What the First 90 Days of Managed CSPM Look Like
What happens when you engage a managed CSPM service? Here’s what the first 90 days typically look like: from initial setup all the way through steady-state operations.
The value of bringing in an outside team: no politics, no history. We want to understand where things are, where they’re headed, and get to the ground truth of what’s secure and what needs fixing. Sometimes people get caught up in internal dynamics or the minutiae of legacy decisions, and an outside perspective can cut through that.
Week 1: Setup and Integration
The technical onboarding is fast, often done asynchronously within the first day or two.
Communication channels: We set up a dedicated Slack channel (or Teams for Microsoft shops). Most cloud and DevOps teams live in chat. Async communication works better than scheduled calls for day-to-day questions.
Scanner integration: We plug your cloud environment into Orca, Wiz, or whatever scanner you’ve standardized on. New accounts get swept in automatically, or we can start with a tight set of accounts if you want a phased rollout.
Read-only audit role: We deploy our own audit role with read-only access. This lets our automation validate CSPM findings and extend scanning capabilities beyond what the platform does out of the box.
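Before granting any outside party a cross-account role, two properties are worth verifying mechanically rather than by eye: the trust policy must require an external ID (so a different customer of the same provider cannot have the role assumed on their behalf), and the attached permissions must be genuinely read-only. The script below is an added example, not IOmergent's or any CSPM vendor's tooling; the provider account ID, external ID and both policies are constructed placeholders, and the read-only verb list is a deliberately simple heuristic you would extend for your own allow-list.

```python
"""Check a cross-account audit role's policies before deployment (added example)."""

# Constructed trust policy. 111111111111 is a placeholder for the provider's account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }
    ],
}

# Constructed permissions policy. The second statement is an intentional
# slip (a write action) so the checker has something to report.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                       "s3:GetBucketPolicy", "s3:ListAllMyBuckets"],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": ["s3:PutBucketPolicy"], "Resource": "*"},
    ],
}

# Action verbs treated as read-only. Anything else, and any wildcard verb, is flagged.
READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List", "Lookup", "Simulate")


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def non_read_only_actions(policy):
    """Return Allow-ed actions whose verb is not read-only (or is a wildcard)."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions: never read-only.
            flagged.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if not verb or verb == "*" or not verb.startswith(READ_ONLY_VERB_PREFIXES):
                flagged.append(action)
    return flagged


def requires_external_id(trust_policy):
    """True only if every Allow statement in the trust policy is gated on sts:ExternalId."""
    statements = [s for s in trust_policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not statements:
        return False
    for stmt in statements:
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            return False
    return True


if __name__ == "__main__":
    print("ExternalId enforced:", requires_external_id(TRUST_POLICY))
    print("Non-read-only actions:", non_read_only_actions(PERMISSIONS_POLICY))
```

Run against the sample policies, the checker accepts the trust policy and reports `s3:PutBucketPolicy` as the one action that should not be in an audit role. In practice you would feed it the JSON returned for the role you are about to create and gate deployment on an empty result.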
Initial configuration: We get SSO set up, MFA enabled, and additional users onboarded. This is the basic housekeeping that ensures secure access to the platform.
Total technical setup: typically 15-30 minutes. The integrations are designed for easy deployment with zero operational impact.
Week 1-2: Scanning and Tuning
Once connected, the scanner needs time to work through your environment. Usually a day or two is required for a full initial scan.
During this window, we:
- Load tuning profiles: Our pre-built configurations for the CSPM platform: automations that enable or disable specific rules, and custom alerts that roll things up the way we’ve found works best for remediation focus.
- Push custom views: The 35 discovery views we’ve developed for different security domains covering attack surface visibility, IAM posture, vulnerability management, sensitive data, data storage inventory, and more. These become the lenses you use to see your environment.
- Configure business units: If you have logical groupings by account, team, or product, we set those up for cleaner reporting.
- Apply DSPM policies: Tuned data security scanning that filters the common false positives we see across environments.
- Set up integrations: Slack notifications, webhook connections, API setup for our MCP servers and post-processing analysis.
The scanner runs in the background. Agentless side-scanning means no impact on your production systems, so there are no performance hits or agent-deployment headaches.
Week 2-3: Context Gathering
This is where the real work starts. We walk through your environment together:
- Architecture review: How do things connect? What systems serve what purposes? If you have architecture diagrams, great. If not, we take the time to build them together.
- Business context: What matters most? Which systems are customer-facing? Where does sensitive data live? What’s changing? New systems coming online, old ones being retired?
- Crown jewel identification: Where’s the data you really can’t afford to lose? Which systems generate revenue? What keeps you up at night?
- Process understanding: How do you patch systems? How does IAM work (SSO integration, access request processes)? Who owns what?
This context-gathering transforms generic CSPM alerts into actionable intelligence. Without it, we’re just showing you what the scanner found. With it, we’re telling you what actually matters.
Week 2-3: Initial Findings
As we learn about the environment, we start finding things...
When we first log into a CSPM that hasn’t been actively managed, we typically see hundreds, sometimes thousands, of critical and high-risk alerts. You can’t even make sense of it due to all the noise. That’s the starting point.
- Critical issues: Anything requiring immediate attention gets flagged right away. Malware, active compromises, and severe misconfigurations with real exposure.
- Quick wins: Low-effort, low-risk changes that deliver meaningful security improvements. We’ll often identify 5-10 of these that can be addressed in a single call. Many customers knock them out immediately.
- Abandoned infrastructure: Resources that aren’t in use anymore. Dev environments that were “temporary.” This discovery frequently saves $5-10K per month. Concrete ROI within the first few weeks.
- Junk drawer cleanup: That original cloud account with years of accumulated stuff. We identify what can be decommissioned, what needs migration, and what’s actually in production.
Week 4-8: Systematic Review
Once we understand the environment, we shift to systematic assessment across security domains.
- IAM posture: Who are your admins? Are they supposed to be admins? What access keys exist, and are they rotated? Where are the privilege escalation paths?
- Vulnerability management: What are the actual critical and high issues? How do we prioritize given business context? What’s the trend over time?
- Data security: Where does sensitive data live? Is it all in expected locations? What needs additional controls?
- Attack surface: What’s internet-facing? Is that intentional? What services are exposed that shouldn’t be?
For each domain, we build a view that shows the current status, top issues, and links to the relevant data in your CSPM. This is a way to quickly see where you stand and what needs work.
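Two of the IAM posture questions above, whether access keys are rotated and whether console users have MFA, can be answered directly from the AWS IAM credential report, which exports one CSV row per user. The script below is an added example, not IOmergent's or any CSPM vendor's code. It parses the report's real column layout, but the report content itself is a constructed sample, and the clock is pinned to a fixed date so the results are reproducible; the 90-day rotation threshold is an assumed policy value.

```python
"""Triage an AWS IAM credential report for unrotated keys and missing MFA (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report CSV layout. Only the columns used
# below are included; the real export has more (password rotation, cert fields, ...).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T09:00:00+00:00,not_supported,2024-11-02T08:15:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-10T12:00:00+00:00,true,2024-11-20T07:40:00+00:00,true,true,2024-10-01T00:00:00+00:00,2024-11-19T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-01-05T12:00:00+00:00,true,2024-11-18T07:40:00+00:00,false,true,2022-02-14T00:00:00+00:00,2024-11-18T10:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-08-20T12:00:00+00:00,false,N/A,false,true,2023-01-01T00:00:00+00:00,N/A,true,2024-09-01T00:00:00+00:00,2024-11-20T02:00:00+00:00
"""

NOW = datetime(2024, 11, 21, tzinfo=timezone.utc)  # fixed clock for reproducible output
MAX_KEY_AGE = timedelta(days=90)                    # assumed rotation policy


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def triage_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, issue, key_slot) tuples; key_slot is None for user-level issues."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access without a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", None))
        # Each user can hold two access keys; inspect only the active ones.
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > max_key_age:
                findings.append((user, "stale_key", slot))
            if last_used is None:
                # Active but never used: a prime decommissioning candidate.
                findings.append((user, "unused_key", slot))
    return findings


if __name__ == "__main__":
    for user, issue, slot in triage_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}" + (f" (access key {slot})" if slot else ""))
```

On the sample, `alice` is clean, `bob` has console access without MFA and a key that has not been rotated since 2022, and the `ci-deploy` service user carries an old key that has never been used alongside its current one. In a real engagement you would generate the report with the IAM credential-report API or console export and feed the CSV text to `triage_credential_report`.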
Week 8-12: Establishing Cadence
By months two and three, we’re transitioning from initial assessment to steady-state operations.
- Daily monitoring: Our team sees new alerts as they appear and continues to monitor them. Critical issues are escalated immediately; routine findings are batched appropriately.
- Monthly reviews: Structured sessions looking at the security posture. Criticals and highs, trend lines, accepted risks, progress on remediation. We give credit for what’s improving, and an honest assessment of what isn’t.
- Quarterly OKRs: At the start of each quarter, we propose 2-3 high-level objectives with measurable key results. These are improvement targets that align with your resources and priorities.
- Accepted risk tracking: Findings that aren’t getting fixed. Why not? What’s the compensating control? When do we review again? This gets documented and tracked.
What Steady-State Looks Like
Remember those hundreds or thousands of critical and high alerts from the beginning? After 90 days, the picture looks different.
- Critical alerts: The ideal number is zero. We try to resolve criticals immediately or have clear remediation timelines.
- High-risk alerts: Down to a handful, depending on your environment. Remaining issues are packaged into projects with specific timelines. “Over the next six weeks, we’ll figure out a process to patch and relaunch these containers on modern versions.”
You should have a solid remediation plan and an established timeline within 30 days. Even if you can’t fix everything immediately, you know what’s being addressed and when.
After 90 days, you also have the following.
- Fully configured CSPM with custom views, tags, and automation
- Daily monitoring and triage by people who know your environment
- Clear visibility into your security posture across domains
- Quarterly improvement plan with measurable goals
- Process for handling new findings (escalation, assignment, tracking)
- Running knowledge base of your infrastructure and business context
From there, it’s continuous improvement. Quarter over quarter, the posture gets stronger. Issues get resolved or formally accepted. New capabilities get added. The security program matures.
The Timeline Reality
For straightforward environments, 90 days gets you to steady state.
For complex situations with multiple acquisitions, merged infrastructure, or significant technical debt, the roadmap might extend to 6-12 months for comprehensive hardening.
That’s fine; we set realistic expectations based on what we find. Our goal is consistent progress, not arbitrary timelines.
The Takeaway
The first 90 days aren’t mysterious. It’s methodical work: integrate, scan, tune, learn context, assess systematically, establish cadence.
What makes it work is dedicated attention from people who look at your environment every day, not just when something escalates. Sometimes you just need someone to hold you accountable a little bit, encourage you, and be a sounding board for your decisions. That sustained focus and outside perspective is what most organizations struggle to provide internally.
By the end of 90 days, you have visibility and a plan. After 90 days, 180 days, or one year, your cloud security posture is in a radically better position than when you started. Everyone feels good about the progress. That’s the goal.