Evidence-based cyber security assessments — no systems accessed, no active scanning. Risk register, Privacy Act compliance review and Board-level reporting delivered within days.
Seeing what’s exposed means nothing without a framework to assess, report and act on it. We do both — most firms do only one.
Using only publicly available data — the same view a threat actor, a regulator or a competitor has — we map what’s visible about your organisation from the outside.
Every finding is rated, owned and mapped — turned into a living risk picture your Board can act on, not a report that goes nowhere.
External intelligence, translated into governance you can act on.
No client names, no logos. Every engagement is treated with the same confidentiality we assess others against — for a firm that evaluates privacy, practising what we preach isn’t optional.
Healthcare, finance, government and retail — listed and private, regulated and emerging. The exposure patterns repeat; only the obligations differ.
Findings delivered under your brand through established law-firm and insurance partnerships — your advisory, our engine.
Our findings speak for themselves. Our clients don’t have to.
Using exclusively passive, publicly available data sources — no systems accessed, no active scanning — we surface what anyone with the right knowledge can already see about your organisation.
All findings mapped to ASD Essential Eight · NIST CSF 2.0 · ISO 27001 · APRA CPS 234 · Privacy Act 1988
Domains, subdomains, exposed services, and infrastructure visible to the public internet — including assets you may not know exist.
The software, platforms, CMS, CRM, and third-party integrations on your public-facing systems — and whether they carry known vulnerabilities.
Whether your domains are protected against phishing and spoofing — missing email security records leave your brand open to impersonation.
The strength of your encryption, certificate validity, cipher suite weaknesses, and whether your systems meet current compliance thresholds.
Whether your organisation's domains appear in known public breach databases — indicating compromised credentials that may still be in active use.
Observable gaps in your privacy policy, data collection practices, and vendor relationships creating regulatory exposure under the Australian Privacy Act.
Structured, evidence-based GRC advisory for organisations operating in complex, regulated environments across Australia and Asia-Pacific. Every engagement is disciplined, documented, and mapped to recognised frameworks.
A comprehensive assessment of your organisation's externally visible security posture — covering attack surface, technology exposure, breach intelligence, and compliance posture.
Enquire →Assessment of your publicly observable compliance with Australian Privacy Principles — covering data collection, third-party disclosure, cross-border data transfer, and privacy policy obligations.
Enquire →Comprehensive assessment covering a parent company and all identified subsidiaries — mapping shared infrastructure risk and group-wide compliance posture across every entity.
Enquire →Passive assessment of the mobile applications your organisation uses — permissions, embedded trackers, cross-border data transfers, and Australian Privacy Act compliance. No systems accessed.
Enquire →All findings consolidated into a structured risk register rated by likelihood and impact, mapped to ASD Essential Eight, NIST CSF, ISO 27001, CIS Controls, and the Australian Privacy Act.
Enquire →Technical findings translated into clear, non-technical language for Board and C-Suite stakeholders — a briefing document that drives informed risk decisions.
Enquire →ASD Essential Eight maturity assessment, gap analysis, and an uplift roadmap. Risk register development and security policy documentation, with embedded GRC support available on-site and remote.
Enquire →A pre-engagement passive OSINT baseline for pentest providers, and post-engagement GRC translation of findings into a Board-ready risk register with framework mapping and executive summary.
Enquire →Evidence-based analysis on the threats, obligations and risks facing Australian organisations right now.
Australia’s national grid now runs through four million internet-connected homes — regulated as consumer gadgets, not critical infrastructure, on a concentrated foreign supply chain. A national-security exposure in plain sight, and what it means for every organisation’s own.
Read Analysis →The Five Eyes warned the gap between a vulnerability and its exploitation is now months, not years — FortiBleed proved it in days. Why point-in-time compliance is failing, what the AI security vendors aren’t watching, and where the major Australian breaches actually enter.
Read Analysis →Australian government grades its own cyber compliance and rarely checks the grade. Where independent auditors have looked — federal and every state — the mandatory rules aren’t being met. The findings, sourced entirely to government.
Read Analysis →BlackFlag Advisory is an independent GRC and OSINT advisory practice in Sydney. Submit your domain and contact details and we’ll discuss scope, approach and next steps — sample assessments available on request.
Enter your primary domain and contact details below. We will reach out to discuss your specific requirements.
All assessment discussions are treated with strict confidentiality. Sample reports are available on request to demonstrate methodology and deliverable quality.