Audit template

infrastructure

Audits how your system is built, shipped, and run — fragile, exposed, or unrecoverable, found and fixed.

Maps to: CIS (Center for Internet Security: consensus hardening benchmarks for systems and cloud) · Well-Architected (AWS Well-Architected Framework: cloud design best practices across reliability, security, cost, and operations) · DORA (DevOps Research and Assessment: the four key software-delivery performance metrics).

Your codebase → specialists, in parallel (IaC, cloud security, IAM, secrets, containers, k8s) → Priority-sorted issues. Each finding is evidence-bound and survives ≥2-of-3 adversarial skeptics.

How this audit works

Twelve specialist passes cover IaC (Infrastructure as Code: provisioning infrastructure from version-controlled definitions) quality and drift, cloud security and network exposure, IAM (Identity and Access Management: the system governing who may do what on which resources), secrets, containers, Kubernetes (an open-source platform that automates deploying, scaling, and running containerized applications), CI/CD, high availability (designing a system to keep running through component failures, with minimal downtime), backup/DR (Disaster Recovery: the plan and tooling to restore systems and data after a major outage), observability, cost, and environment parity. Every finding cites a concrete artifact — IaC file:line, a manifest or pipeline stanza, a CIS or Well-Architected control — and the central question is always: what happens when this fails, and can you recover? P0–P1 findings are then attacked by independent skeptics before they survive into the report.

Use it when

Before a production launch

You are about to put a service on the public internet and need to know what is actually exposed. The audit traces public-exposure paths — security groups open to 0.0.0.0/0 on sensitive ports, public buckets and databases, missing TLS (Transport Layer Security: the protocol that encrypts and authenticates network traffic, the S in HTTPS) or edge protection — and reports each with the exact IaC line and the CIS control it violates.
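As an added example (not code from the audit product described on this page), a minimal Python scanner for the first exposure path above: it walks the inline ingress blocks of a Terraform file and reports any sensitive port open to 0.0.0.0/0 or ::/0, together with the file:line of the offending cidr_blocks entry, which is the evidence form the audit files. The sensitive-port list, file name and sample HCL are constructed for this example, and the scanner is a line-oriented pass rather than a full HCL parser.

```python
import re

# Constructed for this example: ports the audit treats as sensitive when reachable from the internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}
WORLD = {"0.0.0.0/0", "::/0"}

def scan_hcl(path, text):
    """Line-oriented pass over Terraform HCL (not a full parser). Tracks the enclosing resource
    and each inline ingress block; returns (file, line, resource, port, service) for every
    world-open ingress covering a sensitive port, where line is the cidr_blocks entry (file:line evidence)."""
    findings, resource, blk = [], "?", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and indentation
        if m := re.match(r'resource\s+"(\w+)"\s+"(\w+)"', line):
            resource = f"{m[1]}.{m[2]}"
        elif line.startswith("ingress"):
            blk = {"from": None, "to": None, "cidrs": [], "at": n}
        elif blk is not None:
            if m := re.match(r"from_port\s*=\s*(\d+)", line):
                blk["from"] = int(m[1])
            elif m := re.match(r"to_port\s*=\s*(\d+)", line):
                blk["to"] = int(m[1])
            elif m := re.match(r"(?:ipv6_)?cidr_blocks\s*=\s*\[(.*)\]", line):
                blk["cidrs"] += re.findall(r'"([^"]+)"', m[1])
                blk["at"] = n
            elif line == "}":  # end of the ingress block: evaluate it
                lo, hi = blk["from"], (blk["to"] if blk["to"] is not None else blk["from"])
                if lo is not None and WORLD & set(blk["cidrs"]):
                    for port, svc in SENSITIVE_PORTS.items():
                        if lo <= port <= hi or (lo, hi) == (0, 0):  # 0-0 means all ports in AWS SGs
                            findings.append((path, blk["at"], resource, port, svc))
                blk = None
    return findings

# Constructed sample: public HTTPS is expected and not reported; SSH open to the world is the finding.
SAMPLE_TF = '''\
resource "aws_security_group" "web" {
  ingress {
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''
```

`scan_hcl("main.tf", SAMPLE_TF)` returns a single finding, `("main.tf", 10, "aws_security_group.web", 22, "SSH")`, pointing at the cidr_blocks line of the SSH rule; a block with `from_port = 0` and `to_port = 0` open to the world is reported once per sensitive port.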

After a near-miss outage

An incident made you ask whether you could actually rebuild from code and backups. The audit checks for single points of failure (one component whose failure takes down the whole system) on tier-0 paths and whether backups are encrypted and restore-tested — not merely present — surfacing the unrecoverable states and missing DR runbooks (a documented, step-by-step procedure for operating a system or handling a specific incident) before the next failure does.

Hardening the deploy pipeline

Your team ships fast and you suspect the gates are decoration. The audit verifies whether build, test, scan, and approval steps actually block, checks branch protection and pipeline credential scope, and flags injection paths like pull_request_target (a GitHub Actions trigger that runs with repository secrets, risky to expose to untrusted pull requests) — pinpointing where a broken or unscanned build can reach prod.

What you get

A dimension-graded scorecard with a DORA snapshot, a blast-radius map (the set of systems and data affected when one component fails or is compromised), and a priority-sorted backlog of verified findings — each filed as a GitHub issue with evidence, a before/after fix, and a re-audit criterion.