AGENCY White-Label Delivery  ·  280+ Checks  ·  100% Margin

280+ AWS & M365 Security Checks.
Runs in Your Environment.

Generate fully branded 280+ point SOC 2, HIPAA, GDPR, and NIS2 reports in minutes. Zero coding. Resell them to your clients at 100% margin.

View Sample Report · Request a License
Read-only access · Zero agents installed · 24-hour delivery · Self-hosted Docker
leapscan — scanning account 123456***012 · eu-west-1
$ leapscan start --account 123456***012 --checks 280+

[001/280+] Root Account MFA & Keys... ⚠ CRITICAL — Root has no MFA
[009/280+] IAM Old Access Keys (>90d)... ⚠ CRITICAL — Key age: 1,423 days
[019/280+] S3 Account Public Block... ✓ PASS
[047/280+] Lambda Environment Secrets... ⚠ CRITICAL — Hardcoded Stripe key
[089/280+] GuardDuty Threat Detection... △ HIGH — Not enabled in 4 regions
[134/280+] GDPR: S3 Lifecycle Policies... △ HIGH — 8 buckets, no expiry rule
[220/280+] M365: Legacy Auth Protocols... ⚠ CRITICAL — Basic auth enabled
[264/280+] NIS2: Vulnerability Management... △ HIGH — Inspector v2 not enabled


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SECURITY SCORE: 54/100 [CRITICAL RISK]
Critical: 11 High: 24 Medium: 18 Passed: 136
Report: aws_security_report_20260402.html → delivering to inbox
$
280+ Checks Per Scan
7 Compliance Frameworks
14 Avg. Critical Findings
$2.1k Avg. Monthly Savings Found

Compliance Coverage
7 frameworks. 100% automated coverage.

Every check maps to a specific control ID in your target compliance framework — giving auditors exactly the evidence they need.

CIS AWS Foundations v3.0 · Industry Baseline
Universal baseline: every AWS account. 62 controls · 100% automated.
SOC 2 Type II · Enterprise Sales
SaaS companies handling customer data. 28 controls · 100% automated.
ISO 27001:2022 · Global Standard
Enterprises, EU-facing companies. 42 controls · 100% automated.
PCI-DSS v4.0 · Mandatory for Card Data
FinTech, e-commerce, payments. 36 controls · 100% automated.
HIPAA Security Rule · PHI Protection
Healthcare, digital health startups. 31 controls · 100% automated.
GDPR (EU) 2016/679 · Data Privacy
Any company with EU customers. 29 controls · 100% automated.
NIS2 Directive (EU) 2022/2555 · ✨ Newly Added
Essential & important entities in the EU. 17 controls · 100% automated.

Automated vs. Manual Controls. Each framework also contains process and policy controls — staff training records, privacy notices, DPIAs, vendor contracts — that cannot be verified via AWS API. LeapScan documents these in a "Company Responsibility" checklist in your report so your team knows exactly what manual evidence to prepare for auditors. See full control matrix →

What We Audit
280+ checks across 16 categories.

Every category is covered. Every critical service. All regions scanned simultaneously.

IAM & Access Control · 11 checks
Root MFA, old access keys, admin users, wildcard policies, cross-account roles, inactive credentials.
S3 Storage Security · 11 checks
Public access blocks, bucket policy exposure, encryption, versioning, logging, SSL enforcement, lifecycle rules.
EC2 & Network · 13 checks
Open SSH/RDP, IMDSv2 enforcement, public snapshots, VPC flow logs, NACLs, AMI exposure, SSM coverage.
Logging & Monitoring · 11 checks
CloudTrail multi-region, GuardDuty, Security Hub, Config recording, 8 CloudWatch metric alarms per CIS.
Database Security · 10 checks
RDS public access, encryption, backups, deletion protection, DynamoDB PITR, ElastiCache, Redshift.
Encryption & Keys · 10 checks
EBS encryption defaults, KMS rotation, ACM expiry, SNS/SQS/EFS encryption, Secrets Manager rotation.
Lambda & Serverless · 8 checks
Admin roles, deprecated runtimes, public access, hardcoded secrets, DLQ, concurrency limits, API Gateway WAF.
Cost & Waste Detection · 18 checks
Idle EC2/RDS, unattached EBS, orphaned snapshots, unused EIPs, NAT gateways, gp2→gp3 migration, Savings Plans.
Containers & EKS · 7 checks
ECR scan-on-push, public repos, ECS root user, host networking, EKS public endpoint, K8s version, logging.
CDN & Edge · 7 checks
CloudFront HTTPS, WAF association, modern TLS, Route53 query logging, DNSSEC, domain privacy.
Multi-Region Coverage · 4 checks
Scans all enabled regions for open SGs, IMDSv2, public RDS, and GuardDuty gaps — threats hide in unused regions.
AI & Bedrock Security · 6 checks
Bedrock invocation logging, Guardrails, Knowledge Base encryption, VPC endpoint for private AI traffic.
Advanced Authentication · 6 checks
Cognito MFA, WAF, weak passwords, deletion protection, unauthenticated identities, session token expiry.
CI/CD Pipeline · 5 checks
CodeBuild plaintext secrets, S3/CloudWatch log encryption, public project visibility, privileged mode.
Native Security Ops · 8 checks
Macie PII discovery, Inspector v2 EC2/ECR scanning, VPC endpoints for S3/DynamoDB/SecretsManager.
GDPR Controls · 8 checks · ✨ New
S3 lifecycle policies, object-level logging, data residency checks, Config recording, storage expiry rules.
Microsoft 365 · 10 checks · ✨ New
MFA enforcement, admin roles, Conditional Access, guest access, legacy auth, OAuth apps, external sharing, forwarding rules, mailbox audit, Safe Links & Attachments.
View all 280+ checks with compliance mapping →

Frictionless Delivery
Your Logo. Your Margins. Our Engine.

Stop wasting expensive engineering hours wrestling with open-source tools or parsing raw JSON data. LeapScan delivers executive-ready presentations tailored for your clients.

01 · Connect
Your client deploys a 60-second, read-only CloudFormation template. No agents, no credentials.
  aws cloudformation deploy --template-file leapscan-role.yaml
02 · Brand
Provide your agency logo, custom color scheme, and client details.
  Uploading agency_logo.png... Configured.
03 · Deliver
Receive a premium, 280+ point compliance PDF within 24 hours, ready to slide across the boardroom table.
  Report delivered → client_security_report.pdf

Read-Only IAM Role: uses the AWS-managed SecurityAudit policy. We cannot modify, delete, or write anything in your account.
Zero AWS Cost Impact: all checks use free read-only API calls. No EC2 agents, no Lambda invocations billed to you.
Self-Hosted Docker: runs entirely in your environment as a Docker container. Your scan data never leaves your infrastructure.

The Margin Multiplier
We Build Your Remediation Pipeline.

LeapScan does not just find technical vulnerabilities; it hands you a roadmap to sell high-value consulting hours.

Enterprise Compliance Mapping
Every automated finding maps directly to CIS, SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR, and NIS2 controls.
The Liability Shield
We explicitly document 40 manual organizational controls (e.g., GDPR accountability) that cannot be automated. This protects your agency from legal blowback while teeing up lucrative policy-creation contracts for your team.
Copy-Paste Fixes
Your engineers receive the exact AWS CLI commands to remediate technical failures instantly.

Your Revenue Math
One Scan. Massive Margin.
Your Cost: $49 per scan ($149 ÷ 3)
You Charge: $2,500 (market rate $1.5k–$5k)
Your Margin: $2,451 (98% gross margin)
3 audits per month = $7,353+ in new monthly revenue from a single $149 bundle.

Partner Results
What agencies are achieving.

On our first client scan, LeapScan flagged 11 critical findings including a 2-year-old contractor key with S3 admin access. That single white-labeled report closed a $4,500 remediation contract for our team the same week.

Alex T., Managing Director · IT Consulting Agency · 22 Clients

We white-labeled LeapScan and offered compliance audits to our existing client base. 3 clients signed up in the first month — $7,500 in new revenue from a $149 investment. The branded PDF looks like we built the platform ourselves.

Priya M., Founder · Cloud MSP · 35+ AWS Accounts

A client needed SOC 2 evidence fast. We delivered LeapScan's 280+ point report mapped to CC6–CC9 trust criteria under our brand. Their auditor accepted it as baseline evidence on first submission. We now offer this to every client.

Daniel K., VP of Services · DevOps Consulting Agency

LeapScan found $4,200/month in AWS waste across a client's idle RDS instances and unattached EBS volumes. The cost savings alone justified our consulting fee, and we locked in a 12-month managed security retainer off the back of it.

Sophie R., Partner · AWS Consulting Firm

Sample Reports
See exactly what you get.
SaaS Startup Audit
A 3-year-old containerised environment with S3 exposure, IAM sprawl, and Lambda secrets. View Sample →
Enterprise Cost Review
Large AWS account with $4,200/month in wasted EBS volumes, idle RDS, and unused EIPs. View Sample →
Critical Breach Posture
Environment failing CIS Foundations benchmarks with unrotated root keys and open security groups. View Sample →

Subscription Tiers
Choose the right plan for your team.

All plans include the self-hosted Docker container. License invoiced monthly or annually as agreed.

Starter
£200 / month
1 organisation · 3 AWS accounts
  • AWS security scanning (280+ checks)
  • 7 compliance frameworks
  • HTML & PDF reports
  • Copy-paste CLI remediation
  • Self-hosted Docker deployment
  • Email support
Request License
Enterprise
£1,500 / month
Unlimited orgs & accounts
  • All Professional features
  • White-label + custom branding
  • REST API access
  • SSO / SAML integration
  • Dedicated support SLA
  • Custom compliance frameworks
Request License
Not sure which tier fits?
Our team will help you find the right plan. Get in touch and we'll respond within 24 hours.
Request a License
Common Questions
Everything you need to know.
How does the trial license work?
We run the complete, 280+ point enterprise audit on your agency's internal AWS infrastructure at no cost. No credit card. No commitment. It lets you hold the exact executive PDF report in your hands and validate our engine's capabilities before you offer it to your clients.
How safe is giving you read-only access?
Extremely safe. We use the AWS-managed SecurityAudit policy — a well-known, widely-trusted read-only policy. We cannot modify resources, delete data, or see encrypted content. You control the CloudFormation stack and can delete it instantly, revoking all access.
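As an added illustration of the mechanism this answer and the Connect step describe (not LeapScan's own leapscan-role.yaml, whose contents are not on this page), here is a minimal CloudFormation template for a read-only cross-account role: it attaches only the AWS-managed SecurityAudit policy, restricts who may assume it, and is revoked by deleting the stack. The scanner account ID and the ExternalId are placeholders.

```yaml
# Added example, not LeapScan's own leapscan-role.yaml: a minimal read-only
# cross-account audit role of the kind the Connect step and this FAQ describe.
# Assumptions: the scanner assumes the role from account 111111111111
# (placeholder) and presents the ExternalId below.
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only security audit role (illustrative, not vendor-supplied)

Parameters:
  ScannerAccountId:
    Type: String
    Description: Account that runs the scanner (placeholder default)
    Default: "111111111111"
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    NoEcho: true
    MinLength: 16
    Description: Secret the scanner must present when assuming the role

Resources:
  AuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecurityAuditReadOnly
      MaxSessionDuration: 3600
      # Trust policy: only the scanner account, and only with the agreed
      # ExternalId, may assume this role (confused-deputy mitigation).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Permissions: the AWS-managed SecurityAudit policy grants list/describe/get
      # on configuration metadata only; it contains no write actions.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit

Outputs:
  AuditRoleArn:
    Description: Hand this ARN to the scanner; deleting the stack revokes access.
    Value: !GetAtt AuditRole.Arn
```

Because the template names the role, `aws cloudformation deploy` needs `--stack-name` and `--capabilities CAPABILITY_NAMED_IAM` in addition to `--template-file`, with the ExternalId passed via `--parameter-overrides`. Review the SecurityAudit policy document in IAM before deploying so the client sees exactly which read actions are granted.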
How does the compliance mapping work?
Every one of our 280+ checks is mapped to specific control IDs in CIS, SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR, and NIS2. When a check passes, it counts as evidence for that control. Your report shows a compliance posture card per framework — exactly what auditors need to see.
Will my clients ever know LeapScan is running the audit?
No. We are a 100% invisible backend engine. Your clients will never see our logo, receive emails from our domain, or be prompted to create a LeapScan account. The CloudFormation template and the final PDF are completely white-labeled under your agency's brand.
How does the white-label branding actually work?
When you run a scan, you simply pass your agency's name, your client's name and your logo URL into the engine. The resulting PDF is dynamically generated to look like a bespoke document created entirely by your internal consulting team.
What if I need to scan more accounts than my tier allows?
The $299/mo tier covers the vast majority of mid-sized IT agencies. If you are an enterprise MSP managing 50+ AWS environments, reach out to us at support@leaptrix.com. We can spin up a dedicated, high-volume Enterprise instance with custom volume pricing.
Do you store my clients' AWS data or source code?
Never. Our engine only reads metadata (e.g., "Is port 22 open?" or "Is bucket X encrypted?"). We never have access to the data inside your S3 buckets, RDS databases, or application code. Because LeapScan runs entirely within your own Docker environment, all findings and report data remain on your infrastructure. We do not store your scan data.
Does the GDPR scan guarantee GDPR compliance?
No automated tool can guarantee GDPR compliance — that's an important limitation to understand. LeapScan covers all automatable technical controls (Art.5, Art.25, Art.32, Art.33, data residency). However, GDPR also requires organisational controls like privacy notices, DPIAs, DPO appointment, and staff training — these are documented as "Company Responsibility" items in your report with a checklist for auditors.
What does the NIS2 framework check cover?
Our NIS2 module maps AWS infrastructure findings to the binding cybersecurity obligations in NIS2 Directive (EU) 2022/2555 Art.21. This includes: incident handling readiness (Art.21(2)(b)) via EventBridge rules, business continuity & backup coverage (Art.21(2)(c)), supply chain security via ECR Enhanced Scanning (Art.21(2)(d)), vulnerability management via Inspector v2 (Art.21(2)(e)), effectiveness evaluation via Security Hub standards (Art.21(2)(f)), cryptographic policy via KMS key rotation (Art.21(2)(h)), network security via WAF & Shield (Art.21(2)(a)), and MFA enforcement (Art.21(2)(j)). NIS2 applies to essential and important entities operating in the EU — non-compliance can result in fines up to €10M or 2% of global annual turnover.
Does the scan add any cost to my AWS bill?
Zero. All 280+ checks use free read-only AWS APIs — DescribeInstances, ListBuckets, GetBucketEncryption, etc. We never spawn EC2 instances, invoke Lambda functions, or write data. Your AWS bill will not change by a single cent.
What's included in the 30-minute findings review?
For Agency Starter customers, we include an async or live session where we walk through your top 5 critical findings, explain the business risk in plain English, and guide you through the CLI remediation commands. Most customers resolve their top issues within 48 hours of the review.

Run Security Checks in Your Environment.

Run a complete, read-only baseline scan on your agency's internal infrastructure for free. See the exact 280+ point PDF you will be handing to your clients.

Request a License · View Sample Report →

Self-hosted Docker · AWS & M365 · 280+ checks · 24h onboarding