Scan your M365 and Google Workspace tenants against CIS, CISA SCuBA, EIDSCA, Core Security, ORCA, CIS GWS and CISA SCuBA GWS. Auditor-ready in minutes. One-click remediation with human-in-the-loop approval.
| Finding | Framework | Severity | Remediation |
|---|---|---|---|
| Legacy authentication not blocked: SMTP AUTH, POP3, IMAP enabled for 4 mailboxes | CIS · EIDSCA | CRITICAL | One-click · Terraform |
| No CA policy for admin MFA: Global Admins have no enforced MFA policy | CIS · EIDSCA · Core | CRITICAL | One-click · CA policy |
| SharePoint anonymous link sharing enabled: External sharing scope = "Anyone" at tenant level | CISA SCuBA | HIGH | One-click · Graph |
| Audit log retention < 1 year: current retention 90 days · recommended 365 | Core · ORCA | HIGH | Guided · manual |
| DKIM signing not enabled for 2 domains: contoso.co.uk · sub.contoso.co.uk | CIS · CISA | MEDIUM | One-click · DNS + Exchange |

Every check is mapped to a specific, named control in a published benchmark. No made-up internal scoring.
Center for Internet Security M365 Foundations Benchmark. The auditor's go-to. Scanner covers L1 and L2 controls.
Secure Cloud Business Applications baseline from US Homeland Security. Mandatory for US federal agencies; trusted everywhere.
EIDSCA: the gold-standard configuration analyser for Azure AD / Entra ID. Deep identity posture.
Our opinionated baseline, derived from real incident response across fintech, banking and healthcare. Usability, manageability and security in balance.
Community-driven cloud posture framework. Catches things the commercial benchmarks miss.
Center for Internet Security benchmark for Google Workspace. Identity, Gmail, Drive, Meet, Groups.
US government baseline adapted for Google Workspace tenants. 12 security domains, auditor-aligned.
Security frameworks are often treated as unmovable hard requirements. They are not. The CIS themselves state in the preface to every benchmark:
"It is acceptable if 100% of the benchmark is not applied, as it is the responsibility and decision of each organization to determine which settings are applicable to their unique needs."
SocSage's baselines aren't a blind aggregation of published controls. They are informed by the best public frameworks — and refined through hundreds of real deployments where admin manageability, user experience and business context matter as much as CIS score.
No one framework covers every case. We read them all, weighted them by lived experience, and codified the result as Terraform. You deploy it. You can override any policy. You always see the diff.
Attackers now use LLMs to write phishing kits, fuzz Entra ID tenants, and chain misconfigurations faster than any human analyst can review. The bar has moved. Novel zero-days are not the common case — over 80% of the incidents we respond to still start with a misconfiguration: a Conditional Access gap, a lingering legacy-auth protocol, a shared mailbox without MFA, a Workspace OU that inherited a permissive default.
You cannot out-hunt an LLM. You can out-configure it. SocSage continuously benchmarks your tenant against the same public best-practice frameworks the attackers test against — and closes the gaps before they are exploited.
Deploy a vetted starting configuration — Conditional Access, Intune, Workspace OUs — derived from NCSC, CIS, CISA SCuBA and Microsoft's own guidance. Terraform-backed, previewable, reversible.
Every config change re-runs the full 330+ check catalogue. A loosened CA exclusion, a new forwarding rule, an over-permissive app consent — flagged within minutes, not at the next quarterly review.
Each finding ships with the exact control from the named benchmark, the Terraform or Graph call that closes it, and a user-impact preview. One-click apply, or a guided playbook when the fix touches UX.
Every check, every change, every approval is signed and timestamped. Point-in-time evidence for CE+, ISO 27001 and SOC 2, plus a live score you can show the client in their next QBR.
Every policy ships as Terraform — previewable, reversible, auditable. Pick a pack. Review the diff. Approve in Slack. Done.
Windows device compliance, configuration profiles, app protection, Autopilot enrolment, Defender for Endpoint integration.
Admin MFA, ASR rules, legacy auth block, data-protection CAs, insider-risk gates. Built on Microsoft's well-known CA framework plus our own hardening.
OU-scoped policies for Gmail, Drive, Meet, Chat, Groups, device enrolment. Maps to CIS GWS, CISA SCuBA GWS and Google's own recommended configuration.
SocSage prepares the exact Terraform plan (or Graph call, or CA policy). Approve it in Slack/Teams. We apply, verify and log. Reversible in one click.
Some fixes shouldn't be automated — they touch user experience, licensing, or third-party services. SocSage writes a step-by-step playbook, with screenshots, rollback notes and impact preview.
Core · 1 year retention · Get-UnifiedAuditLogRetentionPolicy
All seven frameworks. Your first tenant. No credit card. Full posture report in under five minutes.