Watchtower

Compliance system of record for Microsoft 365

Find every gap in Microsoft 365. Prove you closed it.

Watchtower runs 600+ security and compliance checks across every Microsoft 365 tenant, continuously. Every gap is tracked with its severity and how long it has been open, and every fix is written to a signed, tamper-evident record your auditors can verify themselves - hosted in the EU, or self-hosted in your own jurisdiction.

watchtower · posture
scanning · 2 tenants
287open findings
71%M365 benchmark
EVIDENCE SIGNED
SevFindingTenantStatusAge
CRITAdministrative accounts are cloud-onlyNorthwind ProdOpen2d
CRITSign-in risk conditional access policyContoso (Demo)In progress11d
HIGHService account secrets rotated < 90dNorthwind ProdAccepted risk34d
HIGHDMARC publishedNorthwind ProdResolved
HIGHExternal sharing is unrestrictedContoso (Demo)Open5d
HIGHMailbox auditing disabledNorthwind ProdIn progress19d
manifest600+ checks
surfaces
Microsoft 365Entra IDIntuneWindowsmacOSiOSExchange OnlineSharePoint & OneDriveTeamsCopilotDNS
benchmarks
Microsoft 365 benchmarkIntune (Windows 11) benchmarkiOS / macOS benchmarksCISA ScubaGear (partial)Microsoft Zero Trust Assessment (partial)Copilot governanceyour own frameworks
01how it works

Connect your tenants once, and Watchtower keeps the record.

It runs as a continuous cycle, with no agents to deploy and nothing to schedule. Here is what that looks like, end to end.

  1. 01connect

    No agents, no scripts

    Onboard each tenant through admin consent, a certificate, or a secret. Watchtower reads your configuration through Microsoft's own APIs, so there is nothing to install in your environment.

    oauth · cert · secret

  2. 02monitor

    Checked continuously

    600+ checks run against industry security benchmarks and the CISA ScubaGear baseline, across Entra, Intune, Exchange, Teams, SharePoint, Copilot and DNS. New tenants are covered the moment you connect them, and you can add frameworks of your own.

    benchmarks · scubagear (partial) · copilot · custom

  3. 03track

    Findings that persist

    Every misconfiguration carries a severity and an age. Drift shows up on the next sweep, so you can answer how long something has been broken - and restore an Intune setting through a signed, attributed change when you fix it.

    durable · drift · intune restore

  4. 04prove

    Evidence on demand

    Export a signed pack for any tenant. Your auditor verifies the chain offline, without calling back to us.

    ed25519 · offline · no network

02the problem

“How long has this been broken?” should not be a guess.

A point-in-time scan tells you the state of your tenant in the moment it ran. It cannot tell you when a control started failing, whether it has failed before, or that nobody edited the result after the fact. For an audit, an insurance attestation, or a regulator, the moment is not the question. The history is.

  • How long has this setting been non-compliant?
  • Was it ever fixed, and did it regress?
  • Who changed it, and when?
  • Can you prove that record has not been quietly edited?
point-in-time scanone moment
CRITLegacy authentication enabledOpen
First seenunknown
Time openunknown
Last changed byunknown
Historyunknown
A scan tells you it is broken. Not for how long.
03why it holds up

Fast evidence and drift detection are the job. Provability is why you can put your name to it.

evidence

Audit evidence in minutes, not a week

When an auditor, a client, or your board asks you to prove it, export a signed evidence pack instead of assembling screenshots for a week. Every control, dated and attributed, ready to hand over.

signed pack · dated · attributed · export on demand

drift

Catch drift before the auditor does

Watchtower sweeps Intune, Exchange, Teams, SharePoint, Entra, Purview and DNS on a continuous cycle, so a setting that quietly slips out of compliance surfaces in the next sweep, not six months later in front of an auditor.

continuous sweep · change-level diffing

scale

One account, every tenant

Connect every Microsoft 365 tenant you operate under one account, each isolated at the database with Postgres row-level security, not in application code you have to take on faith. Onboard via OAuth admin consent, certificate, or secret.

per-tenant RLS · oauth · cert · secret

proof

Provable, not just plausible

Most dashboards ask you to trust a green checkmark. Watchtower's are independently verifiable: you, your auditor, or your client can confirm the signed chain offline, with no call back to us. A checkmark you can always back up.

offline verifier · ed25519 · no network

Verify a sample pack yourself
04the product

A record of your compliance estate, across every tenant you operate.

Scans produce observations; observations update findings; findings persist across scans and carry their own lifecycle. The question a regulator or auditor actually asks is not “are we compliant today” - it is how long has this been broken?

Illustrative example of the Watchtower dashboard. Not live customer data.Findings · durable · 287 openSCANNING · 2 TENANTS
SeverityFindingTenantStatusAge
CRITAdministrative accounts are cloud-onlyNorthwind ProdOpen2d
CRITSign-in risk conditional access policyContoso (Demo)In progress11d
HIGHService account secrets rotated < 90dSANDBOXNorthwind ProdAccepted risk34d
HIGHDMARC publishedNorthwind ProdResolved
Coverage across frameworks5 active · 600+ checks
Microsoft 365 benchmark94/14864%
Apple iOS 26 benchmark41/5476%
Apple macOS 26 benchmark38/6261%
CISA ScubaGear M36553/8960%
Intune for Windows 11 benchmark57/9361%
Tenantsone account
Northwind Prod
156 findings · 6 crit
71
▲ +3
Contoso (Demo)
131 findings · 6 crit
52
▲ +4
Durable

Findings persist across scans - open, acknowledged, accepted-risk, resolved, muted. Age is a first-class column, not a timestamp you dig for.

Custom = built-in

Build your own frameworks, controls and checks - clone a built-in or start from scratch, scoped to your workspace. Custom checks run in a sandboxed boundary; your content is the same kind of object as ours, in the same table.

Crosswalked

One failing control maps across the industry benchmarks, the ScubaGear baseline and the MITRE ATT&CK crosswalk at once. A new benchmark version is a migration, not a rebuild.

05frameworks

Bring your own frameworks. Not just your own checks.

Frameworks, controls and checks are rows in a database, not code we ship. A new benchmark version is a migration; your auditor's bespoke control is a record; your internal policy is something you author - the same kind of object as our built-in catalog, in the same table.

clone a built-in, or start blank
Take any built-in framework into your workspace and make it yours - add, edit and remove controls, and attach the checks that prove them. Or author a framework from scratch.
yours, and scoped to you
Custom frameworks are private to your workspace and editable; the built-in catalog stays read-only. Every change is permissioned and written to the audit trail.
a catalog that keeps growing
We add and maintain benchmarks over time - industry security benchmarks, the CISA ScubaGear baseline (partial) and Copilot governance today. Most groups start with those and extend from there.
06trust & architecture

Provable history. We name the boundary instead of hiding it.

Every state change lands in a hash-chained, signed, append-only audit trail. Download the evidence pack, run the verifier with no network, and confirm the signature chain yourself. Trust by math, not by our word - and where that boundary ends, we say so precisely.

01
A scan observes

Each observation is collected by a signed scanner and written once. Evidence is append-only - never edited, never overwritten.

02
The chain links it

Every audit event carries sha256 … ← prev. Break one link and the whole chain stops verifying.

03
You verify it offline

Export the evidence pack, run the open verifier on your own machine, confirm the ed25519 signatures. No connection to us required.

04
Write-actions are gated

Restore and template-apply are signed before execution, recorded in the same chain, and gated by an explicit per-tenant opt-in.

evidence-pack · acme-corp · 2026-04-21SIGNED
Append-only audit chain · ed25519
finding.observed15:47 UTC
sha256 9f3a1c2 3a417e2
finding.acknowledged14:03 UTC
sha256 3a417e2 4b112ae
finding.created08:02 UTC
sha256 4b112ae genesis
Chain verified offlineverifier · no network

“The per-tenant opt-in is enforced in Watchtower's own application layer, not by Microsoft - a contractual and operational boundary, not a cryptographic one. We name it rather than disguise it.”

EU sovereign infrastructure

Hosted on Hetzner in Germany. German jurisdiction over the audit records.

One code path

The same engine drives self-host and hosted. No closed-source magic in the audit chain.

Honest about limits

Where a capability can't be made cryptographic, we name the boundary instead of hiding it.

Findings that persist

Open, acknowledged, accepted-as-risk, resolved. A lifecycle that survives across scans, not a snapshot that resets.

07policy simulation
Rolling out

Model the change before you make it.

Before you apply a fix or push a baseline across your estate, Watchtower predicts exactly what it will do - which findings would open or clear, and which users a Conditional Access change would lock out - and emits it as a signed artefact you can hand to a change board or regulator. Not an AI estimate; a deterministic computation you can verify.

Which findings flip
The same engine that runs your scans evaluates a hypothetical change and diffs the predicted result against your current findings - what would clear, what would open.
Who gets locked out
For a Conditional Access change, it simulates which users and devices the new targeting would affect - before anyone loses access.
A pre-approval anyone can verify
The output is a signed, Ed25519 change-impact artefact. Hand it to your change board or your auditor; they confirm it offline. It writes nothing.

Single-tenant modeling is rolling out now. Cross-tenant blast-radius across a fleet is in progress.

What-if · apply “L1 hardening baseline”writes nothing
Findings would clear5
Findings would open2
Users affected3
Signed change-impact artefacted25519 · verify offline
08baselines & drift
Rolling out

Push one baseline across every tenant - and catch it when it drifts.

Define the configuration a tenant should hold, assign it across the estate, and push the settings through the same signed path as restore. From then on Watchtower watches: the moment a setting moves away from the baseline, it surfaces as a tracked finding - with the expected value and the tenant named.

A reusable baseline
Capture the settings a tenant should hold as a baseline, or clone one of ours, and assign it to the tenants that should run it.
Pushed through the signed path
Apply the baseline across assigned tenants through the same gated, signed, attributed write path as restore. Intune-focused today, expanding.
Drift becomes a finding
When a setting moves off the baseline, you see the exact setting, its expected value, and which tenant drifted - tracked, not a surprise.

Drift detection against a baseline is live. Pushing settings is rolling out, Intune-focused; cross-tenant rollout is in progress.

Baseline · L1 hardeningdrift report
Legacy authenticationexpected: Blockeddrifted: AllowedNorthwind Prod
Security defaultsexpected: Enabledin line
Mailbox auditingexpected: Ondrifted: OffContoso (Demo)
Idle session sign-outexpected: 15 minin line
2 settings drifted across 2 tenantsre-apply to fix
09compare

Keep your free scanner. Add the record it cannot keep.

ScubaGear is excellent, free, open-source, and you should run it. It measures your Microsoft 365 baseline at a point in time. Watchtower is not a replacement for that check - it is the system of record and action built on top of it. Here is the honest division of labour.

CapabilityA point-in-time scanScubaGear, Secure ScoreWatchtowersystem of record
Point-in-time posture checkYesYes
Tells you how long a control has been failingNoYes
Findings persist with a lifecycle across scansNoYes
Signed, tamper-evident historyNoYes
Evidence pack you can verify offlineNoYes
RemediationNoIntune only
Many tenants in one placeNoYes

If all you need is a point-in-time score, ScubaGear alone is enough - and we will tell you that. If you need to prove the history to a regulator, an auditor, or your board, that is what we are for. Our ScubaGear coverage is partial, and restore is Intune only - both stated plainly in the product.

10fits your stack

Built to plug into what you already run.

Posture data is only useful where your team already works. Watchtower connects agentlessly and exposes its findings over an API and webhooks. It integrates with your SIEM; it is not one.

agentless
Onboard each tenant through OAuth admin consent, a certificate, or a secret. Watchtower reads your configuration through Microsoft's own APIs - nothing to install in your environment.
rest api
A public REST API over findings, tenants and evidence. Automate onboarding, pull posture into your own reporting, or drive Watchtower from your existing tooling.
webhooks
Subscribe to events like finding.opened and restore.applied and push posture changes straight into your SIEM, ticketing or on-call. No polling.
eventsfinding.opened · restore.applied
01POST /your-endpoint ← webhook
02{
03 "event": "finding.opened",
04 "tenant": "northwind-prod",
05 "severity": "critical",
06 "check": "wt.exo.legacy-auth-blocked"
07}
08 
09GET /api/v1/findings?status=open ← rest api
11plans

Priced per tenant. Honest about the trade-off.

Same engine, same audit chain, whichever way you deploy. The only real choice is where the records live - and we name it plainly. Prices are not published yet; join the waitlist and we will quote per tenant.

Self-hostedTRUST-MAXIMISING
Per tenantcontact us for pricing

Run Watchtower in your own jurisdiction, on your own disks, against your own audit chain. Data sovereignty is structural, not a setting.

  • Your network boundary, your keys
  • Offline evidence verification
  • Community support & release channel
Join the waitlist for pricing
Hosted · EU sovereignMOST CHOSEN
Per tenantcontact us for pricing

Hosted on Hetzner in Germany. Convenience tier - it asks you to trust our infrastructure, and we say so. German jurisdiction over your audit records.

  • Everything in Self-hosted
  • Managed upgrades, backups & scaling
  • German jurisdiction over records
  • Priority support & SLA
Join the waitlist for pricing
Volume / SovereignVOLUME
Custom

One schema serves a large enterprise group or a managed-service practice. One entity or six hundred - volume pricing across everything you operate.

  • Unlimited tenants, one account
  • Per-tenant isolation & scopes
  • Dedicated support
Talk to us
Every plan includes
600+ checksAll built-in benchmarks + ATT&CK crosswalkTamper-evident audit chainUnlimited users & scopesSigned evidence packsGitOps custom checks

Early access for launch partners. No prices published yet, no card required to join the waitlist.

12roadmap

Direction, not dated promises.

Dated roadmaps become commitments customers plan around and vendors quietly miss. This is the trajectory the platform is built to move along - expanded one capability at a time, demand first.

Shipped
  • Tamper-evident audit trail
  • Signed evidence packs
  • Custom frameworks and controls
  • Microsoft Intune restore
  • Copilot governance checks
  • REST API and webhooks
In progress
  • Policy impact simulation (what-if change modeling)
  • SharePoint restore
  • Expanded benchmark and ScubaGear coverage
Planned
  • Restore beyond Intune (Teams, Exchange, Entra ID, Purview)
  • Microsoft Teams and Slack notifications
  • ServiceNow integration
  • Custom checks via GitOps (general availability)
  • Expanded self-host (Sovereign) options
  • Value reporting v2
13questions

The hard questions, answered.

ScubaGear is free. Why pay for this?
Run ScubaGear - we mean it. It is a great free, open-source, point-in-time scan. You pay Watchtower for what a scan cannot give you: a tamper-evident signed history, an answer to "how long has this been broken," findings that persist with a lifecycle, remediation, many tenants in one place, and a record you can keep in your own jurisdiction. If a point-in-time score is all you need, ScubaGear alone is enough.
Is this just another dashboard?
A dashboard asks you to trust a green checkmark. Watchtower's checkmarks are independently verifiable - you, your auditor, or your regulator can confirm the signed chain offline, with no call back to us. It also acts: restore an Intune setting through a signed, attributed path. A dashboard shows; Watchtower records, acts, and proves.
What about Microsoft's all-or-nothing admin consent?
This is the part most vendors leave out, so we lead with it. Microsoft's admin consent is all-or-nothing: the moment you consent, the write scope sits on the service principal whether or not you ever turn a write feature on. We cannot make that capability technically absent, because Microsoft does not offer a consent model that would let us. So the per-tenant opt-in that gates restore is recorded as verifiable state, every exercise is signed into the tamper-evident chain, and we tell you plainly that this boundary is contractual and operational, not cryptographic. We will not disguise a contractual boundary as a technical guarantee.
Is the audit trail tamper-proof?
No, and we will not claim it is. It is tamper-evident: any tampering is provably detectable. Anyone with sufficient database access can destroy data, but no one can alter history undetectably. That is a precise claim, and we state it precisely on purpose.
Can it run on our hardware, in our jurisdiction?
Yes. Self-host (Sovereign) runs Watchtower inside your own network boundary, in your own jurisdiction, with you holding the keys and the audit chain. If you would rather we run it, the EU-sovereign tier is hosted on Hetzner in Germany. Same engine and same trust model under each.
You are early. Are you viable, and can I trust you with this?
We are pre-launch and onboarding launch partners, and we are direct about it. The answer to "can I trust you" is built into the product: self-host so your data never depends on our uptime or jurisdiction, an open offline verifier so you can confirm the record without us, and one code path under self-host and hosted alike. The platform is built so you take as little as possible on faith - including faith in us.

Pre-launch · onboarding launch partners

Compliance you can verify, not just trust.

Join the waitlist for early access. We'll only email you about early access - no spam, no list-sharing.

We'll only email you about early access. No spam, no list-sharing. See our Privacy Policy.

Already have an account? Sign in · Prefer to talk first? Tell us about your environment