Security & Infrastructure Audit Program
A standing audit program across 25 managed client organizations, run on a fixed cadence with AI-directed tooling doing the collection.
context
An MSP responsible for the security posture of roughly 25 managed client organizations. Security assessments existed, but as one-off exercises: performed when something prompted them, scoped differently every time, and hard to compare quarter to quarter. A finding raised once and never re-checked is not much better than no finding at all.
problem
Turn ad-hoc assessments into a standing program: M365 security baselines, firewall configuration review, EDR coverage verification, DNS validation, and backup and failover validation, executed the same way for every client, on a fixed cadence, with findings tracked through to remediation rather than filed and forgotten.
constraints
Auditor hours are the scarce resource: 25 organizations times a serious checklist does not fit in anyone's calendar unless tooling does the evidence collection. Client tenants are reached through delegated access, so every check had to work under those permissions. Results had to be consistent enough to diff against the previous cycle, and the findings themselves are sensitive client material that has to be handled and stored accordingly.
approach
The checks were codified into reusable, AI-directed audit workflows - part of a broader automation framework of 20+ standardized workflows - so each engagement runs the same collection and produces the same report structure. M365 tenants are assessed against security baselines; firewall configuration review was built as Python tooling against the firewall vendor's cloud management API, pulling and analyzing support-report data across 14 managed firewalls instead of clicking through admin consoles. Findings land as remediation guidance in IT Glue, the documentation system technicians already work in, which is what keeps them alive between cycles.
outcome
A repeatable program across the managed portfolio on a fixed cadence. The tooling surfaced findings that manual spot checks had missed - including expired security licensing on perimeter devices and an active credential-guessing campaign against one client - each documented with remediation guidance and tracked to closure.