
Kubernetes Security Audit

CIS benchmark review, RBAC and network policy hardening, severity-rated findings, with hands-on remediation as a time-boxed follow-on.

Engagement: Fixed-scope engagement
Timeline: 1–2 weeks
Format: Remote · written report

Who this is for

Teams about to take production Kubernetes traffic handling PII, or post-incident wanting an independent review. Covers AKS, EKS, GKE, and other managed providers.

What's included

  • CIS Kubernetes Benchmark (full)
  • RBAC audit
  • Network policy review
  • Sealed-secrets and external-secrets review
  • Ingress and TLS review
  • Pod Security Standards
  • Resource quotas and LimitRanges
  • Node hardening notes where provider access allows
  • Runtime security (Falco, CrowdStrike) if deployed

How this engagement runs

Every step is scoped before the engagement starts. Nothing happens that wasn't agreed in the scoping call.

Steps

  1. Scoping call

     30 minutes to confirm the cluster shape, the access path, and what's in scope. No charge.

  2. Access

     Read-only access via your preferred path: jump host, bastion, or temporary service account. NDA on request.

  3. Audit

     CIS benchmark, RBAC, network policy, secrets, ingress, and runtime checks against the agreed scope.

  4. Report

     Severity-rated findings written so engineers can act on them and a CTO can read the summary without a walkthrough.

  5. Walkthrough

     45-minute live session to pressure-test findings, prioritize fixes, and agree the next steps.

What you'll have at the end

Written artifacts you can hand to your team or board.

  • Written report with severity-rated findings

  • Recommended manifest changes

  • 45-minute walkthrough

Out of scope: GDPR compliance certification, data protection impact assessments (DPIA), processor agreements, penetration testing — happy to refer.

FAQ

What does the fixed fee cover?

Pricing shared on the scoping call. Fixed fee covers one cluster or one logical environment. Multi-cluster audits are scoped separately.

Do you need cluster admin access?

Read access to the cluster is enough for most of the audit. Specific checks (node hardening, runtime agents) need more, and are clearly flagged ahead of time.

Do you sign an NDA?

Yes, happy to sign yours, or send ours. All engagements include a confidentiality clause by default.

Can you audit a private cluster?

Yes. Access via jump host, bastion, or temporary service account works — whatever fits your existing access pattern.

Will the report be readable by non-engineers?

Yes. Findings are severity-rated and written so a CTO or head of security can read the summary without needing a walkthrough.

Can you remediate the findings?

Yes, as a time-boxed follow-on phase: manifest changes, RBAC tightening, network policy rollout, runtime agent deployment. All hands-on, billed at a fixed monthly rate, with a defined end date.

Most engagements start with a 30-minute scoping call. Pick a slot that works.