Reusable audit programs you can run today.

You can not trust an AI system you have not tried to break. Audit of red-team capability covering prompt injection, jailbreaks, data exfil and grounding failures.

Copilot / Cursor / Claude Code / Codeium / equivalent — quick audit of how AI code assistants are deployed in your engineering org.

Quick check on the privacy + lawfulness side of using or building AI — training-data provenance, lawful basis, DSARs against models, and synthetic data alternatives.

Most "AI risk" is really 3rd-party risk: data egress to OpenAI/Anthropic/Google + training opt-outs + retention. Quick check.

Whether you train, fine-tune or just consume models, you need governance — inventory, risk classification, human oversight, evaluation.

Leaked API tokens are a top breach vector. Check inventory, scoping, storage and rotation of personal access tokens and machine secrets.

Single sign-on is only as strong as the apps it covers and the policies behind it. Quick check on coverage, MFA, conditional access and session controls.

Service accounts get over-privileged and never rotated — quick health check on inventory, scoping and credential rotation.

Check your password rules against modern NIST guidance — length, rotation, complexity, password manager use.

A 6-question snapshot of privileged-account hygiene: shared admins, breakglass, vaulting, JIT, session recording.

Screening, training, NDAs, remote work — all 8 A.6 people controls in 3 minutes.

A short audit of your k8s cluster against the high-impact controls — RBAC, secrets, network policies, image trust.

Tenant-wide hardening for Azure subscriptions — identity, networking, logging and Defender for Cloud baseline.

Audit your M365 tenant for the controls that actually matter: identity, mail flow, sharing, audit logging and admin separation.

How well is your SaaS estate protected — SSO, MFA enforcement, offboarding, third-party app review?

Quick check of public-access, encryption, logging and lifecycle on your S3 estate. Built around the CIS AWS benchmark for S3.

Find gaps in your cloud security posture.

The three scanners every CI/CD should run, with finding triage and trend tracking.

Most apps are 90% open-source dependencies. Quick check on SBOM, scanning, pinning, and what happens when a high-CVE library drops.

Are security activities baked into the development lifecycle, or are they bolted on at the end? A focused maturity snapshot.

TLS configuration + cert lifecycle — every breach starts with somebody not noticing a cert expired or a weak cipher enabled.

Office Wi-Fi quick audit — segmentation, encryption, guest network and rogue AP detection.

Audit your VPN: who can connect, with what, from where, and what they can reach.

SPF, DKIM, DMARC, DNSSEC and recursive-resolver hardening — the basics of internet plumbing you probably forgot to check.

Are your firewall rules documented, reviewed and free of any-any? A 7-question hygiene audit for perimeter + segmentation rules.

What does the internet know about your organisation that you don't? 5 minutes.

USB drives, SD cards and external SSDs are the easiest exfil and infection vector. A focused control set.

Are your laptops actually hardened — disk encryption, local admin, screen lock, USB control?

Mobile devices accessing corporate data should be managed. Quick audit on enrolment, posture and wipe capability.

Are all endpoints actually covered by EDR, and is response automated? Quick coverage + tuning check.

How fast are you patching workstations, servers, network gear and third-party apps? 8-question maturity check.

How well does your VM programme find, prioritise, and fix what matters? 5 minutes.

Endpoint, identity, network, data, dev, monitoring — A.8 in 4 minutes.

NTFS / SharePoint / Drive permissions silently drift over years. A focused audit on excess access, group cleanliness, owners and stale data.

You cannot protect what you cannot find. Quick check of PII discovery, mapping and minimisation.

Do you actually classify data — and is the classification reflected in access control, encryption and retention? Quick snapshot.

Most cyber-insurance applications now ask the same 30 questions. Pre-empt them and avoid claim disputes.

Whether you run a SOC in-house or use an MSSP — a quick check on coverage, tooling, response time and reporting.

Is your IR plan more than a PDF? Test for tabletop exercises, RACI, comms templates, escalation paths and lessons-learned.

When did you last actually restore a backup? Audit your backup cadence, immutability, off-site copies and recovery time.

Quick check on whether you are reviewing vendor SOC 2 reports properly — not just collecting them.

How mature is the operating model behind your third-party risk management programme? 4 minutes.

How well do you assess, contract, and monitor your suppliers? 5 minutes.

Safety Instrumented Systems (SIS) and vendor remote access are the two paths most likely to take a plant offline. Targeted audit.

Inventory for OT looks nothing like IT. Quick check on coverage, criticality, vendor-approved patch windows and risk-acceptance for unpatchable assets.

The Purdue model still matters. Quick check on the boundary between IT and OT, the OT DMZ, and what crosses it.

Lookalike domains, typo-squatting and brand abuse outside your own perimeter. The cheap part of "attack surface" most people skip.

CEO / CFO LinkedIn clones, executive deepfakes and impersonation accounts targeting your customers and staff. Detect and respond.

The Twitter, LinkedIn, Instagram and TikTok accounts your brand depends on get over-shared, under-protected and almost never audited. Quick check.

Even if you are a SAQ-A merchant, a quick check of CHD scope, segmentation, vendor responsibilities and key PCI controls.

A practical 30-minute self-check on the GDPR controls that fail most audits — not a full DPIA.

If you have on-prem racks anywhere, walk the physical security controls — badge access, CCTV, environment, visitor log.

IT general controls readiness for SOC 1 / SOC 2 (formerly SAS 70) audits — in 4 minutes.

Perimeter, entry, monitoring, equipment, disposal — the physical side of ISO 27001 in 3 minutes.

How well your governance, supplier and incident controls map to ISO 27001:2022 Annex A.5.