Microsoft 365 / Entra security assessment

See the Microsoft 365 gaps no single tool can.

Identity is the new perimeter — and the blind spots hide between Entra, Intune, and Defender. Bastion correlates all three (read-only), surfaces the assets no single tool sees — no-EDR, unmanaged, over-privileged — and hands your team the exact, human-approved fix for each.

Bring-your-own-key · Human-approved changes · No long-term lock-in

AI finding · Microsoft 365 / Entra
Example

Over-privileged app registration

Entra ID · "Backup Application" · service principal

High
GrantedApplication.ReadWrite.All
Why it mattersFull control of every app in the tenant
Mapped toMITRE T1098 · CIS M365
Exact, ready-to-run fixTenant-exact
Remove-MgServicePrincipalAppRoleAssignment `
  -ServicePrincipalId 4a93… -AppRoleAssignmentId 7f2c…
Copy fixAcknowledge

Read-only — your team runs the fix. Bastion never writes to your tenant.

Works with the models you already use — you bring the keys

OpenAIAnthropicGoogleAzure AIxAIHugging Face

Built by security practitioners · BYOK · Human-approved · Design partners welcome →

12+
M365 / Entra security domains scanned
MITRE ATT&CK
+ CIS-mapped findings
Read-only
no writes to your tenant
BYOK
your model keys, never ours

How it works

From tenant-connected to fixed — in days

The read-only assessment loop: AI finds, correlates, and prioritizes; your team approves and applies. Nothing in your tenant is ever changed by us.

01

Tenant connected

Read-only Microsoft Graph + Exchange + Defender, via your own admin consent. No write access.

02

12+ domain scan

Identity, app registrations, Conditional Access, devices, Defender, email — all read-only.

03

Cross-source correlation

Entra + Intune + Defender merged into one inventory — surfacing the coverage gaps no single tool sees.

04

Exploitability prioritization

AI ranks by real-world exploitability and blast radius — not a generic points score.

05

Exact fix per finding

A concrete, runnable command for each — mapped to MITRE ATT&CK / CIS.

06

Your team approves

You review every fix. Bastion never writes to your tenant.

07

You apply, with rollback

Run the exact fix we hand you — scoped, reversible, with rollback notes.

08

Re-scan to verify

Re-run the assessment to confirm the gap is closed — or subscribe to Monitor for scheduled, continuous re-scans.

Read-only, by design

What we connect to — and what you get

The Discovery Assessment is a read-only review of your Microsoft 365 / Entra tenant. We never get write access, and nothing in your tenant is changed.

What we request
  • Read-only Microsoft Graph + Exchange Online + Defender — scoped, least-privilege app permissions.
  • No write permissions. The scanner reads your posture; it cannot change a single setting.
  • You grant access with your own admin consent and revoke it any time. Your model keys stay yours (BYOK).
What you get
  • A prioritized findings report across 12 Microsoft 365 / Entra security domains — identity, app registrations, Conditional Access, devices, Defender, email.
  • An exact, human-approved fix for each finding — real runnable commands, mapped to MITRE ATT&CK / CIS, down to the affected asset.
  • Delivered in a live console and a printable report you can hand to your team or auditor.
See a sample reportOr book a demo first

See the exact deliverable before you buy · fixed scope · read-only · delivered in days.

Outcomes

You're buying results, not buzzwords

See what's exposed

12 Microsoft 365 / Entra domains assessed read-only, prioritized by real exploitability.

Find the blind spots

Cross-source correlation surfaces the assets no single Microsoft tool sees — no-EDR, unmanaged.

Know exactly what to do

An exact, runnable fix for every finding — not a generic recommendation.

Less analyst toil

AI triages the noise and drafts the fix; your team makes the calls.

Audit-ready report

A printable assessment mapped to MITRE ATT&CK / CIS for your team or auditor.

Yours, end to end

Read-only access you revoke any time; your own model keys (BYOK).

Services

What you can engage us for today

Microsoft 365 / Entra Discovery Assessment

The core deliverable: a read-only, 12+ domain security assessment with exact, human-approved fixes mapped to MITRE ATT&CK / CIS. $5,500, fixed scope, delivered in days.

AI Enablement & Model Consulting

Securely set up the models you use (OpenAI, Anthropic, Google, Azure, xAI), deploy Hugging Face & open models, and build LoRA fine-tunes on your own data — all BYOK.

Continuous monitoring ships today as a Monitor subscription. On the roadmap: broader network & cloud coverage and MSP/partner programs.

Integrations

Built to fit the stack you already run

Live today: Microsoft 365 / Entra scanning, native ticketing (Jira / ServiceNow / SyncroMSP), Slack & Teams alerts, HMAC-signed webhooks, and a read/write REST API. More source + SIEM connectors are on the roadmap.

Live today

Microsoft 365 / EntraMicrosoft DefenderIntuneJiraServiceNowSyncroMSPSlackMicrosoft TeamsWebhooksREST API

On the roadmap

Microsoft SentinelCrowdStrikeSplunkElasticWazuhRapid7QualysTenableGitHubAzure DevOpsAWSAzureGoogle CloudVMwareFortinet

Bring your own key

You own the model relationship. We bring the security.

Customers connect their own provider API keys. That keeps you compliant with each provider's terms, in control of your spend, and free of vendor lock-in — while we secure, deploy, and manage the models on top.

You pay Bastion for the assessment — correlation, AI triage, and the exact human-approved fixes. Model usage is billed to you directly by your providers, with no markup from us. Your data and model choices stay yours.

Your keys, your accounts

You hold the API keys for every model provider. We never resell access or mark up your token spend.

Your data stays yours

Inference runs against your accounts. Sensitive workloads can run on private or self-hosted models.

No lock-in

Swap providers anytime. We help you choose the right model for each job — and move when it makes sense.

Pricing

One product, priced per tenant.

Assess your Microsoft 365 / Entra tenant once, or keep watching it continuously — priced on one axis, your billable identities. No per-seat surprises. Pay securely by card via Stripe (USD).

Start with an assessment

See your gaps free, then get the full picture — every finding with its exact fix. An assessment credits 100% toward your first year of Monitor.

Free Snapshot

See your gaps, free

Free

Private beta · request access

A free read-only headline scan of your Microsoft 365 / Entra tenant — Secure Score, standing Global Admins, MFA & Conditional Access gaps, over-privileged apps, and your total finding count. The exact fixes come with a paid assessment.

  • Headline findings on your own tenant
  • Read-only — you create the app, you revoke it
  • No AI key required
  • Total finding count + top exposures

Self-Serve Assessment

The full picture

$750one-time

A complete read-only Microsoft 365 / Entra security assessment — every finding with the exact, vetted, ID-pinned fix and rollback, an authenticated console, and a point-in-time report with a CIS scorecard. 100% creditable toward your first year of Monitor.

  • Full findings + all vetted fixes with rollback
  • Authenticated console + print-ready report
  • Basic CIS Microsoft 365 compliance export
  • 100% credited toward Monitor

Assessment 2-Pack

Periodic re-check

$1,300/yr (2 scans)

Two full assessments a year for a shop whose posture changes slowly — a lighter-touch middle ground between one-time and always-on Monitor. Creditable if you upgrade.

  • 2 full assessments per year ($650 each)
  • Everything in the Self-Serve Assessment
  • Creditable toward Monitor on upgrade

Discovery Assessment

White-glove

$5,500one-time

A human-led read-only assessment of your Microsoft 365 / Entra posture — full scan, an analyst review, an executive readout, and a prioritized remediation roadmap. For mid-market teams and vCISOs. 100% creditable toward Monitor.

  • Everything in the Self-Serve Assessment
  • Analyst review + executive readout
  • Prioritized remediation roadmap + follow-up
  • 100% credited toward Monitor

Then keep watching — Monitor

Continuous re-scans, change alerts, and the findings API + webhooks — priced by how many identities you actually have. Pick your size:

Enabled users + active guests (service principals, shared/resource mailboxes, and disabled accounts don’t count).

Monitor Core
$599/mo
covers up to 60 identities
  • Everything in Starter
  • Basic CIS compliance export
  • 3 console seats

Continuous monitoring after a read-only connect to your tenant, billed monthly per billable identity. An assessment you buy now credits 100% toward your first year of Monitor.

Partners & MSPs

Partner Assessment Pack

For consultants & MSPs

$500–600/assessment

Wholesale on the Self-Serve Assessment for vCISOs, consultants, and MSPs — 5-pack at $600 each or 10-pack at $500 each, no minimum, white-label report included, 18-month cross-client redemption.

  • 5-pack $3,000 · 10-pack $5,000
  • No minimum
  • White-label report included
  • 18-month cross-client redemption

Partner Monitor

Recurring reseller rate

~20% offany band

~20% off any direct Monitor band for consultants and MSPs (min 3 tenants), white-label included at every tier. Available once Monitor is live.

  • ~20% off any Monitor band
  • Min 3 tenants
  • White-label included
  • Live with Monitor

MSP Fleet

Manage tenants at scale

$99–149/tenant/mo

A pooled-inference fleet product for MSPs — per-tenant pricing with volume breaks ($149/$129/$109/$99 at 10/25/50/100 tenants), a fleet rollup dashboard, and white-label console. Trigger-dated as the channel commits.

  • Volume-tiered $149→$99/tenant
  • Fleet rollup dashboard
  • Pooled inference (no per-tenant key)
  • White-label console

Model-enablement consulting (AI setup, LoRA fine-tuning, deployment kit) is a separate service — see Services.

Contact

Let's secure your infrastructure

Tell us about your environment and what you want to secure or build. We typically reply within one business day.

  • Free 30-minute scoping call
  • No-obligation discovery summary
  • Bring-your-own-key from day one
(408) 785-0763 info@bastionsecurity.dev

2150 N First St
San Jose, CA 95131