PacketLoss.tech
ES Get in touch

Security architecture review

One week. Read-only access. PDF report with the top 5 fixes prioritized.

Get an honest read on your network and identity posture in a week.

One week. Read-only access. A PDF report with the top 5 fixes prioritized by effort and impact. No tooling installs, no resident agents, no 60-page deck nobody reads.

  • 1-week engagement
  • Read-only — no production changes
  • Bilingual deliverable · EN or ES
Free 30-min assessment →

Most security reviews end in a 60-page deck that lists 200 findings and prioritizes none of them. The team reads the executive summary, agrees something should be done, and the report goes into a SharePoint folder. Nothing changes.

This is the opposite. Five fixes, ranked by effort and impact, written for the person who’ll actually run them. The artifact is a PDF you can hand to a CTO, a board, or a vendor — and the engineering team gets a runbook they can act on Monday.

What you get

  • Executive summary · one page, written for whoever signs the check.
  • Top 5 prioritized fixes · one page each. Effort estimate, expected impact, the CLI / portal steps to run them.
  • Evidence appendix · what we looked at, what we found, what we couldn't see. So the next review can pick up where this one ended.
  • Walkthrough call · one hour, end of week. The whole engineering team can attend. Recording is yours.
  • Two follow-up emails · 30 days and 60 days out. Free. Bounce any clarification questions while the report is still warm.

The PDF is delivered in your language of choice — English or LATAM Spanish — and the walkthrough call runs in whichever the team prefers.

Scope

  • One FortiGate (or cluster) · config export reviewed against FortiOS 7.4 / 7.6 hardening baselines. SSL VPN posture, IPsec policies, admin access, logging, FortiGuard tier coverage.
  • One Entra ID tenant · Conditional Access policies, MFA coverage by user / app, legacy authentication exposure, privileged identity, guest access posture, named locations.
  • One Intune tenant · compliance policies, Defender for Endpoint integration via Intune, app deployment posture, device enrollment coverage.
  • Basic network exposure check · external port surface review of the FortiGate WAN, DNS posture, certificate freshness, third-party-known-leak check.

Multi-firewall environments, multi-tenant Entra, or full SOC-level threat hunting are different engagements — flag them on the assessment call and we’ll re-scope.

Timeline — what each day looks like

  • Mon · kickoff (1 hr). Read-only access provisioned. Two NDAs signed. Environment scope confirmed.
  • Tue–Wed · evidence collection. Config exports pulled, Conditional Access exported, Intune policies enumerated, FortiGate logs sampled for the prior 7 days.
  • Thu · analysis + draft. Findings written, prioritization pass, sanity-check against current FortiOS 7.6 / Entra June 2026 baselines.
  • Fri · walkthrough call + report delivered. One hour. PDF is in your inbox before the call starts.

If a finding surfaces something urgent during the week (active credential leak, exposed admin interface, no MFA on global admins), we’ll flag it inside 24 hours — not at the end-of-week call.

When this is the right fit

  • Pre-audit pressure (PCI, SOC 2, ISO 27001) and you need a clean baseline before the auditor arrives.
  • Post-incident review — something happened, the team patched it, leadership wants an independent look.
  • New head of IT getting the lay of the land in their first 90 days.
  • M&A integration where two environments need a security gap assessment before they merge.
  • Vendor evaluation — you’re considering moving off FortiGate or Intune and want a defensible “what we have today” snapshot.

When this isn’t the right fit

  • Nothing-broken environments looking for a sticker that says “we’re secure.” We’ll find something — that’s how this works — and you’ll have to address it.
  • Multi-firewall / multi-tenant scope. Different engagement (talk to us about it on the assessment call).
  • Pure SaaS shops with no on-prem network. The FortiGate slice doesn’t apply; the Entra slice alone is a different shape.

Frequently asked

  • What access do you need?

    Read-only. FortiGate: a config-export account or a backed-up .conf file. Entra: Security Reader role on the tenant, scoped to expire end of week. Intune: Intune Service Administrator, read-only equivalent. No agent installs, no Resident Service Principal, no persistent access.

  • Will you run any tools against our production environment?

    No active scanning, no exploit attempts, no traffic capture from inside your perimeter. External port surface review is the one exception — we'll probe what's reachable from the public internet, the same way an attacker would, using passive tools. Same posture as a tier-1 audit firm.

  • What if you find something critical?

    Flagged inside 24 hours, with a recommended interim mitigation if one exists. The report still ships on Friday, but you're not waiting on the report to start fixing the active fire.

  • Can you do the remediation too?

    Sometimes. If the top-5 list lands as FortiGate work, the FortiGate migration engagement may cover most of it. If it's Entra / Intune-heavy, scope on the assessment call. Either way, the audit isn't a sales hook for a bigger engagement — if the right answer is "your team can run these themselves," that's what the report will say.

Ready to scope it? Free 30-min assessment ↑ or email cflores@packetloss.tech directly.