Security Baseline Check
Continuous Hardening

Continuous detection of security-critical configuration drift

Hardening only works if it is actually enforced and remains stable under operational change. The Security Baseline Check evaluates the real security configuration of your systems against recognised hardening standards, identifies drift, and prioritises actions by risk.

Why hardening alone is not enough

A documented security baseline is not the same as an enforced one. In any production environment, drift accumulates: through operational decisions, exceptions, new systems, platform updates and unintended configuration changes.

A one-off conformance measurement creates short-term clarity – but no durable security standard. The difference between a hardening slide and an effective security configuration is continuous oversight: detect drift, evaluate it, prioritise it.

What we assess

The assessment covers the security-critical configuration areas:

  • Security configuration against recognised hardening standards
  • Logging and audit configuration
  • Authentication and password policies
  • Privileged accounts and access
  • Unsafe services and protocols (e.g. deprecated TLS versions, weak SMB / LDAP configurations)
  • Patch and baseline status
  • Critical security settings in the operating system and platform services
  • Consistency between target state and operational reality
  • Risk-based evaluation of deviations

Methodology and tooling

Agent-based security assessment — we use platform-supported collection of your security configuration that captures results consistently over time.

Mapping against recognised hardening standards — evaluation is performed against established security baselines, always in the context of your operational reality.

Operational, not formal — we evaluate effectiveness, not ticks. A configuration deviation is prioritised by real risk and effort, not by checklist count.

Continuous Hardening (Standard and Continuous Hardening tier) — recurring assessments make drift visible before it becomes operationally entrenched.

What you receive after the check

The report is written so that IT operations and security ownership can act immediately. The Continuous Hardening tier establishes a recurring assessment rhythm rather than a single-point snapshot.

  • Technical security evaluation per system and in summary
  • Risk-based prioritised action list
  • Concrete configuration recommendations
  • Drift view over time (Standard, Continuous Hardening)
  • Recurring reviews with trend observation (Continuous Hardening)

Phases

1. Scoping (½–1 day): System scope, collection mode, tier selection

2. Data collection (1–2 days): Platform-supported collection of security configuration

3. Analysis (2–5 days): Evaluation against hardening standards, drift analysis, prioritisation

4. Report & walkthrough (1 day): Delivery + workshop; Continuous Hardening continues into a recurring assessment rhythm

Report typically within 10 business days after data collection is complete.

Pricing

Tier selected by estate size and assessment depth.

Compact

Up to 10 systems. Initial technical security assessment, baseline analysis, action overview, results workshop.

from €3,900

Standard

Up to 50 systems. Extended baseline analysis, risk-based prioritisation, customer-specific adjustments, technical detail.

from €8,900

Continuous Hardening

Larger estates. Continuous security evaluation, drift detection, recurring reviews, continuous improvement.

from €14,900

Indicative figures; final fixed price after scoping call.

Frequently asked questions

What does drift detection mean in practice?

Drift detection identifies the deviation between your defined target security configuration and the actual configuration over time. Without drift detection, any one-off hardening remains static – with it, the points where your protection silently shifts become visible.

Which platforms do you cover?

We cover the common server and endpoint platforms (Windows Server, Windows endpoints, the established Linux distributions) and selected network and platform services. The exact scope is defined in the scoping call.

Will you change our configuration?

No. The assessment is non-invasive and operates at a read-only level. We deliver configuration recommendations; implementation is performed by your operations team or optionally in a follow-on engagement.

How is this different from a pure compliance scan?

A compliance scan delivers a point-in-time conformance measurement against a standard. The Security Baseline Check evaluates operational security capability over time, prioritises by risk, and creates the basis for Continuous Hardening — no "100% compliance" promise, but effective configuration in production.

What does Continuous Hardening mean operationally?

Continuous Hardening is a recurring assessment rhythm: we capture drift, evaluate it and deliver an updated action state at defined intervals. Instead of a once-per-year snapshot, your security configuration remains stable over time.

What happens after the check?

You have a clear action path. Common follow-ups: targeted hardening engagements, a recurring Continuous Hardening rhythm, or integration into an existing vulnerability or configuration management programme.

Get in touch

How stable is your hardening line in production?

A scoping call is enough to align on system scope and tier. No commitment up front.