confirmed after discovery call.

Methodology - Evidence-first. Human-reviewed. Practically focused.

How we review

  • Read-only access only — we never request admin credentials or write access
  • Secure configuration checks against recognised baseline guidance
  • Microsoft 365 posture assessment across identity, access, and configuration layers
  • Open-source and industry-recognised tooling may be used where appropriate
  • Every customer-facing finding is human-reviewed before delivery
  • False positives removed — context added before any finding is included

What we align to

  • ACSC Essential Eight themes (not a formal maturity assessment)
  • Microsoft Secure Score and M365 secure baseline recommendations
  • CIS Microsoft 365 Foundations Benchmark (reference only)
  • Australian Privacy Act and sector-specific guidance where applicable
  • Findings are evidence — not a legal opinion or compliance certification

Important — what this service is and is not

This service provides technical cyber readiness evidence and practical remediation guidance. It is not legal advice, not a formal Essential Eight maturity certification, and not a substitute for a regulated compliance audit. We do not guarantee insurer acceptance, government approval, or regulatory compliance outcomes. The evidence pack is designed to support your internal governance, cyber insurance application process, or remediation planning — not to replace professional legal or compliance advice.

Want clearer evidence of your Microsoft 365 security posture?

Book a 30-minute discovery call. We will confirm scope, access requirements, and timeline — and tell you honestly whether this is the right next step for your business.

From AU $799 ex GST · Fixed scope · Human-reviewed · Read-only access · Not a formal certification

More fixed-scope services

Pulse Check

A 5-day website and CX audit that ranks what's leaking enquiries, with a 90-day action plan. Fixed AU $1,490.


Implementation Sprint

A focused 3-week sprint to ship the conversion fixes from your Pulse Check. Up to 5 pages rebuilt, copy rewritten, tracking installed. From AU $4,900.



Our office

  • Wollongong, NSW, Australia