CREST-Certified GCP Cloud Security Review and GCP Penetration Testing

Single-project (≤10 services, ≤50 resources) typically takes 4-5 working days. Folder-level multi-project takes 7-10 days. Organization-level enterprise (10+ projects, multi-region GKE) takes 10-15 days.

Single-project £6,000-£10,000. Multi-project £10,000-£18,000. Organization-level £18,000-£28,000. All quotes are fixed-price after scoping.

Yes. Every GCP engagement includes a control-by-control CIS Google Cloud Platform Foundations v3.0 assessment, plus Security Command Center recommendation review.

Yes. Service-account impersonation is the #1 GCP privilege-escalation path. We map the full impersonation graph using IAM Recommender data plus manual analysis, and identify chains that lead to high-value resources.

Yes. GKE reviews include Workload Identity boundary scrutiny, RBAC, Network Policies (Calico / Cilium), Binary Authorization (image signing), GKE Autopilot vs Standard differences, and pod-to-node escape paths.

Multi-project testing is fully supported. We map the entire Cloud Resource Manager hierarchy (Organization → Folders → Projects), audit Organization Policies, and test VPC Service Controls boundary enforcement.

A GCP configuration review checks every project in your Google Cloud organisation against the CIS Google Cloud Platform Foundations Benchmark, covering IAM, service accounts, storage, networking and GKE. It is the configuration-audit half of a GCP security posture review, paired with manual exploitation to confirm which misconfigurations are actually reachable.

Yes. GCP security posture review, GCP configuration review and GCP cloud security review all describe the same engagement: a CREST-certified assessment of your Google Cloud organisation against the CIS Foundations Benchmark, combined with manual exploitation across IAM, storage, GKE and networking. The name varies by buyer; the methodology does not.

Yes. VPC Service Controls are the modern GCP data perimeter. We test access level enforcement, ingress / egress rule effectiveness, and identify common bypass patterns (e.g. allowed Google APIs, dry-run mode).

Yes. Cloud Build supply chain (SLSA framework alignment) is part of cloud reviews. We audit build triggers, service account scope, Artifact Registry permissions, container image signing (Binary Authorization), and OIDC trust into other clouds.

Read-only by default. We use predefined Viewer and SecurityReviewer roles. Manual exploitation phases only run with explicit written authorisation per resource type, in agreed maintenance windows.

Yes. Every finding ships with prioritised remediation guidance and example Terraform / Deployment Manager / gcloud CLI commands. For high-severity findings we include direct engineer access via our portal during remediation.

All GCP testers are vetted UK or international engineers. Relevant certifications: CREST CRT and CCT INF, Google Professional Cloud Security Engineer, OSCP. SC-cleared testers available for public-sector engagements.

Yes. Standard NDA before any technical detail is shared. We operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses.

A cloud security posture assessment reviews a cloud environment against a recognised benchmark to find misconfigurations and weak controls. For Google Cloud we use the CIS GCP Foundations Benchmark, then go further than an automated tool by manually exploiting the findings to show real, prioritised risk rather than a raw list.

CSPM, or cloud security posture management, is automated tooling that continuously flags misconfigurations. A GCP security posture review is a point-in-time, CREST-certified human assessment that benchmarks the same controls and then proves which weaknesses an attacker could exploit, with a hardening plan your auditors will accept.