Security Testing
Deep-dive review of your firewall rulesets, configurations and policies — tightening the first line of defence and cutting the rules nobody remembers writing.
Firewall rulesets grow the way attics fill up: rule by rule, exception by exception, until nobody is quite sure what is in there or why. A firewall security assessment is the clear-out — a deep-dive review of your rulesets, configurations and policies that identifies the weaknesses, redundancies and quiet risks accumulating in your first line of defence.
Our consultants examine the configuration in full: rule sets, access control lists, network address translation settings and wider firewall policies. Each rule is analysed for necessity, correctness and security implications — overly permissive or forgotten rules are prime attacker real estate — alongside checks for policy consistency, rule ordering and conflicts that create unexpected gaps.
Beyond the ruleset itself, the assessment reviews how the firewall is operated: logging and monitoring coverage, so incidents are actually recorded; change management, so rule changes are controlled and documented; and alignment with security best practice and the standards you are held to. Where useful, we work with your team to rationalise the ruleset — removing redundant, obsolete and conflicting rules so the estate becomes simpler to manage and harder to breach.
The engagement runs through Sentry: scoped via questionnaire and call, evidence gathered from configuration exports with no changes made to your devices, findings raised as they are identified and prioritised by impact, then a clear report with remediation guidance and a debrief. Findings remain in Sentry for tracking, and repeat assessments are compared so improvement is measurable.
Firewall reviews are a compliance staple — PCI DSS expects ruleset reviews at least every six months, and ISO 27001 and Cyber Essentials both lean on well-managed boundary controls. The assessment pairs naturally with PCI DSS segmentation testing, which actively verifies the isolation your firewalls are supposed to enforce, and with external infrastructure testing to see the perimeter as an attacker does.
Rule-by-rule analysis finds the permissive, redundant and forgotten entries that attackers hunt for.
Rationalised rulesets remove unnecessary paths into your network — and are easier to manage safely.
Logging, monitoring and change management assessed alongside the configuration itself.
Supports PCI DSS ruleset review requirements, ISO 27001 and Cyber Essentials boundary controls.
Works from configuration exports — no changes and no risk to your live devices.
A short questionnaire and scoping call confirm the platforms, tenants or devices in scope and the standards that matter to you. You receive a clear Statement of Work and your project is created in Sentry.
We arrange read-only access or configuration exports, along with architecture diagrams and relevant policies. Nothing is changed in your environment.
A consultant assesses your configuration against CIS Benchmarks and vendor best practice, prioritising findings by impact and likelihood. Findings are raised in Sentry as they are identified, not weeks later.
You receive a prioritised report with clear remediation guidance and a debrief session with your consultant. Findings stay in Sentry so you can track fixes and compare future reviews.
Straight answers to what prospective clients ask us most.
A full review of rulesets, access control lists, NAT settings and policies; rule-by-rule analysis for necessity and correctness; consistency, conflict and ordering checks; and a review of logging, monitoring and change management — all prioritised in a clear remediation report.
A penetration test probes your perimeter from outside to find what is exploitable; a firewall assessment reviews the configuration from inside to find what is wrong, weak or unnecessary. The review often explains the findings a test surfaces — and prevents the next ones.
PCI DSS expects ruleset reviews at least every six months, and that is a sensible rhythm for any organisation — rulesets drift quickly. At minimum, review annually and after significant network changes.
Configuration exports from the in-scope devices, network diagrams and any relevant policies — gathered through our scoping questionnaire. We work from the exports, so nothing touches your live devices during the review.
Get a fixed-scope quote, usually the same working day.