Most businesses have 5 to 7 critical gaps in their Google Workspace. Most have never looked.
A 20-point manual review of your Admin Console, across identity, email, data, and devices. Every finding explained in plain English. A prioritised roadmap telling you exactly what to fix and in what order. Start with a free 15-minute discovery call.
Best suited to businesses already running on Google Workspace with 5 or more user accounts. If you are not on Google Workspace yet, start with an IT Health Check.
97/215
Average score on a first audit
5–7
critical gaps found on the average first audit
#1 finding
MFA not enforced, one stolen password unlocks everything
48 hrs
Written roadmap delivered after the audit
How it works, three steps.
Start with a free 15-minute discovery call. If there is clear exposure, the paid audit runs from there, and the written roadmap lands within 48 hours.
Book a 15-minute discovery call (free)
Pick a time using the booking link. A Google Meet link is automatically generated. This call costs nothing. You don't need to prepare anything.
Discovery call
A 15-minute conversation about your current setup, how your team uses Google Workspace, how you handle leavers, how your files are organised. If there is clear exposure, the next step is a paid audit. Price is confirmed on the discovery call before anything is booked.
The audit and roadmap
Once payment is confirmed, you grant read-only delegated admin access. The full 20-point review runs across your live environment. Within 48 hours you receive a written Infrastructure Roadmap: every check marked Pass, Warning, or Fail, the business risk explained in plain English, and a prioritised action plan telling you what to fix first.
Book a 15-minute discovery call
A short conversation to understand your current setup. No preparation needed. If there is clear exposure, the audit runs from there, with pricing confirmed on the call and the written roadmap delivered within 48 hours.
Free to book
The discovery call costs nothing. If there is clear exposure, the paid audit follows, invoiced before access is granted.
Read-only access only
You add a delegated admin account before the audit begins, read-only. No passwords shared. Revoke it when the audit is complete.
No obligation to continue
The roadmap is yours. You can action it yourself, pass it to another provider, or ask Bulwark to handle the remediation.
Prefer email first? hello@getbulwark.com
Book a discovery call
15 minutes. Free. No preparation required.
15-Minute Operational Discovery
A free 15-minute conversation about your current setup. If there is clear exposure, the full audit and written roadmap follows.
Book a free 15-minute call20 security checks. The basics most teams never verify.
Not a surface-level scan. We look inside your Admin Console, your DNS records, and your device management. These are the controls that decide whether one phishing email becomes a nuisance or a real incident.
A written report. Not a vague summary.
A structured PDF covering every control checked, your score, the gaps that matter most, and the exact remediation steps. Written so a non-technical business owner can act on it.
- Pass / Warning / Fail status for all 20 controls
- Risk level for each finding
- Prioritised remediation list, most critical first
- Plain-English explanation written for non-technical stakeholders
- Yours to keep. The audit covers the review and the written report, with no obligation beyond that.
97 / 215
Overall score, action required
The questions everyone asks before booking
Why pay for an audit? I can check things myself.
Most of the issues that cause real damage, stale OAuth tokens, permissive sharing policies, misconfigured DMARC, are not visible from inside your own account. You need delegated admin access to see what is actually configured, and you need to know what you are looking for. The audit is a manual review by someone who checks these settings every day.
What do I actually get?
A 20-point manual review of your live Admin Console, covering identity, email authentication, data access, and device compliance. Every finding is marked Pass, Warning, or Fail. Every failure includes the business risk in plain English and a specific remediation step. The report is structured so a non-technical founder can act on it, or hand it to whoever they use for IT.
What access do you need?
Delegated admin access, read-only. That means a Bulwark account is added to your Admin Console before the audit and removed when the report is delivered. It cannot make changes, access email content, or delete anything. It takes two minutes to set up.
Do I have to become a client after the audit?
No. The report is yours regardless. If you want Bulwark to handle the remediation, the audit fee is credited against the project cost. If you take it elsewhere or action it yourself, that is a completely reasonable outcome.
We already have IT support, is this still worth doing?
Yes, particularly if your current IT support is generalist. Most providers manage tickets and devices. They rarely audit Google Workspace configuration at this level of depth. The audit covers the controls that generalist IT typically does not touch.
How long does it take?
The discovery call is 15 minutes. If you proceed with the audit, read-only access is granted and the review is completed independently. The written roadmap is delivered within 48 hours of access being granted.