Cloud Penetration Testing & Security Assessment
Cloud penetration testing across AWS, Azure, and Microsoft 365. Most cloud breaches aren't sophisticated: a public S3 bucket, an over-privileged service account, an MFA gap, a forgotten test environment with production credentials. Pentiq's manual review finds the configuration and identity weaknesses that turn a healthy cloud estate into an open door.
Cloud Platforms
Comprehensive coverage across major cloud providers
Amazon Web Services (AWS)
IAM policies, EC2 security groups, S3 bucket configurations, VPC settings, and AWS-specific security services.
- IAM & Access Management
- EC2 & VPC Security
- S3 & Storage
- CloudTrail & Monitoring
Microsoft Azure
Azure AD, resource groups, network security groups, storage accounts, and Azure-specific security controls.
- Azure AD & Identity
- Network Security
- Resource Management
- Security Center
Microsoft 365
Exchange Online, SharePoint, Teams, conditional access policies, and Office 365 security configurations.
- Exchange Security
- SharePoint & OneDrive
- Teams Security
- Conditional Access
Assessment Areas
Comprehensive cloud security coverage
Identity & Access Management
User permissions, service accounts, privilege escalation paths, and identity federation security.
Network Security
Security groups, network ACLs, VPC configurations, and micro-segmentation effectiveness.
Data Protection
Encryption at rest and in transit, data loss prevention, and sensitive data exposure risks.
Logging & Monitoring
Security event logging, monitoring coverage, alert configuration, and incident response readiness.
Compliance & Governance
Policy enforcement, compliance monitoring, resource tagging, and governance controls.
Container & Serverless
Container security, serverless function configurations, and cloud-native service security.
Common Findings
Typical cloud security misconfigurations we discover
Illustrative examples of misconfigurations we commonly see - not an exhaustive list. The specific findings on any engagement depend on your environment, identity model, and platform mix.
- Overprivileged IAM policies
- Public storage buckets
- Weak network security groups
- Missing encryption
- Excessive admin permissions
- Inadequate logging
- Insecure API configurations
- Weak conditional access
- Unmonitored resource changes
- Legacy authentication methods
- Insufficient backup security
- Insecure secret management
Common questions
Frequently asked questions.
Do you test AWS, Azure, and Microsoft 365?
Yes. We cover all three plus hybrid identity setups. The assessment scope and depth depend on which cloud platforms you use, your IAM model, and the data flows between them.
Is this a configuration review or a pen test?
It's a security assessment that combines configuration review (IAM, network, storage, logging) with targeted exploitation where the configuration suggests a real-world risk. Findings include both misconfigurations and actively exploitable paths.
Do you need our cloud admin credentials?
No. We need read-only or scoped audit access, typically via a federated audit role or service principal. We never ask for full admin credentials. The exact access requirements are confirmed at scoping.
How does this map to ISO 27001 or SOC 2 evidence?
Cloud Security Assessment findings map to ISO 27001 Annex A controls and SOC 2 Trust Services Criteria that auditors are likely to review. Reports include framework mapping designed to support audit evidence preparation.
Compliance
Findings from a Cloud Security Assessment commonly support evidence for ISO 27001 Annex A, SOC 2 Trust Services Criteria, and DORA Article 25.
Get started
Find the misconfigurations that matter.
Findings are mapped to AWS Well-Architected, Azure CIS, Microsoft Secure Score, and your own compliance obligations - plus a prioritised “fix this first” list.
