See the Microsoft 365 gaps no single tool can.
Identity is the new perimeter — and the blind spots hide between Entra, Intune, and Defender. Bastion correlates all three (read-only), surfaces the assets no single tool sees — no-EDR, unmanaged, over-privileged — and hands your team the exact, human-approved fix for each.
Bring-your-own-key · Human-approved changes · No long-term lock-in
Over-privileged app registration
Entra ID · "Backup Application" · service principal
Remove-MgServicePrincipalAppRoleAssignment ` -ServicePrincipalId 4a93… -AppRoleAssignmentId 7f2c…
Read-only — your team runs the fix. Bastion never writes to your tenant.
Works with the models you already use — you bring the keys
Built by security practitioners · BYOK · Human-approved · Design partners welcome →
How it works
From tenant-connected to fixed — in days
The read-only assessment loop: AI finds, correlates, and prioritizes; your team approves and applies. Nothing in your tenant is ever changed by us.
Tenant connected
Read-only Microsoft Graph + Exchange + Defender, via your own admin consent. No write access.
12+ domain scan
Identity, app registrations, Conditional Access, devices, Defender, email — all read-only.
Cross-source correlation
Entra + Intune + Defender merged into one inventory — surfacing the coverage gaps no single tool sees.
Exploitability prioritization
AI ranks by real-world exploitability and blast radius — not a generic points score.
Exact fix per finding
A concrete, runnable command for each — mapped to MITRE ATT&CK / CIS.
Your team approves
You review every fix. Bastion never writes to your tenant.
You apply, with rollback
Run the exact fix we hand you — scoped, reversible, with rollback notes.
Re-scan to verify
Re-run the assessment to confirm the gap is closed — or subscribe to Monitor for scheduled, continuous re-scans.
Read-only, by design
What we connect to — and what you get
The Discovery Assessment is a read-only review of your Microsoft 365 / Entra tenant. We never get write access, and nothing in your tenant is changed.
- Read-only Microsoft Graph + Exchange Online + Defender — scoped, least-privilege app permissions.
- No write permissions. The scanner reads your posture; it cannot change a single setting.
- You grant access with your own admin consent and revoke it any time. Your model keys stay yours (BYOK).
- A prioritized findings report across 12 Microsoft 365 / Entra security domains — identity, app registrations, Conditional Access, devices, Defender, email.
- An exact, human-approved fix for each finding — real runnable commands, mapped to MITRE ATT&CK / CIS, down to the affected asset.
- Delivered in a live console and a printable report you can hand to your team or auditor.
See the exact deliverable before you buy · fixed scope · read-only · delivered in days.
Outcomes
You're buying results, not buzzwords
See what's exposed
12 Microsoft 365 / Entra domains assessed read-only, prioritized by real exploitability.
Find the blind spots
Cross-source correlation surfaces the assets no single Microsoft tool sees — no-EDR, unmanaged.
Know exactly what to do
An exact, runnable fix for every finding — not a generic recommendation.
Less analyst toil
AI triages the noise and drafts the fix; your team makes the calls.
Audit-ready report
A printable assessment mapped to MITRE ATT&CK / CIS for your team or auditor.
Yours, end to end
Read-only access you revoke any time; your own model keys (BYOK).
Services
What you can engage us for today
Microsoft 365 / Entra Discovery Assessment
The core deliverable: a read-only, 12+ domain security assessment with exact, human-approved fixes mapped to MITRE ATT&CK / CIS. $5,500, fixed scope, delivered in days.
AI Enablement & Model Consulting
Securely set up the models you use (OpenAI, Anthropic, Google, Azure, xAI), deploy Hugging Face & open models, and build LoRA fine-tunes on your own data — all BYOK.
Continuous monitoring ships today as a Monitor subscription. On the roadmap: broader network & cloud coverage and MSP/partner programs.
Integrations
Built to fit the stack you already run
Live today: Microsoft 365 / Entra scanning, native ticketing (Jira / ServiceNow / SyncroMSP), Slack & Teams alerts, HMAC-signed webhooks, and a read/write REST API. More source + SIEM connectors are on the roadmap.
Live today
On the roadmap
Bring your own key
You own the model relationship. We bring the security.
Customers connect their own provider API keys. That keeps you compliant with each provider's terms, in control of your spend, and free of vendor lock-in — while we secure, deploy, and manage the models on top.
You pay Bastion for the assessment — correlation, AI triage, and the exact human-approved fixes. Model usage is billed to you directly by your providers, with no markup from us. Your data and model choices stay yours.
Your keys, your accounts
You hold the API keys for every model provider. We never resell access or mark up your token spend.
Your data stays yours
Inference runs against your accounts. Sensitive workloads can run on private or self-hosted models.
No lock-in
Swap providers anytime. We help you choose the right model for each job — and move when it makes sense.
Pricing
One product, priced per tenant.
Assess your Microsoft 365 / Entra tenant once, or keep watching it continuously — priced on one axis, your billable identities. No per-seat surprises. Pay securely by card via Stripe (USD).
Start with an assessment
See your gaps free, then get the full picture — every finding with its exact fix. An assessment credits 100% toward your first year of Monitor.
Free Snapshot
See your gaps, free
Private beta · request access
A free read-only headline scan of your Microsoft 365 / Entra tenant — Secure Score, standing Global Admins, MFA & Conditional Access gaps, over-privileged apps, and your total finding count. The exact fixes come with a paid assessment.
- Headline findings on your own tenant
- Read-only — you create the app, you revoke it
- No AI key required
- Total finding count + top exposures
Self-Serve Assessment
The full picture
A complete read-only Microsoft 365 / Entra security assessment — every finding with the exact, vetted, ID-pinned fix and rollback, an authenticated console, and a point-in-time report with a CIS scorecard. 100% creditable toward your first year of Monitor.
- Full findings + all vetted fixes with rollback
- Authenticated console + print-ready report
- Basic CIS Microsoft 365 compliance export
- 100% credited toward Monitor
Assessment 2-Pack
Periodic re-check
Two full assessments a year for a shop whose posture changes slowly — a lighter-touch middle ground between one-time and always-on Monitor. Creditable if you upgrade.
- 2 full assessments per year ($650 each)
- Everything in the Self-Serve Assessment
- Creditable toward Monitor on upgrade
Discovery Assessment
White-glove
A human-led read-only assessment of your Microsoft 365 / Entra posture — full scan, an analyst review, an executive readout, and a prioritized remediation roadmap. For mid-market teams and vCISOs. 100% creditable toward Monitor.
- Everything in the Self-Serve Assessment
- Analyst review + executive readout
- Prioritized remediation roadmap + follow-up
- 100% credited toward Monitor
Then keep watching — Monitor
Continuous re-scans, change alerts, and the findings API + webhooks — priced by how many identities you actually have. Pick your size:
Enabled users + active guests (service principals, shared/resource mailboxes, and disabled accounts don’t count).
- Everything in Starter
- Basic CIS compliance export
- 3 console seats
Continuous monitoring after a read-only connect to your tenant, billed monthly per billable identity. An assessment you buy now credits 100% toward your first year of Monitor.
Partners & MSPs
Partner Assessment Pack
For consultants & MSPs
Wholesale on the Self-Serve Assessment for vCISOs, consultants, and MSPs — 5-pack at $600 each or 10-pack at $500 each, no minimum, white-label report included, 18-month cross-client redemption.
- 5-pack $3,000 · 10-pack $5,000
- No minimum
- White-label report included
- 18-month cross-client redemption
Partner Monitor
Recurring reseller rate
~20% off any direct Monitor band for consultants and MSPs (min 3 tenants), white-label included at every tier. Available once Monitor is live.
- ~20% off any Monitor band
- Min 3 tenants
- White-label included
- Live with Monitor
MSP Fleet
Manage tenants at scale
A pooled-inference fleet product for MSPs — per-tenant pricing with volume breaks ($149/$129/$109/$99 at 10/25/50/100 tenants), a fleet rollup dashboard, and white-label console. Trigger-dated as the channel commits.
- Volume-tiered $149→$99/tenant
- Fleet rollup dashboard
- Pooled inference (no per-tenant key)
- White-label console
Model-enablement consulting (AI setup, LoRA fine-tuning, deployment kit) is a separate service — see Services.
Contact
Let's secure your infrastructure
Tell us about your environment and what you want to secure or build. We typically reply within one business day.
- Free 30-minute scoping call
- No-obligation discovery summary
- Bring-your-own-key from day one