Why this matters

M365 is the operational nerve center for most growing companies — identity, mail, files, collaboration, all in one tenant. The default M365 configuration is permissive by design (Microsoft optimizes for ease-of-onboarding, not security). After 6–12 months of unmanaged use, almost every tenant accumulates the same set of preventable security issues: legacy authentication enabled, conditional access gaps, oversharing in SharePoint, MFA holes, audit logging not configured. 365 Security Reviews — Standard finds them, prioritizes them, and tracks remediation — quarterly, with monthly drift checks in between.

Who buys this

  • Companies preparing for SOC 2 / HIPAA / cyber-insurance audits
  • Companies whose cyber-insurance underwriter asks "when did you last review your M365 security posture"
  • Companies that inherited an M365 tenant from a previous admin and have no idea what is configured
  • Companies post-incident, where the IR report flagged M365 misconfigurations

What is included

In every 365 Security Reviews — Standard subscription.

  • Initial baseline capture of your tenant (one-time, included in $500 onboarding)
  • Quarterly written assessment of M365 security posture (full report)
  • Monthly drift check + alert when configuration regresses
  • Remediation roadmap prioritized by risk reduction × implementation effort
  • Executive summary suitable for cyber-insurance underwriting + SOC 2 / HIPAA evidence
  • AISA-tracked remediation follow-through (with status visible in your portal)
  • Annual control-mapping refresh (CIS M365 Foundations, Microsoft Secure Score baseline)

How we deliver

The operating shape, end to end.

01

One-time onboarding ($500)

Tenant baseline capture, role mapping, current-posture assessment, and the first remediation backlog. One-time, billed at activation.

02

Quarterly written assessment

Full M365 security review every 90 days: identity, Exchange, SharePoint, OneDrive, Teams, audit logs. Written report with remediation roadmap prioritized by risk × effort.

03

Monthly drift check

Between quarterly reviews, an automated configuration scan looks for regressions — alerts you when something drifts from the established baseline.

04

Executive summary for evidence

Each quarterly report includes a one-page executive summary suitable for sharing with auditors, insurance underwriters, board, or leadership.

Education

What you should actually understand before buying.

We sell a lot of these. The buyers who are happiest two years in are the ones who understood the why before they signed. So here is the why.

Why M365 needs a separate security practice

M365 has hundreds of configuration surfaces — identity policies, conditional access rules, mail-flow rules, sharing settings, app permissions, audit-log retention, and more. Microsoft Secure Score gives you a single number; it does not tell you what to fix in what order. A skilled M365 security practice translates the configuration sprawl into a prioritized remediation roadmap your IT lead can actually execute.

Why fixed-rate, not per-user

The work to review an M365 tenant is roughly fixed regardless of how many users you have — the same identity policies, the same conditional access surface, the same SharePoint sharing config. A 15-person tenant takes the same time to review properly as a 150-person tenant (within a band). Per-tenant pricing reflects the real workload. No volume discounts on this product because the workload does not actually decrease at scale.

What "drift check" actually checks

Between quarterly reviews, an automated scan checks roughly 80 critical configurations against the baseline established at onboarding: MFA coverage on every account, conditional access policy presence and scope, the SharePoint external-sharing surface, Exchange transport rules, audit-log retention settings, privileged-role membership, and app-consent posture. When drift is detected, you get an alert with the change details and a recommended remediation. The drift check catches the silent regressions — a new admin removing a CA policy, a new app being granted consent that should not have been, a SharePoint site being opened to "anyone with the link."
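The baseline-versus-current comparison described above, as an added illustrative example (not the vendor's scanner): it diffs a constructed snapshot of a handful of tenant settings against the onboarding baseline and emits alerts with change details and a recommended remediation. The snapshot schema, policy names and user names are assumed, constructed values, not the Graph API shape.

```python
# Added example (not the vendor's scanner): diff a current snapshot of a few tenant
# settings against the onboarding baseline and emit alerts with remediation hints.
SHARING_LEVELS = ["Disabled", "ExistingExternalUserSharingOnly",
                  "ExternalUserSharingOnly", "ExternalUserAndGuestSharing"]  # least -> most open

REMEDIATION = {  # one recommended action per check, carried in the alert
    "mfa_gaps": "Enforce MFA for the listed accounts (or disable them if unused).",
    "ca_policy": "Restore the policy from the baseline export and review who changed it.",
    "sharepoint_sharing": "Reset the tenant sharing capability to the baseline level.",
    "audit_retention": "Raise the audit-log retention back to the baseline value.",
    "global_admins": "Confirm the new member is approved; otherwise remove the role.",
    "app_consent": "Restore admin-consent-required and review newly consented apps.",
}

def detect_drift(baseline, current):
    """Return a list of alerts, each with the check, what changed and what to do."""
    alerts = []
    def alert(check, detail):
        alerts.append({"check": check, "detail": detail, "remediation": REMEDIATION[check]})

    for user in sorted(current["mfa_gaps"] - baseline["mfa_gaps"]):  # new accounts without MFA
        alert("mfa_gaps", f"{user} is not covered by MFA")
    for name, state in baseline["ca_policies"].items():  # CA policy removed or state changed
        now = current["ca_policies"].get(name, "missing")
        if now != state:
            alert("ca_policy", f"'{name}' went from {state} to {now}")
    before = SHARING_LEVELS.index(baseline["sharepoint_sharing"])
    after = SHARING_LEVELS.index(current["sharepoint_sharing"])
    if after > before:  # only widening is a regression; tightening is not alerted
        alert("sharepoint_sharing", f"sharing widened to {current['sharepoint_sharing']}")
    if current["audit_retention_days"] < baseline["audit_retention_days"]:
        alert("audit_retention", f"retention cut to {current['audit_retention_days']} days")
    for user in sorted(current["global_admins"] - baseline["global_admins"]):
        alert("global_admins", f"{user} was added to Global Administrator")
    if current["app_consent"] != baseline["app_consent"]:
        alert("app_consent", f"user app consent changed to {current['app_consent']}")
    return alerts

# Constructed snapshots in an assumed, simplified schema (not the real tenant export format).
BASELINE = {"mfa_gaps": set(), "sharepoint_sharing": "ExistingExternalUserSharingOnly",
            "ca_policies": {"Require MFA for all users": "enabled", "Block legacy authentication": "enabled"},
            "audit_retention_days": 365, "global_admins": {"alice"}, "app_consent": "AdminConsentRequired"}
CURRENT = {"mfa_gaps": {"dave"}, "sharepoint_sharing": "ExternalUserAndGuestSharing",  # "anyone with the link"
           "ca_policies": {"Require MFA for all users": "enabled"},  # legacy-auth block was deleted
           "audit_retention_days": 90, "global_admins": {"alice", "dave"}, "app_consent": "AdminConsentRequired"}

if __name__ == "__main__":
    for a in detect_drift(BASELINE, CURRENT):
        print(f"[{a['check']}] {a['detail']} -> {a['remediation']}")
```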

How this fits into a SOC 2 / HIPAA evidence package

Auditors want to see two things: a documented baseline and evidence the baseline is reviewed regularly. The quarterly written report is the documentation; the executive summary is the evidence the work happened. Auditors who have seen our reports usually accept them at face value.

Common questions

Questions buyers actually ask us.

Why a one-time setup fee?
The first review is meaningfully more work than the subsequent ones — we have to capture the full baseline, map every role, identify every existing policy. The $500 covers that one-time deep work.
Why no volume discount?
The per-tenant work is roughly fixed regardless of headcount. A 15-person tenant has the same configuration surface as a 150-person tenant. Volume discounts would mean undercharging the small ones or overcharging the large ones — we prefer to charge fairly.
Do term discounts apply?
Yes. Annual commitment, billed monthly: 15% off. Annual prepay: 25% off. Same as the rest of the catalog.
Can you fix what you find?
Yes — remediation is delivered by Pro2 (standard config) or Pro3 Master (architectural changes), separately scoped. The review identifies what needs to happen; the remediation engagement makes it happen.

Ready to add 365 Security Reviews — Standard to your stack?

Three minutes in the build flow turns this into a real plan with a real price you can act on. Or talk to a human first — discovery call, no commitment.