Flag when more than 3 super admins exist — reduces blast radius of compromised accounts.
Detect admin accounts created in the last 7 days that may indicate privilege escalation.
Identify admin accounts without two-factor authentication — a primary attack vector.
Measure MFA adoption across all users. Flags when coverage drops below 90%.
Find admin accounts inactive 90+ days that still hold elevated privileges.
Identify inactive user accounts that increase attack surface and should be reviewed.
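The six account checks above, worked as one routine over Directory API user records. This is an added example, not the product's own code: it assumes the input looks like the User resources returned by the Admin SDK Directory API users.list call (primaryEmail, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, suspended, creationTime, lastLoginTime) and uses the thresholds stated above; the sample records are constructed, not real accounts.

```python
"""Admin-account, MFA-coverage and inactivity checks over Directory API user records.

Added example, not the product's own code. Records use the field names of the
Admin SDK Directory API User resource returned by users.list. SAMPLE_USERS is
constructed data.
"""
from datetime import datetime, timedelta, timezone

MAX_SUPER_ADMINS = 3      # thresholds as stated in the checklist
NEW_ADMIN_DAYS = 7
INACTIVE_DAYS = 90
MIN_MFA_COVERAGE = 0.90

# The Directory API returns this epoch value as lastLoginTime for accounts that never signed in.
NEVER_LOGGED_IN = "1970-01-01T00:00:00.000Z"


def parse_ts(value):
    """Parse the RFC 3339 timestamps the API returns, e.g. 2024-05-28T12:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_inactive(user, cutoff):
    """An account that never signed in counts as inactive: its privilege is unused."""
    last = user.get("lastLoginTime", NEVER_LOGGED_IN)
    return last == NEVER_LOGGED_IN or parse_ts(last) < cutoff


def audit_users(users, now):
    """Return one dict of findings; `now` is injected so results are reproducible.

    Suspended accounts cannot sign in, so they are left out of every check;
    reactivating one should trigger a fresh scan rather than be pre-counted here.
    """
    active = [u for u in users if not u.get("suspended", False)]
    admins = [u for u in active if u.get("isAdmin") or u.get("isDelegatedAdmin")]
    new_cutoff = now - timedelta(days=NEW_ADMIN_DAYS)
    inactive_cutoff = now - timedelta(days=INACTIVE_DAYS)

    super_admins = [u["primaryEmail"] for u in active if u.get("isAdmin")]
    enrolled = sum(1 for u in active if u.get("isEnrolledIn2Sv", False))
    coverage = enrolled / len(active) if active else 0.0
    return {
        "too_many_super_admins": len(super_admins) > MAX_SUPER_ADMINS,
        "super_admins": super_admins,
        "recent_admins": [u["primaryEmail"] for u in admins
                          if parse_ts(u["creationTime"]) >= new_cutoff],
        "admins_without_2sv": [u["primaryEmail"] for u in admins
                               if not u.get("isEnrolledIn2Sv", False)],
        "inactive_admins": [u["primaryEmail"] for u in admins if is_inactive(u, inactive_cutoff)],
        "inactive_users": [u["primaryEmail"] for u in active if is_inactive(u, inactive_cutoff)],
        "mfa_coverage": round(coverage, 3),
        "mfa_below_threshold": coverage < MIN_MFA_COVERAGE,
    }


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_USERS = [  # constructed sample, not real accounts
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "creationTime": "2021-03-01T08:00:00.000Z", "lastLoginTime": "2024-05-30T10:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "creationTime": "2024-05-28T12:00:00.000Z", "lastLoginTime": "2024-05-29T12:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "creationTime": "2020-01-15T08:00:00.000Z", "lastLoginTime": "2023-11-01T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "creationTime": "2019-06-01T08:00:00.000Z", "lastLoginTime": NEVER_LOGGED_IN},
    {"primaryEmail": "erin@example.com", "isDelegatedAdmin": True, "isEnrolledIn2Sv": True,
     "creationTime": "2022-02-02T08:00:00.000Z", "lastLoginTime": "2024-05-31T08:00:00.000Z"},
    {"primaryEmail": "frank@example.com", "isEnrolledIn2Sv": False,
     "creationTime": "2022-02-02T08:00:00.000Z", "lastLoginTime": "2024-05-31T08:00:00.000Z"},
    {"primaryEmail": "grace@example.com", "isAdmin": True, "suspended": True, "isEnrolledIn2Sv": False,
     "creationTime": "2018-01-01T08:00:00.000Z", "lastLoginTime": "2022-01-01T08:00:00.000Z"},
]


def run_sample():
    """Audit the constructed sample with the fixed clock."""
    return audit_users(SAMPLE_USERS, NOW)


if __name__ == "__main__":
    for check, result in run_sample().items():
        print(f"{check}: {result}")
```

On the sample, four super admins trip the count, bob is both newly created and unenrolled in 2-Step Verification, carol and dave are inactive admins (dave has never signed in), and 2-Step Verification coverage is 4 of 6 active users. In a real run the records come from paging through users.list with the customer ID; the logic does not change.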
Verify an SPF TXT record exists, includes Google's mail servers (include:_spf.google.com) and ends in ~all or -all, so receivers can tell authorised senders from spoofed ones. SPF alone checks only the envelope sender; DMARC is what ties it to the visible From address.
Check that the DKIM TXT record for the selector Google Workspace signs with is published with a non-empty public key, so receivers can verify the signature on outbound mail.
Verify the DMARC policy is p=quarantine or p=reject, not p=none, which only sends reports and never blocks spoofed mail.
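The three mail-authentication checks, worked as record parsers. This is an added example, not the product's own code: it evaluates TXT record contents only, and SAMPLE_DNS is a constructed stand-in for the answers to TXT lookups of the domain apex, google._domainkey.<domain> and _dmarc.<domain> (for instance from `dig +short TXT _dmarc.example.com`). The _spf.google.com include and the `google` selector are the values Google documents for Workspace.

```python
"""SPF, DKIM and DMARC checks for a Google Workspace sending domain.

Added example, not the product's own code. Evaluates TXT record contents only;
SAMPLE_DNS is constructed data standing in for real DNS answers.
"""

GOOGLE_SPF_INCLUDE = "_spf.google.com"   # include Google documents for Workspace
GOOGLE_DKIM_SELECTOR = "google"          # Workspace's default DKIM selector


def parse_tags(record):
    """Split a 'k=v; k=v' style DKIM or DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Evaluate the SPF record(s) found among the domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"ok": False, "issue": "no SPF record"}
    if len(spf) > 1:
        # RFC 7208 s.3.2: two v=spf1 records are a permerror, so receivers get no SPF result at all.
        return {"ok": False, "issue": "multiple SPF records (permerror)"}
    terms = [t.lower() for t in spf[0].split()]
    includes = [t.split(":", 1)[1] for t in terms if t.startswith("include:")]
    # The 'all' mechanism carries an optional qualifier: -all fail, ~all softfail, ?all neutral, +all pass.
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    issues = []
    if GOOGLE_SPF_INCLUDE not in includes:
        issues.append(f"missing include:{GOOGLE_SPF_INCLUDE}")
    if all_term is None or all_term == "?all":
        issues.append("no failing 'all' mechanism; unlisted senders are neutral")
    elif all_term in ("all", "+all"):
        issues.append("+all authorises every sender")
    return {"ok": not issues, "issue": "; ".join(issues), "includes": includes, "all": all_term}


def check_dkim(txt_record):
    """Evaluate the TXT record published at <selector>._domainkey.<domain>."""
    if txt_record is None:
        return {"ok": False, "issue": "no DKIM record for selector"}
    tags = parse_tags(txt_record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional and defaults to DKIM1
        return {"ok": False, "issue": "unexpected v= tag"}
    if not tags.get("p"):
        # An empty p= is how a key is revoked (RFC 6376 s.3.6.1): signatures stop verifying.
        return {"ok": False, "issue": "empty or missing p= tag (key revoked or never published)"}
    return {"ok": True, "issue": "", "key_type": tags.get("k", "rsa")}


def check_dmarc(txt_record):
    """Evaluate the TXT record at _dmarc.<domain>. p=none only reports; it never blocks."""
    if txt_record is None:
        return {"ok": False, "issue": "no DMARC record", "policy": None}
    tags = parse_tags(txt_record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"ok": False, "issue": "record does not start with v=DMARC1", "policy": None}
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    issues = []
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'} does not enforce")
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are not collected")
    return {"ok": not issues, "issue": "; ".join(issues), "policy": policy, "pct": pct}


SAMPLE_DNS = {  # constructed answers, not real DNS data
    "example.com": ["google-site-verification=abc123",
                    "v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}


def run_checks(dns=SAMPLE_DNS, domain="example.com"):
    """Run all three checks against a dict of TXT answers keyed by DNS name."""
    return {
        "spf": check_spf(dns.get(domain, [])),
        "dkim": check_dkim(dns.get(f"{GOOGLE_DKIM_SELECTOR}._domainkey.{domain}")),
        "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}")),
    }
```

On the sample, SPF and DKIM pass while DMARC is flagged for p=none. Two caveats the parser cannot see: a published DKIM key does not prove Gmail is signing with that selector (that is switched on in the Admin console), and an SPF record that passes syntactically can still exceed the ten-lookup limit once its includes are resolved.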
Detect auto-forwarding to external addresses on high-risk accounts (CEO, CFO, admin).
Flag accounts with IMAP/POP access enabled, since legacy mail clients that sign in with app passwords rather than OAuth bypass 2-Step Verification prompts and the sign-in policies that apply to OAuth-based clients.
Scan Drive for files shared publicly or with external domains without restriction.
Find files with "anyone with the link" access, where no sign-in is required to view; files set to "public on the web" are additionally discoverable by search and should be ranked higher.
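The two Drive sharing checks above, worked over Drive API permission data. This is an added example, not the product's own code: it assumes file records shaped like the Drive API v3 files.list response with permissions expanded (permissions[].type, role, emailAddress, domain, allowFileDiscovery), treats example.com as the tenant's own domain, and runs on constructed sample files.

```python
"""Classify Drive sharing exposure from Drive API v3 permission data.

Added example, not the product's own code. Field names follow the v3 file and
permission resources; SAMPLE_FILES is constructed and example.com is an assumed
tenant domain.
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own domain(s)


def classify_permission(perm, internal_domains=INTERNAL_DOMAINS):
    """Map one permission entry to an exposure class, or None if it is internal."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=True is "public on the web" (searchable); False is "anyone with the link".
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if ptype == "domain":
        return None if perm.get("domain", "").lower() in internal_domains else "external_domain"
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        if "@" not in email:
            return None  # e.g. a deleted account with no address left to compare
        return None if email.rsplit("@", 1)[1].lower() in internal_domains else "external"
    return None


def scan_files(files, internal_domains=INTERNAL_DOMAINS):
    """Return findings sorted worst first: public, then link-sharing, then external grants."""
    severity = {"public": 0, "anyone_with_link": 1, "external_domain": 2, "external": 3}
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            exposure = classify_permission(perm, internal_domains)
            if exposure:
                findings.append({
                    "file": f["name"],
                    "exposure": exposure,
                    "role": perm.get("role"),
                    "grantee": perm.get("emailAddress") or perm.get("domain") or "anyone",
                })
    findings.sort(key=lambda x: (severity[x["exposure"]], x["file"]))
    return findings


SAMPLE_FILES = [  # constructed sample, not real files
    {"id": "1", "name": "Q3 board deck.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "2", "name": "Payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "consultant@partner.io"}]},
    {"id": "3", "name": "Press kit", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pr@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "4", "name": "Internal wiki", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "it@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

On the sample the press kit is public on the web, the board deck is open to anyone holding the link, and the payroll sheet grants write access to an address outside the tenant; the domain-wide wiki is internal and produces no finding. A real scan pages through files.list with fields=files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery)) per user or via a domain-wide delegated service account.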
Detect third-party apps with dangerous scopes (mail, drive, admin) that could exfiltrate data.
Verify admin audit logs are active and generating events — required for SOC 2 and ISO 27001.
Check for unresolved security alerts in Google Workspace Alert Center.
Detect users with 3+ failed login attempts in 7 days — potential brute force or credential stuffing.
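The failed-login check above, worked as detection logic over login audit events. This is an added example, not the product's own code: it assumes events shaped like the Reports API activities.list(applicationName="login") resource (id.time, actor.email, ipAddress, events[].name with the values login_failure and login_success), uses the 3-in-7-days threshold stated above, and runs on constructed sample events. It goes one step further than the check as stated by also flagging a success from an IP that had been failing, the signature of a guess that worked.

```python
"""Failed-login detection over Google Workspace login audit events.

Added example, not the product's own code. Event shape follows the Reports API
login activity resource; SAMPLE_EVENTS is constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILURE_THRESHOLD = 3   # thresholds as stated in the checklist
WINDOW_DAYS = 7


def parse_ts(value):
    """Parse the RFC 3339 timestamps in id.time, e.g. 2024-06-05T08:01:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def detect_failed_logins(activities, now):
    """Return one finding per actor with at least FAILURE_THRESHOLD failures inside the window.

    A later success from an IP that produced failures is reported separately:
    that pattern is a guessing attack that may have worked, not just noise.
    Findings are ordered with those cases first, then by failure count.
    """
    cutoff = now - timedelta(days=WINDOW_DAYS)
    per_user = defaultdict(lambda: {"failures": [], "successes": []})
    for act in activities:
        ts = parse_ts(act["id"]["time"])
        if ts < cutoff:
            continue
        bucket = per_user[act["actor"]["email"]]
        for ev in act.get("events", []):
            if ev.get("name") == "login_failure":
                bucket["failures"].append((ts, act.get("ipAddress")))
            elif ev.get("name") == "login_success":
                bucket["successes"].append((ts, act.get("ipAddress")))

    findings = []
    for user, data in per_user.items():
        fails = sorted(data["failures"], key=lambda x: x[0])
        if len(fails) < FAILURE_THRESHOLD:
            continue
        first_fail = fails[0][0]
        failing_ips = {ip for _, ip in fails}
        compromised = any(ts > first_fail and ip in failing_ips for ts, ip in data["successes"])
        findings.append({
            "user": user,
            "failures": len(fails),
            "distinct_ips": len(failing_ips),   # many IPs for one user points at credential stuffing
            "success_after_failures": compromised,
        })
    findings.sort(key=lambda f: (not f["success_after_failures"], -f["failures"]))
    return findings


def _event(time, email, ip, name):
    """Build one activity record in the Reports API shape (constructed sample data)."""
    return {"id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name}]}


NOW = datetime(2024, 6, 8, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_EVENTS = [  # constructed; IPs are RFC 5737 documentation addresses
    _event("2024-06-05T08:01:00.000Z", "victim@example.com", "203.0.113.7", "login_failure"),
    _event("2024-06-05T08:01:30.000Z", "victim@example.com", "203.0.113.7", "login_failure"),
    _event("2024-06-06T02:10:00.000Z", "victim@example.com", "198.51.100.9", "login_failure"),
    _event("2024-06-06T02:11:00.000Z", "victim@example.com", "198.51.100.9", "login_failure"),
    _event("2024-06-06T02:12:00.000Z", "victim@example.com", "198.51.100.9", "login_success"),
    _event("2024-06-07T09:00:00.000Z", "dev@example.com", "192.0.2.44", "login_failure"),
    _event("2024-06-07T09:00:20.000Z", "dev@example.com", "192.0.2.44", "login_failure"),
    _event("2024-06-07T09:00:40.000Z", "dev@example.com", "192.0.2.44", "login_failure"),
    _event("2024-06-07T10:00:00.000Z", "ops@example.com", "192.0.2.10", "login_failure"),
    _event("2024-06-07T10:00:10.000Z", "ops@example.com", "192.0.2.10", "login_failure"),
    _event("2024-05-20T10:00:00.000Z", "old@example.com", "192.0.2.99", "login_failure"),
    _event("2024-05-20T10:00:10.000Z", "old@example.com", "192.0.2.99", "login_failure"),
    _event("2024-05-20T10:00:20.000Z", "old@example.com", "192.0.2.99", "login_failure"),
]


def run_sample():
    """Run the detector over the constructed events with the fixed clock."""
    return detect_failed_logins(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, victim@example.com has four failures from two IPs followed by a success from one of them and is listed first; dev@example.com meets the threshold without a suspicious success; ops@example.com is under the threshold and old@example.com's failures fall outside the 7-day window.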
Establish a baseline scan and detect drift in subsequent checks.
One-click PDF reports with A–F grades, compliance tags, and remediation steps.
Every finding maps to CIS Benchmarks, SOC 2, and ISO 27001 controls.
We never modify settings. All checks are strictly read-only.