What happens when you engage a managed CSPM service? Here's what the first 90 days typically look like, from initial setup through steady-state operations.
No surprises. No mystery. Just the process.
The value of bringing in an outside team: no politics, no history. We want to understand where things are, where they're headed, and get to the ground truth of what's secure and what needs fixing. Sometimes people get caught up in internal dynamics or the minutiae of legacy decisions. An outside perspective cuts through that.
Week 1: Setup and Integration
The technical onboarding is fast, often done asynchronously within the first day or two.
- Communication channels: We set up a dedicated Slack channel (or Teams for Microsoft shops). Most cloud and DevOps teams live in chat. Async communication works better than scheduled calls for day-to-day questions.
- Scanner integration: Connecting Orca, Wiz, or your existing CSPM to your cloud environment. Connected at the organization level, new accounts are included automatically; or we target specific accounts if you're starting focused.
- Read-only audit role: We deploy our own audit role with read-only access. This lets our automation validate CSPM findings and extend scanning capabilities beyond what the platform does out of the box.
- Initial configuration: SSO setup, MFA enabled, additional users onboarded. Basic housekeeping to ensure secure access.
Total technical setup: typically 15-30 minutes of customer time. The integrations are designed for easy deployment with zero operational impact.
Week 1-2: Scanning and Tuning
Once connected, the scanner needs time to work through your environment. Usually a day or two for a full initial scan.
During this window, we:
- Load tuning profiles: Our pre-built configurations for the CSPM platform. Automations that enable or disable specific rules, plus custom alerts that roll findings up in the way we've found works best for focusing remediation.
- Push custom views: The 25-35 discovery views we've developed for different security domains, covering attack surface visibility, IAM posture, and data storage inventory. These become the lenses you use to see your environment.
- Configure business units: If you have logical groupings by account, team, or product, we set those up for cleaner reporting.
- Apply DSPM policies: Tuned data security scanning that filters the common false positives we see across environments.
- Set up integrations: Slack notifications, webhook connections, API setup for our MCP servers and post-processing analysis.
The scanner runs in the background. Agentless side-scanning means no impact on your production systems. No performance hits, no agent deployment headaches.
Week 2-3: Context Gathering
This is where the real work starts.
We walk through your environment together:
- Architecture review: How do things connect? What systems serve what purposes? If you have architecture diagrams, great. If not, we build them together.
- Business context: What matters most? Which systems are customer-facing? Where does sensitive data live? What's changing? New systems coming online, old ones being retired?
- Crown jewel identification: Where's the data you really can't afford to lose? Which systems generate revenue? What keeps you up at night?
- Process understanding: How do you patch systems? How does IAM work (SSO integration, access request processes)? Who owns what?
This context gathering transforms generic CSPM alerts into useful intelligence. Without it, we're just showing you what the scanner found. With it, we're telling you what actually matters.
Week 2-3: Initial Findings
As we learn the environment, we start finding things.
When we first log into a CSPM that hasn't been actively managed, we typically see hundreds, sometimes thousands, of critical and high-risk alerts. You can't even make sense of it. That's the starting point.
- Critical issues: Anything requiring immediate attention gets flagged right away. Malware, active compromises, severe misconfigurations with real exposure. These don't wait for a monthly report.
- Quick wins: Low-effort, low-risk changes with meaningful security improvement. We'll often identify 5-10 of these that can be addressed in a single call. Many customers knock them out immediately.
- Abandoned infrastructure: Resources that aren't in use anymore. Dev environments that were "temporary." This discovery frequently saves $5-10K per month. Concrete ROI within the first few weeks.
- Junk drawer cleanup: That original cloud account with years of accumulated stuff. We identify what can be decommissioned, what needs migration, what's actually production.
Week 4-8: Systematic Review
Once we understand the environment, we shift to systematic assessment across security domains.
- IAM posture: Who are your admins? Are they supposed to be admins? What access keys exist, and are they rotated? Where are privilege escalation paths?
- Vulnerability management: What are the actual critical and high issues? How do we prioritize given business context? What's the trend over time?
- Data security: Where does sensitive data live? Is it all in expected locations? What needs additional controls?
- Attack surface: What's internet-facing? Is that intentional? What services are exposed that shouldn't be?
For each domain, we build a view with current status, top issues, and links to the relevant data in your CSPM. A way to quickly see where you stand and what needs work.
Week 8-12: Establishing Cadence
By month two and three, we're transitioning from initial assessment to steady-state operations.
- Daily monitoring: Our team sees new alerts as they appear. Triage happens continuously. Critical issues get immediate escalation; routine findings get batched appropriately.
- Monthly reviews: Structured sessions looking at the security posture. Criticals and highs, trend lines, accepted risks, progress on remediation. Credit for what's improving. Honest assessment of what isn't.
- Quarterly OKRs: At the start of each quarter, we propose 2-3 high-level objectives with measurable key results. Specific improvement targets that align with your resources and priorities.
- Accepted risk tracking: Findings that aren't getting fixed. Why not? What's the compensating control? When do we review again? This gets documented and tracked.
What Steady-State Looks Like
Remember those hundreds or thousands of critical and high alerts from the beginning? After 90 days, the picture looks different.
- Critical alerts: Ideally zero. We try to resolve criticals immediately or have clear remediation timelines.
- High-risk alerts: Down to 5-40, depending on your environment. Remaining issues are packaged into projects with specific timelines. "Over the next six weeks, we'll figure out a process to patch and relaunch these containers on modern versions."
You should have a solid plan for remediation and an established timeline within 30 days. Even if you can't fix everything immediately, you know what's being addressed and when.
After 90 days, you also have the following:
- Fully configured CSPM with custom views, tags, and automation
- Daily monitoring and triage by people who know your environment
- Clear visibility into your security posture across domains
- Quarterly improvement plan with measurable goals
- Process for handling new findings (escalation, assignment, tracking)
- Running knowledge base of your infrastructure and business context
From there, it's continuous improvement. Quarter over quarter, the posture gets stronger. Issues get resolved or formally accepted. New capabilities get added. The security program matures.
The Timeline Reality
For straightforward environments, 90 days gets you to steady state.
For complex situations with multiple acquisitions, merged infrastructure, or significant technical debt, the roadmap might extend to 6-12 months for comprehensive hardening.
That's fine. We set realistic expectations based on what we find. The goal is consistent progress, not arbitrary timelines.
The Takeaway
The first 90 days aren't mysterious. Methodical work: integrate, scan, tune, learn context, assess systematically, establish cadence.
What makes it work is dedicated attention from people who look at your environment every day, not just when something escalates. Sometimes you just need someone holding you accountable a little bit, encouraging you, being a sounding board for decisions. That sustained focus and outside perspective is what most organizations struggle to provide internally.
By the end of 90 days, you have visibility and a plan. At 90 days, 180 days, and one year, your cloud security posture is in a radically better position than when you started. Everyone feels good about the progress. That's the goal.
Jon Rose runs IOmergent, advising engineering-led companies on security strategy and managed cloud security operations.