Features
Microsoft signals turned into compliance evidence.
Read-only collectors, pre-mapped frameworks, and a hashed ledger — built for EU mid-market firms on Microsoft 365 and Azure.
-
Read-only Microsoft collectors
Assisted collectors for Microsoft Graph, Entra, Intune, Defender for Cloud, Azure Policy, and the Activity Log. They read your tenant — no remediation runs, no write-back.
-
Pre-mapped control libraries
One Defender for Cloud or Azure Policy signal lands against every NIS2, DORA, ISO 27001:2022 Annex A, and CIS v8 control it satisfies. Collected once, answered four times.
-
SHA-256 append-only ledger
Every record is hashed and appended, and each entry's hash also covers the hash of the entry before it, so entries are added, never edited in place, and an edit or deletion anywhere shows up in every hash that follows. The chain is tamper-evident and maps to ISO 27001:2022 A.8.15 (Logging).
-
Exception register
Record controls you cannot meet yet, each with an owner, an expiry date, and the reason on record. Expired exceptions surface instead of aging out, so NIS2 Art. 21(2)(a) risk acceptance stays on file.
-
Control drift digest
A recurring digest of what failed, what changed since the last run, and who owns it. MFA coverage drops and Conditional Access edits show up with an owner attached.
-
Audit pack export
Export by framework, business unit, or audit period. The pack carries the underlying Microsoft records and the control mapping together — NIS2 Art. 21(4) audit records.
-
Auditor read-only role
Give your auditor a scoped read-only role with exports instead of a shared admin login. They verify the ledger without touching your Microsoft tenant.
-
Entra SSO and role-based access
Sign-in runs through Spot Suite OIDC via Microsoft Entra ID. Your existing Entra groups map to admin, operator, and auditor roles — no separate password directory.
-
Per-business-unit packs
Scope audit packs and drift digests by business unit so each division gets its own evidence set. Business plan includes unlimited per-unit exports.
How it works.
-
Connect with read-only consent
Grant the collectors read scopes on your Microsoft tenant. The first run reads Graph, Entra, Intune, Defender for Cloud, Azure Policy, and the Activity Log and pins each result to a point in time.
-
Map once, reuse across frameworks
Each signal lands against the pre-mapped NIS2, DORA, ISO 27001:2022, and CIS v8 libraries. Controls you cannot meet yet go in the exception register; everything else is hashed into the append-only ledger.
-
Export the pack your auditor asked for
Pick a framework, a business unit, or an audit period and export. The drift digest keeps you current between exports, and the auditor read-only role lets them verify the ledger without touching your tenant.
Start recording Microsoft control evidence.
Connect your tenant with read-only consent and export your first audit pack in under a day.