A Cloud Horizons module
Azure guardrail drift, with who signed off.
Daily diff of Azure Policy, exemptions, RBAC, and tags, plus exception records and monthly audit packs.
GDPR · ISO 27001:2022
Guardrails · landing-zone drift and policy, tracked
Capabilities
What lands in the ledger.
- Azure Policy drift: Assisted collectors diff assignments and exemptions against the last baseline so you see what moved, when, and at which scope.
- Exception ledger: Every accepted deviation gets an owner, approver, expiry date, and reason of record — mapped to CIS Azure and ISO 27001:2022 A.8.9.
- Defender for Cloud mapping: Recommendations arrive with the control name they affect, not a raw recommendation ID, plus landing-zone deviation flags.
- RBAC and tag drift: Role assignments and resource-tag changes are compared daily per subscription so access and tagging drift surface in one place.
- Exposure pattern detection: Public IPs, internet-facing storage accounts, and widened Key Vault access are flagged against ISO 27001:2022 A.8.20.
- Monthly audit packs: Signed exports land in Cloudflare R2 with time-limited download URLs — one file for what drifted and who signed off.
In the product
Inside Guardrail Ledger.
Screens from the product — dashboard and sign-in.
How it works.
- Connect your subscriptions: Assisted collector setup grants read access to Azure Policy, exemptions, RBAC, and tags. Nothing is written back to your estate.
- Drift is detected and routed: Each scan compares current state to the last baseline. New deviations and Defender findings map to controls, and the drift digest opens ITSM tickets.
- Exceptions and audit records land: Accepted deviations enter the exception ledger with owner, approver, and expiry. At month end, a signed audit pack is ready for your auditor.
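As an added illustration, not the product's own code, here is the baseline diff and exception-ledger check described in the steps above, in Python: two constructed daily snapshots of RBAC, exemption and tag records are diffed, and each change is marked accepted, expired or open depending on whether a ledger entry with an approver and an unexpired date covers it. All scopes, principals, approvers and dates are hypothetical.

```python
from datetime import date

# Constructed snapshots of one subscription (hypothetical scopes and principals).
# Each record is (kind, scope, subject, value); kind is "rbac", "exemption" or "tag".
BASELINE = {
    ("rbac", "/subscriptions/sub-a", "group:platform-ops", "Contributor"),
    ("rbac", "/subscriptions/sub-a/resourceGroups/rg-data", "sp:etl-job", "Reader"),
    ("exemption", "/subscriptions/sub-a/resourceGroups/rg-legacy", "deny-public-ip", "waiver-2024-07"),
    ("tag", "/subscriptions/sub-a/resourceGroups/rg-data", "owner", "data-team"),
}
CURRENT = {
    ("rbac", "/subscriptions/sub-a", "group:platform-ops", "Contributor"),
    ("rbac", "/subscriptions/sub-a/resourceGroups/rg-data", "sp:etl-job", "Contributor"),  # widened
    ("rbac", "/subscriptions/sub-a", "user:alice@example.com", "Owner"),                     # new
    ("tag", "/subscriptions/sub-a/resourceGroups/rg-data", "owner", "unknown"),              # retagged
}  # the rg-legacy exemption is gone from the current scan
# Constructed exception ledger: one entry per accepted deviation, keyed by (kind, scope, subject).
EXCEPTIONS = [
    {"kind": "rbac", "scope": "/subscriptions/sub-a/resourceGroups/rg-data", "subject": "sp:etl-job",
     "owner": "data-team", "approver": "ciso@example.com", "expires": date(2026, 3, 31), "reason": "migration"},
    {"kind": "rbac", "scope": "/subscriptions/sub-a", "subject": "user:alice@example.com",
     "owner": "platform", "approver": "", "expires": date(2026, 3, 31), "reason": "break-glass"},
    {"kind": "tag", "scope": "/subscriptions/sub-a/resourceGroups/rg-data", "subject": "owner",
     "owner": "data-team", "approver": "ciso@example.com", "expires": date(2025, 1, 1), "reason": "rename"},
]
TODAY = date(2025, 6, 1)  # hypothetical scan date

def diff_snapshots(baseline, current):
    """Return (added, removed) records between two daily snapshots, in stable order."""
    return sorted(current - baseline), sorted(baseline - current)

def exception_status(kind, scope, subject, ledger, today):
    """accepted: approved and unexpired; expired: lapsed; open: unrecorded or never approved."""
    for entry in ledger:
        if (entry["kind"], entry["scope"], entry["subject"]) == (kind, scope, subject):
            if not entry["approver"]:
                return "open"  # recorded but never signed off: still drift
            return "expired" if entry["expires"] < today else "accepted"
    return "open"

def drift_report(baseline, current, ledger, today):
    """Every changed record with its scope and whether the ledger covers it."""
    added, removed = diff_snapshots(baseline, current)
    report = []
    for change, records in (("added", added), ("removed", removed)):
        for kind, scope, subject, value in records:
            status = exception_status(kind, scope, subject, ledger, today)
            report.append({"change": change, "kind": kind, "scope": scope,
                           "subject": subject, "value": value, "status": status})
    return report

if __name__ == "__main__":
    for row in drift_report(BASELINE, CURRENT, EXCEPTIONS, TODAY):
        print(f'{row["status"]:9} {row["change"]:8} {row["kind"]:10} {row["subject"]} @ {row["scope"]}')
```

Only "open" and "expired" rows would need a ticket; the two sp:etl-job rows share one approved exception, since the ledger is keyed by scope and subject rather than by role value.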
Pricing.
Included with Cloud Horizons Growth and Business. Read-only collectors — no per-resource metering.
Guardrail Ledger ships as a Cloud Horizons module — included with Cloud Horizons Growth and Business plans, not sold separately. See Cloud Horizons pricing
Questions.
- Where is collector data stored? Read-only scan results and ledger records are processed in EU regions. Monthly audit packs are written to Cloudflare R2 with signed, time-limited download URLs. Collectors never write back to your Azure subscriptions.
- How does sign-in work? Guardrail Ledger uses Microsoft Entra SSO through Spot Suite OIDC. Your team signs in with a work account and lands in your Customer Environment — no separate username database.
- Which compliance frameworks does it map to? Drift and exceptions are mapped to CIS Azure Foundations, ISO 27001:2022, NIS2 Art. 21, and DORA RTS change-management clauses. Defender recommendations and landing-zone deviations include the control name, not just the Azure resource ID.
- What does the 30-day trial include? Guardrail Ledger is included with Cloud Horizons Growth and Business — the 30-day trial on those plans, no card required, covers drift monitoring, the exception ledger, and monthly audit packs. The Starter plan does not include governance modules.
Start tracking guardrail drift.
Connect your Azure subscriptions, record exceptions with approvers on file, and hand auditors a signed monthly pack.