How it works

Live in a week, not a quarter.

From a clean account to a fully watched and protected business in three short steps.

  1. We connect

    You give us a one-time, read-only connection to your cloud admin console (Microsoft 365, Google Workspace, AWS, or GCP). Nothing to install on your laptops. No clunky agents. The whole thing takes under an hour.

    ≈ 60 minutes · read-only access

  2. We start watching

    The Foundry Cyber Benchmark runs against your setup continuously. When something slips, our AI assistant Forge writes you a plain-English summary: what's wrong, why it matters, what we're doing about it. You see everything in your secure portal.

    Continuous · plain-English briefings

  3. We fix it, or set it up

    Fix work and green-field builds are separate engagements, quoted up front. Whether it's drift on a tenant you already run or a Microsoft cloud being set up from scratch, our engineers, with Forge's help, go in and do the work. Findings flip to resolved with a short note explaining what we did and why it mattered. Today, hands-on work runs on Microsoft 365, Azure and Google Workspace; AWS and GCP are assess-only for now.

    Optional · scoped per engagement

The FC Benchmark

Our checklist for keeping you secure.

Every Foundry Cyber customer is checked against the same checklist: the FC Benchmark. It's a list of practical security controls for businesses that don't have a dedicated security team, but still need to know they're properly protected.

01 Built from trusted standards

We don't invent our checks from scratch. Every Foundry Cyber Benchmark control traces back to recognised public guidance: the National Cyber Security Centre (NCSC), NIST, and the ISO 27001 family. You get the benefit of the world's best security thinking, in plain English.

02 Mapped to what you already use

The benchmark is calibrated for the cloud platforms most modern businesses already use: Microsoft 365 and Azure, Google Workspace, AWS, and Google Cloud. We don't ask you to buy new platforms. We make sure the ones you've got are configured properly.

03 The same for every customer

We never weaken the checklist for a smaller customer. Bronze, Silver and Gold tiers all get the full benchmark. What changes is how often we run it, how deeply we go, and how much human attention you get.

Microsoft estate

  • Microsoft 365 (Business Premium, E3, E5)
  • Microsoft Azure
  • Microsoft Defender
  • Windows 11
  • Microsoft Entra ID (identity)

Other clouds

  • Google Workspace
  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)

Mix of platforms? That's normal. We run the same benchmark across whichever clouds you use, so you get one set of findings and one plain-English view of where you stand.

The benchmark evolves as standards and threats evolve. New controls are added when guidance is updated; obsolete ones are retired. Your portal always shows you what's currently in scope.

Onboarding

Live in under an hour.

Onboarding shouldn't feel like an IT project. There's nothing to install, no agents on your laptops, no kit to plug in, and no admin password to hand over. One short call, one approval click in your own cloud admin console, and we're connected, usually before the call ends. Simple for you, secure by design, and easy to switch off again if you ever want to.

01 No software

One short call, no software

There's nothing to install. No agents on your laptops, no kit to plug in, no IT project. We send you a short link, one of your admins clicks approve in your own cloud admin console, and we're connected. Most customers are live inside an hour, usually while we're still on the call.

  • No software to install: nothing on laptops, nothing on servers
  • One approval click in your own admin console
  • Most businesses are connected and being assessed within the hour

02 No shared passwords

We never ask for your password

You don't hand over admin credentials. You don't create a shared account for us. You don't bypass your MFA. We use each cloud's own pattern for managed service providers (Azure Lighthouse, AWS cross-account roles, GCP service accounts, Google Workspace delegation). Our engineers work from our tenant into yours, under your rules, with their own named identities. You see exactly who's doing what.

  • No shared passwords, no break-glass accounts handed over
  • Every action is attributable to a named Foundry Cyber engineer
  • You can revoke our access with one click. No awkward exit process

03 Least-privilege

Least-privilege, by default

We never ask for Global Admin. We take the smallest set of permissions we need to do the work: read-only for assessment, narrow scopes for specific fixes, time-bound elevation for the rare case it's required. Simple for you, safe by design, and exactly what your auditors and insurers want to see.

  • Read-only by default. Write access is the exception, not the norm
  • Separate scopes for assessment, reporting and remediation
  • Time-bound elevation. No standing privilege sitting around

The exact role mappings, delegation scopes and onboarding runbooks for each cloud are shared with you once a contract is in place, not before. Onboarding is part of the engagement, not a sales document.

Frequently asked

Access, cadence, findings: common questions.

01 What permissions do you take?

Read-only by default. We use each cloud's own pattern for managed service providers: Azure Lighthouse, AWS cross-account roles, GCP service accounts, Google Workspace delegation. Our engineers work from our tenant into yours, under your rules, with their own named identities. You see who did what, and you can revoke access in one click.

02 How often does the benchmark run?

Monthly on Bronze, weekly on Silver, weekly with on-demand triggers on Gold. Drift between scans is detected by Forge in your portal, with a plain-English summary of what changed and why it matters. You're never waiting until next quarter to find out something slipped.

03 Who can see our findings?

Just you and the assigned Foundry Cyber engineers. Findings, reports, and evidence live on our portal infrastructure in Microsoft Azure UK South and West Europe regions. We do not share, sell, or train AI models on customer data. We are a UK company; your data stays within the UK and EEA.

04 What if we disagree with a finding?

Tell us. Forge is good but not infallible, and context matters. Every finding has a "this isn't right for our environment" route. We'll review with you, document the rationale, and either reclassify or close it. The audit trail stays on the finding so future auditors see the reasoning, not just the outcome.

05 Can we revoke your access?

One click in your own cloud admin console. Because we never hold shared passwords and every action runs under a named identity, removing us is the same as removing any other guest user. We'll close the engagement cleanly and hand back evidence. No awkward exit process.

06 What happens when a finding is resolved?

It flips to "resolved" in your portal with a short note explaining what was wrong, what we (or you) did, and why it mattered. The date and the engineer who closed it are recorded on the finding. That's what becomes audit evidence later.

Onboarding new customers now

Let's start with a conversation.

Tell us a bit about your business and what you're worried about. We'll come back with a plain-English view of where you stand and what we'd suggest doing first. Real people, real answers.