# Security Auditing
Regular security assessments and compliance verification
Security auditing provides regular, comprehensive security assessments of your infrastructure, identifying vulnerabilities and ensuring compliance with security standards.
Security auditing is included in the M plan only.
## Audit scope

### Infrastructure security
- Cloud account configuration
- Network architecture review
- Firewall and security groups
- VPN and access controls
- Encryption configuration
### Kubernetes security
- Cluster configuration
- RBAC policies
- Network policies
- Pod security standards
- Secrets management
- Service mesh security
### Application security
- Container security posture
- Dependency vulnerabilities
- API security
- Authentication mechanisms
- Authorization controls
### Access control
- Identity management
- Privilege escalation paths
- Service account review
- Key and certificate management
- MFA enforcement
## Audit process

### 1. Scoping
- Define audit boundaries
- Identify critical systems
- Establish timeline
- Assign resources
### 2. Assessment
- Automated scanning
- Manual review
- Configuration analysis
- Architecture review
### 3. Analysis
- Vulnerability categorization
- Risk scoring
- Exploitability assessment
- Business impact analysis
### 4. Reporting
- Executive summary
- Technical findings
- Risk prioritization
- Remediation recommendations
### 5. Remediation support
- Implementation guidance
- Verification testing
- Re-assessment
## Deliverables

### Findings report
- Detailed vulnerability descriptions
- Evidence and proof of concept
- CVSS scoring
- Affected systems
### Risk assessment
- Risk matrix
- Business impact
- Likelihood analysis
- Risk acceptance criteria
### Remediation plan
- Prioritized action items
- Implementation guidance
- Timeline recommendations
- Resource requirements
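The analysis step above (vulnerability categorization, risk scoring) and the findings, risk assessment and remediation plan deliverables can be shown end to end on scanner output. The following is an added example, not the audit tooling this service uses: it flattens a report in the JSON layout Trivy emits (assumed here to be `Results[].Target` and `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity` and `CVSS.nvd.V3Score`), derives a likelihood band from the CVSS score and network exposure, combines it with a business-impact band from a constructed asset inventory through a 3x3 risk matrix, and produces a prioritized action list, the subset that exceeds an agreed risk acceptance threshold, and the affected-systems mapping. The asset table, the sample report and the `CVE-EXAMPLE-*` identifiers are all constructed placeholders.

```python
"""Triage scanner findings into a risk-rated, prioritized remediation list.

Added example. Report layout follows Trivy's JSON output as assumed here;
asset inventory, sample report and CVE identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: is the target reachable from the internet,
# and what is the business impact band if it is compromised.
ASSETS = {
    "registry.example/shop/api:1.4": {"exposed": True, "impact": "high"},
    "registry.example/shop/worker:1.4": {"exposed": False, "impact": "medium"},
    "registry.example/tools/reporting:0.9": {"exposed": False, "impact": "low"},
}

# Constructed Trivy-style report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {"Results": [
    {"Target": "registry.example/shop/api:1.4", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "InstalledVersion": "3.0.1",
         "FixedVersion": "3.0.2", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "zlib", "InstalledVersion": "1.2.11",
         "FixedVersion": "", "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 5.5}}}]},
    {"Target": "registry.example/shop/worker:1.4", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "InstalledVersion": "3.0.1",
         "FixedVersion": "3.0.2", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}}]},
    {"Target": "registry.example/tools/reporting:0.9", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libxml2", "InstalledVersion": "2.9.10",
         "FixedVersion": "2.9.14", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}}]},
]}

# 3x3 risk matrix: (likelihood band, impact band) -> rating.
RISK_MATRIX = {
    ("high", "high"): "Critical", ("high", "medium"): "High", ("high", "low"): "Medium",
    ("medium", "high"): "High", ("medium", "medium"): "Medium", ("medium", "low"): "Low",
    ("low", "high"): "Medium", ("low", "medium"): "Low", ("low", "low"): "Low",
}
RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    vuln_id: str
    target: str
    package: str
    installed: str
    fixed: Optional[str]  # None when the scanner reports no fixed version
    severity: str
    cvss: float


def parse_trivy_report(report: dict) -> list:
    """Flatten the nested Results/Vulnerabilities structure into Finding records."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score")
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"], target=result["Target"], package=v["PkgName"],
                installed=v.get("InstalledVersion", ""), fixed=v.get("FixedVersion") or None,
                severity=v.get("Severity", "UNKNOWN"), cvss=float(score) if score is not None else 0.0))
    return findings


def likelihood(f: Finding, exposed: bool) -> str:
    """Likelihood band from CVSS base score and whether the system is internet-facing."""
    if f.cvss >= 7.0 and exposed:
        return "high"
    if f.cvss >= 7.0 or (f.cvss >= 4.0 and exposed):
        return "medium"
    return "low"


def rate(f: Finding, assets: dict) -> str:
    """Risk rating for a finding on its target; unknown targets are treated as worst case."""
    asset = assets.get(f.target, {"exposed": True, "impact": "high"})
    return RISK_MATRIX[(likelihood(f, asset["exposed"]), asset["impact"])]


def prioritize(report: dict, assets: dict) -> list:
    """Remediation items, highest rating first; at equal rating, fixable before unfixable, then by CVSS."""
    items = []
    for f in parse_trivy_report(report):
        action = (f"upgrade {f.package} {f.installed} -> {f.fixed}" if f.fixed
                  else f"no fix available for {f.package}; mitigate or accept")
        items.append({"id": f.vuln_id, "target": f.target, "package": f.package,
                      "rating": rate(f, assets), "cvss": f.cvss, "action": action})
    items.sort(key=lambda i: (RATING_ORDER[i["rating"]], i["action"].startswith("no fix"), -i["cvss"]))
    return items


def exceeds_acceptance(items: list, accept_at_or_below: str = "Low") -> list:
    """Drop items whose rating falls within the agreed risk acceptance criteria."""
    threshold = RATING_ORDER[accept_at_or_below]
    return [i for i in items if RATING_ORDER[i["rating"]] < threshold]


def affected_systems(items: list) -> dict:
    """Map each vulnerability id to the systems it affects, for the findings report."""
    out = {}
    for i in items:
        out.setdefault(i["id"], []).append(i["target"])
    return out


if __name__ == "__main__":
    for item in prioritize(SAMPLE_REPORT, ASSETS):
        print(f'{item["rating"]:<8} {item["cvss"]:>4} {item["target"]:<40} {item["action"]}')
```

The same CVE rates Critical on the internet-facing API image and only Medium on the internal worker, which is the point of scoring against the asset inventory rather than the raw severity label; the unfixable finding is sorted behind fixable ones of equal rating so the plan leads with work that can actually be completed.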
### Executive summary
- High-level findings
- Risk posture overview
- Key recommendations
- Compliance status
## Compliance support
Security auditing helps maintain compliance with:
| Framework | Support |
|---|---|
| SOC 2 | Type I and II evidence |
| ISO 27001 | Control verification |
| PCI DSS | Requirement mapping |
| HIPAA | Security rule compliance |
| GDPR | Technical measures |
## Audit frequency
| Audit Type | Frequency |
|---|---|
| Automated scans | Continuous |
| Configuration review | Monthly |
| Comprehensive audit | Quarterly |
| Penetration test coordination | Annually |
## Tools and methodologies

### Scanning tools
- Trivy, Snyk (container scanning)
- ScoutSuite (cloud configuration)
- kube-bench (Kubernetes CIS)
- Prowler (AWS security)
### Frameworks
- CIS Benchmarks
- OWASP guidelines
- NIST Cybersecurity Framework
- Cloud provider best practices
## Available in
- M Plan — Comprehensive security auditing