Security Testing

Configuration Reviews

Expert review of your cloud, SaaS and firewall configurations against CIS Benchmarks and best practice — because most breaches start with a setting, not a zero-day.

Most breaches do not start with a sophisticated exploit. They start with a setting: a storage bucket left open, an admin account without MFA, a firewall rule nobody remembers writing. A security configuration review finds those settings before an attacker does — an expert, point-in-time examination of how your platforms are actually configured, measured against CIS Benchmarks and vendor best practice.

We review the three estates where misconfiguration does the most damage: cloud platforms (AWS, Azure and GCP), SaaS tenants (Microsoft 365 and Google Workspace), and firewalls. Each review is delivered by consultants who work with these platforms daily and know the difference between a theoretical deviation and a finding that genuinely matters. Reviews can cover a single platform or your whole estate, scaling from one firewall pair to a multi-account, multi-cloud environment.

What a security configuration review involves

We start by identifying the right benchmarks and baselines for your platforms, then gather what we need — read-only access or configuration exports, architecture diagrams, existing policies. Your consultant reviews the configuration in detail, identifying gaps and deviations and prioritising them by impact and likelihood of exploitation, so the report tells you what to fix first rather than burying you in a hundred equal-weight observations.

Like all our engagements, reviews are delivered through Sentry: scoped via questionnaire and call, findings raised as they are identified, and a clear report with remediation guidance followed by a debrief session. Where a finding needs discussion — a deviation that is deliberate, or a fix with operational side-effects — your consultant is available through Sentry messaging throughout. Findings stay in Sentry afterwards for remediation tracking, and repeat reviews are compared against your previous results so improvement is visible.

A configuration review is the natural complement to both penetration testing and continuous scanning. Testing shows what an attacker can exploit from outside; a review shows whether the platform beneath is built on solid ground; and our continuous vulnerability management service keeps watch between the point-in-time engagements. Together with the compliance value — CIS-aligned evidence for ISO 27001, PCI DSS and Cyber Essentials Plus — a regular review cycle is one of the highest-return security exercises you can run: it hardens what you already own, often pays for itself in security features you are licensed for but not yet using, and gives leadership a defensible answer to 'are we configured securely?' backed by recognised benchmarks rather than opinion.

What you get

CIS Benchmark-aligned

Reviews measured against the industry's most widely adopted configuration standards, plus vendor best practice.

Expert judgement, not tool dumps

Consultants who know the platforms prioritise findings by real impact and likelihood — not alphabetically.

Cloud, SaaS and firewalls

The three estates where misconfiguration causes the most breaches, reviewed by specialists.

Non-intrusive by design

Read-only access and configuration exports mean nothing changes in your environment during the review.

Prioritised remediation plan

A clear, ranked report tells you what to fix first and how, with findings tracked in Sentry.

Better use of what you own

Reviews routinely surface security features you already pay for but have not switched on.

How it works

  1. 01

    Scoping

    A short questionnaire and scoping call confirm the platforms, tenants or devices in scope and the standards that matter to you. You receive a clear Statement of Work and your project is created in Sentry.

  2. 02

    Evidence gathering

    We arrange read-only access or configuration exports, along with architecture diagrams and relevant policies. Nothing is changed in your environment.

  3. 03

    Expert review

    A consultant assesses your configuration against CIS Benchmarks and vendor best practice, prioritising findings by impact and likelihood. Findings are raised in Sentry as they are identified, not weeks later.

  4. 04

    Report and debrief

    You receive a prioritised report with clear remediation guidance and a debrief session with your consultant. Findings stay in Sentry so you can track fixes and compare future reviews.

Frequently asked questions

Straight answers to what prospective clients ask us most.

How is a configuration review different from a penetration test?

A penetration test attacks your systems from the outside to find exploitable weaknesses; a configuration review examines the settings inside the platform against benchmarks and best practice. The two find different problems, and mature programmes use both.

How does this relate to continuous vulnerability scanning?

A configuration review is a deep, expert, point-in-time examination; continuous scanning is automated, ongoing coverage between reviews. Our Sentry CVM service handles the continuous side — a review tells you the platform is built right, scanning tells you quickly when something changes.

What access do you need?

Read-only access or configuration exports, plus architecture diagrams and relevant policies. We never need — or ask for — the ability to change anything in your environment.

How often should configurations be reviewed?

Annually as a baseline, and after significant changes such as migrations, mergers or major platform redesigns. Cloud and SaaS platforms evolve quickly, so many clients pair an annual review with continuous scanning in between.

Ready to talk about configuration reviews?

Get a fixed-scope quote, usually the same working day.