18 checks across the Workspace tenant
An agentless scan reads each connected Google Workspace tenant through a read-only service account and runs 18 checks — flagging weak 2-step verification, over-broad admin access, risky third-party apps, blind spots in the Alert Center, and unmanaged mobile access.
2-Step Verification
Whether 2SV is enforced organization-wide, how many users are still exempt or unenrolled, whether weaker SMS-only methods are allowed, and whether security keys are required for admins.
Super-admin hygiene
The count of super-admins against least-privilege guidance, admins without 2SV, dormant privileged accounts, and delegated admin roles handed broader scopes than the job needs.
Risky OAuth apps
Third-party apps granted broad Gmail, Drive or Directory scopes, unverified publishers, and domain-wide delegation — the OAuth grants attackers use to keep access without a password.
Alert Center & audit
Whether the Alert Center and login, admin and Drive audit logs are on and retained, and whether suspicious-login and data-exfiltration alerts are actually configured to reach someone.
Sharing & external access
Default Drive and Docs external-sharing rules, link-sharing exposure, group access set to public, and legacy less-secure-app or IMAP/POP access left enabled.
Mobile device posture
Whether mobile management is enforced, screen-lock and encryption are required, and unmanaged or compromised devices are allowed to reach Workspace data.