Mobile Device Management (MDM) Assessment

Security assessments with remediation designed for humans.

Break the cycle of repetitive security assessments, where the same issues are raised on every test, and walk the DevSecOps walk with our Full Stop Remediation™ training. Give your infrastructure team the skills to put security at the heart of their operations.

Service Context

In today’s interconnected world, mobile devices have become an integral part of our daily lives, both personally and professionally. With the rise of remote work and the increased use of mobile devices in business operations, organisations must ensure the security of their mobile device environment. Our Mobile Device Management (MDM) Assessment service is designed to address this very need.

Key Benefits

  • Tailored Threat-Led Approach: Our MDM Assessment goes beyond generic assessments and compliance standards. We take a bespoke approach, focusing on your unique requirements and real-world threats. By understanding your specific challenges, we provide an evaluation that addresses your distinct needs, ensuring your mobile security measures are aligned with the actual risks you face.
  • Enhanced Security: Our MDM Assessment comprehensively evaluates your mobile device management infrastructure, ensuring robust security measures are in place. We assess its effectiveness in identifying and mitigating risks such as malware, phishing attacks, and network vulnerabilities.
  • Regulatory Compliance: Tailored to your organisation’s specific needs, our MDM Assessment considers industry regulations, helping you meet compliance standards and maintain a secure operating environment.

Why Cyber Alchemy?

Beyond Compliance: Our Mobile Device Management assessment service goes beyond automated assessment against best practice benchmarks. While best practice benchmarks provide a useful framework for the assessment, a bespoke approach considers your organisation’s specific needs and use cases. This approach can identify specific risks and provides more actionable recommendations, allowing critical issues to be prioritised, ultimately reducing the risk of security incidents and data breaches.

Actionable Recommendations: Our MDM Assessment doesn’t end with the evaluation; we provide you with actionable recommendations to improve your MDM implementation. Our focus is on helping you enhance the security, compliance, and overall management of your mobile devices effectively.

Expert Consultants: All of Cyber Alchemy’s consultants are CREST or Cyber Scheme registered, assuring their expertise throughout the engagement and ensuring the correct approach is taken to robustly test your MDM system.

What is an MDM Assessment?

Our Mobile Device Management (MDM) Assessment service provides a comprehensive evaluation of your organisation’s mobile device management practices. Our team of experts thoroughly assesses your existing MDM infrastructure, policies, and procedures to identify potential vulnerabilities and weaknesses. We then provide detailed recommendations to strengthen your mobile security framework.

Why do I need an MDM Assessment?

Mobile devices have become a prime target for cyber attackers due to their widespread use and the sensitive information they often hold. A single compromised device can lead to significant data breaches, financial losses, and reputational damage for businesses. By investing in our Mobile Device Management (MDM) Assessment service, clients can proactively identify and mitigate security risks, ensuring the protection of their sensitive data and safeguarding their reputation.

Our Approach

The first stage of the engagement will define what needs to be tested, understand what the testing needs to achieve and why the testing is being conducted. Our diligent scoping process balances the breadth and depth of testing, providing robust assurance without unnecessary scope creep. We ensure the correct systems will be tested with an appropriate approach based on the context of the systems and organisation.

The outputs of this stage will be:

  • A meeting to establish the context and functionality of the MDM system.
  • A technical document outlining the scope of work to be signed off by both parties.
  • A proposal outlining the scope of works, delivery timelines, and commercials.

Our CREST and Cyber Scheme certified consultants use their expertise and the latest hacking tools to hunt for vulnerabilities. Industry-leading tools assist our consultants in applying their knowledge to assess your assets holistically. Once discovered, a robust vulnerability validation process ensures that only real threats are reported, saving your valuable resources to remediate what matters. Finally, where required and safe to do so, our consultants will determine an appropriate strategy to exploit the vulnerability, proving that an issue is present. All exploitation steps and any custom code will be provided along with the report, empowering administrators to quickly and effectively remediate the issue.

“Detailed and digestible” describes the outputs of every Cyber Alchemy engagement. Typically, this will be a documented report with a follow-up meeting to discuss the assessment and the vulnerabilities found, ensuring every stakeholder understands the risks and the next steps to reduce those risks.

The report contains the scope, technical approach, executive summaries, dynamic risk visualisations, prioritised vulnerabilities based on likelihood vs impact, and bespoke mitigation advice for each finding. Each report has three distinct sections dedicated to board, management, and technical personnel. Report clarity ensures understanding and enables informed decisions. Every Cyber Alchemy report will include the following:

  • Background: An overview of the assessment’s general purpose, scope, methodology, and timing.
  • Management Summary: A detailed but digestible summary of the results, such as key critical findings requiring immediate attention, system or recurring issues, and other general findings. This could also include strategic recommendations, offering long-term remediation actions to ensure ongoing risk reduction.
  • Technical Details: Comprehensive vulnerability results, including a description of the vulnerability observed, the impact, evidence of where the vulnerability was observed, step-by-step demonstrations of exploits performed which give teams the ability to internally verify the issues, and detailed remediation recommendations which give developers the steps to address every reported issue.
  • Methodology: A detailed recap of what was tested, the methodologies used, and the related historical information required for audiences such as auditors to understand the specifics of the test approach.
  • Attack Surface Analysis: Additional content and guidance, such as recommended post-assessment activities that provide added value to the audience of the report.

After every engagement, we offer a focused meeting to discuss the testing and outcomes. This allows system administrators and risk owners to ask specific questions to our expert consultants, ensuring all parties understand the context of the vulnerabilities, root cause and the real-world likelihood and impact of successful exploitation in the context of the organisation. The potential mitigation steps will be discussed, allowing for the implementation of robust measures and the possible effort to be understood.

We don’t believe that report delivery marks the end of the engagement; in fact, it’s just the beginning for us. We’re in every client relationship for the long haul, providing ongoing support to ensure that issues are robustly addressed in line with your organisation’s requirements.

We recognise that remediation of all issues doesn’t just happen overnight, and our technical team will be happy to answer any questions while remediation is happening over the following months. We find this approach allows for better integration of security into development and helps reduce the number of issues we see when retesting.


A technical contact (somebody who knows the ins and outs of what’s being tested) and 30 minutes to an hour. Our technical team will arrange a call, and then we can discuss all of the aspects of the assessment.

Specifically, for your MDM system, that question will be answered at the end of a scoping call with our technical team. The test duration depends on various factors, such as the number of policies and device types in scope. Generally speaking, depending on the project size and requirements, it can range from a few days to a few weeks.

It depends. The cost of an assessment can vary based on factors such as the size and complexity of the MDM configuration, device types and the number of policies. After the scoping call, our consultants will be able to provide a detailed quote which outlines what we will do and what the outputs of that work will be.

We don’t just wine, dine and dash. We’re in every client relationship for the long term. Like most providers, after the penetration testing is complete, you will receive a detailed report outlining the vulnerabilities identified, their severity levels, and recommendations for remediation. Where we differ is in the post-test support. We recommend to all clients that debrief meetings are scheduled after the assessment is completed, allowing for discussions around real-world risk, prioritisation and the best way to approach specific remediation actions. We recognise that remediation of all issues doesn’t just happen overnight, and our technical team will be happy to answer any questions while remediation is happening over the following months. This approach allows operation teams to address issues while keeping their business moving forward.

Of course, what good is a security assessment if the issues aren’t addressed?! Our team will be here to support remediation efforts for months after the end of the assessment. Our recommended post-engagement debrief calls and detailed reports provide all the information that is often required to remediate all issues, but if we can be of any more use, then we will be on hand to help.

We understand that timescales can sometimes be tight, and things need to get done. In these cases, we will attempt to accommodate all requests from our clients. If we don’t have the capacity, we will know a trusted partner who can. Typically, however, we ask for a lead time of at least two weeks. For people who book far in advance, we can often offer reduced rates as our thank you for being super prepared.

The frequency of MDM assessments depends on various factors, including the criticality of the systems involved and the organisation’s risk appetite. As a general rule, conducting the assessment at least once a year or whenever significant changes are made to the systems is recommended.

Our objective is not to cause any disruption to systems during testing, but that doesn’t mean that problems can’t (and don’t) occur. Given the nature of testing involved during an MDM assessment, there is a very low likelihood of any services being impacted.