Automated Security Assessments

The naked truth about your security posture.

Essential Eight, MCSB, CIS M365, Copilot Readiness, CPS 234, and Ransomware Resilience assessments for Australian organisations. Results in minutes, not weeks. No consultant. No agent installs.

6 Assessment Products: E8 · MCSB · CIS · Copilot · CPS 234 · Ransomware
Results in under 10 minutes · Read-only access · AU data sovereignty

At a glance:
  • 8 E8 pillars assessed
  • 14 MCSB control domains
  • <10 min time to report
  • 0 agent installs required

Choose your assessment

Each assessment runs against your Microsoft 365 tenant using read-only permissions. You grant access once, we do the rest.

ACSC Essential Eight

Essential Eight ML1, ML2 & ML3 Assessment

Assess your compliance with the ACSC Essential Eight Maturity Model. Mandatory for Australian Government entities under the PSPF. Know exactly where you stand before the auditors do.

  • All 8 pillars: Application Control, Patching, MFA, Backups + more
  • ML1, ML2, and ML3 scored separately per pillar
  • Conditional Access and privileged account analysis
  • Intune compliance and update ring verification
  • Prioritised remediation roadmap in your report
  • Optional monthly re-assessment subscription
$299 AUD per report, or $149/month for continuous monitoring

Microsoft MCSB v2

Cloud Security Benchmark v2 Assessment

Assess your Azure and Microsoft 365 environment against the Microsoft Cloud Security Benchmark v2 — 14 control domains covering Identity, Network, Data, AI, and DevOps security.

  • 14 domains: Identity, Network, Logging, Data, DevOps, AI + more
  • Azure Secure Score and Defender for Cloud integration
  • Conditional Access, PIM, and MFA gap analysis
  • Maps to ISO 27001, NIST CSF v2, SOC 2, PCI-DSS v4
  • JSON and CSV exports for integration into your GRC tool
  • MCSB v2 preview controls: AI security and DevOps
$399 AUD per report, or $199/month for continuous monitoring

CIS Benchmark

CIS Microsoft 365 Benchmark Assessment

Assess your Microsoft 365 tenant against the CIS Benchmark — the industry-standard security configuration guide recognised by auditors worldwide.

  • 7 domains: Identity, Apps, Data, Email, Auditing, Storage, Teams
  • CIS Level 1 and Level 2 controls scored separately
  • Conditional Access, MFA, and authentication method analysis
  • SharePoint sharing and Teams guest access review
  • Application consent and OAuth permission audit
  • Prioritised remediation with CIS control references
$349 AUD per report, or $179/month for continuous monitoring

Copilot Readiness

Microsoft Copilot Readiness Assessment

Know your risk before enabling Copilot. We assess oversharing, sensitivity labels, DLP coverage, and identity controls to determine if your tenant is ready for AI.

  • 6 dimensions: Oversharing, Labels, DLP, Identity, Guest, Licensing
  • SharePoint site permission and public group analysis
  • Sensitivity label coverage and auto-labelling review
  • Conditional Access policies targeting Copilot
  • Weighted readiness score: Ready / Caveats / Not Ready
  • Pre-enablement and post-rollout remediation roadmap
$499 AUD per report, or $249/month for continuous monitoring

APRA CPS 234

CPS 234 Information Security Assessment

Automated and governance-hybrid assessment against APRA's CPS 234 standard. Built for banks, insurers, and super funds that need to demonstrate compliance.

  • 6 CPS 234 sections: Capability, Policy, Assets, Controls, Incidents, Testing
  • Automated technical checks via Microsoft Graph and Defender
  • Governance questionnaire for board-level controls
  • Combined score: automated (60%) + questionnaire (40%)
  • APRA notification obligation assessment
  • Maps to CPG 234 guidance for remediation
$599 AUD per report, or $299/month for continuous monitoring

Ransomware Resilience

Ransomware Resilience Score

Cross-cutting assessment of your ransomware defences. One score across identity, backup, endpoint, email, data, network, and detection readiness.

  • 7 dimensions: Identity, Backup, Endpoint, Email, Data, Network, Detection
  • Weighted composite resilience score (0-100%)
  • MFA, legacy auth, admin privilege, and PIM analysis
  • Backup immutability and break-glass account checks
  • Defender for Endpoint and Office 365 licensing verification
  • Rating: Strong / Moderate / Weak / Critical Risk
$349 AUD per report, or $179/month for continuous monitoring

Four steps. Under ten minutes.

01 / Purchase: Pay securely

Select your assessment and pay via Stripe. Takes two minutes. You'll receive a setup email immediately.

02 / Consent: Grant read-only access

Click the link in your email. Sign in as Global Admin and click Accept on the Microsoft permission screen. That's it.

03 / Assessment: We do the work

Our platform runs the full assessment against your tenant automatically. No agents, no scripts to run, no consultant on-site.

04 / Report: Inbox delivery

Your scored HTML report arrives within 10 minutes. Per-pillar scores, all findings, and a prioritised remediation roadmap.

We see your posture. Nothing else.

baref00t requests the minimum permissions required to assess your configuration. We cannot modify, delete, or access your data.

Read-Only Permissions

We request only read-only Microsoft Graph scopes: Directory.Read, Policy.Read, DeviceManagement.Read, and the others listed under "Exactly what we request" below. We cannot write to your tenant in any way. Review the full permission list before consenting.

Revocable Instantly

Remove our access anytime from Entra ID → Enterprise Applications. Takes 30 seconds. No call required, no notice period.

Australia East Only

All processing runs in Azure Australia East. Your report is stored in Australian data centres and delivered directly to your inbox.

No Data Retention

We don't store your tenant configuration data. Only the report output is retained — accessible only via the secure link sent to you.

Exactly what we request. Nothing more.

  // Microsoft Graph — Application permissions
  // Type: Read-only. Cannot write or delete.
  Directory.Read.All                      // users, groups, roles
  Policy.Read.All                         // Conditional Access
  Organization.Read.All                   // tenant info
  AuditLog.Read.All                       // sign-in logs
  RoleManagement.Read.All                 // PIM, role assignments
  DeviceManagementConfiguration.Read.All  // Intune policies
  UserAuthenticationMethod.Read.All       // MFA methods
  IdentityRiskEvent.Read.All              // risky sign-ins
  Reports.Read.All                        // usage reports
  SecurityEvents.Read.All                 // security alerts
  Sites.Read.All                          // SharePoint sites
  SharePointTenantSettings.Read.All       // SharePoint tenant config
  GroupMember.Read.All                    // group membership
  Application.Read.All                    // app registrations
  InformationProtection.Read.All          // sensitivity labels

  // Azure RBAC (optional — for Defender checks)
  Security Reader                         // read-only
  Reader                                  // read-only
  • Cannot write, modify, or delete: all permissions are Application-type read-only scopes. There is no mechanism in our app registration to perform write operations.
  • Admin consent required once: a Global Administrator must click Accept on the Microsoft consent screen. This is standard practice for any third-party M365 integration.
  • Token stored encrypted in Key Vault: your tenant access credential is stored in Azure Key Vault with HSM-backed encryption. It is never logged or transmitted outside Azure.
  • Revoke from Entra ID at any time: Entra ID → Enterprise Applications → baref00t → Delete. Instant revocation. No support ticket required.

Common questions

Is this suitable for PSPF compliance reporting?
The E8 assessment covers all controls in the ACSC Essential Eight Maturity Model at ML1 and ML2 — the same framework assessed under the PSPF for non-corporate Commonwealth entities. Note: formal PSPF compliance at PROTECTED level requires an IRAP assessment. Our report is ideal for identifying gaps and preparing for one.

How is this different from Microsoft Secure Score?
Microsoft Secure Score measures configuration quality but doesn't map to Australian frameworks or produce a maturity level score per pillar. Our assessment produces what auditors and the PSPF actually require: a per-pillar ML1/ML2/ML3 maturity rating with specific pass/fail evidence for each control.

What happens if a check fails?
Every failed check includes a remediation action with the exact Intune, Entra, or Azure portal path to fix it. High-severity failures are called out at the top of the report. The monthly subscription shows your score trend over time so you can demonstrate improvement.

Can I bundle multiple assessments?
Yes — purchase assessments individually and they'll run as separate assessments against the same tenant. Bundle pricing is available on request for two or more products. Contact hello@baref00t.io.

Do you support multi-tenant or MSP use?
Yes. If you manage multiple tenants as an MSP, contact us for volume pricing. Each tenant requires a separate consent grant, but reports are delivered per tenant and can be white-labelled for your clients.

How do I revoke access after the assessment?
Entra ID → Enterprise Applications → search "baref00t" → Delete. Done in 30 seconds. You can also do this from the Microsoft MyApps portal (myapps.microsoft.com). Access is revoked immediately — no notice period, no support ticket.

What's the difference between E8 ML1, ML2, and ML3?
ML1 is the baseline: application control allow-listing, patching, MFA, and backups. ML2 adds hardened configurations like PowerShell logging, Intune compliance, and privileged access controls. ML3 is the most restrictive: WDAC enforcement on all servers, phishing-resistant MFA for all users, 48-hour patching for all applications, immutable backups, and Credential Guard. Your report scores each pillar at the maturity level you select.

What does the Copilot Readiness assessment check?
It evaluates six dimensions that determine whether your tenant is safe to enable Microsoft Copilot: data oversharing (public groups, broad SharePoint permissions), sensitivity label coverage, DLP policy gaps, identity controls (MFA, Conditional Access targeting Copilot), guest/external access exposure, and Copilot licensing prerequisites. You get a weighted readiness score and a remediation plan to close gaps before rollout.

Is the CPS 234 assessment suitable for APRA-regulated entities?
Yes — it's designed specifically for banks, insurers, and super funds subject to APRA CPS 234. It combines automated technical checks (identity, endpoint, data controls) with a governance questionnaire covering board-level obligations, incident management, and testing requirements. The report maps findings to CPG 234 guidance and flags potential notification obligations.

How does the Ransomware Resilience score work?
We assess seven dimensions — Identity (20%), Backup (20%), Endpoint (15%), Email (15%), Data (10%), Network (10%), and Detection (10%) — with weighted scoring. Each dimension produces a percentage score, and the weighted composite gives you an overall resilience rating: Strong (≥80%), Moderate (≥60%), Weak (≥40%), or Critical Risk (<40%). The report highlights the highest-impact remediation actions first.

Ready to see the naked truth?

Get your security assessment report in under 10 minutes.
No consultant. No agent installs. No surprises.