
What we actually found. What we actually fixed.

Three anonymised engagements. Real Admin Console findings. Before-and-after audit scores. Every case is a UK business on Google Workspace that had outgrown basic IT — the same type of environment GetBulwark is built for.

All cases are anonymised. Sector, team size and engagement type are as reported; client names and any detail that would identify the business have been removed. Findings are taken directly from the scored audit reports delivered to each client.

Provenance: these engagements were conducted by Callum Fraser prior to founding GetBulwark, while working as a Google Workspace specialist at a UK-based Google Cloud Partner. GetBulwark was founded in March 2026 to deliver the same standard of work independently.

SECURITY_LOG · 3 engagements · Audit score range: 74–201 / 215 · All clients: UK · Google Workspace · Remote-first teams · REDACTED per client agreement

LOG_001 · Q1 2026

Creative Agency · 12 users · Hardening Project

MFA not enforced. A leaver still active. Domain spoofable.

A 12-person creative agency on Google Workspace Business Starter. No IT function. The person who managed the Google Admin Console had left six months prior. Nobody had taken over admin access formally. Three users had no MFA and the domain DMARC policy was set to p=none — visible to anyone who checked, spoofable by anyone who tried.

Before: 74 / 215 · After: 194 / 215 · +120 points · 3 weeks

Found:
  • 3 of 12 users with no MFA enrolled — including 2 with admin-level access
  • 1 former employee account active 6 months post-departure with Drive access intact
  • 14 shared Drive folders with link-sharing set to "Anyone with the link" — including a client deliverables folder
  • DMARC set to p=none — domain spoofable, no enforcement in place
  • No endpoint monitoring on any device
  • No backup outside Google — full Drive and Gmail exposure if account compromised

Fixed:
  • MFA enforced across all 12 users via Admin Console policy — no opt-out
  • Leaver account suspended and Drive access transferred same day
  • All 14 shared folders audited and ACLs restructured — external sharing locked to invited users only
  • DMARC moved to p=reject via staged rollout over 2 weeks
  • Huntress deployed across all 12 managed endpoints with SOC monitoring live
  • AFI backup configured — Drive, Gmail, and Shared Drives backed up daily to independent copy
Outcome: Monthly managed client
Hardening project completed in 3 weeks · Re-run audit score: 194/215

LOG_002 · Q1 2026

Recruitment Firm · 8 users · Hardening Project

DKIM not configured. Candidate data in an unsecured shared drive. No backup.

An 8-person recruitment firm that had moved to Google Workspace from a shared-hosting email provider two years earlier. The migration was done by whoever was cheapest at the time. DKIM was never set up. Candidate CV data — names, addresses, salary expectations — was stored in a shared Drive folder accessible to all staff with no access governance in place.

Before: 91 / 215 · After: 201 / 215 · +110 points · 2 weeks

Found:
  • DKIM not configured — outbound mail unsigned, so DMARC alignment rested on SPF alone
  • DMARC at p=none — no rejection or quarantine policy
  • No MFA enforcement — all 8 users on password-only access
  • Candidate CV data (PII) stored in a Drive folder shared with all users, no least-privilege structure
  • 3 former staff with access to candidate Drive — 2 of whom had left over 12 months prior
  • No backup outside Google — no recovery path if account or Drive compromised

Fixed:
  • DKIM configured and verified — all outbound mail now signed
  • DMARC moved to p=quarantine immediately, path to p=reject confirmed
  • MFA enforced across all active users — hardware key registered for admin account
  • Candidate data folder restructured with explicit access — only active users with documented need
  • 3 former staff accounts suspended and Drive access revoked with data ownership transferred
  • AFI backup deployed — daily copies of Drive, Gmail, and Shared Drives stored independently
Outcome: Monthly managed client
Hardening project completed in 2 weeks · Re-run audit score: 201/215
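The sharing findings in LOG_001 (14 folders on "Anyone with the link") and LOG_002 (candidate data open to every account, plus three leavers still holding access) are the kind of thing a short script over Drive API permission metadata surfaces in minutes. The following is an added example written for this page, not GetBulwark's audit tooling: the file records are constructed to match the shape of the Drive API v3 `permissions` field (for items in shared drives the same objects come from `permissions.list`), `example.com` stands in for the tenant's primary domain, and the suspended-user set is assumed to come from the Admin SDK.

```python
"""Flag risky sharing in Google Drive API v3 permission metadata.

Added example, not GetBulwark's tooling. SAMPLE_FILES is constructed to match
the shape of files.list(fields="files(id,name,permissions)"); for items in
shared drives the same objects come from permissions.list instead.
"""

PRIMARY_DOMAIN = "example.com"            # assumption: the tenant's primary domain
SUSPENDED_USERS = {"leaver@example.com"}  # assumption: suspended accounts from the Admin SDK

# Constructed sample files. Permission fields (type, role, emailAddress,
# domain, allowFileDiscovery) are the real Drive v3 field names.
SAMPLE_FILES = [
    {"id": "f1", "name": "Client deliverables", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "Candidate CVs", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "domain", "role": "writer", "domain": "example.com"},
        {"type": "user", "role": "writer", "emailAddress": "leaver@example.com"},
    ]},
    {"id": "f3", "name": "Board pack", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "partner@other-firm.example"},
    ]},
    {"id": "f4", "name": "Team lunch menu", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dan@example.com"},
    ]},
]


def audit_file(file, primary_domain=PRIMARY_DOMAIN, suspended=SUSPENDED_USERS):
    """Return (severity, reason) findings for one file's permission list."""
    findings = []
    for perm in file.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role")
        if ptype == "anyone":
            # 'Anyone with the link'; allowFileDiscovery=True is the public, searchable variant
            scope = "public and searchable" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(("high", f"{scope} ({role})"))
        elif ptype == "domain":
            if perm.get("domain") != primary_domain:
                findings.append(("high", f"external domain {perm.get('domain')} ({role})"))
            else:
                # Every account in the tenant, including new starters: no least privilege
                findings.append(("medium", f"whole-domain access ({role})"))
        elif ptype in ("user", "group"):
            addr = perm.get("emailAddress", "").lower()
            if addr in suspended:
                findings.append(("high", f"suspended account {addr} still {role}"))
            elif not addr.endswith("@" + primary_domain):
                findings.append(("medium", f"external {ptype} {addr} ({role})"))
    return findings


def audit(files, **kwargs):
    """Map file id -> findings, keeping only files that have at least one."""
    result = {}
    for f in files:
        found = audit_file(f, **kwargs)
        if found:
            result[f["id"]] = found
    return result


def worst_severity(findings):
    """Collapse a finding list to its highest severity ('high' over 'medium')."""
    if any(sev == "high" for sev, _ in findings):
        return "high"
    return "medium" if findings else None


if __name__ == "__main__":
    for fid, found in audit(SAMPLE_FILES).items():
        print(fid, worst_severity(found), found)
```

The "anyone" entry is the Admin Console's "Anyone with the link" setting as it appears through the API; a suspended account keeps its ACL entries until someone transfers or removes them, which is why the leaver in LOG_001 still had Drive access six months after leaving.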

LOG_003 · Q1 2026

Professional Services · 22 users · Cloud Foundation

Moving from M365. Shared admin credentials. No SSO. Starting from scratch — properly this time.

A 22-person professional services firm moving from a legacy Microsoft 365 setup managed by a generalist IT provider. Admin credentials were shared among three people with no audit trail. There was no SSO, no standardised device policy, and user provisioning was manual — new starters were getting access to everything by default. They wanted Google Workspace set up correctly before a single user was migrated.

At launch: 198 / 215 · Built right from day one

Found:
  • Admin credentials shared between 3 staff — no individual accountability or audit trail
  • No SSO — every app accessed with a separate password, inconsistently managed
  • New starters provisioned manually with no standard — access scope varied by who set them up
  • No endpoint monitoring — 22 devices with no visibility into compromise
  • 2 legacy admin accounts from staff who left 18 months prior, still enabled
  • No email authentication on the primary domain — spoofable from day one of migration if not fixed

Built:
  • Google Workspace environment built from scratch — org units, groups, and device policies configured before user migration
  • Individual named admin accounts — shared credential model eliminated
  • SPF, DKIM, and DMARC at p=reject configured on day one — domain protected before first email sent
  • Starter checklist and leaver procedure documented and handed over — consistent provisioning from day one
  • Huntress deployed across all 22 endpoints during migration week — monitoring live before M365 was switched off
  • AFI backup running from day one — Drive, Gmail, and Shared Drives all covered independently
Outcome: Monthly managed client
Cloud Foundation completed in 5 weeks · Launch audit score: 198/215
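Email authentication comes up in all three logs: DMARC at p=none in LOG_001, no DKIM in LOG_002, and SPF, DKIM and DMARC built on day one in LOG_003. The checks behind those findings are all reads of three DNS TXT records, so the following added example (written for this page, not GetBulwark's audit tooling) evaluates them and names the next step of a staged DMARC rollout. The two zones are constructed answers standing in for a domain in the LOG_001 "before" state and after hardening; `lookup()` would be replaced by a real resolver to run it live. The selector name `google` is assumed to be the one chosen in the Admin Console (Workspace's default), the DKIM key is a placeholder, and the 25% sampling step is one common staging choice, not a figure from the page.

```python
"""Evaluate SPF, DKIM and DMARC TXT records and pick the next DMARC rollout step.

Added example, not GetBulwark's audit tooling. ZONE_BEFORE and ZONE_AFTER are
constructed DNS answers; swap lookup() for a real resolver to run it live.
"""
import re

# Constructed: LOG_001 'before' state. SPF set, DKIM selector missing, DMARC p=none.
ZONE_BEFORE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
# Constructed: hardened state. The p= value is a placeholder, not a real key.
ZONE_AFTER = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

def lookup(name, zone):
    """TXT strings for a name; a live version would query DNS here."""
    return zone.get(name, [])

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_findings(domain, zone):
    txts = [t for t in lookup(domain, zone) if t.lower().startswith("v=spf1")]
    if not txts:
        return ["SPF: no record; receivers cannot check sending hosts"]
    if len(txts) > 1:
        return ["SPF: more than one v=spf1 record, which RFC 7208 treats as permerror"]
    spf, findings = txts[0], []
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
    if m is None:
        findings.append("SPF: no 'all' mechanism; unlisted hosts get a neutral result")
    elif m.group(1) in ("", "+"):
        findings.append("SPF: '+all' authorises every host on the internet")
    # Terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation
    costly = re.findall(r"(?:^|\s)[+\-~?]?(?:include:|a(?:[:/\s]|$)|mx(?:[:/\s]|$)|ptr|exists:|redirect=)", spf)
    if len(costly) > 10:
        findings.append(f"SPF: {len(costly)} lookup-triggering terms exceed the limit of 10")
    return findings

def dkim_findings(domain, zone, selectors=("google",)):
    """Assumption: 'google' is the selector chosen in the Admin Console (Workspace's default)."""
    findings = []
    for sel in selectors:
        recs = lookup(f"{sel}._domainkey.{domain}", zone)
        if not recs:
            findings.append(f"DKIM: no record at {sel}._domainkey; outbound mail is unsigned")
            continue
        tags = parse_tags("".join(recs))
        if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
            findings.append(f"DKIM: {sel} record malformed or key revoked (empty p=)")
    return findings

def dmarc_tags(domain, zone):
    recs = [t for t in lookup(f"_dmarc.{domain}", zone) if t.upper().startswith("V=DMARC1")]
    return parse_tags(recs[0]) if len(recs) == 1 else None

def dmarc_findings(domain, zone):
    tags = dmarc_tags(domain, zone)
    if tags is None:
        return ["DMARC: _dmarc record missing or duplicated; domain spoofable"]
    findings, p, pct = [], tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to guide the rollout")
    if p != "none" and tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings

def next_dmarc_step(tags):
    """One staged path from p=none to p=reject; the 25% sample is an assumption."""
    p = (tags or {}).get("p", "none").lower()
    pct = int((tags or {}).get("pct", "100"))
    if p == "none":
        return "p=quarantine; pct=25"
    if p == "quarantine":
        return "p=quarantine; pct=100" if pct < 100 else "p=reject"
    return "p=reject (already enforcing)"

def assess(domain, zone):
    """All findings for a domain, in the order SPF, DKIM, DMARC."""
    return spf_findings(domain, zone) + dkim_findings(domain, zone) + dmarc_findings(domain, zone)
```

The staging matters because p=reject bounces every message that fails alignment, including legitimate mail from a forgotten SaaS tool or a subdomain nobody added to SPF; the aggregate reports sent to the `rua=` address over the monitoring period are what make a two-week move to p=reject safe, which is why a missing `rua=` is flagged above.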

The gaps in these cases are not unusual. They are the default.

Option A

Find out your score.

45 minutes. 20 controls. Written report within 48 hours. Your setup scored out of 215 — same methodology as the cases above.

Book free audit

Option B

Not sure if this is the right fit?

Answer five questions and get an honest read on whether GetBulwark is right for your business. 60 seconds. No email required.

Is this right for me?

Or email hello@getbulwark.com with any questions.