Confidential · Do not distribute · &DEV/SEC
■ Confidential Security Posture Assessment Ref: &DEV/SEC/2026-0714
Subject: Your firm  ·  Status: Exposed

Your clients trust you with everything. Your Microsoft 365 should be as careful as you are.

A fixed, expert uplift of your Microsoft 365 tenant — built for law firms, mortgage brokers and IFAs who cannot afford a breach, a regulator's question, or a client who quietly loses faith.

Book a 30-minute review Read the options
◦ Cyber Essentials aligned ◦ UK engineers ◦ No tie-ins
Exhibit 00 — Mailbox capture● Live
From   Karen Whitfield, client
Re     Completion funds — 14 Ashcroft Lane

"Hi — as discussed, please transfer the balance of £184,500 to account 40 21 66 / sort code 09 01 28 ahead of Friday. Let me know once it's away."

Hover to reveal what a resident intruder reads.
INTERCEPTED
Finding 01 — The order matters

We fix the tenant before we monitor it.

Most providers sell you a dashboard and call it security. We start by closing the gaps that actually let people in — misconfigured mailboxes, dormant admin rights, licences bought but never switched on. Only once the foundations are sound does monitoring mean anything at all.

Exhibit A

For a regulated firm, a breach is never just an IT problem.

§ 01

Client money

Redirected completion funds and invoice fraud land on the firm, not the bank. The sums are rarely small.

§ 02

Your regulator

The SRA, FCA and ICO all expect you to protect client data. “We assumed Microsoft handled it” is not an answer.

§ 03

Confidentiality

One compromised mailbox exposes years of privileged correspondence and sensitive personal data.

§ 04

Reputation

Referrals dry up quietly. Clients rarely say they left because of a breach — they just stop calling.

Exhibit B — Incident file

A real firm.
A real incident.
A full rebuild.

A twelve-partner practice came to us after a completion payment was redirected. The attacker had sat quietly in a mailbox for weeks, reading correspondence and waiting.

14:02

The tenant held licences for advanced protection that were paid for but never enabled.

14:09

A former contractor still held global admin rights nobody had reviewed in two years.

14:20

There was no alerting, so the intrusion went unnoticed until the money moved.

We rebuilt the tenant properly in days. The recovery had already taken months.

Remediation

Start where it makes sense for your firm.

Most firms start here
L1Baseline

Foundations, made right

A one-off uplift that closes the gaps and hands the tenant back to you, documented.

One-off uplift
£1,800
Fixed scope
MFA enforced on every account
Admin rights reviewed & separated
Email authentication (SPF, DKIM, DMARC)
Conditional access — report-only
Written summary of what changed
Start with Baseline →
Most firms start here
L2Managed

Kept right, over time

Everything in Baseline, plus ongoing hardening as Microsoft and your firm change.

Uplift + retainer
from £1,800
+ £200/mo · 12-month commit
Everything in Baseline
MDM enrollment & setup
Security key configuration & setup
Conditional access enforcement & policy upkeep
Quarterly review, plain-English report
Talk about Managed →
Most firms start here
L3Full

Watched, so you needn’t

Managed plus monitoring, response and certification alignment — someone is watching the tenant so you don’t have to.

Uplift + retainer
from £1,800
+ £750/mo · 12-month commit
Everything in Managed
MDR platform licence + monitoring
Unlimited incident response
Certification (Cyber Essentials / CE+) alignment
Audit-ready reporting; optional board-ready report
Talk about Full →
Control schedule

What's included, control by control

Ref
Control
L1 Baseline
L2 Managed
L3 Full
SEC-01
MFA enforced across all accounts
SEC-02
Privileged / admin account hardening
SEC-03
Email authentication (SPF, DKIM, DMARC)
SEC-04
Anti-phishing & impersonation protection
SEC-05
Safe Links & Safe Attachments
SEC-06
Conditional access — report-only assessment
SEC-07
Written uplift summary
SEC-08
Conditional access — enforcement & policy upkeep
SEC-09
MDM enrollment, setup & configuration
SEC-10
Security key (FIDO2) configuration & setup
SEC-11
Quarterly review, plain-English report
SEC-12
Monitoring & alerting on your tenant
SEC-13
MDR platform licence
SEC-14
Unlimited incident response
SEC-15
Certification (Cyber Essentials / CE+) alignment
SEC-16
Audit-ready reporting
SEC-17
Board-ready report (optional)
SEC-18
Staff phishing awareness training

● Included    ○ Not in this tier  ·  Prices based on a 10-user organisation. The one-off uplift is fixed scope; L2/L3 add a monthly retainer on a 12-month term. Final figures confirmed after the review — no obligation.

Note to file

What we don't do

i.

Rip out what works

If your setup is sound, we’ll say so and leave it alone. We’re not here to sell you things you don’t need.

ii.

Tie you into hardware

This is about your Microsoft 365 tenant. No servers to buy, no five-year contracts, no vendor lock-in.

iii.

Hide behind jargon

You’ll always get plain English and a written record a non-technical partner can read and act on.

On the record

Questions firm principals actually ask

General IT support keeps you working day to day; it rarely means someone has deliberately secured your Microsoft 365 tenant against a targeted attack. The two jobs are different, and we’re happy to work alongside your existing provider.

It has excellent security tools, but almost none of the important ones are switched on by default. We turn on and configure the protections you’re very likely already paying for in your licences.

The review is 30 minutes. The Baseline uplift is typically completed within a week or two, scheduled around your firm so there’s no disruption to fee-earners.

Almost never. Most changes happen behind the scenes. The main visible change is stronger sign-in, which we roll out with clear guidance so nobody is caught out.

Yes. The uplift directly supports the data-protection and confidentiality obligations those regulators expect, and the written summary gives you evidence of the steps you’ve taken.

The Baseline uplift is a fixed price per tenant, confirmed after the review. Managed and Full add a monthly retainer. We’ll give you exact figures on the call, with no obligation.

Request assessment

Book a 30-minute security review.

We'll look at your tenant with you, tell you plainly where the real gaps are, and leave you with a written summary — whether or not you go further with us.

✓  No prep needed from your side ✓  You speak to an engineer, not a salesperson ✓  Written findings, yours to keep

Received — we'll reply within one working day.

Something went wrong — please email hello@and.dev.

Reply within one working day · No marketing lists