Methodology
How we work
Five phases, scoped up front. You always know which one you are paying for, what “done” looks like, and how to undo it if a policy bites.
Assess
Read the tenant before touching it.
We export the current state from Entra, Defender and Purview — Conditional Access coverage, MFA registration, privileged roles, alert routing, label and DLP status — and map it against where you are actually exposed.
- Tenant configuration export
- Conditional Access gap matrix
- Privileged-role inventory
- Risk & exposure ranking
Design
Agree the target state on paper, with you in the room.
A policy architecture you sign off before anything ships: the Conditional Access model, role and PIM design, detection priorities and the data-protection scheme — sequenced so every change can be rolled back.
- Conditional Access policy set
- Role & PIM model
- Detection & response plan
- Rollout sequence + rollback
Deploy
Ship in report-only first, then enforce.
Changes land in waves behind report-only and pilot rings, so we measure impact before it reaches everyone. Enforcement flips on only once the telemetry says it is safe — and break-glass access is proven first.
- Report-only validation
- Pilot ring rollout
- Staged enforcement
- Break-glass verified
Enable
Hand it over so it survives us.
Your admins get the runbooks, the queries and the reasoning behind each policy. The measure of success is that you can operate and change this configuration without calling us for every tweak.
- Admin runbooks
- Analyst playbooks
- KQL query pack
- Knowledge-transfer sessions
Operate
Tune against real signal.
Optional ongoing work: review incidents and false positives, tighten policies as the estate changes, and report posture in language a board reads. Scoped monthly — not an open-ended tap.
- Incident & false-positive review
- Policy tuning
- Posture reporting
- Quarterly access reviews