Automated SOC 2 / ISO 27001 / CIS / HIPAA readiness — assess your tenant, then remediate in a click.
Sign in with Microsoft 365 or Google Workspace and get an auditor-ready assessment of your identity, admin access, MFA, logging, and data-sharing controls. Then apply guided, safe fixes — on Microsoft, Conditional Access changes start in report-only mode so nothing breaks.
Enterprise-grade security assessment tools designed for compliance teams and auditors
Your Microsoft 365 access tokens never leave your browser. We use delegated authentication—you sign in, we scan, you get results. No persistent access, no security risk.
Download reports in PDF, CSV, JSONL, and SOC 2 JSON. Each finding includes raw evidence from Microsoft Graph / the Google Admin SDK and its SOC 2 / ISO 27001 / CIS / HIPAA mapping — built for auditor verification and security reviews.
No ongoing monitoring, no data retention. Run assessments on-demand when you need them. Perfect for pre-audit preparation, compliance reviews, and security assessments.
Every finding maps to SOC 2, ISO 27001, CIS Microsoft 365, and the HIPAA Security Rule — so you see exactly which controls you meet and where the gaps are, in your auditor's language.
Microsoft 365: 20+ checks across identity, Conditional Access, privileged access, audit logging, devices (Intune), and data sharing. Google Workspace: 2-Step Verification, admin access, audit logs, domains and more — evaluated against Microsoft, Google, and CIS baselines.
The scan is read-only. When you're ready, apply guided remediations with one click — and Conditional Access fixes start in report-only mode, so you review the impact before anything is enforced.
The full source code is public on GitHub. You can read every line of code that touches your data before you run it. No black boxes — exactly what you need for a security tool.
The assessment runs entirely in your browser. Your tenant data is read directly from Microsoft or Google and is never sent to or stored by LockList.
The scan executes as client-side code in your browser and calls your provider's API directly. There is no LockList server in the path reading your tenant.
Your Microsoft / Google access token stays in your browser, is used only to read your settings, and is never transmitted to or stored by us. It expires on its own.
During a scan the only outbound calls are to graph.microsoft.com / admin.googleapis.com and the provider's own login — nowhere else.
We keep no database of scans and no user accounts. Results live only in your browser tab for the session; closing it clears them.
The assessment requests read-only permissions. Any fixes are opt-in and require your explicit approval, and Conditional Access changes start in report-only mode.
No analytics SDK, no tracking, no usage collection. See our Privacy Policy for the full detail.
Every finding is tagged to SOC 2, ISO 27001, the CIS Microsoft 365 / Google Workspace Benchmarks, and the HIPAA Security Rule — in the app and in every report.
SOC 2: Trust Services Criteria — CC6 access, CC7 monitoring, CC8 change management.
ISO 27001: Annex A controls for access, authentication, logging, and monitoring.
CIS: CIS Microsoft 365 & Google Workspace Foundations Benchmarks.
HIPAA Security Rule: Technical & administrative safeguards (45 CFR 164.312 / 164.308).
Delegated, read-only access via Microsoft Graph and the Google Workspace Admin SDK — the scan runs in your browser, not on our servers.
The assessment uses delegated, read-only permissions (admin consent required). Write access is requested only if you choose to apply a fix — one fix at a time, never application-level.
Sign in with Microsoft 365 or Google Workspace, get auditor-ready results in minutes — then fix what's wrong.
No download required. Sign in with Microsoft 365 or Google Workspace and the assessment runs entirely in your browser — your tenant data is read directly from Microsoft/Google and never sent to our servers.
Prefer a desktop app? Install LockList straight from your browser — it opens in its own window with a dock/taskbar icon, like a native app. No app store, no code signing, no separate download.
The assessment is free. Unlock the full multi-format report (PDF, CSV, JSONL, SOC 2 JSON) and guided auto-fix with a one-time payment.