Home / How It Works

The process is simple. The gaps it closes are not.

You do not need a technical education to get this right. You need one person to look at your Google Workspace, tell you plainly what is wrong, fix it to a defensible standard, and keep watch after the project is done. This is how GetBulwark does that.

20
Controls checked in every free audit, scored out of 215.
48hrs
Written PDF report delivered after the audit. No charge, no obligation.
2–4 wks
Typical hardening project. Findings resolved. Re-run audit to prove it.
1 owner
Same specialist. Audit, fixes, monthly review. No hand-offs, ever.
Why This Matters

Your Google Workspace is probably running with open doors right now.

None of them visible in day-to-day operations. None of them tripping any alarms. All of them exploitable — by a former employee, a phishing campaign, or a ransomware group that scanned your domain this morning. The damage does not announce itself until after it has already happened.

Finding 01

An ex-employee who still has full access.

The average UK SMB takes over three weeks to fully revoke a departing employee's access. During that window, their Google account — email history, Drive files, shared documents, client data — remains live and accessible.

They may have already forwarded things. You probably cannot name every account still active without checking right now.

Most businesses discover this when the leaver mentions it, not when they catch it themselves.
Finding 02

A domain anyone can spoof to target your clients.

Without DMARC set to reject, anyone can send email that appears to come from your domain. Your clients, suppliers, and staff would have no technical way to distinguish the real thing from fraud.

Spoofed invoices, fake payment instruction changes, credential phishing — all using your name and your brand.

DMARC misconfiguration is the most common finding in audits. It is also the most preventable.
Finding 03

A "backup" that shares the same point of failure.

Google Drive is not a backup. If your Workspace account is compromised, ransomware encrypted, or an admin accidentally deletes a Shared Drive, the "cloud" and the recovery copy are the same thing.

AFI backs up at item level, outside Google's infrastructure, with independent credentials. Google's Vault does not replace it.

Businesses that rely on Google's defaults discover the gap when they need to recover something specific.
The Process

From inherited mess to a controlled, documented baseline.

Four steps. A clear scope at each stage. No ambiguity about what happens next, what it costs, or who is doing it.

Step 01

Free security audit.

A 45-minute manual review of your Google Workspace. Twenty controls across identity, email authentication, data security, and devices — scored out of 215 and delivered as a written PDF. Yours to keep, regardless of what happens next.

45 min · Written PDF · 48-hour turnaround · No cost, no obligation
Step 02

Discovery call — understand what the findings mean.

A short call to walk through the report together. What is genuinely critical, what can wait, what a fix actually involves, and whether the work sits clearly in the Google Workspace lane. If it does not, you will hear that directly.

30 min · No jargon · Honest about fit · Scope confirmed before any commitment
Step 03

Hardening or Cloud Foundation project.

The findings become a fixed worklist. Every critical gap is closed: MFA enforced, DMARC corrected, leavers removed, monitoring deployed, backup configured. The audit is re-run at the end. A before-and-after score documents what changed.

2–4 weeks · Fixed scope · Re-run audit · Before-and-after score in writing
Step 04

Managed monthly — maintained, not just set-up.

The environment does not go quiet after the project. Every month: security controls re-checked, new starters onboarded, leavers revoked, a scored PDF delivered. You get visibility and proof — not just a recurring bill.

From £85/user/month · Full stack included · Monthly score report · Same specialist throughout
The First 30 Days

What actually changes in month one.

Audit findings do not sit in a report. They become a sequenced worklist, starting with the highest-risk items. By the end of week four, the environment has a documented before-and-after score and a clean baseline for managed monthly to build on.

WEEK 01

Access and scoping

The audit findings become a fixed worklist. Delegated admin access is set up and the order of changes is agreed before anything is touched.

  • Delegated admin access set
  • Tenant and user count confirmed
  • Hardening scope locked
  • Risk priority agreed
WEEK 02

Identity and email

The highest-risk items move first: MFA, admin roles, leavers, and email authentication.

  • MFA enforced across all users
  • Admin roles reduced to minimum
  • Leaver access checked and revoked
  • SPF, DKIM, DMARC corrected
WEEK 03

Devices and backup

Endpoint monitoring and backup are deployed so the environment is not relying on Google defaults alone.

  • Huntress deployed to managed devices
  • AFI backup configured and verified
  • Device posture reviewed
  • Screen lock and wipe policies checked
WEEK 04

Re-run and handover

The audit is re-run, the before-and-after score is documented, and the environment moves into managed monthly.

  • Re-run audit completed
  • Before/after score issued in writing
  • Monthly review cadence confirmed
  • User lifecycle process live
See the full month-one detail, including what you need to provide and what users will notice →
What Changes For You

What this feels like from your side of the desk.

The technical changes matter. The reduction in uncertainty matters more. By the end of month one, someone knows exactly what your environment looks like — and can prove it.

Before

  • You're not sure who still has access to what. Leavers may still be active. You would have to check manually.
  • Security feels like someone else's problem — until the moment it very clearly is not.
  • You know DMARC, MFA, and backup matter. Nobody owns them. They exist in some partial, unverified state.
  • If a breach or incident happened tonight, you don't have a documented plan, a score to point to, or a specialist on speed dial.
  • You're carrying the uncertainty. It surfaces in moments — a leaver, a phishing email, a client asking about your security posture.

After

  • You know your score — literally. Updated monthly in a written report you can keep and share.
  • One person owns the environment. You know exactly who that is and what they are responsible for.
  • Controls are enforced, not just recommended. MFA is on. DMARC rejects spoofed email. Leavers are revoked same day.
  • If something happens, there is a documented baseline, a specialist who knows the environment, and a response that starts in minutes — not days.
  • You can show clients, insurers, and regulators that the work is being done. A scored PDF every month, not a verbal assurance.
The Commitment

No hand-offs. No helpdesk. One person owns your account.

Most IT providers sell you the senior consultant in the pitch meeting and deliver the junior helpdesk three weeks later. GetBulwark works differently — not as a policy, but because the model does not have that problem.

The person you talk to is the person who does the work.

The specialist who runs your audit writes the report, manages the hardening project, owns the monthly review, and answers the phone when something needs attention. That does not change over time. There is no account manager between you and the work.

At this scale, the service works because it is personal. You always know who is responsible. There is no ambiguity about whose job it is when something needs attention — and no situation where "I'll escalate that" is the answer.

Callum Fraser, Founder of GetBulwark

Callum Fraser

Founder · GetBulwark

Promise 01

The audit report is yours to keep, no matter what.

Every engagement starts with a free 20-point manual review. The written report is yours whether you work with GetBulwark afterwards or not. No conditions. No follow-up lock-in. If your setup is already strong, you will hear that directly.

Promise 02

If the hardening project does not fix what was found, we fix it at no additional cost.

Every hardening project ends with a re-run audit. If a finding identified in the original report is not resolved, the fix is included at no extra charge. The deliverable is a genuinely improved score — not just a list of completed tasks.

Promise 03

If GetBulwark is not the right fit, you will hear that directly.

If you already have strong internal IT, the work sits outside the Google Workspace lane, or a different specialist would serve you better — you will be told plainly and pointed somewhere useful. No pressure, no pivot to a watered-down version of the service.

The Stack

What "properly secured" actually means.

GetBulwark uses a fixed stack — the same tools for every managed client. Not because it is convenient, but because these are the right tools for the job and the consistency means they are configured correctly every time.

Endpoint Protection

24/7 monitoring on every managed device.

Huntress monitors every managed device around the clock. If something suspicious happens — malware, an intrusion attempt, a compromised account being used at 3am — a real human analyst at the SOC investigates and contains it. Not an automated alert. A person.

Average containment time: 8 minutes. Purpose-built for SMBs, not a scaled-down enterprise tool.

Huntress — Managed EDR + SOC
Cloud Backup

A real backup — outside Google's infrastructure.

AFI backs up Drive, Gmail, and Shared Drives to independent storage with independent credentials. Item-level recovery means you can restore a single email or a specific file — not just an all-or-nothing account restore.

If the Google account is compromised, the backup is not. That separation is the point.

AFI — Workspace Backup
Email Authentication

Your domain, locked to you.

SPF, DKIM, and DMARC configured to reject. Once this is set correctly, nobody can send email that appears to come from your domain — no spoofed invoices, no fake payment instructions, no phishing campaigns wearing your brand.

DMARC at reject is the standard. Monitoring is included. Most businesses are on "none" or "quarantine" — neither stops spoofing.

SPF · DKIM · DMARC — Reject policy
See the full fixed stack and why each tool was chosen →
Go Deeper

Everything that supports the process.

Sample Output

What the audit report looks like.

A scored PDF covering all 20 controls. See exactly what you receive before booking.

Sample Output

What the monthly review looks like.

The scored PDF delivered every month. What gets checked, what gets reported, what changes.

Security Log

Real findings from real audits.

Anonymised case studies: what was found, what was fixed, what the environment looked like before and after.

Start with the audit. Everything follows from what it finds.

45 minutes. A written report scored out of 215. Yours to keep. If there is nothing critical, you will hear that. If there is, you will know exactly what it is and what fixing it looks like.

Book the free audit Not sure if you need this?