The Zero Trust Assessment Problem
Every target claims to be on a Zero Trust journey. Their security documentation says Zero Trust. Their CISO’s presentation mentions Zero Trust architecture. Their security questionnaires are filled with Zero Trust language.
What they often don’t have is a complete picture of which users have which access paths to which resources, whether their Conditional Access policies actually cover all the authentication paths in use, whether their service accounts are operating on least privilege, whether their network segmentation actually contains lateral movement, and whether their third-party app permissions are consistent with Zero Trust principles.
The gap between “Zero Trust strategy” and “Zero Trust actual implementation” is where breaches live.
What a 48-Hour Security Posture Audit Finds
Identity security: All user accounts with privilege level and last authentication time, service accounts and their actual permissions vs. required permissions, overprivileged accounts, stale accounts, local admin accounts, PIM/PAM usage and compliance.
Conditional Access: All policies mapped to what they actually protect, gap analysis of authentication paths not covered, policy conflicts that create security holes, legacy authentication protocols still in use.
Network security: Network segmentation compliance, lateral movement paths between segments, VPN configurations, Wi-Fi security configurations, DMZ configurations and their actual exposure.
Third-party access: M365 third-party app permissions, Azure AD enterprise app registrations, SaaS app SSO configurations, vendor access patterns.
The Findings That Change the Deal
Finding 1: Overprivileged Entra ID service principals
A target’s M365 environment had 47 service principals with Directory.Read.All permissions. This permission level gives the service principal read access to everything in Entra ID. These were created by SaaS applications during onboarding. Most didn’t need it — they were granted it during simplified onboarding nobody reviewed.
Risk: If any of these 47 service principals is compromised, the attacker has directory-wide read access.
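One way to produce the service-principal inventory behind this finding, as an added example that is not ACQI's tooling: it resolves Microsoft Graph appRoleId GUIDs to permission names via the Graph resource service principal's appRoles list and counts distinct holders per permission. The Graph endpoint paths named in the comments are real; every record, GUID and object id in the sample data is constructed.

```python
# Added example (not ACQI's tooling): list which Entra ID service principals hold a
# given Microsoft Graph application permission, offline, from captured Graph JSON.
# All records and GUIDs below are constructed sample data.
from collections import defaultdict

GRAPH_SP = "graph-sp-0000"  # constructed objectId of the Microsoft Graph resource SP

# Constructed: the Graph resource SP's appRoles (GET /servicePrincipals/{id}?$select=appRoles).
# This is the only place an appRoleId GUID is translated into a permission name.
GRAPH_APP_ROLES = [
    {"id": "aaaa0001-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "aaaa0001-0000-0000-0000-000000000002", "value": "User.Read.All"},
    {"id": "aaaa0001-0000-0000-0000-000000000003", "value": "Mail.Read"},
]

# Constructed: appRoleAssignments gathered across service principals
# (GET /servicePrincipals/{id}/appRoleAssignments, concatenated).
ASSIGNMENTS = [
    {"principalId": "sp-01", "principalDisplayName": "HR SaaS Connector", "resourceId": GRAPH_SP, "appRoleId": "aaaa0001-0000-0000-0000-000000000001"},
    {"principalId": "sp-01", "principalDisplayName": "HR SaaS Connector", "resourceId": GRAPH_SP, "appRoleId": "aaaa0001-0000-0000-0000-000000000003"},
    {"principalId": "sp-02", "principalDisplayName": "Ticketing Bot", "resourceId": GRAPH_SP, "appRoleId": "aaaa0001-0000-0000-0000-000000000001"},
    {"principalId": "sp-03", "principalDisplayName": "Mail Archiver", "resourceId": GRAPH_SP, "appRoleId": "aaaa0001-0000-0000-0000-000000000003"},
    {"principalId": "sp-04", "principalDisplayName": "Legacy Sync", "resourceId": "other-api-sp", "appRoleId": "bbbb0001-0000-0000-0000-000000000009"},
]

def resolve_permission(assignment, role_map, resource_id=GRAPH_SP):
    """Name the permission behind an assignment. Roles granted on a resource whose
    appRoles were not loaded are reported as opaque rather than guessed."""
    if assignment["resourceId"] != resource_id:
        return "unresolved:" + assignment["appRoleId"]
    return role_map.get(assignment["appRoleId"], "unknown:" + assignment["appRoleId"])

def principals_with_permission(assignments, app_roles, permission):
    """Sorted (principalId, displayName) pairs holding `permission` on Graph."""
    role_map = {r["id"]: r["value"] for r in app_roles}
    hits = {(a["principalId"], a["principalDisplayName"]) for a in assignments
            if resolve_permission(a, role_map) == permission}
    return sorted(hits)

def permission_summary(assignments, app_roles):
    """(permission, distinct SP count) pairs, most widely granted first."""
    role_map = {r["id"]: r["value"] for r in app_roles}
    holders = defaultdict(set)
    for a in assignments:
        holders[resolve_permission(a, role_map)].add(a["principalId"])
    return sorted(((p, len(s)) for p, s in holders.items()), key=lambda t: (-t[1], t[0]))
```

Against a real tenant, the same two functions run unchanged over the JSON the two Graph calls return; the summary is the list the deal team compares against what each SaaS vendor actually documents as required.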
Finding 2: Legacy authentication still enabled
A target’s Exchange Online was still accepting Basic Auth for SMTP, POP, and IMAP. Basic Auth has been deprecated by Microsoft. The target’s security documentation said “modern authentication only.” The actual configuration allowed legacy authentication for 6 protocols that were supposed to be disabled.
Risk: Basic Auth credentials are easier to compromise. If any user account is compromised and Basic Auth is still enabled, attackers can use the compromised credentials, bypassing MFA and Conditional Access.
The Security Posture Score
ACQI’s discovery sprint produces a Security Posture Score — a composite score across identity, network, and application security, calculated from the number and severity of findings weighted by exploitability.
The score tells the deal team where the target’s actual security posture differs from its documented security posture, which findings represent critical vulnerabilities, which represent compliance exposure, and which represent integration risk.
ACQI runs security posture audits in 48-72 hours as part of the M&A discovery sprint. Request a security posture assessment.