Beta opens 10th April · UK businesses

Know what your Microsoft security controls actually look like

ScanPosture gives Microsoft-first SMBs a clearer, more defensible view of control posture, priority gaps, and what changed since the last scan.

  • 133 security checks · across 15 categories
  • 9 security domains · control-model scoring
  • 4 frameworks · CE, ISO, GDPR, NIST
  • £2.50 per user / month · from £250/month
Dashboard (app.scanposture.com/dashboard)

Security posture overview · Last scan 2h ago

74 · B+ · Good Posture · ▲ +6 pts since last scan
74 checks scored · 12 advisory · 47 skipped

  • Findings: 17 (2 critical · 4 high · 8 medium)
  • Critical: 2 · Immediate action needed
  • Resolved: 3 · This month
  • Checks: 112 · Security controls assessed

Top Actions to Improve Your Score

  • CRITICAL · Users without MFA enabled · CE · +15 pts
  • CRITICAL · Legacy authentication not blocked · CE · +15 pts
  • HIGH · DMARC not configured · ISO · +8 pts
  • HIGH · Admins without dedicated accounts · NIST · +8 pts

Fix 4 issues to improve your score: 56 → ~74/100

Security Domains

  • D1 · Identity & Auth · 68 (+4)
  • D2 · Privileged Access · 45
  • D3 · Conditional Access · 82 (+8)
  • D4 · Email Security · 91
  • D5 · App & NHI · 72
  • D6 · Governance · 61
  • D7 · SharePoint & Teams · 78
  • D8 · Logging & Audit · 55
  • D9 · Device Security · 38

The Problem

Security posture is managed through scattered admin centres and spreadsheets

Most SMBs rely heavily on Microsoft 365, but the security configuration is fragmented, manually reviewed, and poorly evidenced. That creates real risk.

Poor visibility

Security settings are scattered across multiple admin centres. Nobody has the full picture in one place.

Weak prioritisation

When everything is a finding, nothing is a priority. Teams waste time on low-impact issues while critical gaps remain.

Stale evidence

Screenshots and spreadsheets are weak evidence. Clients, insurers, and auditors want current, structured proof.

Why ScanPosture Is Different

Control strength, not checkbox compliance

Most tools give you raw findings or overstate compliance. ScanPosture is designed to give you a defensible view of what your controls actually look like.

01 · Not just pass/fail

Findings are grouped into controls. The result reflects real control posture across your tenant, not isolated technical checks.

02 · Four-dimension assessment

Every control is scored across presence, coverage, quality, and strength. A setting that exists but covers 30% of users doesn't score the same as one covering 95%.

03 · Evidence that survives scrutiny

Framework support language is bounded and defensible. We say what we can evidence. We never overclaim compliance.

What Gets Scanned

133 security checks across 15 categories and 9 domains

Structured around the controls that matter most across identity, access, applications, collaboration, logging, and device posture.

Identity & authentication
Privileged access
Conditional Access policies
Account lifecycle & governance
Application & NHI permissions
Email security (SPF, DMARC, DKIM)
SharePoint & OneDrive sharing
Microsoft Teams collaboration
Logging & audit configuration
Device compliance (Intune)
Segregation of duties
AI & Copilot identity risk
Configuration drift detection
Guest & external access
Credential & secret management

What You Get After Every Scan

More than a findings list

Every scan gives you a structured view of posture, what matters most, and what changed since the last scan.

Posture score

0–100 score across 9 weighted domains with trend tracking

Priority controls

Know which controls are weakest and what to fix first

Framework evidence

CE, ISO 27001, GDPR, NIST support levels with approved language

Step-by-step guides

Detailed remediation with exact portal navigation paths

Drift detection

See what changed between scans — roles, policies, permissions

PDF reports

Executive summary and compliance readiness, client-ready

Scheduled alerts

Daily, weekly, monthly summaries via email, Slack, Teams

Compensating controls

See where existing controls mitigate gaps elsewhere

Real Findings

What ScanPosture actually surfaces

  • CRITICAL · Users without MFA enabled
  • CRITICAL · Legacy authentication not blocked
  • HIGH · Admins without dedicated accounts
  • HIGH · DMARC not configured for primary domain
  • HIGH · Guest users with elevated privileges
  • MEDIUM · SharePoint anonymous sharing enabled
  • HIGH · AI agents with high-privilege permissions
  • MEDIUM · No device compliance policies configured

These are 8 examples from 133 checks. A full scan covers identity, access, email, collaboration, devices, AI risk, drift, and more — every finding includes severity, compliance mapping, and step-by-step remediation.

Compliance Readiness

Framework support, not compliance claims

ScanPosture maps observable controls to framework requirements and tells you how strongly the evidence supports alignment. We never say “compliant” — we show what we can defend.

Cyber Essentials v3.3

Secure Configuration and User Access Control evidence within M365 scope

ISO 27001 2022

Selected A.5 and A.8 technical control evidence

GDPR Article 32

Technical safeguard assessment within identity and access scope

NIST CSF 2.0

Protect and Detect function evidence

Pricing

Enterprise-grade assurance, SMB-friendly pricing

£2.50

per user / month · from £250/month for 100 users

  • 133 security checks across 9 domains
  • Control-model posture scoring
  • Framework readiness evidence (CE, ISO, GDPR, NIST)
  • Drift detection between scans
  • Step-by-step remediation guides
  • PDF reports and CSV exports
  • Scheduled email summaries
  • Slack and Teams webhook alerts
  • Continuous monitoring — not one-off

Free during beta · No credit card required

How that compares

  • SailPoint IdentityNow: £10,000+/year
  • Okta Identity Governance: £8,000+/year
  • Microsoft Entra ID Governance: £5.60/user/month
  • One-off consultant review: £3,000–£8,000
  • ScanPosture (100 users): £250/month

Continuous assurance, not a one-off check. Evidence that stays current. Priority actions that stay relevant. That is what justifies a subscription, not a snapshot.

How It Works

From connection to continuous assurance

1. Connect Microsoft 365

Read-only OAuth consent. No agents, no passwords, no complex setup.

2. First scan runs

133 checks execute automatically against your Entra ID and M365 configuration.

3. Review your posture

Posture score, domain breakdown, priority controls, and framework evidence — all in minutes.

4. Stay assured

Recurring scans detect drift, refresh evidence, and track improvement over time.

Why This Isn’t a One-Off Assessment

Security posture doesn’t stay fixed

Users change, guest access expands, new apps appear, roles drift, and evidence quickly becomes stale. ScanPosture is built to help you maintain control assurance over time, not just identify issues once.

Controls drift

Roles, policies, apps, and permissions change constantly. Even well-run tenants drift between scans.

Evidence expires

Old reports and screenshots quickly lose value. Clients and insurers want to know what posture looks like now, not three months ago.

New risk appears

New users join. Apps gain permissions. AI agents are provisioned. Service principals accumulate scope. Risk is dynamic.

Ongoing monitoring matters

Clients, insurers, and auditors care about current posture. Recurring scans keep evidence fresh and priorities accurate.

For Managed Service Providers

Turn posture monitoring into a repeatable managed service

MSPs are expected to do more than manage licences. Customers want evidence that their environment is being monitored and improved. ScanPosture makes that scalable.

Multi-tenant portal

Manage all customer tenants from a single MSP dashboard with role-based access control.

Recurring evidence

Generate posture reports for every client on a schedule. Show improvement over time.

Consolidated billing

One invoice for all clients. Auto-adjusting quantities as client user counts change.

Drift detection

Identify changes in customer environments before clients do. Proactive, not reactive.

White-label reports

Brand reports with your logo and colours. Option to remove ScanPosture branding entirely.

Upsell visibility

See where clients need licence upgrades or hardening work. Built-in commercial opportunity.

Already managing Microsoft 365 environments for clients? Let’s talk.

Platform Status

What’s live, what’s next, what’s planned

Live today

  • 133 security checks
  • 9-domain control model
  • 4 framework mappings
  • MSP portal
  • Billing integration
  • PDF reports & CSV exports
  • Scheduled email reporting
  • Drift detection
  • Slack & Teams webhooks
  • Workload-aware filtering

Coming next

  • Public launch (Summer 2026)
  • Beta feedback integration
  • Additional framework depth
  • Reporting and packaging polish

Longer-term

  • AWS IAM module
  • NHI lifecycle governance
  • Joiner / Mover / Leaver
  • Privileged Access Management
  • Multi-cloud expansion
  • Public API

What Happens After You Join

Results in minutes, not weeks

From connection to posture in under five minutes. No agents, no passwords, no complex setup.

  • Connect Microsoft 365: Read-only OAuth consent
  • First scan starts: Runs automatically
  • Review results: Posture in minutes
  • Stay assured: Ongoing monitoring

Read-only access · No agents to install · No credit card for beta · Beta opens 10th April · UK company (Lawsons Enterprises Ltd)

Built By Practitioners

I built ScanPosture because I saw the same problem at every Microsoft-first business I worked with: fragmented security evidence, weak prioritisation, and no ongoing assurance. The tools that existed were either too basic or too expensive. This product fills that gap.

Andy Lawson

Founder, Lawsons Enterprises Ltd

Start your free beta

Know what matters most, fix the right gaps first, and stay ahead of drift.

Clear posture. Priority gaps. Fresh evidence. Updated with every scan.

Free during beta · No credit card required · Read-only access