Evidence-based cyber security assessments — no systems accessed, no active scanning. Risk register, Privacy Act compliance review and Board-level reporting delivered within days.
Using exclusively passive, publicly available data sources — no systems accessed, no active scanning — we surface what anyone with the right knowledge can already see about your organisation.
Domains, subdomains, exposed services, and infrastructure visible to the public internet — including assets you may not know exist.
The software, platforms, CMS, CRM, and third-party integrations on your public-facing systems — and whether they carry known vulnerabilities.
Whether your domains are protected against phishing and spoofing: missing or permissive SPF, DKIM and DMARC records leave your brand open to impersonation.
The TLS configuration of your public-facing services: protocol versions, cipher suite weaknesses, certificate validity and expiry, and whether they meet current compliance thresholds.
Whether your organisation's domains appear in known public breach databases — indicating compromised credentials that may still be in active use.
Observable gaps in your privacy policy, data collection practices, and vendor relationships creating regulatory exposure under the Australian Privacy Act.
Every engagement begins with your domain. What follows is a structured, evidence-based assessment that gives you a clear picture of your risk posture.
Enter your primary domain and contact details. We identify all associated entities, subdomains, and publicly visible infrastructure before we begin.
Our structured, 5-phase passive assessment framework is applied across your entire external footprint. Every finding is evidenced, sourced, and mapped to a recognised framework control.
A structured professional report — risk register, framework mapping, and a Board-level executive summary — that tells you exactly what was found and what to do about it.
Structured, evidence-based GRC advisory for organisations operating in complex, regulated environments across Australia and Asia-Pacific. Every engagement is disciplined, documented, and mapped to recognised frameworks.
A comprehensive assessment of your organisation's externally visible security posture — covering attack surface, technology exposure, breach intelligence, and compliance posture.
All findings consolidated into a structured risk register rated by likelihood and impact, mapped to ASD Essential Eight, NIST CSF, ISO 27001, CIS Controls, and the Australian Privacy Act.
Technical findings translated into clear, non-technical language for Board and C-Suite stakeholders — a briefing document that drives informed risk decisions.
Comprehensive assessment covering a parent company and all identified subsidiaries — mapping shared infrastructure risk and group-wide compliance posture across every entity.
Assessment of your publicly observable compliance with Australian Privacy Principles — covering data collection, third-party disclosure, cross-border data transfer, and privacy policy obligations.
Your confirmed technology stack cross-referenced against current threat advisories and known exploited vulnerabilities — surfacing active threats in your specific environment.
Passive assessment of the mobile applications your organisation uses — permissions, embedded trackers, cross-border data transfers, and Australian Privacy Act compliance. No systems accessed.
Every assessment follows the same disciplined process. No shortcuts. No guesswork. Every finding is evidenced and mapped to a recognised framework control.
Corporate entity mapping, subsidiary identification, domain and subdomain enumeration, and email security record analysis across all associated entities.
Passive infrastructure review, certificate analysis, SSL/TLS configuration audit, and technology stack fingerprinting across all public-facing systems.
Domain breach exposure analysis, indexed sensitive content discovery, historical footprint review, and credential exposure assessment.
Privacy policy assessment against Australian Privacy Principles, current threat advisory cross-referencing, and third-party vendor risk identification.
Risk register population, framework mapping, remediation roadmap development, and Board-level executive summary production.
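As an added illustration of the email security record analysis in the first phase above (this is example code written for this page, not BlackFlag Advisory's assessment tooling), the following Python evaluates a domain's SPF and DMARC records and turns the result into risk-register-style findings rated by what a spoofed message could achieve. The TXT records for monitoring-only.example and unprotected.example are constructed for the example; a real passive assessment would obtain them from a DNS resolver rather than from an inline dictionary.

```python
import re

# Constructed sample DNS TXT records for two fictional domains.
# In a real passive assessment these come from resolver queries for
# <domain> and _dmarc.<domain>; nothing here is looked up live.
SAMPLE_ZONES = {
    "monitoring-only.example": {
        "monitoring-only.example": ["v=spf1 include:_spf.mailer.example ~all"],
        "_dmarc.monitoring-only.example": [
            "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example"
        ],
    },
    "unprotected.example": {
        # A site-verification token only: no SPF, no DMARC.
        "unprotected.example": ["some-site-verification=abc123"],
    },
}


def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism: '+', '-', '~' or '?'.

    Returns None when the record has no 'all' mechanism (RFC 7208 then
    evaluates unlisted senders as neutral). A bare 'all' means '+all'.
    """
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?=\s|$)", spf, re.IGNORECASE)
    if m is None:
        return None
    return m.group(1) or "+"


def dmarc_tags(txt_records):
    """Parse the first v=DMARC1 record into a lower-cased tag dict; None if absent."""
    for record in txt_records:
        if record.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_email_security(domain, zone):
    """Return (control, severity, evidence) findings for one domain.

    High where any sender can pass or nothing is enforced, Medium where a
    record exists but is not enforced, Low for partial enforcement, Info
    for reporting gaps.
    """
    findings = []

    spf_records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append(("SPF", "High", "no v=spf1 record; any host can claim to send for this domain"))
    elif len(spf_records) > 1:
        # RFC 7208 s3.2: more than one SPF record is a permerror, i.e. effectively no SPF.
        findings.append(("SPF", "High", "multiple v=spf1 records; receivers treat this as permerror"))
    else:
        qualifier = spf_all_qualifier(spf_records[0])
        if qualifier == "+":
            findings.append(("SPF", "High", "SPF ends in +all; every sender passes"))
        elif qualifier is None or qualifier == "?":
            findings.append(("SPF", "Medium", "unlisted senders evaluate neutral; SPF rejects nothing"))
        elif qualifier == "~":
            findings.append(("SPF", "Low", "SPF uses ~all (softfail); adequate only with DMARC enforcement"))
        # '-all' produces no finding.

    dmarc = dmarc_tags(zone.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append(("DMARC", "High", "no DMARC record; spoofed mail is neither rejected nor reported"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(("DMARC", "Medium", "DMARC p=none: monitoring only, no enforcement"))
        elif policy == "quarantine":
            findings.append(("DMARC", "Low", "DMARC p=quarantine: spoofed mail is flagged, not rejected"))
        elif policy != "reject":
            findings.append(("DMARC", "High", f"DMARC policy tag missing or invalid (p={policy!r})"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("DMARC", "Low", f"DMARC pct={pct}: policy applied to a sample of mail only"))
        if "rua" not in dmarc:
            findings.append(("DMARC", "Info", "no rua= address; aggregate reports are not being collected"))

    return findings


if __name__ == "__main__":
    for name, zone in SAMPLE_ZONES.items():
        for control, severity, evidence in assess_email_security(name, zone):
            print(f"{name}: [{severity}] {control}: {evidence}")
```

The severities are deliberately tied to outcome rather than to the mere presence of a record: a domain with SPF ~all and DMARC p=none has both records published, yet a spoofed message is still delivered, so it is rated alongside domains that publish nothing at the enforcement level. DKIM is not checked here because selector names are not discoverable without knowledge of the sender's configuration, which is exactly the kind of gap a passive assessment has to state rather than guess.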
Every framework carries distinct obligations for Australian organisations. Click to understand what each one requires of your business.
Evidence-based analysis on the threats, obligations and risks facing Australian organisations right now.
CVE-2026-43284 and CVE-2026-43500 give any attacker with local Linux access complete root control in a single command. Nine years of kernels affected. Active exploitation confirmed by Microsoft. What your organisation must do now.
ShinyHunters exfiltrated 3.65TB from Instructure through an open registration form. Queensland’s QLearn platform — every state school student since 2020 — is caught up in it. Five controls that should have been in place before 29 April 2026.
A 3am Google Maps traffic jam predicted Russia's invasion of Ukraine. FlightRadar24 exposed America's Iran buildup. The same tools are mapping your business right now.
Your organisation does not choose whether to have a digital footprint. This infographic maps exactly what is visible, where it comes from, and how exposed it makes you.
High maturity scores create a false sense of security. Legacy vulnerabilities sit in public indexes. Attackers don't care what your vendor scored.
Vendors rate themselves. Auditors assess what they're shown. Attackers look at what's actually exposed. Here's the gap that's costing Australian organisations.
Your clients need GRC advisory. You don’t provide it — and you shouldn’t have to. BlackFlag Advisory works behind you, alongside you, or under your brand. Three models. No conflict.
Your client is facing a Privacy Act inquiry, a procurement question, or a Board request they can’t answer. You refer. We assess. You receive a referral fee and your client gets a result. No overlap with your services.
Pre-binding GRC posture assessment for cyber policy applicants. Passive, evidence-based, no systems accessed. Gives underwriters a credible independent view of risk before they price or decline.
Your clients trust you with their infrastructure. They also need Board-level GRC reporting they can take to directors and regulators. We produce it. You deliver it. No client confusion.
Super funds and other APRA-regulated entities carry APRA CPS 234 obligations, which reach the third parties that manage their information assets; AFSL holders and their advisors carry Privacy Act obligations of their own. When your client asks about cyber governance, you have an answer. We handle the assessment.
Work with us. Not around us.
BlackFlag Advisory brings together senior practitioners across cyber security, governance, risk, compliance, and commercial advisory — operating as a unified practice across Australia and Asia-Pacific.
Our advisors carry deep sector experience across financial services, healthcare, retail, critical infrastructure, and government. Every engagement draws on the right expertise for the specific risk environment — not a generalist team stretched thin across disciplines.
All findings are delivered in Board-ready reports that translate technical risk into business language — structured for decision-makers who need clarity, not complexity. Every finding is evidenced, sourced, and mapped to a recognised framework control.
We do not access your systems. We do not conduct penetration tests. We do not require credentials, network access, or internal cooperation. Our assessments are conducted entirely from publicly available data, which is precisely why they show your organisation as an outsider sees it rather than as your internal team assumes it to be.
“Most organisations assume their governance posture is adequate. Our assessments reveal what is actually visible to the outside world — before a threat actor, a regulator, or a competitor finds it first.”
Submit your domain and contact details. We will be in touch to discuss scope, approach, and next steps. Sample assessment reports available on request.
Enter your primary domain and contact details below. We will reach out to discuss your specific requirements.
All assessment discussions are treated with strict confidentiality. Sample reports are available on request to demonstrate methodology and deliverable quality.