— How it works

Live in a week, not a quarter.

From a clean account to a fully watched and protected business in three short steps.

  1. We connect

    You give us a one-time, read-only connection to your cloud admin console (Microsoft 365, Google Workspace, AWS, or GCP). Nothing to install on your laptops. No clunky agents. The whole thing takes under an hour.

    ≈ 60 minutes · read-only access

  2. We start watching

    The Foundry Cyber Benchmark runs against your setup continuously. When something slips, our AI assistant Forge writes you a plain-English summary: what's wrong, why it matters, what we're doing about it. You see everything in your secure portal.

    Continuous · plain-English briefings

  3. We can fix what's broken

    Fix work is a separate engagement, quoted up front. When you commission it, our engineers, with Forge's help, go in and put it right. You'll see findings flip to resolved with a short note explaining what was wrong, what we did, and why it mattered. Today, fix work runs on Microsoft 365, Azure and Google Workspace; AWS and GCP are assess-only for now.

    Optional · scoped per engagement

— The FC Benchmark

Our checklist for keeping you secure.

Every Foundry Cyber customer is checked against the same checklist: the FC Benchmark. It's a list of practical security controls for businesses that don't have a dedicated security team, but still need to know they're properly protected.

01

Built from trusted standards

We don't invent our checks from scratch. Every Foundry Cyber Benchmark control traces back to recognised public guidance: the National Cyber Security Centre (NCSC), NIST, and the ISO 27001 family. You get the benefit of the world's best security thinking, in plain English.

02

Mapped to what you already use

The benchmark is calibrated for the cloud platforms most modern businesses already use: Microsoft 365 and Azure, Google Workspace, AWS, and Google Cloud. We don't ask you to buy new platforms. We make sure the ones you've got are configured properly.

03

The same for every customer

We never weaken the checklist for a smaller customer. Bronze, Silver and Gold tiers all get the full benchmark. What changes is how often we run it, how deeply we go, and how much human attention you get.

— Microsoft estate

  • Microsoft 365 (Business Premium, E3, E5)
  • Microsoft Azure
  • Microsoft Defender
  • Windows 11
  • Microsoft Entra ID (identity)

— Other clouds

  • Google Workspace
  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)

Mix of platforms? That's normal. We run the same benchmark across whichever clouds you use, so you get one set of findings and one plain-English view of where you stand.

The benchmark evolves as standards and threats evolve. New controls are added when guidance is updated; obsolete ones are retired. Your portal always shows you what's currently in scope.

— Onboarding

Live in under an hour.

Onboarding shouldn't feel like an IT project. There's nothing to install, no agents on your laptops, no kit to plug in, and no admin password to hand over. One short call, one approval click in your own cloud admin console, and we're connected, usually before the call ends. Simple for you, secure by design, and easy to switch off again if you ever want to.

01

No software

One short call, no software

There's nothing to install. No agents on your laptops, no kit to plug in, no IT project. We send you a short link, one of your admins clicks approve in your own cloud admin console, and we're connected. Most customers are live inside an hour, usually while we're still on the call.

  • No software to install: nothing on laptops, nothing on servers
  • One approval click in your own admin console
  • Most businesses are connected and being assessed within the hour

02

No shared passwords

We never ask for your password

You don't hand over admin credentials. You don't create a shared account for us. You don't bypass your MFA. We use each cloud's own pattern for managed service providers (Azure Lighthouse, AWS cross-account roles, GCP service accounts, Google Workspace delegation). Our engineers work from our tenant into yours, under your rules, with their own named identities. You see exactly who's doing what.

  • No shared passwords, no break-glass accounts handed over
  • Every action is attributable to a named Foundry Cyber engineer
  • You can revoke our access with one click. No awkward exit process

03

Least-privilege

Least-privilege, by default

We never ask for Global Admin. We take the smallest set of permissions we need to do the work: read-only for assessment, narrow scopes for specific fixes, time-bound elevation for the rare case it's required. Simple for you, safe by design, and exactly what your auditors and insurers want to see.

  • Read-only by default. Write access is the exception, not the norm
  • Separate scopes for assessment, reporting and remediation
  • Time-bound elevation. No standing privilege sitting around

The exact role mappings, delegation scopes and onboarding runbooks for each cloud are shared with you once a contract is in place, not before. Onboarding is part of the engagement, not a sales document.

Onboarding new customers now

Let's start with a conversation.

Tell us a bit about your business and what you're worried about. We'll come back with a plain-English view of where you stand and what we'd suggest doing first. Real people, real answers.