Loki Secure Networks

M365 security review against CIS benchmarks, internal penetration testing, and a findings report that tells you exactly what to fix and in what order.

Security assumptions are not a security posture. Most organisations that have been breached were confident they were protected — right up until the moment they were not. Loki Secure Networks is a structured, evidence-based security assessment service covering two of the most critical attack surfaces for Berlin-based businesses: your Microsoft 365 and Azure tenant configuration, and your internal network. The output is not a traffic-light dashboard or a generic findings PDF. It is a prioritised remediation plan that your IT team — internal or outsourced — can act on immediately.

M365 / Azure Security Review

  • CIS M365 Benchmark v6.0 Assessment — Your tenant configuration measured against the full CIS Microsoft 365 Foundations Benchmark v6.0 control set. Every control scored Pass / Fail / Partial, with remediation guidance for every non-pass finding.
  • Entra ID Identity Audit — User account review: stale accounts, accounts without MFA, service accounts with excessive permissions, guest user access, and external collaboration settings.
  • Conditional Access Policy Review — Your existing CA policies assessed against current Microsoft security best practices. Gaps in coverage — unprotected admin roles, missing device compliance requirements, missing location controls — are explicitly called out.
  • Privilege Audit — Every Global Administrator, Privileged Role Administrator, and Exchange Administrator identified. Over-privileged accounts documented with recommended remediation.
  • Guest and External Access Review — External sharing settings in SharePoint, Teams, and OneDrive reviewed. Unknown or unmanaged guest accounts inventoried.

Internal Penetration Test

  • Active Directory Enumeration — Identification of privilege escalation paths, Kerberoastable accounts, AS-REP roastable accounts, and misconfigured group policies from the perspective of a standard domain user.
  • Network Segmentation Check (Meraki / VLAN) — Validation that VLANs are enforced correctly and that lateral movement between network segments is blocked as intended. Common misconfigurations in Meraki environments are explicitly tested.
  • Firewall Rule Review — Inbound and outbound rules assessed for unnecessary exposure, overly permissive any-to-any rules, and legacy rules no longer serving a business purpose.
  • External Attack Surface Scan — Open ports, exposed services, TLS configuration, and known CVEs affecting your public-facing infrastructure, enumerated from the perspective of an external attacker with no prior access.
  • Findings Report with Prioritised Remediation Plan — A structured report covering every finding, its severity (Critical / High / Medium / Low), business impact, and a recommended remediation action with enough specificity to act on without further interpretation.

Why It Matters in Berlin

NIS-2 (in German law: NIS-2-Umsetzungsgesetz, effective 2024) requires organisations in scope to perform regular risk assessments and implement technical measures proportionate to the risk. A documented security assessment is both a baseline obligation and a defence against regulatory liability — if you are breached and cannot demonstrate that you had a current, evidence-based security posture, the regulatory exposure compounds. The BSI IT-Grundschutz (ORP.4, NET.1, APP.5 building blocks) provides the technical framework; our assessments map findings directly to it. For organisations holding EU citizen data under DSGVO, a demonstrable and documented security posture is a prerequisite, not an optional extra.

Security assessments conducted at this level require understanding how privilege escalation, identity misconfiguration, and network segmentation failures play out in real enterprise environments — the environments Anthony has designed and secured at Merrill Lynch, the World Bank, and in aviation logistics at FDH Aero.

Get Started

Book a 30-minute security scoping call
We clarify scope, timelines, and what access is required. No tools run without your explicit sign-off.

Send us your requirements
Describe your environment (tenant size, network complexity, compliance obligations) and we will return a scoped proposal.