System Hardening & Configuration Reviews
Your penetration test flagged hardening issues. Your ISO 27001 auditor wants evidence of configuration management. Or you simply need to know your servers, firewalls, and cloud environments are built to a recognised standard, not assembled by hand. Our CREST-accredited system hardening and configuration reviews measure your infrastructure against industry-standard security benchmarks, point by point. Non-intrusive. Read-only.
Server & Infrastructure Hardening Services
Misconfiguration is a leading cause of cloud breaches, and configuration weaknesses are among the most common findings in penetration test reports. We measure your build standards against industry-standard security benchmarks, identifying every deviation from the baseline. Read-only and non-intrusive. Pricing starts from £2,500 per review.
Cloud Security Configuration Review
In-depth review of AWS, Azure, and GCP environments against CIS Foundations Benchmarks v3.0. Covers IAM policies, S3 or blob access controls, VPC/VNet rules, CloudTrail or Azure Monitor logging, and encryption settings. An expert-led review contextualises findings to your architecture. A CSPM tool does not.
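The IAM and storage access-control checks listed above, as an added example that is not the firm's own tooling: a small Python reviewer that walks AWS policy documents and flags the statements a manual review reads first, an anonymous principal (public access, with or without a scoping Condition), a wildcard action on every resource, and negated elements that need a human. The two policy documents, the bucket name and the VPC endpoint ID are constructed for the example, and the severities are illustrative rather than a CIS Benchmark mapping.

```python
"""AWS policy document review (example code, not the firm's tooling). Flags statements
a reviewer reads first: anonymous principals, and wildcard actions on all resources.
Policy contents are constructed; severities are illustrative, not a benchmark mapping."""


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(element):
    """Flatten Principal, which may be "*" or {"AWS": ..., "Service": ..., ...}."""
    if element is None:
        return []
    if isinstance(element, str):
        return [element]
    flat = []
    for values in element.values():
        flat.extend(as_list(values))
    return flat


def is_wildcard_action(action):
    return action == "*" or action.endswith(":*")


def review_policy(document, label):
    """[(statement id, severity, reason)] for one policy document."""
    findings = []
    for index, statement in enumerate(as_list(document.get("Statement"))):
        sid = statement.get("Sid") or f"{label}[{index}]"
        if any(k in statement for k in ("NotPrincipal", "NotAction", "NotResource")):
            # Negated elements apply to everything *except* the listed items; review by hand.
            findings.append((sid, "MANUAL", "negated element needs manual review"))
        if statement.get("Effect") != "Allow":
            continue
        if "*" in principals(statement.get("Principal")):
            if "Condition" in statement:
                findings.append((sid, "MEDIUM", "anonymous principal scoped only by Condition"))
            else:
                findings.append((sid, "CRITICAL", "anonymous principal with no Condition (public)"))
        actions = as_list(statement.get("Action"))
        resources = as_list(statement.get("Resource"))
        if any(is_wildcard_action(a) for a in actions) and "*" in resources:
            findings.append((sid, "HIGH", "wildcard action on every resource"))
    return findings


# Constructed policies; the bucket name and VPC endpoint ID are placeholders.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
    ],
}
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:GetLogEvents"], "Resource": "*"},
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyExceptS3", "Effect": "Deny", "NotAction": "s3:*", "Resource": "*"},
    ],
}


def review_all():
    return review_policy(BUCKET_POLICY, "bucket") + review_policy(IDENTITY_POLICY, "identity")


if __name__ == "__main__":
    for sid, severity, reason in review_all():
        print(f"{severity:8} {sid}: {reason}")
```

The Condition-scoped statement is rated lower rather than dropped because an `aws:SourceVpce` or `aws:SourceIp` condition is only as good as the network it names; that is exactly the kind of finding a reviewer contextualises against the architecture and a scanner cannot.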
Firewall Configuration Assessment
Detailed analysis of firewall platform configuration and policy to ensure robust perimeter security. Supports Palo Alto, Fortinet, Check Point, Cisco, Juniper, Sophos, and SonicWall. Covers firmware version, management access controls, authentication settings, and zone policies.
Firewall Rule Audit
Rule-by-rule analysis of your firewall rulebase to identify shadowed rules, overly permissive rules, undocumented rules, and rules referencing decommissioned assets. We have reviewed rulebases with more than 5,000 rules.
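An added illustration of the rule-by-rule checks above (example code, not the firm's own tooling): a Python audit of a constructed six-rule rulebase under first-match, top-down evaluation, the model the firewall platforms listed on this page use. The rule names, addresses and the list of retired subnets are assumptions made for the example. Real rulebases also carry zones, users and application identifiers, and this only detects a rule shadowed entirely by a single earlier rule, not one shadowed by the combined coverage of several.

```python
"""Firewall rulebase audit over a constructed rulebase (example code, not the firm's tooling).
Assumes first-match, top-down evaluation and IPv4-only rules."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # IPv4 CIDR or "any"
    dst: str           # IPv4 CIDR or "any"
    proto: str         # "tcp", "udp" or "any"
    ports: tuple       # inclusive (low, high) destination port range
    comment: str = ""  # empty comment = undocumented rule


def net(cidr):
    return ANY_NET if cidr == "any" else ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet `inner` matches is also matched by `outer`. Under first-match
    evaluation a rule placed below one that covers it never fires, whatever its action."""
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules):
    """(shadowed rule, first earlier rule that covers it). Whole-rule shadowing by one
    earlier rule only; combined coverage by several earlier rules is not detected."""
    found = []
    for j, rule in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def permissive_dimensions(rule):
    """How many of source, destination and service are wide open."""
    return sum([rule.src == "any", rule.dst == "any",
                rule.proto == "any" and rule.ports == ANY_PORTS])


def overly_permissive(rules):
    return [r.name for r in rules
            if r.action == "allow" and permissive_dimensions(r) >= 2]


def references_retired(rules, retired_cidrs):
    """Rules whose source or destination falls inside a decommissioned range."""
    retired = [ip_network(c) for c in retired_cidrs]
    return [r.name for r in rules
            if any(f != "any" and any(net(f).subnet_of(n) for n in retired)
                   for f in (r.src, r.dst))]


def undocumented(rules):
    return [r.name for r in rules if not r.comment.strip()]


# Constructed rulebase; names, addresses and the retired range are assumptions.
SAMPLE_RULES = [
    Rule("allow-web-in", "allow", "any", "10.0.1.0/24", "tcp", (443, 443), "Public web tier"),
    Rule("allow-dmz-any", "allow", "10.0.0.0/8", "any", "any", ANY_PORTS, "Temporary, 2019"),
    Rule("allow-corp-web", "allow", "10.0.5.0/24", "10.0.1.10/32", "tcp", (443, 443), "Corp to intranet"),
    Rule("deny-legacy-db", "deny", "10.0.0.0/8", "10.0.9.5/32", "tcp", (1433, 1433), "Block legacy SQL"),
    Rule("allow-old-ftp", "allow", "any", "192.168.50.20/32", "tcp", (21, 21), "FTP drop box"),
    Rule("allow-any-any", "allow", "any", "any", "any", ANY_PORTS),
]
RETIRED = ("192.168.50.0/24",)


def audit(rules=SAMPLE_RULES, retired=RETIRED):
    return {
        "shadowed": shadowed_rules(rules),
        "overly_permissive": overly_permissive(rules),
        "retired_assets": references_retired(rules, retired),
        "undocumented": undocumented(rules),
    }


if __name__ == "__main__":
    for category, names in audit().items():
        print(f"{category}: {names}")
```

The deny rule shadowed by an earlier broad allow is the case worth reading twice: the rulebase looks as though legacy SQL is blocked, but under first-match evaluation the deny never fires, which is why shadowing is reported regardless of action.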
Server Build Review
Gold image and baseline configuration reviews for Windows and Linux servers. 150+ configuration points per build measured against industry-standard security benchmarks. Covers authentication, logging, network services, filesystem permissions, and patch management settings.
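One way such a configuration point is measured, as an added example rather than the firm's review method: a Python checker for a handful of CIS-style sshd_config recommendations, run over a constructed gold-image sshd_config. It resolves the value sshd actually uses (first occurrence wins, settings inside a Match block are conditional, absent keywords fall back to the daemon default) rather than grepping for the line, which is what separates a review from a keyword search. Control IDs are deliberately omitted because they differ between benchmark versions, and the defaults table reflects sshd_config(5) for current OpenSSH as an assumption of the example.

```python
"""CIS-style sshd_config baseline check over a constructed gold-image config
(example code, not the firm's review method)."""
import re

# Values sshd applies when a keyword is absent, per sshd_config(5) for current OpenSSH
# (an assumption of this example; confirm against the version on the image).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "x11forwarding": "no",
    "permitemptypasswords": "no",
    "loglevel": "INFO",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
}

# (check title, keyword, predicate on the effective value). Benchmark control IDs are
# omitted on purpose: they change between benchmark versions.
CHECKS = [
    ("SSH root login disabled", "permitrootlogin", lambda v: v.lower() == "no"),
    ("SSH MaxAuthTries 4 or less", "maxauthtries", lambda v: v.isdigit() and int(v) <= 4),
    ("SSH X11 forwarding disabled", "x11forwarding", lambda v: v.lower() == "no"),
    ("SSH empty passwords disabled", "permitemptypasswords", lambda v: v.lower() == "no"),
    ("SSH LogLevel INFO or VERBOSE", "loglevel", lambda v: v.upper() in ("INFO", "VERBOSE")),
    ("SSH host-based auth disabled", "hostbasedauthentication", lambda v: v.lower() == "no"),
    ("SSH IgnoreRhosts enabled", "ignorerhosts", lambda v: v.lower() == "yes"),
]

KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Effective global settings as sshd would see them: keywords are case-insensitive,
    lines starting with '#' are comments, 'key value' and 'key=value' are both accepted,
    and the FIRST occurrence of a keyword wins. Parsing stops at the first Match block,
    whose settings apply only conditionally. Include directives are not followed."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def review(text):
    """[(title, effective value, 'config' or 'default', passed)] for every check."""
    effective = parse_sshd_config(text)
    results = []
    for title, key, ok in CHECKS:
        value = effective.get(key, DEFAULTS[key])
        source = "config" if key in effective else "default"
        results.append((title, value, source, bool(ok(value))))
    return results


def failures(text):
    return [title for title, _, _, passed in review(text) if not passed]


# Constructed gold-image sshd_config. The second PermitRootLogin was appended as a
# "fix" but never takes effect, and MaxAuthTries only exists inside a Match block.
SAMPLE_CONFIG = """\
# constructed example sshd_config
Port 22
PermitRootLogin yes
LogLevel VERBOSE
X11Forwarding no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
Match User backup
    MaxAuthTries 3
"""

if __name__ == "__main__":
    for title, value, source, passed in review(SAMPLE_CONFIG):
        print(f"{'PASS' if passed else 'FAIL'}  {title}: {value} ({source})")
```

Run against the sample it reports two failures: root login is still permitted because the first `PermitRootLogin` line wins, and `MaxAuthTries` is effectively 6 because the only setting lives under `Match User backup`. Both would pass a naive `grep` of the file, which is the point.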
Database Configuration Assessment
Hardening review for SQL and NoSQL databases to prevent unauthorised access and data leakage. Covers SQL Server, MySQL, PostgreSQL, MongoDB, and Oracle against industry-standard security benchmarks and vendor hardening guides.
Remote Access VPN Configuration Review
Security assessment of remote access solutions and VPN configurations. Covers SSL VPN, IPsec, and SD-WAN configuration analysis, including authentication methods, encryption cipher suites, split tunnelling policy, and access controls.
Workstation Build Review
Security assessment of standard corporate laptop and desktop builds. Windows 10/11 and macOS builds reviewed against industry-standard security benchmarks, covering BitLocker or FileVault, firewall settings, browser hardening, and endpoint protection configuration.
CIS Benchmark-Aligned Reviews
Our audit-ready reports are structured to satisfy the evidence requirements of the frameworks that matter to your auditors. Configuration review reports are also accepted as evidence of hardening controls by major UK cyber insurers.
ISO 27001: Annex A.8.9, Configuration Management
Requirement: documented and independently reviewed configuration standards for all technology assets.
Evidence we provide: findings report mapped to A.8.9 controls; evidence pack for re-audit submission.

PCI DSS: Requirement 1.2, Network Security Controls
Requirement: firewall rules reviewed at least every six months; configurations aligned to vendor hardening guides.
Evidence we provide: firewall configuration assessment report, accepted as evidence of the Requirement 1.2 periodic review.

Cyber Essentials: Secure Configuration
Requirement: one of the five technical controls, covering removal of unnecessary software, changing default credentials, and applying security baselines.
Evidence we provide: baseline configuration report demonstrating compliance with the Secure Configuration technical control.

NHS DSPT: Data Security Standard 7.1
Requirement: default passwords changed, unused software removed, configurations reviewed against a recognised standard.
Evidence we provide: DSPT-aligned report with evidence of review against recognised hardening standards.
A single-platform review from £2,500 typically satisfies the evidence requirement for ISO 27001 Annex A.8.9. We typically deliver reports within 5 working days of the review, keeping your re-audit timeline on track.
What Is System Hardening?
System hardening is the process of reducing a system's attack surface by disabling unnecessary services, removing default credentials, applying least-privilege access controls, and configuring security settings against a recognised baseline standard.
The most widely adopted server hardening standards are the CIS Benchmarks (published by the Center for Internet Security) and NIST SP 800-123. The CIS Benchmarks specify, point by point, which settings should be enabled, disabled, or changed on each major platform, from Windows Server and Linux to AWS, Azure, and Palo Alto firewalls; NIST SP 800-123 (Guide to General Server Security) sets out the platform-neutral principles those per-platform benchmarks implement.
A configuration review is the independent assessment that validates whether those server hardening standards have been correctly applied. It is the difference between believing your infrastructure is secure and having independent assurance that it is.
Configuration weaknesses are the most common finding in penetration test reports. Addressing the root cause through a systematic server hardening review eliminates entire categories of finding before an attacker can reach them.
What We Deliver
From Scoping to Report
A configuration review engagement follows four defined steps. We provide a firm timeline during the scoping call so your compliance or re-audit schedule stays on track.
Scoping Call
30-minute call to define which platforms are in scope, agree on timing, and confirm the fixed price. No commitment required.
Configuration Review
Read-only, non-intrusive review of your configurations against CIS Benchmarks. Typically 1 to 3 days. No downtime, no changes to live systems.
Report Delivery
Audit-ready report delivered within 5 working days. Findings rated Critical to Low with CIS Benchmark control references and specific remediation steps per finding.
Remediation Support
Direct access to the reviewing engineer for remediation Q&A. Retesting within the assessment window is available to confirm remediation and issue a compliance attestation.
What You Receive
Every configuration review includes the following deliverables, formatted for both technical remediation teams and non-technical stakeholders.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats.
Protect Against Configuration Drift After Hardening.
After hardening your infrastructure, configurations drift. New services are added, patches change settings, and teams make undocumented changes. Our Managed Detection and Response (MDR) service monitors for configuration drift and security events across your servers, endpoints, and cloud environments 24/7, so the infrastructure hardening work you have invested in does not quietly erode.
Configuration Drift Detection
Continuous alerting when hardened settings are changed or reverted.
24/7 Security Monitoring
Eyes-on-glass coverage of your servers, cloud, and endpoints around the clock.
Incident Response Retainer
Rapid response if a misconfigured asset is exploited post-review.
Annual Re-review Scheduling
Planned re-testing cycles to satisfy ISO 27001 and PCI DSS recurring requirements.
Ready to harden your infrastructure?
We scope every engagement with a 30-minute call at no cost. Tell us what you need reviewed: servers, firewalls, cloud, or the full estate. We will confirm scope, timeline, and fixed price the same day.
Configuration Review FAQs
Common questions from IT infrastructure managers, GRC analysts, and cloud architects evaluating a configuration review engagement.
A configuration review is a detailed security assessment of your infrastructure components (servers, firewalls, VPNs, cloud environments) against industry-standard security benchmarks. Unlike a penetration test, which finds exploitable vulnerabilities, a configuration review checks that your systems are hardened to the baseline, so that whole classes of vulnerability are not introduced in the first place.
System hardening is the process of reducing a server, device, or application's attack surface by disabling unnecessary services, removing default credentials, applying least-privilege access controls, and configuring security settings to a recognised baseline standard. The most widely adopted standards are the CIS Benchmarks (published by the Center for Internet Security), which give per-platform, setting-by-setting recommendations, and NIST SP 800-123, which gives platform-neutral server security guidance. A system hardening review (also called a configuration review or build review) is the independent assessment that validates whether those standards have been correctly applied.
Configuration reviews start from £2,500 for a single platform review (e.g., one server gold image or one firewall). Multi-platform reviews covering servers, workstations, and network devices typically cost £4,000 to £8,000. Cloud configuration reviews for AWS, Azure, or GCP environments range from £5,000 to £12,000 depending on account complexity. We provide fixed-price quotes after a scoping call.
No. Configuration reviews are non-intrusive, read-only assessments. We examine settings and policies without making changes to your live systems. For server and workstation reviews, we typically audit a gold image or clone rather than production machines.
We audit against industry-standard security benchmarks, including the CIS Benchmarks, NIST SP 800-123, Microsoft Security Baselines, and vendor-specific hardening guides, depending on the technology being reviewed. Our reports map findings to the security frameworks most relevant to your environment, including ISO 27001, PCI DSS, and Cyber Essentials controls.
A penetration test finds exploitable holes in your defences. A configuration review ensures the walls are built correctly in the first place. Penetration testing identifies what an attacker can exploit today; configuration reviews reduce future vulnerabilities by ensuring your systems are hardened to industry standards. Many organisations benefit from both services.
Several major compliance frameworks require or strongly support evidence of independent configuration reviews. ISO 27001 Annex A.8.9 (Configuration Management) requires documented and reviewed configuration standards. PCI DSS Requirement 1.2 requires that network security controls, including firewall rules, are reviewed at least every six months. Cyber Essentials and Cyber Essentials Plus include Secure Configuration as one of their five technical controls. NHS DSPT Data Security Standard 7.1 requires that default passwords are changed, unused software is removed, and configurations are reviewed against a recognised standard. Our reports are structured to provide the specific evidence documentation each of these frameworks requires.
A single-platform configuration review (one server gold image or one firewall) typically takes one day of review time, with the written report delivered within five working days of review completion. Multi-platform reviews covering servers, workstations, and network devices take two to four days of review time. Cloud configuration reviews for AWS, Azure, or GCP depend on the number of accounts and services in scope. Most single-account reviews complete within two days. We provide a firm timeline during the scoping call.
Yes. We review AWS, Azure, and GCP environments against industry-standard security benchmarks. Our cloud configuration reviews cover IAM policies and role assignments, storage bucket and blob access controls, network security groups and firewall rules, logging and monitoring configuration (CloudTrail, Azure Monitor, Cloud Audit Logs), and encryption settings. We also review Microsoft 365 tenants against industry-standard benchmarks.
You receive a written report containing: an executive summary written for a non-technical audience, a full findings list with each issue rated Critical, High, Medium, or Low, the specific configuration setting that is non-compliant (referencing the CIS Benchmark control ID where applicable), the recommended remediation step and the rationale, and a management table showing the total finding count by severity for tracking remediation progress. Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats. We also include a 30-day Q&A window to answer questions on specific findings.
We support the main enterprise firewall platforms used in UK organisations: Palo Alto Networks, Fortinet FortiGate, Check Point, Cisco ASA and FTD, Juniper SRX, Sophos, and SonicWall. Our firewall configuration reviews examine the platform configuration (firmware version, management access controls, authentication settings) as well as the rulebase (shadowed rules, overly permissive rules, undocumented rules, and rules referencing decommissioned assets). We have reviewed rulebases with more than 5,000 rules. For a full scope breakdown, see our dedicated Firewall Configuration Assessment and Firewall Rule Audit pages.