Blog

Critical Path Security is expanding its managed security capabilities to include ScubaGoggles configuration testing for our MSOC and XDR customers.

As organizations continue to rely heavily on cloud collaboration platforms, configuration risk has become one of the most common and most exploitable security gaps. Misconfigurations in SaaS environments routinely undermine otherwise strong endpoint, network, and identity controls. Addressing this risk requires structured, repeatable assessment aligned to authoritative baselines.

ScubaGoggles provides that framework.

What Is ScubaGoggles

Cybersecurity and Infrastructure Security Agency (CISA) developed ScubaGoggles as part of its Secure Cloud Business Applications initiative. The tool is designed to assess Google Workspace tenant configurations against CISA-published secure configuration baselines.

ScubaGoggles evaluates tenant settings, applies policy validation through Open Policy Agent rules, and generates structured reports identifying deviations from recommended security controls.

The result is a repeatable and defensible configuration review aligned to federal guidance and industry best practices.

Why Configuration Assessment Matters

Threat actors increasingly target identity platforms and cloud SaaS applications. In many incidents, compromise occurs not because of a zero-day vulnerability, but because of:

• Excessive administrative privileges

• Weak authentication policy enforcement

• Inadequate logging configurations

• Improper sharing or external access settings

• Disabled security controls

Even mature organizations with active monitoring can carry hidden configuration risk. Detection and response identifies malicious activity. Configuration assessment reduces the probability of successful exploitation in the first place.

By incorporating ScubaGoggles testing into our MSOC and XDR service stack, we are strengthening the preventive side of the security equation.

How Critical Path Security Is Implementing ScubaGoggles

For eligible MSOC and XDR customers, our team will:

1. Perform ScubaGoggles assessments against Google Workspace environments

2. Analyze baseline deviations and control gaps

3. Correlate findings with existing telemetry and detection data

4. Prioritize remediation based on risk, exposure, and business impact

5. Provide structured reporting suitable for leadership and audit review

This integration allows us to move beyond reactive detection and deliver proactive hardening guidance aligned to federal standards.

What Customers Can Expect

Customers who participate in ScubaGoggles testing will receive:

• A documented baseline comparison against CISA guidance

• Clear identification of configuration gaps

• Risk-based remediation recommendations

• Executive-level summary reporting

• Technical remediation guidance for implementation teams

This service enhances governance, supports audit readiness, and reduces exposure to cloud misconfiguration-based attacks.

Strengthening the MSOC and XDR Model

Critical Path Security’s MSOC and XDR programs are designed to provide layered protection across endpoint, identity, network, and cloud environments. Adding structured configuration assessment to this model reinforces the principle that effective security requires both detection capability and hardened foundations.

ScubaGoggles testing is now available for qualifying MSOC and XDR customers. Organizations interested in scheduling an assessment should contact their account representative for planning and onboarding.

Critical Path Security remains committed to delivering practical, defensible, and continuously improving security services for the environments our customers depend on every day.