A security audit is not a pentest where someone tries to break into your network. For most SMBs, it is something far more practical: a systematic review of your digital infrastructure to find the gaps that an attacker would exploit and give you a clear plan to fix them.
Before the audit: reconnaissance
Before we even talk to you, we do external reconnaissance. This is the same thing an attacker would do:
- DNS analysis: We check your domain configuration, MX records, SPF, DKIM, and DMARC. This tells us how well your email is protected against spoofing.
- OSINT scan: We search public databases, breach databases, social media, and search engines for any exposed data related to your organization: employee names, leaked credentials, and internal documents that should not be public.
- Surface scan: We identify every internet-facing service, including websites, VPNs, remote access tools, forgotten subdomains, and open ports.
This phase requires zero access from you. By the time we sit down to discuss the audit, we already have a preliminary picture of your exposure.
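The DNS check in the list above is the part of reconnaissance that is easiest to reproduce yourself. The following is an added example, not the auditor's own tooling: it rates a domain's SPF and DMARC TXT records the way an audit's DNS analysis would, flagging records that leave the domain open to spoofing. It works on record strings, so the constructed samples for the hypothetical domain `example.test` run offline; to point it at a live domain you would fetch the TXT records for the domain and for `_dmarc.<domain>` with a resolver library such as dnspython (assumed, not shown).

```python
"""Added example: rate SPF and DMARC records for spoofing exposure.
Not the auditor's code; the sample records below are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # critical / high / medium / low / info
    message: str


# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10.
_SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(txt_records):
    """Return findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "No SPF record: any host may send mail as this domain.")]
    if len(spf) > 1:
        return [Finding("high", "Multiple SPF records: receivers treat this as a permanent error.")]

    findings = []
    terms = spf[0].split()[1:]
    # Strip the qualifier (+ - ~ ?) and any ":value" / "=value" suffix to get the term name.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in terms]

    lookups = sum(1 for n in names if n in _SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} lookup terms exceed the limit of 10 (permerror)."))

    all_terms = [t for t, n in zip(terms, names) if n == "all"]
    if not all_terms:
        findings.append(Finding("medium", "No 'all' mechanism: unlisted senders get a neutral result."))
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("critical", "+all authorises every host on the internet to send as this domain."))
        elif qualifier == "?":
            findings.append(Finding("high", "?all is neutral: SPF gives no protection against spoofing."))
        elif qualifier == "~":
            findings.append(Finding("low", "~all is softfail: protection depends on DMARC enforcing alignment."))
        else:
            findings.append(Finding("info", "-all: unlisted senders hard-fail SPF."))
    return findings


def parse_dmarc(txt_records):
    """Return the tag dict of the DMARC record found at _dmarc.<domain>, or None."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_dmarc(dmarc_txt_records):
    """Return findings for the DMARC policy: what receivers do with failing mail."""
    tags = parse_dmarc(dmarc_txt_records)
    if tags is None:
        return [Finding("high", "No DMARC record: SPF/DKIM results are never enforced by receivers.")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(Finding("info", "DMARC p=reject: spoofed mail is rejected."))
    elif policy == "quarantine":
        findings.append(Finding("low", "DMARC p=quarantine: spoofed mail is junked, not rejected."))
    elif policy == "none":
        findings.append(Finding("medium", "DMARC p=none: monitoring only, nothing is enforced."))
    else:
        findings.append(Finding("high", "DMARC record has no valid p= tag and is ignored by receivers."))
    pct = tags.get("pct", "100")
    if policy in ("reject", "quarantine") and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"pct={pct}: the policy applies to only {pct}% of failing mail."))
    if "rua" not in tags:
        findings.append(Finding("low", "No rua= address: no aggregate reports, so abuse goes unnoticed."))
    return findings


def audit_email_auth(domain_txt, dmarc_txt):
    """Combine SPF and DMARC findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
    findings = assess_spf(domain_txt) + assess_dmarc(dmarc_txt)
    return sorted(findings, key=lambda f: order[f.severity])


def worst_severity(findings):
    """Overall rating for the domain: the severity of the first (worst) finding."""
    return findings[0].severity if findings else "info"


if __name__ == "__main__":
    # Constructed sample records for the hypothetical domain example.test.
    weak_txt = ["v=spf1 include:_spf.mailhost.test ~all", "google-site-verification=abc123"]
    weak_dmarc = ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]
    strong_txt = ["v=spf1 mx include:_spf.mailhost.test -all"]
    strong_dmarc = ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test"]
    for label, txt, dm in [("weak", weak_txt, weak_dmarc), ("strong", strong_txt, strong_dmarc)]:
        print(f"== {label}: overall {worst_severity(audit_email_auth(txt, dm))} ==")
        for f in audit_email_auth(txt, dm):
            print(f"  [{f.severity}] {f.message}")
```

The two sample sets show the distinction an auditor cares about: an SPF softfail plus `p=none` looks configured but enforces nothing, while `-all` with `p=reject` actually causes receivers to drop spoofed mail. DKIM is deliberately left out because its check requires knowing the selector names a domain uses, which cannot be read from the TXT records alone.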
During the audit: active review
With your authorization and access, we review:
- Accounts and access: Who has access to what? Are there ex-employees still active? Is MFA enforced? Are there shared credentials?
- Devices: Are laptops encrypted? Are operating systems updated? Is there a firewall? Auto-lock enabled?
- Network: Is the WiFi segmented? Is remote access secured? Are there unnecessary services exposed?
- Cloud: If you use AWS, Google Cloud, or Azure, we review IAM policies, storage permissions, logging, and encryption.
- Processes: Is there an offboarding process? A password policy? An incident response plan?
The phishing test
If included in the scope, we send simulated phishing emails to a group of employees. This is not to shame anyone. It is to measure the organization's baseline susceptibility and identify where awareness training would have the most impact. We track who clicks and who enters credentials, and use that data to make targeted recommendations.
What you get
At the end of the audit, you receive:
- Executive Report (3-5 pages): A non-technical summary for management. Risk level, key findings, and business impact in plain language.
- Technical Report (15-30 pages): Detailed findings with evidence (screenshots, configurations, scan results), severity classification, and step-by-step remediation instructions.
- Remediation Plan: A prioritized checklist with suggested timeline. Critical items first, then high, medium, and low.
- Delivery Session (60 min): A live presentation where we walk through the findings, answer questions, and help you plan next steps.
- 30-Day Follow-up: We re-check all critical and high findings to verify they were properly remediated. Included at no additional cost.
How long does it take?
A typical SMB audit takes 5 business days from start to delivery. Day 1 is external reconnaissance (no access needed). Days 2-3 are active review with your cooperation. Day 4 is documentation. Day 5 is the delivery session. The follow-up happens at day 30.
A security audit is not a one-time event. It is the starting point of a security practice. But it is the most important starting point, because you cannot improve what you have not measured.