15-Minute Discovery Call Free · Paid Audit · Written Roadmap Included

Most businesses have 5 to 7 critical gaps in their Google Workspace. Most have never looked.

A 20-point manual review of your Admin Console, across identity, email, data, and devices. Every finding explained in plain English. A prioritised roadmap telling you exactly what to fix and in what order. Start with a free 15-minute discovery call.

Best suited to businesses already running on Google Workspace with 5 or more user accounts. If you are not on Google Workspace yet, start with an IT Health Check.

97/215

Average score on a first audit

5–7

critical gaps found on the average first audit

#1 finding

MFA not enforced, one stolen password unlocks everything

48 hrs

Written roadmap delivered after the audit

The Process

How it works, three steps.

Start with a free 15-minute discovery call. If there is clear exposure, the paid audit runs from there, and the written roadmap lands within 48 hours.

Book a 15-minute discovery call (free)

Pick a time using the booking link. A Google Meet link is automatically generated. This call costs nothing. You don't need to prepare anything.

Discovery call

A 15-minute conversation about your current setup, how your team uses Google Workspace, how you handle leavers, how your files are organised. If there is clear exposure, the next step is a paid audit. Price is confirmed on the discovery call before anything is booked.

The audit and roadmap

Once payment is confirmed, you grant read-only delegated admin access. The full 20-point review runs across your live environment. Within 48 hours you receive a written Infrastructure Roadmap: every check marked Pass, Warning, or Fail, the business risk explained in plain English, and a prioritised action plan telling you what to fix first.

Book a Discovery Call

Book a 15-minute discovery call

A short conversation to understand your current setup. No preparation needed. If there is clear exposure, the audit runs from there, with pricing confirmed on the call and the written roadmap delivered within 48 hours.

Free to book

The discovery call costs nothing. If there is clear exposure, the paid audit follows, invoiced before access is granted.

Read-only access only

You add a delegated admin account before the audit begins, read-only. No passwords shared. Revoke it when the audit is complete.

No obligation to continue

The roadmap is yours. You can action it yourself, pass it to another provider, or ask Bulwark to handle the remediation.

Prefer email first? hello@getbulwark.com

Book a discovery call

15 minutes. Free. No preparation required.

15-Minute Operational Discovery

A free 15-minute conversation about your current setup. If there is clear exposure, the full audit and written roadmap follows.

Book a free 15-minute call
Free discovery call, no cost, no obligation
Read-only access only, revocable at any time
Paid audit, price confirmed on the discovery call
The Audit

20 security checks. The basics most teams never verify.

Not a surface-level scan. We look inside your Admin Console, your DNS records, and your device management. These are the controls that decide whether one phishing email becomes a nuisance or a real incident.

01Admin account securityCRITICAL
02User account hygieneHIGH
032FA enforcement, all usersCRITICAL
04Email authentication (DMARC, DKIM, SPF)CRITICAL
05External sharing settingsHIGH
06Third-party app permissionsHIGH
07Device management (MDM)HIGH
08Password policiesMEDIUM
09Audit log and alert settingsHIGH
10Gmail security settingsHIGH
11Drive and data residencyMEDIUM
12Endpoint protectionCRITICAL
13Backup coverageCRITICAL
14Leaver and joiner processHIGH
15Less secure app accessCRITICAL
16Email forwarding rulesCRITICAL
17Shared Drive permissionsHIGH
18Google Groups external accessMEDIUM
19Session and login controlsMEDIUM
20Screen lock and remote wipeHIGH
What you receive

A written report. Not a vague summary.

A structured PDF covering every control checked, your score, the gaps that matter most, and the exact remediation steps. Written so a non-technical business owner can act on it.

  • Pass / Warning / Fail status for all 20 controls
  • Risk level for each finding
  • Prioritised remediation list, most critical first
  • Plain-English explanation written for non-technical stakeholders
  • Yours to keep. The audit covers the review and the written report, with no obligation beyond that.
Security Audit Report Confidential

97 / 215

Overall score, action required

6FAIL
7WARN
7PASS
Admin 2FA enforcement FAIL Enforce via Admin Console → Security
DMARC record PARTIAL Policy is p=none, update to p=quarantine
External sharing PASS Restricted to authorised domains ✓
Third-party app access FAIL 23 unreviewed apps, 4 flagged high risk
Backup coverage FAIL No independent backup for Gmail or Drive
Straight Answers

The questions everyone asks before booking

Why pay for an audit? I can check things myself.

Most of the issues that cause real damage, stale OAuth tokens, permissive sharing policies, misconfigured DMARC, are not visible from inside your own account. You need delegated admin access to see what is actually configured, and you need to know what you are looking for. The audit is a manual review by someone who checks these settings every day.

What do I actually get?

A 20-point manual review of your live Admin Console, covering identity, email authentication, data access, and device compliance. Every finding is marked Pass, Warning, or Fail. Every failure includes the business risk in plain English and a specific remediation step. The report is structured so a non-technical founder can act on it, or hand it to whoever they use for IT.

What access do you need?

Delegated admin access, read-only. That means a Bulwark account is added to your Admin Console before the audit and removed when the report is delivered. It cannot make changes, access email content, or delete anything. It takes two minutes to set up.

Do I have to become a client after the audit?

No. The report is yours regardless. If you want Bulwark to handle the remediation, the audit fee is credited against the project cost. If you take it elsewhere or action it yourself, that is a completely reasonable outcome.

We already have IT support, is this still worth doing?

Yes, particularly if your current IT support is generalist. Most providers manage tickets and devices. They rarely audit Google Workspace configuration at this level of depth. The audit covers the controls that generalist IT typically does not touch.

How long does it take?

The discovery call is 15 minutes. If you proceed with the audit, read-only access is granted and the review is completed independently. The written roadmap is delivered within 48 hours of access being granted.