CloudWizz


SOC 2 in 90 days. HIPAA in 60. An enterprise customer asking for evidence. We produce the answer.

Two-to-four-week security audit scored against a recognised framework — CIS, NIST, ISO 27001, SOC 2, HIPAA, or PCI-DSS. Evidence packets your auditors accept and a remediation roadmap your engineers can act on. For a broad cost-and-ops-focused review, see our Infrastructure Audit.

AI-driven · Human-reviewed

How we deliver this: AI handles the routine analysis (audits, IaC drafts, runbook scaffolds, alert triage). A senior engineer reviews every change before it touches your production. Consultancy speed at consultancy quality.


When you need this

Security questionnaires becoming a deal blocker

Enterprise prospects want SOC 2, ISO, or HIPAA before signing. Without recent security evidence, deals stall. We produce the evidence and the gap-closure plan.

A board ask for a "security posture review"

After an industry breach or a board-level prompt, leadership wants a credible answer. Generic "we use AWS" doesn't hold up. We produce a scored report against a recognized baseline (CIS, NIST, ISO).

Suspected misconfigurations you can't pinpoint

IAM sprawl, public S3 buckets, exposed dev environments — you suspect they exist but can't quantify. Our automated + manual review produces the inventory.

How it works

  1. Phase 01

    Scoping

    30-minute call to define scope (cloud accounts in scope, code repositories, frameworks to assess against). Fixed-fee quote within 48 hours.

  2. Phase 02

    Discovery and inventory

    Read-only access to cloud accounts, repos, and CI/CD. Automated scans (Prowler, Checkov, Trivy, GitHub native scanning) plus targeted manual review.

  3. Phase 03

    Multi-domain analysis

    Cloud configuration, IAM, network exposure, secrets handling, dependency hygiene, container/K8s security, and supply-chain integrity — each scored against framework controls.

  4. Phase 04

    Findings + roadmap workshop

    Working session with engineering and security leadership. Findings prioritized by severity × exploitability. 30/60/90-day remediation plan with owners and effort estimates.

What you get

  • Executive summary (5–10 pages, board-ready)
  • Detailed findings against the framework (CIS / NIST CSF / ISO 27001 / SOC 2)
  • Evidence packet for controls that pass
  • Per-finding remediation guide (commands, runbooks, code samples where useful)
  • Prioritized 30/60/90-day roadmap
  • Optional follow-on remediation engagement scope

What changes for you

A defensible answer for prospects and the board

Scored report against a recognized framework — quotable in security questionnaires and at board meetings without further translation.

A roadmap engineering can act on

Findings include the actual fix, not just "this is bad." Engineers can pick up tickets without a separate research phase.

Compliance gap clarity

Specific controls that fail, evidence available for those that pass, and a closure path with owners and effort.

No vendor pressure

We don't resell scanners or tools. The findings are honest about your existing setup, not a sales motion for someone else's product.

Knowledge transfer

Scripts, dashboards, and reports we build are yours. Documented walk-through means your team can re-run sections later.

Optional remediation

If you want help executing the roadmap, we scope it. If not, the audit stands on its own.

What clients say

"CloudWizz rebuilt our delivery pipeline in eight weeks. Deploys went from a Friday-night ritual to a non-event we ship four times a day."

Director of Engineering

Fintech, Series C · 2025-11

"They turned a CFO emergency into a board-ready story in 12 weeks. The dashboards alone changed how engineering thinks about cost."

VP Engineering

Series B SaaS · 2026-01

Frequently asked questions

How is this different from your Infrastructure Audit?

Infrastructure Audit is broad (cost, reliability, delivery, security baseline). Security Audit is depth-on-security only. Choose Security Audit when you need defensible evidence for a specific framework or stakeholder.

Which frameworks can you audit against?

CIS Benchmarks, NIST CSF, NIST 800-53, ISO 27001, SOC 2, HIPAA, PCI-DSS. We can also do custom rubrics for industry-specific requirements.

How long does the audit take?

Two to four weeks of elapsed time depending on scope. Roughly 80–160 engineering hours from us; 8–15 hours of interviews and access setup from your side.

What access do you need?

Read-only IAM roles in cloud accounts, repository read access, CI/CD viewer roles, and observability viewer roles. We provide the least-privilege role definition you can review.
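As an added illustration of what such a least-privilege, read-only role can look like (this is example Terraform written for this page, not CloudWizz's actual role definition), the block below creates a cross-account AWS role that can only be assumed from a designated auditor account with an agreed ExternalId, and attaches only AWS-managed read-only policies. The auditor account ID and the external ID are placeholders.

```hcl
# Added example: cross-account read-only auditor role in the client's AWS account.
# Assumptions: auditor_account_id and external_id are placeholders agreed out of band.
# SecurityAudit and ViewOnlyAccess are AWS-managed policies that grant list/describe
# permissions only (no writes, no object reads), enough for config scanners such as
# Prowler to enumerate resources without reading application data.

variable "auditor_account_id" {
  type    = string
  default = "111111111111" # placeholder: the auditing firm's AWS account
}

variable "external_id" {
  type      = string
  sensitive = true # shared secret; mitigates the confused-deputy problem
}

data "aws_iam_policy_document" "auditor_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.auditor_account_id}:root"]
    }
    # Only callers presenting the agreed ExternalId may assume the role.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "security_auditor" {
  name                 = "security-audit-readonly"
  assume_role_policy   = data.aws_iam_policy_document.auditor_trust.json
  max_session_duration = 3600 # one hour; credentials must be re-assumed after that
}

# Read-only managed policies only; no customer-managed write permissions are attached.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.security_auditor.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

resource "aws_iam_role_policy_attachment" "view_only" {
  role       = aws_iam_role.security_auditor.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}
```

Before applying, review the two managed policies in the IAM console and confirm that the role is deleted or its trust policy revoked when the engagement ends.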

Will you read application data?

No. The audit is configuration, code, and metadata. Specifically excluded scope is documented up front.

How does pricing work?

Fixed-fee, billed at engagement start. Pricing varies by scope; typical range is $20–60k. Quoted after a 30-minute scoping call.

Can you do a SOC 2 readiness assessment?

Yes — that's a common scope. We focus on technical controls (CC6, CC7, CC8 most often) and pair with your auditor or compliance partner for policy work.

Do you cover penetration testing?

We don't run pentests in-house; we partner with specialist firms. We can scope a pentest, manage the engagement, and run remediation if you want a single point of contact.

What about cloud-native and Kubernetes security specifically?

Yes — pod security standards, network policies, RBAC review, admission control, image scanning posture. We assess against CIS Kubernetes Benchmark.

Do you audit AI/LLM workloads?

Yes — model artefact provenance, prompt injection exposure, training data lineage, and inference-time data isolation. AI security is moving fast; we update our checklist quarterly.

How does the AI-driven, human-reviewed model apply to security audits?

Carefully. AI accelerates the broad-coverage parts — automated scans across thousands of cloud resources, IAM-policy graph analysis, secret-leak detection, dependency CVE matching, evidence-collection drafts. A senior engineer reviews every finding for two things AI alone cannot do well: (1) judging which findings are real risk vs. theatre given your specific threat model; (2) writing the executive summary that an auditor or board will accept. AI never determines the final scoring or signs the report. We disclose tooling and methodology in writing as part of every engagement.
