RescueCleanupOutside IT
Your outside IT team. We set up, clean up, and fix the systems your business runs on.
Email, logins, file access, and cloud accounts across Google Workspace, Microsoft 365, and the systems around them. When you are locked out, email is down, or the person who ran IT is gone, we fix it for a fixed fee, clean up what was left behind, and if you want, stay on monthly so IT stops being your problem. Everything in writing.
Illustrative output. Real findings come with evidence.
Start where you are
Broken right now?
Locked out, email down, or the person who ran IT is gone. Rescues get priority scheduling and a fixed fee before work starts.
Book an urgent rescueWorking, but messy?
Accounts, access, and licenses nobody has owned in a while. A fixed-fee audit finds all of it and hands you a prioritized plan, then we fix what you approve.
Get a fixed-fee cleanupWant it handled monthly?
Start with the cleanup, then keep us. The Outside IT plan runs your systems for a per-person monthly fee, with the cleanup credited.
See the Outside IT planYour business runs on systems nobody owns
The email, the logins, the licenses, the domain: it all works until the one person who understood it leaves, or the day something breaks and nobody knows where the keys are. That is the day most teams call us.
The person who ran IT is gone
An IT guy who retired, a provider who stopped answering, an office manager who left. The admin passwords, the domain account, and the way it all fits together went with them.
People left, their seats and access stayed
Ex-employees still on paid licenses and still holding logins. Contractors from finished projects sitting in Slack, drives, and client portals. You pay for both until someone finds them.
Apps and automations nobody owns
OAuth grants from tools you stopped paying for. Automations tied to a personal account that fail silently if that person leaves. AI tools connected to email and drives with more reach than anyone approved.
What VXSec fixes
Two questions drive the work: what is broken or about to break, and who or what can reach your systems that should not? These are the areas we fix, inventory, and keep clean.
Stale users and offboarding gaps
Ex-employees, finished contractors, forgotten guests, and the departure steps that never got written down.
Admin role sprawl
Super admins, delegated roles, billing owners, and privileged access that no longer matches actual jobs.
File sharing and ownership
External sharing, anyone-with-the-link files, shared drives, and documents owned by people who left.
OAuth and connected apps
Third-party apps granted access to email, files, calendars, and CRMs, including tools nobody uses anymore.
Automations and API keys
Zapier, Make, and n8n workflows, service accounts, tokens, and integrations with unclear owners.
AI tools with too much access
AI assistants, agents, meeting bots, and extensions connected to business data without an inventory or approval step.
Core offers
A ladder, not a menu. Most clients arrive with something broken or messy, get it fixed for a fixed fee, and keep us because it is easier than becoming their own IT department.
Email and Access Rescue
Locked out of Microsoft 365 or Google Workspace, email down or bouncing, or the person who ran IT is gone with the passwords. Fast diagnosis, systems back, admin access properly in the owner's hands.
Systems and Access Cleanup
Fixed-fee review and cleanup plan for users, admins, sharing, connected apps, automations, and offboarding gaps, plus the list of paid seats you can stop paying for. Credited toward the monthly plan.
Cleanup Sprint
Implementation of the approved fixes: remove stale access, restructure groups, reduce admin roles, transfer ownership, clean risky app access, and document the workflow so it stays fixed.
Email and Tenant Migration
Old host to Microsoft 365 or Google Workspace, tenant to tenant, or between platforms. Flat per-mailbox pricing, a written cutover plan, old mail preserved, and 30 days of post-move support included.
Outside IT Plan
Your outside IT team, monthly: Workspace or Microsoft 365 run properly, hires and departures handled completely, licenses matched to real people, and one named person who answers.
Agency Systems and Access Cleanup
For agencies holding client access: contractors, Slack, Google Workspace or Microsoft 365, Shopify, Meta, HubSpot, project tools, and the internal operating workflows behind them.
Bigger work grows out of the relationship and is quoted as fixed-scope projects: departure lockdowns, secure automation reviews, security hardening, SSO and MFA rollouts, Microsoft Entra ID and Google Cloud Identity work, cloud setup, and systems and integration builds.
The cleanup guarantee
Every Systems and Access Cleanup starts with a read-only audit. If that audit does not surface real access risk worth fixing, you do not pay the audit fee, and you keep the findings report either way. Scope and fee are fixed in writing before any work starts, and nothing changes until you approve it. The point is to lower your risk in hiring, not add to it.
Selected work
Real project work VXSec has delivered. Clients are named where permission exists; the rest are shared privately on request.
Google Workspace access governance
Built department-based Shared Drive architecture, role-based access through Google Groups, permission tiers, file ownership cleanup, and provisioning workflows for a support-services organization.
OAuth and automation reliability
Stabilized a QuickBooks to Mailchimp integration by fixing OAuth token handling, token persistence, refresh logic, and customer sync reliability across Heroku and Supabase infrastructure.
Infrastructure migration and hardening
Migrated PHP Laravel infrastructure and SQL data from Azure to OVH, configured SSL with Certbot, updated DNS, replicated Windows VMs, and reviewed Linux and Windows security policies.
Agency systems and access operations
Built the internal operating platform for an ecommerce media buying agency with ~250 client accounts: fail-closed role-based access control, per-client tenant isolation, encrypted credential storage, secret scanning, and onboarding and offboarding workflows.
Why this matters now
Three shifts made systems and access harder for teams to keep clean, and none of them are slowing down.
Teams are more fluid
Contractors, fractional roles, agencies inside agencies, and fast turnover mean access changes weekly. Offboarding processes built for annual turnover cannot keep up.
Every tool connects to every tool
OAuth made integration one click. A single approval can grant a third-party app standing access to mail, files, and customer data, and that grant outlives the person who clicked it.
AI tools ask for broad access
Assistants and agents want your inbox, calendar, drive, and CRM to be useful. Most teams connected them before anyone defined what they should be allowed to reach.
How an engagement works
The VXSec Access Review Method: fixed scope, documented findings, approved changes only. No surprise invoices, no unapproved changes, no access kept afterward.
Scope
A 15-minute call confirms systems, team size, access model, and the fixed fee. You get the scope in writing.
Inventory
Every user, admin role, share, connected app, OAuth grant, automation, and AI tool in scope gets listed with evidence.
Report
Findings ranked by risk, with recommended action, effort, owner, and dependencies. Written for approval, not for a shelf.
Approve
You decide what changes. Risky or dependent changes wait for explicit owner sign-off before anything moves.
Fix and document
Approved changes are implemented in a cleanup sprint, documented, and handed off with an updated offboarding workflow.
See what you would actually get
The audit report is the product. It lists every finding with risk, action, effort, and owner, so you can approve fixes in one sitting. The sample uses hypothetical data and shows the real structure.
Findings your team can act on
Stale users, admin sprawl, external sharing, ownership gaps, OAuth grants, automation risk, AI tool access, and offboarding gaps, each with a recommended action.
A plan you can approve
Quick wins separated from approval-needed changes. Findings can be mapped to CIS-style baseline controls where applicable.
How we work
Small by design. Accountable by default.
VXSec is a systems and security practice focused on access, identity, and secure operations for growing teams. Every engagement is fixed-scope, documented, and approved before changes are made.
You talk to the people doing the work: the same team that scopes the engagement runs the review, writes the report, and makes the approved changes. No account managers, no upsell scripts, no surprise invoices.
How VXSec handles your access
- MFA on every account, no password sharing
- Least-privilege, time-boxed access
- Approved changes only, documented individually
- Access removed at engagement end
- NDA available on request
Common questions
What does a Systems and Access Cleanup include?
Every cleanup starts with a read-only audit of every person, app, and automation that can reach your business systems: staff, ex-employees, contractors, admin roles, file sharing, shared inboxes, OAuth grants, connected apps, automations, and AI tools. It ends with a prioritized cleanup plan your team can approve.
Who is VXSec best suited for?
Businesses and agencies on Google Workspace or Microsoft 365 plus SaaS tools, without a full internal IT team. The strongest fits: teams whose IT person or provider just left, teams locked out of or fighting their own systems, and agencies holding client access.
Is VXSec an MSP?
VXSec solves the problem people hire an MSP for, with a different shape. Instead of an all-inclusive management contract, work starts with a fixed-fee rescue or cleanup, and teams that want ongoing care take a defined monthly Outside IT plan priced per person, month to month after the first quarter. Bigger projects are quoted separately, so the monthly cost stays predictable.
What do you need access to?
As little as possible. Exports, read-only access, screen share, or temporary least-privilege roles where practical, always with MFA and never with shared passwords. Access is removed at engagement end.
Can you implement the findings?
Yes. A Cleanup Sprint implements approved fixes with change control: each change is marked safe, approval-needed, or dependency-check-needed before anything moves.
What does it cost?
Rescues are a fixed fee confirmed at the scope check. Single-system cleanups from $750, multi-system cleanups from $1,500, credited toward the monthly plan if you take it. Cleanup sprints $2,500 to $12,000. Migrations priced flat per mailbox. The Outside IT plan is per person per month. Every fee is fixed in writing before work starts.
Broken now, or just tired of being your own IT department?
A 15-minute scope check confirms your systems and team size and gets you a fixed fee in writing. Urgent rescues get priority scheduling. No pitch deck, no discovery marathon.
Book a 15-minute scope checkUrgent? Email [email protected] with the subject "Rescue" · Or start with the free Offboarding Gap Checklist