SnowOps Discovery Audit — Northwind Apps (SAMPLE)
⚠️ FULLY SYNTHETIC SAMPLE. "Northwind Apps" is fictional; all IDs, counts, and findings are fabricated for illustration. Safe to send cold as a "this is what you'll receive" example. Replace/supplement with a real sanitized sandbox run for the DoD (Nidhi reviews for leakage either way).
Prepared for: Northwind Apps (sample) | Scope: 1 subscription | Date: {{DATE}}
Auditor: SnowOps (read-only — Reader + Security Reader) | Run ID: sample-0000
Executive summary
We performed a read-only posture audit of Northwind's Azure environment across network, identity, encryption, logging, and cost. We identified 11 findings: 2 critical, 6 high, 3 medium. None of the findings are unusual for a click-ops-first Series A environment — and every one maps to a known, productized fix. The prioritized roadmap (§3) closes the two critical findings in week 1.
| Severity | Count |
|---|---|
| Critical | 2 |
| High | 6 |
| Medium | 3 |
Defender secure score: 41 / 100 (sample). Target after Baseline: > 75.
§1. Findings by domain
Identity
- [CRITICAL] IAM-001 — No Conditional Access policies in effect. No MFA enforcement, no risk policies. (SOC 2 CC6.1/CC6.6 · ISO A.5.15/A.8.5 · CIS 1.1) → H2.
- [MED] IAM-002 — 3 service principals with client secrets > 90 days old. Long-lived credentials that never rotate. (CIS 1.21) → H5 (+ migrate to OIDC, B2).
Network
- [CRITICAL] NET-002 — 2 NSGs allow SSH/RDP from the internet (0.0.0.0/0). Direct internet exposure of management ports. (SOC 2 CC6.6 · CIS 6.1/6.2) → N6.
- [HIGH] NET-001 — 4 storage accounts allow public network access. (CIS 3.7) → N5.
- [HIGH] NET-003 — Key Vault allows public network access. (CIS 8.5) → F5.
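To make NET-002 concrete, below is an added illustration of the kind of read-only check that produces it. This is example code written for this sample, not the SnowOps G2 rule pack and not Azure's own tooling; the `SAMPLE_NSGS` records are constructed to mimic the shape of `az network nsg list -o json` output (the `securityRules`, `sourceAddressPrefix(es)`, `destinationPortRange(s)`, `direction`, `access`, `protocol` and `priority` fields), and the finding text is assumed for illustration.

```python
import ipaddress

# Management ports the finding cares about (NET-002: SSH/RDP exposed to the internet).
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
# Source values Azure treats as "anywhere": wildcard, the Internet service tag, any-cidr.
INTERNET_SOURCES = {"*", "internet", "any"}


def source_is_internet(prefix: str) -> bool:
    """True if a sourceAddressPrefix admits traffic from the whole internet."""
    p = prefix.strip().lower()
    if p in INTERNET_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(p, strict=False)
    except ValueError:          # other service tags (e.g. VirtualNetwork) are not internet
        return False
    return net.prefixlen == 0   # 0.0.0.0/0 or ::/0


def port_spec_covers(spec: str, port: int) -> bool:
    """Azure port specs are '*', a single port, or 'lo-hi'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _values(props: dict, singular: str, plural: str) -> list:
    """Azure emits either the singular field or the plural list; merge both."""
    vals = list(props.get(plural) or [])
    if props.get(singular):
        vals.append(props[singular])
    return vals


def exposed_mgmt_ports(rule: dict) -> list:
    """Management ports this single rule allows inbound from the internet."""
    props = rule["properties"]
    if props.get("direction") != "Inbound" or props.get("access") != "Allow":
        return []
    if props.get("protocol") not in ("Tcp", "*"):
        return []
    sources = _values(props, "sourceAddressPrefix", "sourceAddressPrefixes")
    if not any(source_is_internet(s) for s in sources):
        return []
    ports = _values(props, "destinationPortRange", "destinationPortRanges")
    return sorted(p for p in MGMT_PORTS if any(port_spec_covers(s, p) for s in ports))


def audit_nsgs(nsgs: list) -> list:
    """One finding per offending rule; read-only, nothing is modified."""
    findings = []
    for nsg in nsgs:
        for rule in nsg["properties"]["securityRules"]:
            ports = exposed_mgmt_ports(rule)
            if ports:
                findings.append({
                    "nsg": nsg["name"], "rule": rule["name"],
                    "priority": rule["properties"]["priority"],
                    "ports": [f"{p}/{MGMT_PORTS[p]}" for p in ports],
                })
    return findings


def _rule(name, prio, src, dst, access="Allow", proto="Tcp"):
    # Helper to build a constructed rule record in the Azure shape.
    props = {"direction": "Inbound", "access": access, "protocol": proto, "priority": prio}
    props["sourceAddressPrefixes" if isinstance(src, list) else "sourceAddressPrefix"] = src
    props["destinationPortRanges" if isinstance(dst, list) else "destinationPortRange"] = dst
    return {"name": name, "properties": props}


# Constructed sample: three NSGs, two of which expose a management port.
SAMPLE_NSGS = [
    {"name": "nsg-web", "properties": {"securityRules": [
        _rule("allow-https", 100, "*", "443"),
        _rule("allow-ssh-any", 110, "*", "22"),                       # flagged
    ]}},
    {"name": "nsg-bastion", "properties": {"securityRules": [
        _rule("allow-rdp-office", 100, "203.0.113.0/24", "3389"),     # scoped source, fine
        _rule("allow-mgmt-range", 120, ["Internet"], ["3000-4000"]),  # range covers 3389
    ]}},
    {"name": "nsg-db", "properties": {"securityRules": [
        _rule("deny-all-in", 4000, "*", "*", access="Deny", proto="*"),
    ]}},
]

if __name__ == "__main__":
    for f in audit_nsgs(SAMPLE_NSGS):
        print(f"NET-002 {f['nsg']}/{f['rule']} (priority {f['priority']}): {', '.join(f['ports'])}")
```

Run against the constructed data it reports exactly the two NSGs the sample finding cites. Note the caveat a practitioner would apply before acting on the output: NSG evaluation is priority-ordered, so a lower-numbered Deny can shadow a flagged Allow. Like the CIS 6.1/6.2 checks, this flags the permissive rule itself rather than computing effective reachability, which is the right posture signal but may need confirming against the effective security rules of the attached NICs.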
Encryption
- [HIGH] ENC-001 — 3 storage accounts permit TLS < 1.2. (SOC 2 CC6.1/CC6.7 · CIS 3.15) → D3 + M3.
- [CRITICAL-adjacent / HIGH] ENC-002 — 1 SQL server missing TDE. (CIS 4.2.1) → M2.
- [HIGH] ENC-003 — Key Vault purge protection disabled. (CIS 8.2) → F5.
Logging
- [HIGH] LOG-001 — Defender for Cloud plans disabled on this subscription. (CIS 2.1) → F1 / B3.
- [HIGH] LOG-002 — Secure score below 60. Symptom of the above. → F1 / B3.
Cost
- [MED] COST-001 — No active budget on the subscription. (SOC 2 CC7.2 · ISO A.8.6) → U1.
§2. What this means
Northwind's platform is typical of fast pre-Series-B growth: it works, but the controls an enterprise customer or SOC 2 auditor expects were never built in. The two critical findings (internet-exposed management ports + no MFA/Conditional Access) are the kind that fail a security questionnaire on sight.
§3. Prioritized remediation roadmap
| # | Finding | Severity | Fixed by | Effort | When |
|---|---|---|---|---|---|
| 1 | NET-002 internet SSH/RDP | Critical | N6 | ~S | Week 1 |
| 2 | IAM-001 no Conditional Access | Critical | H2 | ~M | Week 1 |
| 3 | LOG-001/002 Defender off | High | F1 / B3 | ~S | Week 1 |
| 4 | NET-001 public storage | High | N5 | ~M | Week 2 |
| 5 | NET-003 / ENC-003 Key Vault | High | F5 | ~S | Week 2 |
| 6 | ENC-001 weak TLS | High | D3 + M3 | ~S | Week 2 |
| 7 | ENC-002 SQL TDE | High | M2 | ~S | Week 3 |
| 8 | IAM-002 SP secret rotation | Medium | H5 + B2 | ~S | Week 5 |
| 9 | COST-001 no budget | Medium | U1 | ~S | Retainer |
Compliance mapping for the above: see the Y7 coverage matrix. Roadmap assets (N5/N6/M-series/U1) are delivered during a Baseline engagement.
§4. Recommendation
The findings map cleanly to a Baseline "Cloud Secure" engagement — the two criticals close in week 1. A scoped, fixed-price proposal follows this report.
Read-only audit · no changes made to the environment · run logged immutably (G6) · human-reviewed before delivery. Findings produced by the SnowOps G2 rule pack.