Infrastructure Audit Snapshot

A fixed-scope audit of a smaller infrastructure focused on security, privacy and operational risks.

Are you unsure where your infrastructure is exposed, who has access to what, where your data goes, or whether your deployment process depends more on luck than on good operational practice?

Infrastructure Audit Snapshot is a practical review of servers, accounts, repositories and deployment processes. The goal is not a formal certificate or a pile of generic recommendations, but a clear and usable output: what is actually risky, what should be fixed first and what you can do to run your systems more securely.

Audit scope

The package includes a review of a smaller infrastructure within a fixed scope:

  • up to 3 Linux servers
  • a basic Docker, Docker Compose and self-hosted services setup
  • one cloud account or hosting environment
  • one GitHub/GitLab organization or main repository
  • CI/CD pipeline and deployment process basics
  • access rights, SSH, administrator accounts and MFA
  • publicly exposed services, DNS, TLS, reverse proxy and open ports
  • backups, restore procedures, updates, monitoring, logging and alerting
  • handling of personal and sensitive data, telemetry and external services
  • basic incident readiness

How the audit works

  • first we confirm the audit scope, list of services and priorities
  • the audit is performed with read-only access whenever possible and without unnecessary changes to production
  • I review configurations, access rights, processes, exposed services and operational habits
  • risks are ranked by impact and likelihood, not by how scary their names sound
  • we go through the results together during the final consultation

What you receive

  • a clear summary of the main risks for non-technical decision-making
  • a technical list of findings ranked by priority
  • specific remediation recommendations
  • a proposal for quick fixes and longer-term operational improvements
  • a distinction between real risks and issues that are not a priority in your situation
  • a final consultation to discuss the audit results

Typical findings

  • poorly restricted SSH or administrator access
  • overly broad permissions in cloud accounts or CI/CD pipelines
  • secrets stored in unsuitable places
  • containers running with risky settings
  • services exposed to the internet without a clear reason
  • missing or untested backups
  • insufficient logging and monitoring
  • unnecessary sharing of data with external services
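
Three of the findings above (root or password SSH logins, services listening on non-loopback addresses, containers running privileged or on the host network) can be spotted with a few read-only commands. The script below is an added illustration, not part of the audit deliverables or the author's own tooling; it assumes the usual paths and tools on a Linux host (/etc/ssh/sshd_config, ss(8) from iproute2, the docker CLI) and only reads, never changes, anything.

```shell
#!/bin/sh
# Added example: a small read-only self-check for three "typical findings".
# Assumed: /etc/ssh/sshd_config, ss(8) and the docker CLI are present.
# Usage:  sh quick-check.sh run

# Effective value of an sshd directive in "Key value" form, or "default" if unset.
# sshd honours the first occurrence of a directive, so we stop at the first match.
# Directives inside Match blocks are conditional and are skipped on purpose;
# Include'd drop-in files are not followed (see the note on `sshd -T` below).
sshd_opt() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { inmatch = 1; next }
        inmatch                 { next }
        tolower($1) == key      { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# One line per risky SSH setting; no output when the file looks fine.
# Upstream defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes.
check_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    root=$(sshd_opt "$cfg" PermitRootLogin)
    pass=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "$root" = "yes" ] && echo "PermitRootLogin yes: root can log in directly (use prohibit-password or no)"
    # PasswordAuthentication defaults to yes, so an unset value is also a finding.
    case "$pass" in
        no) ;;
        *)  echo "PasswordAuthentication $pass: password logins allowed (use keys + PasswordAuthentication no)" ;;
    esac
    return 0
}

# Listening TCP/UDP sockets bound to something other than loopback: each one
# should have a clear reason to exist. Column 5 of `ss -ltun` is Local Address:Port.
listening_ports() {
    ss -Hltun 2>/dev/null | awk '$5 !~ /^(127\.|\[::1\])/ { print $1, $5 }'
}

# Running containers started with --privileged or --network host: both remove most
# of the isolation that makes a container a useful security boundary.
risky_containers() {
    for id in $(docker ps -q 2>/dev/null); do
        docker inspect --format \
            '{{.Name}} privileged={{.HostConfig.Privileged}} network={{.HostConfig.NetworkMode}}' "$id"
    done | awk '/privileged=true/ || /network=host/'
}

main() {
    echo "== sshd settings ==";                                check_sshd /etc/ssh/sshd_config
    echo "== listening on non-loopback addresses ==";          listening_ports
    echo "== containers with privileged or host networking =="; risky_containers
}

# Only run the checks when explicitly asked, so the functions can be sourced or tested.
case "${1:-}" in run) main ;; esac
```

On distributions that ship `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config, a drop-in file wins over the main file; to check the configuration sshd actually uses, run `sshd -T > /tmp/effective.conf` as root and point `check_sshd` at that file (its lowercase `key value` output is parsed by the same function). None of this replaces a review of who holds the keys and accounts that these settings protect.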

Who this audit is for

This audit is suitable for small companies, non-profit projects, startups, web services, cryptocurrency projects and individuals who run their own infrastructure and want to know whether their servers, accounts and deployment processes make sense from a security perspective.

It is especially useful when the infrastructure has grown over time, has been configured by several different people, includes things that were set up in a hurry, or when you are preparing for a larger operational change, migration, investment, launch of a new service or a security requirement from a customer.

Delivery

Typical delivery is within 7 business days after the scope is confirmed and access is provided.

What this audit is not

This is not a formal certification, compliance audit or full penetration test unless we explicitly agree on that scope. It is a practical security and operations review of your infrastructure from the perspective of a security-focused sysadmin.

If your infrastructure is larger than the scope above, we can agree on an extended audit individually.

The result should be a usable plan: what to fix now, what to schedule for later and what does not need to be overthought.