Startup readiness review
Company Ready readiness report.
Evidence-led assessment for the Day Zero to Company Ready gate, based on source records, observations, registers and agentic review loops.
Decision
Conditional
Client: Example SaaS company
Review type: Illustrative sample
Stage gate
01
Company Ready
02
POC
03
Pilot
04
Pre-Production
05
Production
06
Scale
Executive summary
The assessed company has enough recorded facts to make the assessment meaningful and move the Company Ready gate to a conditional recommendation. The evidence repository, governance source records and prerequisite observations are strong enough to support a real stage decision.
The remaining work is now carried as explicit conditions: privileged-access evidence, email authentication monitoring, hosting ownership, TLS alerting and policy approval before the next gate is treated as clear.
Overview
Confidence describes how complete and current the evidence is. Medium confidence means the assessment has enough evidence to support a decision, while still depending on limitations, assumptions or missing operating proof. Risk severity describes the consequence of the remaining gaps if the company proceeds before those conditions are closed.
Recommendation
Conditional
Readiness score
74%
Risk severity
Medium
Confidence
Medium
Evidence summaries
Identity and Entra
Identity observation summary
Evidence
Adequate
Score
3 / 5
Impact
ConditionalTenant, domain and privileged-account facts are reviewable. The remaining conditions are operational safeguards around privileged access, break-glass use and monitoring.
- Tenant and verified domains are visible.
- Privileged users and emergency access accounts are identified.
- Conditional Access, MFA posture and break-glass recovery evidence need completion.
- PIM, risky-user and sign-in risk evidence remain licensing-limited.
Email DNS
Email DNS observation summary
Evidence
Adequate
Score
3 / 5
Impact
ConditionalThe approved sender inventory and public DNS facts are good enough to define the next actions. Email authentication should remain conditional until SPF, DKIM alignment and DMARC monitoring are verified.
- Google Workspace and SendGrid are recorded as approved senders.
- Google MX and SendGrid CNAME records are visible in public DNS.
- Root SPF and DMARC are not yet published.
- Delivered-message authentication evidence is still required.
Domain and Corporate Presence
Core operating facts
Evidence
Adequate
Score
3 / 5
Impact
ConditionalThe company domain, DNS owner and public endpoint are known. The remaining work is to make public presence operations reviewable: hosting, publishing access, contact route ownership and TLS renewal alerting.
- Primary domain, registrar and DNS host are recorded.
- Public website and TLS certificate facts are available.
- Hosting and publication route need owner evidence.
- TLS renewal automation and alerting need recording.
Governance and Registers
Governance registers
Evidence
Adequate
Score
3 / 5
Impact
PassedThe governance baseline is usable for this gate. Source records, controlled assets, risk register and policy register exist and can be reviewed by later loops.
- Controlled asset register exists.
- Risk register exists.
- Policy register exists.
- Draft policy approval remains a next-step action rather than a gate blocker.
Task list
| Task | Priority | Owner | Evidence | Done when |
|---|---|---|---|---|
| Complete privileged-access evidence | High | Technology owner | Identity observation summary | MFA or Conditional Access posture, break-glass custody, alerting and recovery-test evidence are recorded. |
| Complete email authentication | High | Domain owner | Email DNS observation summary | SPF, DKIM alignment, DMARC monitoring and delivered-message checks are evidenced. |
| Record public presence operations | High | Service owner | Core operating facts | Hosting, publishing access, contact ownership, TLS renewal and expiry alerting are recorded. |
| Approve bootstrap governance records | Medium | Governance owner | Policy register | Bootstrap policies have approval evidence and next review dates. |
Appendix
Evidence index.
The report can be generated from the current assessment, observation summaries, source records and registers. The output keeps source paths visible without making the reader inspect every underlying table.