Sample findings · sanitized examples

What a Switchback review actually finds.

These are real finding patterns from cloud and SaaS reviews, with customer names and specifics removed. The shape of the work, not marketing claims.

Sample dashboard view used as placeholder for live Powerpipe-rendered customer dashboards.

Identity & MFA findings (sample)

Reviewed against the customer's Microsoft 365 or Google Workspace tenant. Read-only access; no changes made.

CRITICAL

Global Admin without MFA

Three tenant Global Admin accounts found without MFA enforced. One had a password last rotated 2.5 years ago.

Fix: Enforce conditional access policy requiring MFA on all admin roles; rotate the stale password.

HIGH

Legacy auth still permitted

Basic authentication (POP/IMAP/SMTP) remained enabled tenant-wide. Six active sign-ins observed via legacy protocols in the last 30 days.

Fix: Block legacy auth via conditional access; migrate the 2 affected service accounts to modern auth.

HIGH

Stale accounts retained access

Eleven user accounts had no sign-in in 180+ days but remained licensed and full members of high-trust groups.

Fix: Disable + audit; transfer mailboxes if needed; reclaim licenses (~$2,800/year saved here).

Public cloud posture (sample)

Read-only IAM role access to the customer's AWS / Azure / GCP accounts. Steampipe + Powerpipe-powered audit.

CRITICAL

Public S3 bucket with PII

One bucket had public-read ACL inherited from a 2022 prototype; contained 14 GB of customer-uploaded PDFs including SSNs and addresses.

Fix: Enable S3 Block Public Access at the account level; remove the bucket ACL; rotate any exposed credentials; review CloudTrail for prior access.

HIGH

Default VPC widely used

Twelve EC2 instances ran in the default VPC with a security group permitting 0.0.0.0/0 on port 22. Three had RDP exposed too.

Fix: Migrate to least-privilege VPC; restrict SSH/RDP to a bastion or VPN CIDR; document approved access patterns.

MEDIUM

Encryption-at-rest gaps

Eight EBS volumes were unencrypted; one RDS instance lacked storage encryption. KMS keys were not consistently rotated.

Fix: Snapshot → re-encrypt → replace volumes; migrate the RDS instance to encrypted storage; enforce default-encrypt at account level.

AI data exposure (sample · new for 2026)

Bedrock, Azure AI Foundry, Vertex AI permissive access patterns. New focus area as customers deploy generative AI workloads.

CRITICAL

Bedrock + public S3 training data

Bedrock fine-tuning job referenced an S3 bucket marked public-read. Model weights now potentially reflect public-data assumptions.

Fix: Audit the bucket access log; remove public ACL; review whether to retrain on a hardened bucket; document AI data classification policy.

HIGH

Azure AI Foundry over-shared

Foundry workspace had "anyone in the tenant" sharing enabled, including model deployment endpoints. Three workspaces affected.

Fix: Restrict workspace to Compute Contributor role; enable model endpoint authentication; review prompt logs for sensitive content.

HIGH

OpenAI key in app config

Production app config table contained a long-lived OpenAI API key in plaintext, accessible to 7 deployment service accounts.

Fix: Rotate the key immediately; move to Azure Key Vault / AWS Secrets Manager; enforce key rotation policy; audit key usage logs.

External exposure (sample)

DNS, TLS, email-auth, and Shodan-visible service review. No credentials required; runs against public-facing surface only.

HIGH

DMARC not enforced

DMARC record set to p=none for 18 months. SPF and DKIM were aligned, but with no enforcement, spoofing email from the domain was trivial.

Fix: Monitor DMARC reports for 14 days; move to p=quarantine; then to p=reject after 60 days of clean reporting.
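
An added example, not part of the original findings or of Switchback's tooling: a Python check that parses a DMARC TXT record and reports whether it is actually enforced, covering the p=none finding above and the quarantine and reject stages of the fix. The sample records and the example.com addresses are constructed, and the pct and sp handling follows the defaults in RFC 7489.

```python
# Added example: audit a DMARC TXT record for enforcement (RFC 7489 tag syntax).
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 must be the first tag."""
    tags = {}
    for pair in (p.strip() for p in txt.split(";")):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def audit_dmarc(txt):
    """Return (status, notes); status is 'enforced', 'partial' or 'not-enforced'."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING | {"none"}:
        return "not-enforced", [f"missing or invalid p= tag: {policy!r}"]
    if policy == "none":
        return "not-enforced", ["p=none only monitors; spoofed mail is still delivered"]
    notes = []
    sub = tags.get("sp", policy).lower()   # sp defaults to the value of p
    pct = int(tags.get("pct", "100"))      # pct defaults to 100
    if sub not in ENFORCING:
        notes.append(f"sp={sub} leaves subdomains unenforced")
    if pct < 100:
        notes.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports to monitor")
    partial = sub not in ENFORCING or pct < 100
    return ("partial" if partial else "enforced"), notes

# Constructed sample records, one per stage of the rollout described in the fix.
SAMPLES = {
    "finding": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "reject": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, audit_dmarc(record))
```
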

MEDIUM

Expired TLS certificate

Subdomain staging.<customer>.com had a TLS certificate that expired 4 months ago; modern browsers reject the connection.

Fix: Renew via ACM or Let's Encrypt; enable auto-renewal; add monitoring for cert expiration.

MEDIUM

Shodan-visible RDP

Two IPs in the customer's allocated range showed Microsoft RDP on port 3389 indexed by Shodan; both lacked Network Level Authentication.

Fix: Restrict RDP to VPN-only access; enable NLA; move to Azure Bastion if no other RDP path needed.

Your stack has its own version of these.

Every cloud and SaaS environment has finding patterns like these. The flagship review surfaces them as a prioritized list your team can actually execute.
