What We Evaluate First When We Take Over a New Client's Security
What our security team actually checks in the first week of onboarding, from firewalls and M365 to policies and accounting controls.

Every new client engagement starts the same way: we need to understand what we’re working with before we can protect it. The first week of a security onboarding isn’t about deploying tools or running scans. It’s about building an accurate picture of where the client stands today, what gaps exist, and what needs attention first.
We’ve been doing this for 20+ years across enterprise, government, and SMB environments. The process has evolved, but the core principle hasn’t changed. You can’t secure what you don’t understand. Here’s what our team actually evaluates in those first days.
Infrastructure Assessment: Endpoints, Servers, and Firewalls
The first thing we look at is the physical and on-premises infrastructure. That means every endpoint, every server, and every firewall in the environment. For each one, we evaluate current security policies, firmware versions, and whether any patching cadence actually exists.
The gaps here are almost always bigger than the client expects. We routinely find firewalls running firmware versions two or three generations behind, with default configurations that were never hardened after initial setup. Servers with months of missing patches. Endpoints with expired or misconfigured antivirus. These aren’t edge cases for businesses that haven’t had dedicated security oversight. They’re the baseline.
Once we have a clear picture of the environment, we deploy endpoint detection and response (EDR), connect systems to our SOC for 24/7 monitoring, and integrate SIEM logging where the client’s plan includes it. Deployment comes after assessment, not before. Installing tools on top of an environment you don’t understand creates blind spots.
Microsoft 365 Security Evaluation
Microsoft 365 is the operational center of gravity for most of our clients, which makes it one of the first things we audit after the infrastructure review. We pull the tenant’s Secure Score, review access policies, evaluate Conditional Access configurations, and check whether mobile device management (MDM) is enforced or just configured.
The M365 security settings that SMBs get wrong are remarkably consistent. Multi-factor authentication is enabled for some accounts but not all. Conditional Access policies exist but aren’t enforced. Former employees still have active accounts. Global admin privileges are assigned to accounts that don’t need them. Shared mailboxes with no MFA are used for vendor communications.
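The findings listed above can be expressed as rules over an account inventory, so the same check runs identically on every tenant. The block below is an added example written for this page, not the MSSP's own tooling and not a Microsoft Graph call: it runs over a constructed list of account records whose field names (`upn`, `enabled`, `mfa_enforced`, `roles`, `mailbox_type`, `employment_status`) are assumptions standing in for what a tenant export joined with an HR feed would supply, and the limit of two Global Administrators is likewise an assumed threshold.

```python
"""Flag the Microsoft 365 account conditions described in the text.

Added example, not the MSSP's own tooling. Field names below are
assumptions, not Microsoft Graph property names; the records are
constructed for an imaginary tenant.
"""
from dataclasses import dataclass


@dataclass
class Account:
    upn: str
    enabled: bool                      # interactive sign-in allowed
    mfa_enforced: bool                 # MFA required by policy, not merely registered
    roles: tuple = ()                  # directory roles assigned
    mailbox_type: str = "user"         # "user" or "shared"
    employment_status: str = "active"  # "active" or "terminated" (from the HR feed)


# Constructed sample records. "archive" shows the desired state for a shared
# mailbox: sign-in blocked entirely, so no MFA question arises.
SAMPLE_ACCOUNTS = [
    Account("ceo@example.com", True, True, roles=("Global Administrator",)),
    Account("it.admin@example.com", True, True, roles=("Global Administrator",)),
    Account("marketing.lead@example.com", True, True, roles=("Global Administrator",)),
    Account("receptionist@example.com", True, False),
    Account("j.former@example.com", True, False, employment_status="terminated"),
    Account("ap.invoices@example.com", True, False, mailbox_type="shared"),
    Account("archive@example.com", False, False, mailbox_type="shared"),
]

MAX_GLOBAL_ADMINS = 2  # assumed threshold for this example


def audit_accounts(accounts, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return findings as (severity, upn, description) tuples, most severe first."""
    findings = []
    for a in accounts:
        # Offboarding gap: HR says terminated, directory still allows sign-in.
        if a.employment_status == "terminated" and a.enabled:
            findings.append(("critical", a.upn,
                             "terminated employee still has an enabled account"))
        # Shared mailboxes that can sign in without MFA are a common vendor-fraud path.
        if a.enabled and not a.mfa_enforced and a.mailbox_type == "shared":
            findings.append(("high", a.upn,
                             "shared mailbox allows sign-in without MFA; block sign-in or enforce MFA"))
        elif a.enabled and not a.mfa_enforced:
            findings.append(("high", a.upn, "MFA not enforced"))

    # Privilege sprawl: count Global Administrators against the agreed limit.
    admins = [a for a in accounts if "Global Administrator" in a.roles]
    if len(admins) > max_global_admins:
        findings.append(("medium", ", ".join(a.upn for a in admins),
                         f"{len(admins)} Global Administrators exceeds the limit of {max_global_admins}"))

    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: rank[f[0]])  # stable sort keeps input order within a level
    return findings


if __name__ == "__main__":
    for severity, upn, description in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{severity.upper():8}] {upn}: {description}")
```

Running it against the sample records yields one critical finding (the terminated account), three high findings, and one medium finding for the third Global Administrator; the disabled shared mailbox produces nothing, which is the point of blocking sign-in on such accounts.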
After the audit, we deploy email security tools like Proofpoint to protect against phishing and business email compromise, and integrate the tenant with our SIEM for centralized log analysis. If the client’s M365 configuration has significant gaps, we build a remediation plan that prioritizes the highest-risk issues first.
Cloud Infrastructure Audit
Clients running Azure, AWS, or other cloud environments get a dedicated audit. Cloud misconfigurations are one of the fastest-growing sources of breaches for SMBs, and most businesses don’t have the internal expertise to evaluate their own cloud security posture.
We review network security groups, storage account access, identity configurations, and logging. The audit produces a ranked list of recommended fixes with clear explanations of what each issue means in practical terms. Cloud infrastructure connects to our SIEM where applicable so that unusual activity in the cloud receives the same monitoring attention as on-premises systems.
The most common finding is overly permissive access: cloud resources configured during initial setup with broad permissions that were never tightened once the environment went into production. One misconfigured storage account or an overly permissive IAM role can expose data that the client assumed was protected.
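The "ranked list" the audit produces can be generated mechanically for one common input, the AWS IAM policy document format used by both identity policies and resource policies such as S3 bucket policies. The block below is an added example written for this page, not the MSSP's tooling; the two policy documents are constructed for illustration (the account ID is AWS's documentation placeholder), and the severity ladder is an assumed convention. Azure role assignments and network security group rules have different schemas and would need their own parsers.

```python
"""Rank overly permissive statements in AWS IAM policy JSON.

Added example, not the MSSP's tooling. Handles identity policies and
resource policies (which carry a Principal). Sample documents below are
constructed; 111122223333 is AWS's documentation placeholder account.
"""
import json

SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def _as_list(value):
    """IAM permits a single string or a list for Action, Resource, Principal, Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_permissive_statements(policy_doc, policy_name="policy"):
    """Return findings as dicts sorted by severity, critical first.

    Only Allow statements are examined. A Condition block lowers the severity
    one step because the grant is at least scoped by something, but the
    finding is still reported so a reviewer reads the condition itself.
    Only a bare "*" Resource is treated as a wildcard; ARN patterns such as
    "arn:aws:logs:...:/app/*" are scoped and are left to manual review.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        full_wildcard_action = "*" in actions
        wildcard_resource = "*" in resources
        public = _is_public_principal(stmt.get("Principal"))
        not_action = "NotAction" in stmt  # grants everything except the listed actions

        if public and (any_wildcard_action or not_action):
            severity, reason = "critical", "public principal with wildcard actions"
        elif public:
            severity, reason = "high", "public principal"
        elif (full_wildcard_action or not_action) and wildcard_resource:
            severity, reason = "critical", "full administrative access (Action * on Resource *)"
        elif any_wildcard_action and wildcard_resource:
            severity, reason = "high", "service-wide actions on all resources"
        elif any_wildcard_action or wildcard_resource:
            severity, reason = "medium", "wildcard in Action or Resource"
        else:
            continue

        if "Condition" in stmt:
            next_level = min(SEVERITY_ORDER.index(severity) + 1, len(SEVERITY_ORDER) - 1)
            severity = SEVERITY_ORDER[next_level]
            reason += " (scoped by Condition; review it)"

        findings.append({"policy": policy_name, "statement": idx, "sid": stmt.get("Sid"),
                         "severity": severity, "reason": reason})

    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


# Constructed identity policy: a leftover setup grant, a tight read grant,
# a service-wide grant gated on MFA, and a Deny that is never a finding.
SAMPLE_IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SetupAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/app/*"},
    {"Sid": "S3Wide", "Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

# Constructed bucket policy: world-readable objects.
SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}""")


if __name__ == "__main__":
    results = (find_permissive_statements(SAMPLE_IDENTITY_POLICY, "identity") +
               find_permissive_statements(SAMPLE_BUCKET_POLICY, "bucket"))
    for f in sorted(results, key=lambda f: SEVERITY_ORDER.index(f["severity"])):
        print(f"[{f['severity'].upper():8}] {f['policy']}/{f['sid']}: {f['reason']}")
```

On the samples, `SetupAdmin` ranks critical, the public bucket read ranks high, and `S3Wide` drops from high to medium because of its MFA condition; `ReadLogs` and the Deny statement produce nothing. The ordering is what lets the remediation plan start with the grant that matters most rather than with whichever appeared first in the console.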
SOC Response Expectations
Before monitoring tools go live, we sit down with the client’s leadership to align on how incidents get handled. This conversation matters more than most technical steps because it determines what happens when something is actually detected.
The questions are straightforward. What constitutes a critical alert versus a low-priority notification? Who at the client’s organization needs to be contacted at different severity levels? What decisions can our team make autonomously, and which require client approval? How do after-hours incidents get escalated?
Getting this right upfront prevents confusion during real incidents. We’ve covered what a real incident response looks like in our walkthrough of the first 48 hours. The difference between a smooth response and a chaotic one almost always traces back to whether expectations were set during onboarding.
Policy and Procedure Review
Most SMBs have either outdated cybersecurity policies or none at all. We review whatever documentation exists: acceptable use policies, incident response plans, data handling procedures, access control policies, and employee onboarding and offboarding checklists.
The gap analysis tells us as much about the organization’s security culture as the technical assessment tells us about their infrastructure. A company with good technical controls but no written policies is vulnerable to turnover, inconsistency, and compliance failures. A company with thorough policies that nobody follows has a different kind of problem.
Where gaps exist, we provide templates and work with the client to adapt them to their specific situation. These aren’t generic documents pulled from a compliance library. They’re tailored to the client’s industry, size, and regulatory requirements. For businesses subject to HIPAA, CMMC, or other frameworks, the policy review also maps existing documentation against specific compliance controls.
Accounting Controls and Vendor Assessments
This step surprises some clients, but it’s one of the most important. We review controls around financial processes, including vendor assessment procedures and payment authorization workflows. Business email compromise targeting accounting departments is one of the most damaging attack types for SMBs, and it doesn’t require sophisticated malware or zero-day exploits.
We look at whether the client verifies banking changes from vendors through a separate communication channel, whether payment approvals require multiple sign-offs above a threshold, and whether accounting staff have received targeted training on wire fraud and invoice manipulation. These controls sit at the intersection of security policy and business operations, and they’re among the most common gaps we find.
What This Evaluation Tells Us
The first week of security onboarding produces two outputs. The first is a prioritized list of immediate risks that need attention before anything else. The second is the foundation of a 90-day security roadmap that addresses medium-term gaps in a structured sequence.
The evaluation also reveals something about the client’s previous IT provider. When we find years of unpatched firmware, default firewall configurations, no M365 Conditional Access, and zero written policies, that’s not just a list of gaps. It’s evidence that the prior provider was collecting a monthly fee without doing the work. If you’re wondering whether your current provider is checking the right things, bring them this list and ask them to walk through each area for your environment.
According to IBM’s Cost of a Data Breach Report, the average breach goes undetected for over six months. The goal of our onboarding process is to compress that window to zero by building visibility from day one across every layer of the client’s IT environment.