baref00t.io

Automated Security Assessments, Packs & Intelligence Reports

The naked truth
about your security posture.

27 automated products — compliance assessments, deep-dive security packs, and board-ready intelligence reports across Essential Eight, NIST CSF, CMMC, NIS2, Cyber Essentials, MAS TRM, and more. Results in minutes, not weeks. No consultant. No agent installs.

27 Products across 4 tiersAU · US · EU · UK · SGResults < 10 minRead-only accessGlobal coverage
27
Security Products
500+
Controls Assessed
<10min
Time to Report
$0
Agent Installs Required

Trusted by organisations across

GovernmentFinancial ServicesHealthcareLegalDefence & AerospaceManaged Service Providers

Assessment Products

Choose your assessment

Each assessment runs against your Microsoft 365 tenant using read-only permissions. You grant access once, we do the rest.

ACSC Essential Eight | AU

Essential Eight
ML1, ML2 & ML3 Assessment

Assess your compliance with the ACSC Essential Eight Maturity Model. Mandatory for Australian Government entities under the PSPF. Know exactly where you stand before the auditors do.

  • All 8 pillars: Application Control, Patching, MFA, Backups + more
  • ML1, ML2, and ML3 scored separately per pillar
  • Conditional Access and privileged account analysis
  • Intune compliance and update ring verification
  • Prioritised remediation roadmap in your report
  • Optional monthly re-assessment subscription
$299
USD / report

or $149/month for continuous monitoring

Microsoft MCSB v2 | Global

Cloud Security Benchmark
v2 Assessment

Assess your Azure and Microsoft 365 environment against the Microsoft Cloud Security Benchmark v2 — 14 control domains covering Identity, Network, Data, AI, and DevOps security.

  • 14 domains: Identity, Network, Logging, Data, DevOps, AI + more
  • Azure Secure Score and Defender for Cloud integration
  • Conditional Access, PIM, and MFA gap analysis
  • Maps to ISO 27001, NIST CSF v2, SOC 2, PCI-DSS v4
  • JSON and CSV exports for integration into your GRC tool
  • MCSB v2 preview controls: AI security and DevOps
$399
USD / report

or $199/month for continuous monitoring

CIS Benchmark | Global

CIS Microsoft 365
Benchmark Assessment

Assess your Microsoft 365 tenant against the CIS Benchmark — the industry-standard security configuration guide recognised by auditors worldwide.

  • 7 domains: Identity, Apps, Data, Email, Auditing, Storage, Teams
  • CIS Level 1 and Level 2 controls scored separately
  • Conditional Access, MFA, and authentication method analysis
  • SharePoint sharing and Teams guest access review
  • Application consent and OAuth permission audit
  • Prioritised remediation with CIS control references
$349
USD / report

or $179/month for continuous monitoring

Copilot Readiness | Global

Microsoft Copilot
Readiness Assessment

Know your risk before enabling Copilot. We assess oversharing, sensitivity labels, DLP coverage, and identity controls to determine if your tenant is ready for AI.

  • 6 dimensions: Oversharing, Labels, DLP, Identity, Guest, Licensing
  • SharePoint site permission and public group analysis
  • Sensitivity label coverage and auto-labelling review
  • Conditional Access policies targeting Copilot
  • Weighted readiness score: Ready / Caveats / Not Ready
  • Pre-enablement and post-rollout remediation roadmap
$499
USD / report

or $249/month for continuous monitoring

APRA CPS 234 | AU

CPS 234
Information Security Assessment

Automated and governance-hybrid assessment against APRA's CPS 234 standard. Built for banks, insurers, and super funds that need to demonstrate compliance.

  • 6 CPS 234 sections: Capability, Policy, Assets, Controls, Incidents, Testing
  • Automated technical checks via Microsoft Graph and Defender
  • Governance questionnaire for board-level controls
  • Combined score: automated (60%) + questionnaire (40%)
  • APRA notification obligation assessment
  • Maps to CPG 234 guidance for remediation
$599
USD / report

or $299/month for continuous monitoring

Ransomware Resilience | Global

Ransomware
Resilience Score

Cross-cutting assessment of your ransomware defences. One score across identity, backup, endpoint, email, data, network, and detection readiness.

  • 7 dimensions: Identity, Backup, Endpoint, Email, Data, Network, Detection
  • Weighted composite resilience score (0-100%)
  • MFA, legacy auth, admin privilege, and PIM analysis
  • Backup immutability and break-glass account checks
  • Defender for Endpoint and Office 365 licensing verification
  • Rating: Strong / Moderate / Weak / Critical Risk
$349
USD / report

or $179/month for continuous monitoring

Power Platform | Global

Power Platform
Security Assessment

Assess your Power Platform governance posture. Environment controls, DLP policies, Power Automate security, Power Apps sharing, Power BI governance, and Copilot Studio controls.

  • 6 dimensions: Environments, DLP, Automate, Apps, BI, Copilot Studio
  • Weighted governance score with actionable remediation
  • DLP connector classification and gap analysis
  • Environment sprawl and managed environment checks
  • Power BI external sharing and sensitivity label review
  • Rating: Well Governed / Partially / Gaps / Ungoverned
$449
USD / report

or $229/month for continuous monitoring

NIST CSF 2.0 | US

NIST Cybersecurity
Framework Assessment

Assess your alignment to the NIST CSF 2.0 six functions. The de facto baseline for US federal contractors, critical infrastructure, and cyber-insurance underwriting.

  • All 6 functions: Govern, Identify, Protect, Detect, Respond, Recover
  • 22 categories with automated + questionnaire scoring
  • Identity & access, detection, and platform security fully automated
  • Governance and recovery via guided questionnaire
  • Maps to NIST SP 800-53 and SP 800-171 controls
  • Prioritised gap analysis with remediation roadmap
$349
USD / report

or $179/month for continuous monitoring

CMMC 2.0 | US

CMMC Level 1 & 2
Readiness Assessment

Prepare for Cybersecurity Maturity Model Certification. Required for all US Department of Defense contractors handling FCI or CUI. CMMC 2.0 final rule effective December 2024.

  • Level 1: 17 practices (FCI protection) — ~50% automated
  • Level 2: 110 practices mapping to NIST SP 800-171 Rev 2
  • 14 domains: Access Control, Audit, Config Mgmt, Incident Response + more
  • Automated checks on identity, authentication, logging, and endpoints
  • SSP/POA&M evidence mapping for audit preparation
  • Gap-to-certification roadmap with priority scoring
$399
USD / report

or $199/month for continuous monitoring

NIS2 Directive | EU

NIS2 Directive
Compliance Assessment

Assess your compliance with EU NIS2 Directive Article 21 cybersecurity risk-management measures. Mandatory for essential and important entities across the EU since October 2024.

  • All 10 Article 21 measures: risk analysis to MFA
  • Incident handling, business continuity, and supply chain checks
  • Automated identity, access control, and encryption validation
  • Network and information systems security posture
  • Governance questionnaire for policy and training evidence
  • Maps to ENISA guidance and national transposition requirements
$349
USD / report

or $179/month for continuous monitoring

Cyber Essentials | UK

UK Cyber Essentials
Readiness Assessment

Pre-assessment readiness check against the 5 Cyber Essentials technical controls. Required for UK government suppliers and increasingly expected by cyber insurers.

  • 5 controls: Firewalls, Secure Config, Access, Malware, Updates
  • Conditional Access and network boundary policy checks
  • Defender configuration and malware protection verification
  • Windows Update ring and patching posture analysis
  • Optional Cyber Essentials Plus extended checks
  • Readiness score with certification gap analysis
$299
USD / report

or $149/month for continuous monitoring

MAS TRM | Singapore

MAS Technology Risk
Management Assessment

Assess your alignment to the Monetary Authority of Singapore Technology Risk Management Guidelines. Required for all MAS-regulated financial institutions.

  • 12 domains: Governance, Risk Framework, Access Control, Crypto + more
  • Automated access control, cryptography, and security operations checks
  • IT resilience and service management posture
  • Cyber security operations and online financial services review
  • Governance questionnaire for board-level oversight evidence
  • Maps to MAS TRM 2021 revision and MAS Cyber Hygiene Notices
$399
USD / report

or $229/month for continuous monitoring

Security Packs

Deep-dive security packs

Unlike framework assessments that check breadth across many controls, packs go deep into a single attack surface. Same automated pipeline — deeper analysis.

Identity Pack | Global

Entra ID / Identity
Hardening Pack

Deep-dive into your identity attack surface — the #1 breach vector. Six dimensions covering every aspect of your Entra ID configuration, from MFA coverage to app registration hygiene.

  • MFA coverage: per-user status, phishing-resistant enforcement, auth methods
  • Conditional Access gap analysis across users, apps, and platforms
  • Privileged role hygiene: GA count, PIM adoption, standing vs eligible
  • App registration audit: expired secrets, excessive permissions, unused apps
  • Guest access exposure: stale guests, invite settings, B2B policy
  • Risk policy effectiveness: Identity Protection, Secure Score, alert review
$349
USD / report

or $229/month for continuous monitoring

Email Pack | Global

Email Security
Pack

Full email attack surface analysis — spoofing, phishing, data leakage, and mail flow hygiene across your Microsoft 365 tenant.

  • DNS authentication: DMARC policy, DKIM signing, SPF alignment
  • Anti-phishing posture: impersonation protection, safe links/attachments
  • Mail flow rules: external forwarding, auto-forward detection
  • Legacy auth: SMTP AUTH, POP, IMAP per-mailbox status
  • Quarantine and alert policy coverage review
  • Encryption: OME configuration, TLS enforcement, sensitivity labels
$299
USD / report

or $199/month for continuous monitoring

Data Pack | Global

SharePoint & Data
Oversharing Pack

Find where your sensitive data is exposed right now — misconfigured sharing, labelling gaps, guest sprawl, and excessive permissions.

  • External sharing: tenant settings, anonymous links, expiry policies
  • Site inventory: total sites, externally shared, orphaned sites
  • Sensitivity labels: coverage, encryption, auto-labelling policies
  • DLP policies: SharePoint/OneDrive rules, sensitive info type coverage
  • Guest access: stale guests, invite settings, B2B policy
  • Permissions hygiene: public groups, broken inheritance, OAuth grants
$349
USD / report

or $229/month for continuous monitoring

Finance Pack | Global

Finance / Fintech
Security Pack

Fraud controls, privileged access, data integrity, and regulatory evidence readiness for financial services organisations.

  • Privileged access: PIM enablement, standing admin roles, break-glass
  • Authentication: phishing-resistant MFA, FIDO2/TAP, legacy auth blocked
  • Data controls: DLP policies, sensitivity labels, external sharing
  • Email fraud: DMARC/DKIM/SPF, anti-phishing, impersonation protection
  • Audit trail: log retention, sign-in logs, admin activity logging
  • Endpoint: compliant devices, encryption, application control
$449
USD / report

or $299/month for continuous monitoring

Legal Pack | Global

Legal & Professional
Services Pack

Client confidentiality controls, matter data segregation, and privileged communication protections for law firms and professional services.

  • Data oversharing: external files, anonymous links, public sites
  • Email controls: forwarding rules, encryption, retention labels
  • Identity: MFA coverage, conditional access, guest management
  • Device posture: compliant device policy for client data access
  • Sensitivity labels: coverage, auto-labelling, mandatory labelling
  • Compliance: retention policies, litigation holds, eDiscovery readiness
$399
USD / report

or $249/month for continuous monitoring

Endpoint Pack | Global

Endpoint / Intune
Compliance Pack

Device posture is the second most common breach entry point. Deep-dive into your Intune enrolment, compliance, patching, and encryption coverage.

  • Enrolment coverage: enrolled vs detected devices, stale enrolments
  • Compliance policies: per-platform coverage, compliance state breakdown
  • Update rings: Windows Update for Business, feature/quality deferrals
  • Encryption: BitLocker enforcement, FileVault, device encryption %
  • Application control: approved app lists, WDAC, app protection policies
  • Configuration profiles: security baselines, antivirus, firewall policies
$349
USD / report

or $229/month for continuous monitoring

Healthcare Pack | Global

Healthcare
Security Pack

Patient data protection, device compliance, privileged access to clinical systems, and incident readiness for healthcare organisations.

  • Identity & access: MFA on clinical accounts, privileged roles, guest access
  • Device compliance: Intune enrolment, encryption, OS patching
  • Data protection: sensitivity labels on patient data, DLP, external sharing
  • Email security: PHI leakage via forwarding, anti-phishing, external recipients
  • Audit & logging: unified audit log, retention policies, alert coverage
  • Incident readiness: litigation holds, eDiscovery, response plan evidence
$399
USD / report

or $249/month for continuous monitoring

AICD Governance | Australia

AICD Governance
Assessment

Assess your board's cyber security governance against the AICD Cyber Security Governance Principles (Version 2, November 2024). Combines automated M365 tenant analysis with a governance questionnaire completed by a nominated governance contact — with full privacy separation from the IT consent process.

  • P1: Board roles, responsibilities, and committee oversight
  • P2: Cyber strategy, data governance, and digital asset protection
  • P3: Risk management, Zero Trust controls, and supply chain
  • P4: Cyber resilient culture, training, and leadership KPIs
  • P5: Incident response planning, simulation, and insurance
  • Governance questionnaire with board-confidential responses
$529
USD / report

or $349/quarter for board reporting cycles

Intelligence Reports

Board-ready security intelligence

Point-in-time reports designed for CFOs, boards, insurers, and investors — not IT teams. Same automated read-only pipeline. Business language, financial framing, executive delivery.

Insurance Intelligence | Global

Cyber Insurance
Readiness Report

Know your insurance approval likelihood before your broker does. Maps your Microsoft 365 security posture directly to the controls underwriters scrutinise — MFA, legacy auth, email defences, EDR, data protection, and audit logging.

  • MFA coverage and phishing-resistant enforcement status
  • Legacy authentication exposure scoring
  • Email security: SPF, DKIM, DMARC, anti-phishing
  • Endpoint detection and response posture
  • Data protection controls and encryption status
  • Audit logging completeness and retention
$329
USD / report

Single purchase — no subscription

Board Intelligence | Global

Board Cyber Risk
Report

Give your board the cyber risk picture they need to govern confidently. Translates your Microsoft 365 technical posture into a board-grade risk rating with business context, no jargon, and clear accountability.

  • Board-level risk rating: LOW / MEDIUM / HIGH / CRITICAL
  • Identity and access risk in plain business language
  • Threat prevention posture and detection effectiveness
  • Data protection and compliance exposure
  • Endpoint security and device governance status
  • Resilience readiness: backup, incident response, BCP
$529
USD / report

or $699/quarter for board reporting cycles

Investor Intelligence | Global

Investor-Ready
Security Report

De-risk your due diligence process. Provides investors, acquirers, and deal teams with an independent automated security assessment in deal language — Security Debt Score, Deal Risk Rating, and prioritised remediation cost estimates.

  • Security Debt Score with Deal Risk Rating (LOW to DEAL BREAKER)
  • Identity and access control findings mapped to deal risk
  • Email security posture and phishing exposure
  • Data protection controls and regulatory liability
  • Endpoint compliance and shadow IT exposure
  • Audit readiness and governance maturity
$999
USD / report

Single purchase — no subscription

Productivity Reports

Prove the value of your M365 investment

Licence waste, adoption gaps, Copilot ROI, and tenant hygiene — the questions your CFO and CIO ask but nobody can answer quickly. Same read-only pipeline. Financial framing, actionable output.

Productivity | Global

Licence Optimisation
Report

Find the Microsoft licences you're paying for but nobody's using. Identifies inactive users, premium-to-basic downgrade candidates, unassigned seats, duplicate SKUs, and unused Copilot licences with named users and dollar savings.

  • Inactive users with licences (>30 days no sign-in)
  • Premium licence holders with basic-only usage (E5 to E3 candidates)
  • Unassigned licence seats you're paying for
  • Duplicate/overlapping SKU assignments
  • Unused Copilot licences ($30/user/month waste)
  • Licensed guest accounts
$259
USD / report

or $129/month for continuous monitoring

Productivity | Global

Adoption & Usage
Report

See exactly who's using Microsoft 365 and who isn't. Per-workload, per-department adoption heatmap across Exchange, Teams, SharePoint, OneDrive, and Copilot with named zero-activity user lists.

  • Per-workload adoption scores (Exchange, Teams, SharePoint, OneDrive, Copilot)
  • Department-level adoption heatmap
  • Zero-activity users with last sign-in dates
  • Teams deep dive: meetings, chat, inactive Teams
  • Investment-at-risk estimate in dollar terms
  • Targeted intervention recommendations by department
$199
USD / report

or $99/month for continuous monitoring

Productivity | Global

Copilot ROI
Report

Prove your Copilot investment is working — or find out why it isn't. Per-user Copilot usage across Outlook, Teams, Word, Excel, PowerPoint, and Chat with estimated time saved, value generated, and a named reclaim list.

  • Active vs inactive Copilot licence holders
  • Per-app adoption: Outlook, Teams, Word, Excel, PowerPoint, Chat
  • Estimated time saved per active user (hours/month)
  • Financial ROI: value generated vs licence cost
  • Named zero-usage licence reclaim list with saving estimate
  • Board-ready executive summary
$329
USD / report

or $159/month for continuous monitoring

Productivity | Global

Tenant Health &
Governance Report

A full health check for your Microsoft 365 tenant. Surfaces accumulated technical debt — orphaned groups, stale guests, abandoned Teams, expired app secrets, stale devices — with a Tenant Health Score and prioritised cleanup list.

  • User hygiene: inactive accounts, never-signed-in users
  • Guest account hygiene: stale guests, licensed guests, open invitations
  • Group & Team hygiene: orphaned groups, empty Teams, external members
  • Application hygiene: expired secrets, unowned apps, excessive permissions
  • Device hygiene: stale objects, outdated OS, non-compliant devices
  • Tenant Health Score with prioritised remediation roadmap
$199
USD / report

or $99/month for continuous monitoring

Process

Four steps. Under ten minutes.

01 / Purchase

Pay securely

Select your assessment and pay via Stripe. Takes two minutes. You'll receive a setup email immediately.

02 / Consent

Grant read-only access

Click the link in your email. Sign in as Global Admin and click Accept on the Microsoft permission screen. That's it.

03 / Assessment

We do the work

Our platform runs the full assessment against your tenant automatically. No agents, no scripts to run, no consultant on-site.

04 / Report

Inbox delivery

Your scored HTML report arrives within 10 minutes. Per-pillar scores, all findings, and a prioritised remediation roadmap.

Security & Trust

We see your posture.
Nothing else.

baref00t requests the minimum permissions required to assess your configuration. We cannot modify, delete, or access your data.

Read-Only Permissions

We request only Directory.Read, Policy.Read, and DeviceManagement.Read scopes. We cannot write to your tenant in any way. Review the full permission list before consenting.

Revocable Instantly

Remove our access anytime from Entra ID → Enterprise Applications. Takes 30 seconds. No call required, no notice period.

Regional Data Processing

Assessments run in the Azure region closest to you — Australia East, US East, West Europe, or Southeast Asia. Your data never leaves the region it's processed in.

No Data Retention

We don't store your tenant configuration data. Only the report output is retained — accessible only via the secure link sent to you.

Transparency

Exactly what we request. Nothing more.

// Microsoft Graph — Application permissions
// Type: Read-only. Cannot write or delete.

Directory.Read.All        // users, groups, roles
Policy.Read.All            // Conditional Access
Organization.Read.All      // tenant info
AuditLog.Read.All          // sign-in logs
RoleManagement.Read.All    // PIM, role assigns
DeviceManagement
  .Configuration.Read.All  // Intune policies
UserAuthenticationMethod
  .Read.All                // MFA methods
IdentityRiskEvent.Read.All // risky sign-ins
Reports.Read.All           // usage reports
SecurityEvents.Read.All    // security alerts
Sites.Read.All             // SharePoint sites
SharePointTenantSettings
  .Read.All                // SP tenant config
GroupMember.Read.All        // group membership
Application.Read.All       // app registrations
InformationProtection
  .Read.All                // sensitivity labels

// Azure RBAC (optional — for Defender checks)
Security Reader            // read-only
Reader                     // read-only
  • READ
    Cannot write, modify, or deleteAll permissions are Application-type read-only scopes. There is no mechanism in our app registration to perform write operations.
  • READ
    Admin consent required onceA Global Administrator must click Accept on the Microsoft consent screen. This is standard practice for any third-party M365 integration.
  • READ
    Token stored encrypted in Key VaultYour tenant access credential is stored in Azure Key Vault with HSM-backed encryption. It's never logged or transmitted outside Azure.
  • READ
    Revoke from Entra ID at any timeEntra ID → Enterprise Applications → baref00t → Delete. Instant revocation. No support ticket required.

FAQ

Common questions

How is this different from Microsoft Secure Score?
Secure Score measures general configuration quality but doesn't map to specific regulatory frameworks or produce the compliance evidence auditors require. Our assessments produce framework-specific scores — E8 maturity levels, NIST CSF function ratings, CMMC practice gaps, NIS2 Article 21 coverage — with per-control pass/fail evidence and remediation guidance.
Which frameworks and regions do you cover?
We offer 23 products across 3 tiers. Assessments (12): Essential Eight, MCSB, CIS M365, Copilot Readiness, CPS 234, Ransomware Resilience, Power Platform, NIST CSF 2.0, CMMC, NIS2, Cyber Essentials, MAS TRM. Security Packs (7): Entra ID Hardening, Email Security, SharePoint Oversharing, Finance, Legal, Endpoint/Intune, Healthcare. Intelligence Reports (3): Cyber Insurance Readiness, Board Cyber Risk, Investor-Ready Security. Regions: AU, US, EU, UK, SG.
What happens if a check fails?
Every failed check includes a remediation action with the exact Intune, Entra, or Azure portal path to fix it. High-severity failures are called out at the top of the report. The monthly subscription shows your score trend over time so you can demonstrate improvement.
Can I bundle multiple assessments?
Yes — purchase assessments individually and they'll run as separate assessments against the same tenant. Bundle pricing available on request for two or more products. Contact assessments@baref00t.io.
Do you support multi-tenant or MSP use?
Yes. If you manage multiple tenants as an MSP, contact us for volume pricing. Each tenant requires a separate consent grant, but reports are delivered per-tenant and can be white-labelled for your clients.
How do I revoke access after the assessment?
Entra ID → Enterprise Applications → search "baref00t" → Delete. Done in 30 seconds. You can also do this from the Microsoft MyApps portal (myapps.microsoft.com). Access is revoked immediately — no notice period, no support ticket.
Where is my data processed?
Assessments run in the Azure region closest to you — Australia East, US East, West Europe, or Southeast Asia. Your tenant data never leaves the processing region and is not retained after the report is generated. Only the report output is stored, accessible via the secure link sent to you.
What currencies do you accept?
We accept USD, AUD, GBP, EUR, and SGD. Your currency is auto-detected based on location and can be changed using the currency selector in the navigation bar. All 23 products are priced in all 5 currencies. Payments are processed securely via Stripe.
Do I need CMMC Level 1 or Level 2?
Level 1 (17 practices) is for contractors handling Federal Contract Information (FCI). Level 2 (110 practices, mapped to NIST SP 800-171) is for those handling Controlled Unclassified Information (CUI). Most DoD contractors handling sensitive data need Level 2. Our assessment lets you select either level and identifies your gaps to certification.
Is the E8 assessment suitable for PSPF compliance?
The E8 assessment covers all controls in the ACSC Essential Eight Maturity Model at ML1, ML2, and ML3 — the framework assessed under the PSPF. Note: formal PSPF compliance at PROTECTED level requires an IRAP assessment. Our report is ideal for identifying gaps and preparing for one.
What does the NIS2 assessment cover?
It assesses all 10 Article 21 cybersecurity risk-management measures — from risk analysis and incident handling to supply chain security, encryption, and multi-factor authentication. Automated checks cover identity, access control, and detection. A governance questionnaire covers policy, training, and business continuity evidence.
How does the Ransomware Resilience score work?
We assess seven dimensions — Identity (20%), Backup (20%), Endpoint (15%), Email (15%), Data (10%), Network (10%), and Detection (10%) — with weighted scoring. Each dimension produces a percentage score, and the composite gives you an overall resilience rating: Strong, Moderate, Weak, or Critical Risk. The report highlights the highest-impact remediation actions first.

Ready to see the naked truth?

Get your security assessment report in under 10 minutes.
No consultant. No agent installs. No surprises.

Contact

Get in Touch

Have questions about our assessments? We’d love to hear from you.