This guide introduces what Beacon does, the handful of concepts you need to know, and the quickest ways to begin, whether that is a hands-on demo or connecting your first client account across Azure, AWS, or GCP.
Beacon is a hosted compliance platform for Managed Service Providers who manage Microsoft Azure, Amazon Web Services, and Google Cloud for their clients. You connect each client cloud account once, and Beacon continuously scans it for security and compliance gaps, then presents the results as a single, always-current view across every account you manage.
Each account is scanned every 6 hours using a read-only connection, so there is nothing to install in client environments and nothing to babysit. For Azure and Microsoft 365, Beacon's checks span identity and Conditional Access, network security groups, Key Vault, storage, Microsoft Defender for Cloud, end-of-life operating systems, Intune, Microsoft 365 (Exchange, SharePoint, Teams), and Azure DevOps and GitHub. For AWS, checks span IAM, S3, networking, encryption, logging, GuardDuty, and tagging; for Google Cloud, IAM, logging and monitoring, networking, compute, storage, databases, KMS, and Security Command Center.
The checks map to controls drawn from the CIS Microsoft 365 Benchmark, CIS AWS Foundations, CIS Google Cloud Foundations, NIST CSF, and ISO 27001:2022, so the compliance posture you report to clients is grounded in standards they and their auditors already recognise.
A few terms appear throughout the product. Understanding these is enough to get started.
A client is one of the organisations you manage. Each client is linked to a cloud account, which Beacon reaches through one read-only connection: an Azure App Registration, an AWS cross-account IAM role, or a GCP scanner service account. One client maps to one cloud account.
A scan is one pass of the full check suite against a tenant. Beacon runs scans automatically every 6 hours and reconciles the results across cycles, so a single ongoing issue does not generate duplicate alerts.
Each check is a single, named test of one aspect of posture, such as legacy authentication being disabled or storage accounts being private. Every check is tied to the benchmark controls it supports.
When a check fails for a tenant, Beacon raises a finding with its severity and guided remediation steps. Findings can be acknowledged, assigned, or suppressed, and feed each client's compliance score.
Each client has a compliance score summarising how many checks pass. Scores update in real time as findings are resolved, giving you and your clients an at-a-glance health measure per tenant.
Engineers belong to teams, and teams are granted access to specific clients. Role-based access control keeps each MSP's data isolated and ensures engineers only see the clients they are assigned to.
There are two ways to start: explore the live demo with no commitment, or create an account and connect your first cloud account.
The fastest way to see Beacon is the read-only demo. It is pre-loaded with sample MSP clients and real findings, and needs no sign-up. Use demo code BEACON-DEMO on the home page.
When you are ready, choose a plan and create your MSP organisation. Plans scale with the number of client cloud accounts you manage across Azure, AWS & GCP, and you can cancel anytime. Talk to us first if you would like a walkthrough.
Set up one read-only connection per cloud and the first scan begins automatically. For Azure, create an App Registration with Graph and Azure Resource Manager reader permissions; for AWS, see the AWS setup guide; for GCP, see the GCP setup guide.
Beacon only ever requests read-only access on every cloud. It never asks for write, Contributor, or Owner roles, so it can read posture but cannot change anything in a client environment. Any credential you provide is encrypted before it is stored.
For the full detail on the exact permissions, encryption, and audit logging, see the security and trust page.
Once you are signed in, the in-product help centre covers each workflow step by step, including connecting cloud accounts, managing clients, configuring teams and roles, setting up webhooks, and using the API. Until then, these public pages, including the AWS and GCP setup guides, help you evaluate the fit.