Cavaridge Academy
Setting Up Posture Scans
Module 1 of 5

AEGIS architecture

How AEGIS scans, what it scores, and what an "Adjusted Score" actually means.

Video — pending production
Read the transcript below. Once recording is complete, the video will replace this notice.
---
title: AEGIS architecture
status: draft
note: AI-generated first-pass transcript pending video production + SME review.
---

Cavaridge AEGIS is the security-posture surface for MSPs running multi-tenant client environments. Before you connect a single client, get the architecture into your head.

## What AEGIS scans

AEGIS pulls signals from four classes of source:

1. **SaaS providers.** Microsoft 365, Google Workspace, Okta, AWS, GCP, the major MSP-relevant SaaS apps. Read-only, minimum-privilege.
2. **Endpoint agents.** Where the MSP has rolled out an EDR/MDM stack, AEGIS reads health + posture status, never command-and-control.
3. **The MSP's PSA / RMM.** ConnectWise Manage, HaloPSA, Atera, Syncro, NinjaOne. Tickets, asset inventory, change history.
4. **Browser telemetry.** When the optional browser extension is deployed, you get phishing alerts, risky-extension flags, weak-password reuse warnings.

Every source is **read-only**. AEGIS does not push changes. AEGIS does not respond to incidents. AEGIS observes, scores, and reports.

## What it scores

The AEGIS score is a 0–100 composite across 12 control families mapped to NIST CSF + relevant compliance frameworks.

The 12 families include identity, endpoint, network, data, vulnerability, third-party risk, incident response, training, business continuity, governance, application security, and physical/operational.

Each family has weighted sub-checks. The weighting is published — the math isn't a black box.

## Raw vs Adjusted

This is the most important concept in the path:

- **Raw Score** = what the connectors observed.
- **Adjusted Score** = Raw + verified compensating controls.

A compensating control gets credit when:

1. The customer attests it's in place,
2. The platform verifies via evidence (a config snapshot, a log excerpt, a screenshot with metadata), AND
3. A qualified MSP tech or admin signs the attestation.

No evidence + signature = no Adjusted Score boost. The auditor will agree.

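
The three-condition gate on compensating-control credit, sketched as an added Python example. This is not AEGIS code or Cavaridge's published weighting: the role names, family weights, scores, credit values and the cap at 100 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed role names; the module says only "a qualified MSP tech or admin".
QUALIFIED_ROLES = {"msp_tech", "msp_admin"}

@dataclass
class CompensatingControl:
    family: str                 # control family the credit applies to
    credit: int                 # constructed point value, not a published weight
    customer_attested: bool     # condition 1
    evidence_verified: bool     # condition 2
    signer_role: Optional[str]  # condition 3: None means unsigned

    def missing(self):
        """Names of the conditions this control fails; empty means creditable."""
        checks = [("attestation", self.customer_attested),
                  ("evidence", self.evidence_verified),
                  ("signature", self.signer_role in QUALIFIED_ROLES)]
        return [name for name, ok in checks if not ok]

def composite(family_scores, weights):
    """Weighted 0-100 composite over the families present."""
    total = sum(weights[f] for f in family_scores)
    return sum(family_scores[f] * weights[f] for f in family_scores) / total

def score(raw_family, weights, controls):
    """Return (raw, adjusted, rejected) where rejected maps family -> gaps."""
    adjusted_family = dict(raw_family)
    rejected = {}
    for c in controls:
        gaps = c.missing()
        if gaps:
            rejected[c.family] = gaps   # no credit, and record why
        else:
            # Cap at 100 so credit never exceeds the scale (assumption).
            adjusted_family[c.family] = min(100, adjusted_family[c.family] + c.credit)
    return composite(raw_family, weights), composite(adjusted_family, weights), rejected

# Constructed sample: three of the twelve families, made-up weights and scores.
WEIGHTS = {"identity": 2, "endpoint": 1, "network": 1}
RAW = {"identity": 60, "endpoint": 80, "network": 70}
CONTROLS = [
    CompensatingControl("identity", 20, True, True, "msp_admin"),   # all three met
    CompensatingControl("network", 15, True, True, None),           # unsigned
    CompensatingControl("endpoint", 30, True, False, "msp_tech"),   # no evidence
]

if __name__ == "__main__":
    raw, adjusted, rejected = score(RAW, WEIGHTS, CONTROLS)
    print(f"raw={raw} adjusted={adjusted} rejected={rejected}")
```

Only the identity control moves the composite; the unsigned and unevidenced controls are listed with the condition they fail, so the gap is visible rather than silently dropped.
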
## What AEGIS will never do

- Score a finding higher than the evidence supports.
- Apply compensating control credit without a signed attestation.
- Auto-remediate without operator action.
- Send a finding to a customer without your review on first delivery.

These are bright lines. They protect your trust and theirs.

## Pulse events

The events you'll see most often:

- `scan_started` / `scan_completed` — bookend every scan.
- `finding_created` — new posture issue identified.
- `score_changed` — Raw or Adjusted Score moved.
- `risk_flagged` — high-severity finding awaiting triage.
- `evidence_collected` — a control attestation gathered evidence.
- `framework_attestation_signed` — a qualified human accepted.

These appear in your Pulse feed and your client's read-only feed.

## What's next

Module 2 walks you through connecting the M365, PSA, and EDR stacks in the sandbox. You'll see honest "data not collected" surfaces when a connector fails — that's the design, not the bug.

Knowledge check

  1. Question 1 · select one
    AEGIS scans run against
  2. Question 2 · select one
    The Adjusted Score is the Raw Score
  3. Question 3 · select all that apply
    Which of these are AEGIS-domain Pulse events?