Cloud Security Posture Review

When someone's asking about your cloud security, you need an answer they trust.

A posture review across AWS, Azure, or Microsoft 365, with prioritized remediation guidance mapped to CIS, SOC 2, NIST, and more. Delivered fast.

What you get

A report your customers can read. A plan your team can ship.

Cloud misconfiguration review

800+ checks across AWS, Azure, and Microsoft 365 — with prioritized findings and compliance-mapped remediation guidance, not checklist-order busywork.

SOC 2 readiness memo

A plain-English memo your board and customer-security team can read — with remediation tied to specific SOC 2 Common Criteria (CC-series) controls.

Remediation backlog

A ready-to-import Jira or Linear export. Each ticket has a severity, owner, and a one-paragraph fix description.

How it works

Four steps.
Forty-eight hours.

48 h from scoping call to report delivered
  1. t − 3d · 30-minute scoping call

     We agree what's in scope, who owns remediation, and who sees the final report. No sales call.

  2. t − 1d · Grant read-only access

     Short-lived IAM roles or M365 app registrations. You control the grant window and can revoke any time.

     role: CrestlineScan-ReadOnly
     policy: SecurityAudit + ViewOnlyAccess
     ttl: 72h · revocable
     mfa: required

  3. 0h → 40h · We scan and review

     Every check runs across your environment. Ethan reviews every finding by hand — no AI-generated summaries, no false positives left in.

  4. 48h · Report + 2 calls

     Prioritized findings, compliance memo, and a tracked Jira/Linear backlog. Two 45-minute walkthrough calls included — we walk you through the portal and the report; we don't fix your stack.
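What the "Grant read-only access" step amounts to on the AWS side, as an added example that is not Crestline's tooling or code from this page: a trust policy for the assessor role and a pre-grant check you can run over the output of `aws iam get-role`, `list-attached-role-policies` and `list-role-policies` before handing the role over. The role name, account IDs and ExternalId are placeholders; `SecurityAudit` and `ViewOnlyAccess` are real AWS managed policies. Two caveats a practitioner should know: `aws:MultiFactorAuthPresent` is only set when the caller is an IAM user session that authenticated with MFA, so if the assessor assumes from another role that condition denies and you should agree the principal type on the scoping call; and IAM roles have no TTL, so the 72h window is enforced by deleting the role, which needs policies detached first.

```python
"""Pre-grant check for a short-lived, read-only assessor role in AWS.

Added example, not Crestline's own tooling. Role name, account IDs and the
ExternalId are placeholders; the two allowlisted policy ARNs are real.
"""
from datetime import datetime, timedelta, timezone

# AWS managed policies that give read-only visibility of configuration
# metadata without write access or data-plane reads.
ALLOWED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}
GRANT_WINDOW = timedelta(hours=72)


def build_trust_policy(assessor_principal_arn: str, external_id: str) -> dict:
    """Trust policy for the assessor role: one named principal, a shared
    ExternalId (confused-deputy guard) and MFA present on the calling session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": assessor_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        }],
    }


def review_role(role: dict, attached_policy_arns: list,
                inline_policy_names: list, now: datetime) -> list:
    """Return the reasons a role is NOT an acceptable short-lived read-only grant.

    `role` mirrors the Role object from `aws iam get-role`; the two lists mirror
    `list-attached-role-policies` and `list-role-policies`. Empty list = OK."""
    problems = []
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", "")
        aws = aws if isinstance(aws, list) else [aws]
        if "*" in aws:
            problems.append("trust policy allows any AWS principal")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            problems.append("MFA not required to assume the role")
    extra = set(attached_policy_arns) - ALLOWED_POLICY_ARNS
    if extra:
        problems.append("non-read-only policies attached: " + ", ".join(sorted(extra)))
    if inline_policy_names:
        problems.append("inline policies present: " + ", ".join(inline_policy_names))
    created = role["CreateDate"]
    if isinstance(created, str):          # CLI gives ISO text, boto3 gives datetime
        created = datetime.fromisoformat(created)
    if now - created > GRANT_WINDOW:
        problems.append("72h grant window exceeded; revoke (delete) the role")
    return problems


def revoke_commands(role_name: str, attached_policy_arns: list) -> list:
    """CLI steps that end the grant. Order matters: IAM refuses to delete a
    role that still has attached policies."""
    cmds = [f"aws iam detach-role-policy --role-name {role_name} --policy-arn {arn}"
            for arn in attached_policy_arns]
    cmds.append(f"aws iam delete-role --role-name {role_name}")
    return cmds


# Constructed sample roles with placeholder account IDs, not real environments.
NOW = datetime(2025, 1, 12, 9, 0, tzinfo=timezone.utc)
GOOD_ROLE = {
    "RoleName": "CrestlineScan-ReadOnly",
    "CreateDate": "2025-01-10T09:00:00+00:00",   # 48h into the 72h window
    "AssumeRolePolicyDocument": build_trust_policy(
        "arn:aws:iam::111111111111:user/assessor", "a-long-random-external-id"),
}
BAD_ROLE = {
    "RoleName": "Scanner",
    "CreateDate": "2025-01-01T09:00:00+00:00",   # forgotten 11 days ago
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "sts:AssumeRole"}],
    },
}
BAD_ATTACHED = ["arn:aws:iam::aws:policy/SecurityAudit",
                "arn:aws:iam::aws:policy/AdministratorAccess"]


def demo():
    """Review both sample roles; returns (problems_for_good, problems_for_bad)."""
    good = review_role(GOOD_ROLE, sorted(ALLOWED_POLICY_ARNS), [], NOW)
    bad = review_role(BAD_ROLE, BAD_ATTACHED, ["ad-hoc-s3-read"], NOW)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("CrestlineScan-ReadOnly:", good or "OK")
    for p in bad:
        print("Scanner:", p)
    print("\n".join(revoke_commands("Scanner", BAD_ATTACHED)))
```

Run it as-is to see the compliant role pass and the leftover "Scanner" role fail on every check; point `review_role` at the parsed JSON of your own `get-role` output to use it for real.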

Pricing

Transparent. Fixed-scope. Optional retainer.

Assessment · One-time
Starts at $7,500
Single environment. Compliance-mapped findings. Fixed scope.
48h report delivery
  • One environment (AWS org, Azure tenant, or M365 tenant)
  • 1 scan, 48-hour report delivery
  • 1 compliance framework included (SOC 2, CIS, NIST, HIPAA, PCI, FedRAMP, FFIEC, NIS2, CSA CCM, more)
  • 90-day portal access with prioritized findings
  • Two 45-minute walkthrough calls
  • Compliance matrix (XLSX) + executive report (DOCX)
Read-only access · short-lived roles · Booked 5–10 days out
Retainer · Monthly
$1,500/mo
Continuous portal access. Quarterly rescans. Recommended after assessment.
10% off with annual prepay
  • Continuous portal access — no expiration
  • 4 rescans per year (quarterly), no extra cost
  • Quarterly walkthrough calls
  • Email support — 1 business day response
  • Vendor security questionnaire turnaround at $1,500/each
  • Cancel anytime with 30-day notice
Same access controls as the assessment

What else affects pricing

  • Additional environment (assessment): +$1,500
  • Additional environment (retainer): +$500/mo
  • Each additional compliance framework: +$500
  • Regulated data (PCI or HIPAA): +$2,500
  • PQC readiness module (1 env): +$6,500
  • PQC retainer (per env / month): +$750/mo
  • Out-of-cycle rescan: $1,000
  • Findings walkthrough call (60 min): $650
  • Founding-client discount (first 3–5 customers): −25% on the assessment / −50% on Year 1 retainer

Common questions

What if I'm multi-cloud?

Each environment (AWS org, Azure tenant, or M365 tenant) beyond the first adds $1,500 to the assessment and $500/month to the retainer. Pricing is the same regardless of which platform — we don't charge a premium for Azure or M365.

Do I have to take the retainer?

No. The assessment is a complete one-time deliverable; if you only want a point-in-time report, that's the whole engagement. The retainer is recommended because security drift is real — half of customers add it after the readout call so they have continuous portal access and quarterly rescans.

What's the regulated-data surcharge for?

If your environment processes PCI cardholder data or HIPAA PHI, we add $2,500 to the assessment to cover the additional scope-definition work (carving out the CDE for PCI, BAA-aligned controls for HIPAA), liability premium, and HIPAA-specific control mapping. Once you're a customer, the surcharge applies to each new engagement that involves regulated data.

What if I want PQC (post-quantum crypto) readiness?

The PQC readiness module produces a crypto inventory across your environments — algorithms in use, harvest-now-decrypt-later exposure, vendor PQC posture, and a NIST FIPS 203/204/205-aligned migration timeline. Bundled with the base assessment, it's $6,500 per environment; standalone (no base assessment), $12,500. Most enterprise security questionnaires now ask about PQC — this gives you a credible answer.

How does payment work?

Assessments: 50% on signing, 50% Net-15 from report delivery. Retainers: monthly invoice (pay by ACH, wire, or card), or annual prepay for a 10% discount. We send invoices via Mercury; quotes valid for 30 days from issue date.

Do you offer discounts?

Founding-client rate (25% off the assessment + 50% off Year 1 retainer) is offered to the first 3–5 paying customers in exchange for a written testimonial and an anonymized case study. After that, we negotiate sparingly — better to keep transparent pricing for everyone than to play discount games.

What's not included?

Crestline does not perform remediation execution. We deliver findings, prioritization, compliance mapping, and advisory walkthroughs; your engineering team or your MSP partner ships the fixes. We can refer you to remediation partners if needed.

"Most startups don't have a security problem. They have a security timing problem. The controls come too late, after the failed audit, after the lost deal. We exist to fix the timing."
Ethan Leinberger · Founder, Crestline Security

Who runs this

One founder. Decade in cloud security. Every engagement personally delivered.

Ethan Leinberger founded Crestline Security after a decade building and breaking cloud infrastructure — sometimes both on the same project. Crestline is the firm I wished existed when I was a startup engineer staring at a security questionnaire I had a week to answer.

Every Crestline assessment is delivered by me. Every report is reviewed by me. There are no junior consultants reading a runbook to your scan output. That ceiling is also the floor: I don't take more engagements than I can deliver carefully, which is the trade-off — slower onboarding, higher quality.

The platform itself — scan engine, AI analysis, portal, compliance overlays for SOC 2 / NIST / FedRAMP / HIPAA / PCI / NIS2 / FFIEC / CSA CCM — is built and maintained by me. Source is on GitHub; profile on LinkedIn.

Security & trust

How we treat your access and your data.

What we do

  • Read-only access via short-lived IAM roles (AWS) or app registrations (Azure / M365)
  • Customer cloud credentials encrypted at rest in AWS Secrets Manager, KMS-managed keys
  • Multi-tenant isolation enforced by 176 automated tests on every code change
  • SBOM (CycloneDX) generated on every deploy, available on request for vendor security review
  • Dependabot + pip-audit on every PR; SECURITY.md vulnerability disclosure policy at GitHub
  • Raw scan outputs auto-deleted at 90 days; structured findings retained until you delete your account
  • Detailed data retention policy: /security/data-retention

What we don't do

  • No write access to your cloud environment, ever
  • No cardholder data or PHI in our scan outputs — we read configuration metadata, not your data
  • No third-party SOC 2 or pen-test letter yet — we're pre-customer-#5 and will publish them as we earn them
  • No remediation execution — your engineering team or your MSP partner ships the fixes

For PCI / HIPAA engagements, additional scope-exclusion contract language and a signed Business Associate Agreement (BAA) are included; the AWS BAA covers our infrastructure-side processing.

Fit check

Honest about who we're for.

You're probably a fit if you…

We do best with teams that have shipped a real product and have customers asking security questions.

  • Have 25–200 employees and production customers
  • Run on AWS, Azure, or Microsoft 365
  • Have an engineer who can land remediation PRs
  • Are pre-SOC 2 or renewing a lapsed report

Probably not a fit if you…

We'd rather tell you up front than waste a scoping call. Here's when we'll pass and refer you elsewhere.

  • Are pre-revenue and pre-product
  • Need a full-time CISO (we can refer you)
  • Want a checkbox audit with no remediation
  • Run mostly on bare-metal / on-prem