Penetration tests

Approved policy surfaces for information security, access control, acceptable use, change management, incident response, backup/restore, vendor management, and HR security.

Security posture map for identity, MFA, RBAC, tenant scoping, encryption expectations, logging, monitoring, and secure SDLC evidence.

Vendor lifecycle evidence for platform providers, subprocessors, SOC 2 reports, DPAs, BAAs where applicable, renewal review, and vendor incident handling.

People-compliance evidence for security awareness, policy acknowledgment, privileged-role onboarding, background-check tracking, and annual refresh requirements.

Traceability for production changes from request to PR, review, CI, deployment, verification, rollback planning, and emergency-change retrospective.

Incident lifecycle evidence for severity classification, communications, post-incident review, corrective and preventive actions, and customer/regulatory notification decisions.

Quarterly access review evidence for users, privileged roles, MFA compliance, stale accounts, API keys, service accounts, and vendor-console admins.

Backup and disaster-recovery evidence for approved RTO/RPO, daily backup health, provider retention proof, restore drills, and tabletop validation.

Logging and monitoring evidence for failed logins, MFA changes, permission changes, production access, admin actions, security alerts, and audit retention.