SECURITY GAP ANALYSIS
A written security posture report. From real data, not a questionnaire.
A quarterly deliverable for our managed clients.
Most assessments are interview-based. We pull live telemetry from the stack we already manage on your behalf and write the report from facts. Mapped against the National Institute of Standards and Technology Cybersecurity Framework, prioritized by remediation effort and cost.
- Live data, not questionnaire answers
- 5 to 7 business days end-to-end
- Free for active managed clients
Most security assessments boil down to a long questionnaire and an analyst writing what the answers add up to. The output is only as good as how honest the answers were, and the analysis takes three to four weeks. Netsafe Solutions runs a different process for our active managed clients. The assessment pulls live data from the tools we already manage on your behalf, runs the analysis against the National Institute of Standards and Technology Cybersecurity Framework, and produces a written report in five to seven business days. The only thing we ask in return is that we come see you in person to walk through the findings together.
Why a real gap analysis beats a questionnaire.
Most security assessments produce a deck full of yellow and red flags based on what the IT lead checked off in a survey. The honest answer is that the IT lead does not always know. Maybe a multi-factor authentication policy is “enabled,” but four service accounts are exempted. Maybe backups are “running,” but nobody has tried a restore in eighteen months.
The platform we run does not ask. It pulls the actual configuration: which conditional access policies are active, which devices are out of compliance, which mailboxes have forwarding rules set, what the patch state looks like across the fleet right now. The report describes what is, not what someone thinks is.
Findings are mapped against the National Institute of Standards and Technology Cybersecurity Framework 2.0 by default, with overlays for the Center for Internet Security controls, the HIPAA Security Rule, or industry-specific frameworks where they apply.
How the engagement runs.
One business week from kickoff to delivered report. Most of the data work is automated; the analyst time is in framing the findings and writing the recommendations.
- Kickoff call. The data sources are already connected because we run the stack for you; we confirm the framework overlay and any compliance focus areas for this cycle.
- Automated data pull across all ten domains: identity, endpoint, email, network, data, backup, monitoring, training, policy, vendor.
- Analyst review of the data. Findings categorized by severity, mapped against the framework, and prioritized by remediation effort.
- Report drafting. Executive summary, domain-by-domain findings, prioritized remediation roadmap with effort and cost estimates.
- In-person walkthrough. We come to your office, review the findings with your team, and discuss what makes sense to do next. The written report stays with you.
The ten domains assessed.
Each domain produces a posture grade, a list of specific findings, and a prioritized remediation list. Together they make up the report.
- Identity: multi-factor authentication coverage, conditional access policy review, privileged account inventory, dormant account cleanup.
- Endpoint: endpoint detection and response coverage, encryption status, patch posture, unmanaged device discovery.
- Email: anti-phishing configuration, mailbox forwarding rule audit, sender policy framework alignment, business email compromise indicators.
- Network: firewall configuration review, segmentation, remote access posture, wireless security posture, public-facing service exposure.
- Data: data classification posture, encryption at rest, sensitive data discovery, retention policies, sharing audit.
- Backup: backup coverage across endpoints and cloud workloads, immutability posture, last successful restore, recovery time targets.
- Monitoring: logging coverage, alert routing, security operations center engagement, response time service levels, log retention windows.
- Training: awareness training program status, phishing simulation results, onboarding and offboarding rigor, password hygiene.
- Policy: written policies versus actual configuration, acceptable use, incident response runbook completeness, compliance framework alignment.
- Vendor: software supply chain visibility, third-party access review, data sharing with vendors, software-as-a-service inventory and risk posture.
How the assessment is priced.
Free for our active managed clients, with one ask in return. We do not run this engagement for businesses that are not currently managed by us.
Available as part of any active managed services engagement, no separate charge. The data sources are already connected and managed on your behalf; the assessment is a scheduled output of the platform we run for you anyway.
When the report is ready, we visit you in person to walk through the findings together. The point is having the right people in the room when we discuss what was found and what makes sense to do next. The walkthrough is the only thing we ask for in exchange.
The data pull is too deep to perform on a partial connection. Delegated access to Microsoft 365, read access into NinjaOne and SentinelOne, backup tooling, billing visibility, the whole stack. Setting that up just to run a one-off assessment is more lift than the assessment is worth. The right starting point for a non-customer is a managed engagement; the gap analysis becomes a quarterly deliverable after onboarding completes.
Penetration testing and structured vulnerability scanning are deeper engagements that go beyond the gap analysis. They are quoted separately when the scope warrants them; we coordinate with specialized vendors for the testing itself.
Why the report is worth running.
A written posture report is the single document that aligns your leadership, your auditor, your insurance carrier, and your IT team on what the actual situation is.
One source of truth
Your leadership team, your insurance carrier, your auditor, and your IT team are usually working from different mental models of where the security posture stands. The written report is the document that puts them on the same page, with the same data, at the same time.
Days, not weeks
Traditional consulting assessments take three to four weeks of analyst time. Ours runs in five to seven business days because the platform does the data collection. The analyst time is spent on framing and recommendations, not on chasing screenshots and questionnaire follow-ups.
Mapped to a real framework
Findings are organized against the National Institute of Standards and Technology Cybersecurity Framework 2.0 by default, with overlays for the Center for Internet Security controls or specific frameworks like HIPAA when relevant. Your auditor or insurance carrier can read it without translation.
Honest output
If the gaps we surface are easier to close with your existing internal IT team, the report will say so. The assessment is a diagnostic, not a sales pitch. We earn the next engagement by being right about the report, not by inflating findings to drive scope.
Frequently asked questions.
How is this different from a Microsoft Secure Score check?
Microsoft Secure Score evaluates one tenant against a Microsoft scoring model. It is useful, and the gap analysis includes Secure Score data, but the report covers nine other domains too: endpoint, network, backup, training, vendor risk, and the rest. The framework alignment also goes beyond Microsoft to a vendor-neutral standard.
Do you need admin access to our Microsoft 365 tenant?
Yes. The data pull requires delegated admin access at the tenant level so we can read configuration, sign-in logs, conditional access policies, mailbox rules, and other tenant data. The access is delegated rather than direct, time-bound, and revocable. We document everything we read.
What happens to the report after delivery?
It is yours. You can share it internally, with your insurance carrier, with an auditor, or with another consulting firm if you ever decide to go a different direction. We do not require the report to stay confidential. The diagnostic value is the value.
Why is this only available to active managed clients?
The data pull is too deep to perform on a partial connection. We need delegated access to your Microsoft 365 tenant, read access into NinjaOne, SentinelOne, your backup tooling, your billing system, and the rest of the stack we run on your behalf. Setting all of that up just to deliver a one-off assessment is more lift than the assessment is worth. For businesses not currently managed by us, the right starting point is a managed engagement; the gap analysis becomes a quarterly deliverable once onboarding completes.
What about the in-person walkthrough?
That is the one thing we ask in return. When the report is ready, we visit you in person to walk through the findings together. Most clients invite the leadership team plus the internal IT contact; the walkthrough usually runs ninety minutes including questions. The conversation about what to do next is much better when it is happening face to face rather than over a deck.
Can the report be shared with our cyber insurance carrier?
Yes, and we encourage it. Most carrier renewal questionnaires ask about controls the report directly answers, and a recent third-party gap analysis often improves the renewal terms. We can also fill out the carrier questionnaire directly using the report data when asked.
What about confidentiality during the assessment?
The data pull is read-only and limited to configuration and metadata. We are not reading customer data, mailbox content, or stored files in the course of the assessment. A non-disclosure agreement is signed before any access provisioning begins, separately from any managed services engagement letter.
Let’s see where you actually stand.
Already a managed client? Reach out and we will schedule the next assessment plus the in-person walkthrough. Not yet a client? The gap analysis is part of an active engagement rather than a standalone product. Let us talk about what a managed relationship would look like for your environment, and the assessment becomes a quarterly deliverable from there.
Or call us:
(704) 333-0404
What our clients say
NetSafe is responsive, knowledgeable, and professional. Each person we deal with has the expertise to handle our IT needs. Great!! (LeighAnn P., Feb 2025 · Google)
Netsafe has been extremely helpful and we rely on them for answers to all of our IT issues. They are always there with great advice and cost effective solutions. I have worked closely with Jonathan now for many years and I really appreciate all of the hard work he puts in and is knowledgeable about many things! (Grace C., Mar 2020 · Google)
Yesterday's service was punctual, effective, and professional - just like every time I need help. Good listeners, easy to talk to (and understand), and always pleasant. (Drake S., Sep 2025 · Google)
Serving 27 cities across the Carolinas
North Carolina
- Albemarle
- Charlotte
- Concord
- Cornelius
- Gastonia
- Greensboro
- Hickory
- Huntersville
- Kannapolis
- Lexington
- Matthews
- Monroe
- Mooresville
- Newton
- Salisbury
- Shelby
- Statesville
- Waxhaw
- Winston-Salem
South Carolina
- Chester
- Columbia
- Fort Mill
- Gaffney
- Lancaster
- Rock Hill
- Spartanburg
- York