SecureLoop
🔍 Security audit & risk review

Know where you are exposed — before attackers do.

Most small businesses find out they have a security problem after an incident. A SecureLoop security audit gives you the full picture before that happens — a plain-English risk report with a prioritised fix list, not a 50-page compliance document written for a CISO.

From $900 fixed price · 2–3 day delivery · No hourly billing

Essential Eight · Risk register · ISO 27001 · NIST CSF · ASD ISM · Fixed price

  • $46K+: Average cost of one cyber incident for an Aussie SME
  • 70%: Of data breaches target small business
  • 2–3 days: Typical delivery, fixed price
  • $900: Starting price — Essential Eight audit

How it works

Four steps. Plain English. Fixed price.

01 · Discovery call

We learn how your business operates, what tools and cloud services you use, and where you feel most exposed. No preparation required on your end.

02 · Environment review

We assess your cloud configuration, identity setup, device management, email security, and backup posture against the ACSC Essential Eight. Findings can also be mapped to ISO 27001, NIST CSF, ASD ISM, or CIS Controls depending on your reporting requirements.

03 · Risk report

Plain-English document: what we found, what it means for your business, and what to fix first. Severity-rated findings, not a 50-page compliance document. Written for business owners, not security engineers.

04 · Debrief & Q&A

30-minute walkthrough of findings with your team. No jargon. No upselling. Just honest answers about what matters and what can wait.

What's included

Everything you need. Nothing you don't.

Essential Eight gap analysis

All eight controls assessed against your current environment at your target maturity level

Risk register

Prioritised list of findings by severity — Critical, High, Medium, Low

Remediation plan

Specific actions for each finding, in priority order, with estimated effort

Maturity level scoring

Your current ML score for each of the eight controls

Framework mapping

Optional: findings mapped to ISO 27001, NIST CSF, ASD ISM, or CIS Controls

Written report

Formal PDF document suitable for insurance, client due diligence, or tender pre-qualification

30-min debrief

Walkthrough with your team — questions answered, priorities clarified

Implementation options

We can remediate the findings, or hand off to your existing IT team — your choice

Audit scope

What gets reviewed

☁️ Microsoft 365 & Azure

  • Admin account privileges and MFA enforcement
  • Conditional access policies
  • Legacy authentication status
  • External sharing in SharePoint and OneDrive
  • Email security (DMARC, DKIM, SPF)
  • Entra ID configuration
  • Defender for 365 baseline

💻 Devices & endpoints

  • Windows update and patch status
  • Endpoint protection configuration
  • Local admin account exposure
  • Application control posture
  • Device encryption status
  • Remote access security

🔑 Identity & access

  • Privilege audit — who has admin access
  • Service account review
  • MFA coverage across all users
  • Password policy configuration
  • Stale account identification
  • Third-party app permissions

💾 Backup & recovery

  • M365 backup coverage (email, SharePoint, Teams)
  • Azure backup configuration
  • Offsite / offline backup verification
  • Recovery time objective assessment
  • Ransomware resilience check

Why get audited

Common reasons businesses book an audit

Cyber insurance application

Insurers increasingly require evidence of security controls before issuing cyber policies. Our audit report gives you the documentation they need, and our findings help you close gaps that reduce your premium.

Government tender pre-qualification

Many Australian government contracts now require Essential Eight compliance attestation. Our formal gap report and maturity level scores satisfy most tender pre-qualification requirements for Commonwealth and state government work.

Client due diligence

Enterprise and government clients increasingly audit their supply chain for security posture. A formal Essential Eight assessment demonstrates that you take security seriously — with documentation to prove it.

You've never had a security review

Most small businesses have never had a formal security review. They're running with default settings, unknown exposures, and no clear picture of where they stand. This audit gives you that picture — and a clear plan to improve it.

“SecureLoop identified misconfigurations in our Azure and M365 environment we had no idea existed — admin accounts with excessive privileges, legacy authentication still enabled. The report was delivered in plain English our whole team could understand. Fixed price, on time, no surprises.”

KM

Karl

Business Owner, Australia · Cloud Security Review, ACSC Essential Eight

Pricing

Fixed price. No surprises.

Every engagement is quoted at a fixed price before work begins. No hourly rates. No retainers. No scope creep invoices. If you need a formal written quote for internal approval or procurement, we provide one before work starts.

Security Audit

From $900

2–3 days · Fixed price

  • Essential Eight gap analysis
  • Risk register
  • Remediation plan
  • Written report
  • 30-min debrief

Most popular

Audit + M365 Hardening

From $1,900

5–7 days · Fixed price

  • Everything in Security Audit
  • M365 configuration remediation
  • MFA and conditional access
  • Legacy auth disabled
  • Email security configured

Audit + Full Remediation

From $2,800

7–10 days · Fixed price

  • Everything in Audit + M365
  • Azure security hardening
  • Identity and access cleanup
  • Backup verification
  • Written compliance attestation

Common questions

What access do you need to conduct the audit?

Read-only access to your Microsoft 365 admin centre and Azure subscription. We don't need credentials to individual user accounts, financial systems, or client data. We'll send you a checklist of exactly what access is required before we begin.

How disruptive is the audit to our operations?

Not at all. The assessment is conducted remotely by reviewing your configuration — we are not running active scans or penetration tests that could affect system stability. Your team continues working normally throughout.

What is the difference between a security audit and a penetration test?

A security audit reviews your configuration and posture against a framework — it tells you what is misconfigured or missing. A penetration test actively attempts to exploit vulnerabilities to see how far an attacker could get. For most small businesses, the audit is the right starting point — there is little value in testing how exploitable your gaps are before you close them.

Can the report be used for cyber insurance?

Yes. The formal written report includes your Essential Eight maturity level scores, a risk register, and a remediation plan. Most Australian cyber insurers accept this format. We can also add specific framework mappings if your insurer requires them.

What happens after the audit?

You have two options. We can implement the remediation plan ourselves at fixed price — typically $1,200–$1,500 for M365 hardening, more for Azure. Or we can hand off the detailed remediation plan to your existing IT team or MSP. No lock-in either way.

Do you work with businesses outside Brisbane?

Yes. The entire audit is conducted remotely. We work with businesses across all of Australia. Brisbane clients also have the option of in-person debrief sessions.

How often should we do a security audit?

For most small businesses, an annual audit is appropriate. If you undergo significant changes — new cloud services, a merger, a change of IT provider, or a security incident — an out-of-cycle review is worthwhile. Many clients also use our ongoing monitoring service between formal audits.

Find out where your biggest risk actually is

30 minutes. No sales pitch. Just an honest conversation about where you are, what's exposed, and what's worth fixing first.

Brisbane QLD · Serving all of Australia · Fixed price from $900