Implementation

Cleanup Sprint

The audit found it. The sprint fixes it. VXSec implements the approved change list: remove stale access, restructure groups, reduce admin roles, transfer ownership, clean risky app access, and document the workflow so the debt does not rebuild next quarter.

Small sprint: $2,500 to $3,500. One system or a short list of low-dependency changes.
Standard sprint: $5,000 to $7,500. Multi-system cleanup with owner approvals and documentation.
Advanced sprint: $8,000 to $12,000. Agency stacks, cloud, automations, or multiple owner groups.

What a sprint implements

  • Disable or remove confirmed stale users, guests, contractors, and external collaborators.
  • Reduce admin roles to what jobs actually require, and document who holds privileged access and why.
  • Transfer ownership of files, shared drives, shared inboxes, automations, and client handoff points before accounts are touched.
  • Restructure groups and permission tiers so access follows roles instead of history.
  • Revoke risky OAuth grants and connected apps, and rotate exposed API keys and tokens.
  • Move automations off personal accounts onto named service accounts with documented owners.
  • Set AI tool access controls: inventory, allowed scopes, approval steps, and offboarding tasks.
  • Write the offboarding workflow so the next departure is a checklist, not a scramble.

Change control, in practice

Every sprint runs from an approved change list. Each change is classified before work starts: safe to execute, approval-needed, dependency-check-needed, or out of scope. Changes that could affect data, billing, production systems, client access, or integrations wait for explicit sign-off. Every change is logged with what changed, when, why, and how to reverse it where reversal is practical.

Where the change list comes from

Most sprints follow a VXSec Access and Offboarding Audit, which produces the findings table the sprint executes. Sprints can also run from a partner's findings or a clear internal backlog, as long as the change list can be verified before work starts.

What is excluded

Helpdesk tickets, device support, managed IT retainers, custom app development, broad procurement, emergency incident response, and destructive changes without written approval. If new findings surface mid-sprint, they are documented and quoted separately rather than absorbed silently.

Advanced implementation work

Where an audit shows the fix is structural rather than janitorial, VXSec scopes identity projects as their own engagements: SSO and MFA rollouts, Microsoft Entra ID and Google Cloud Identity configuration, conditional access, CIS-mapped secure baselines, and offboarding automation. These are quoted case by case after an audit.

Have a fix list that needs executing?

Bring an audit report, a partner's findings, or a backlog. The scope check confirms the change count, approval owners, and a fixed fee.

Book a 15-minute scope check