Passive OSINT & GRC Assessment — Sydney

See your organisation the way an
attacker already does.

Evidence-based cyber security assessments — no systems accessed, no active scanning. Risk register, Privacy Act compliance review and Board-level reporting delivered within days.

Passive OSINT Threat Scan
Scan your domain
www.
Passive only — no systems accessed, no credentials required
5 days
Board report delivered
$50M
Max Privacy Act penalty
0
Systems accessed
6+
Frameworks mapped
Discover More

What We See. What We Do About It.

Seeing what’s exposed means nothing without a framework to assess, report and act on it. We do both — most firms do only one.

OSINT — What We See
Your External Attack Surface

Using only publicly available data — the same view a threat actor, a regulator or a competitor has — we map what’s visible about your organisation from the outside.

  • Credential exposure in public repositories
  • Infrastructure, ports & service visibility
  • Email security configuration
  • SaaS & third-party footprint
  • Breach intelligence & data exposure
GRC — What We Deliver
Governance That Drives Action

Every finding is rated, owned and mapped — turned into a living risk picture your Board can act on, not a report that goes nowhere.

  • Risk register rated by likelihood & impact
  • Framework mapping (E8, NIST, ISO, APRA)
  • APP 1–13 compliance assessment
  • Board-level executive summary
  • Prioritised remediation roadmap

External intelligence, translated into governance you can act on.

Discretion Isn’t a Marketing Position.
It’s How We Operate.

Confidentiality by Design

No client names, no logos. Every engagement is treated with the same confidentiality we assess others against — for a firm that evaluates privacy, practising what we preach isn’t optional.

Across Every Sector

Healthcare, finance, government and retail — listed and private, regulated and emerging. The exposure patterns repeat; only the obligations differ.

White-Label Ready

Findings delivered under your brand through established law-firm and insurance partnerships — your advisory, our engine.

Our findings speak for themselves. Our clients don’t have to.

What Is Exposed About Your
Organisation Right Now

Using exclusively passive, publicly available data sources — no systems accessed, no active scanning — we surface what anyone with the right knowledge can already see about your organisation.

All findings mapped to ASD Essential Eight · NIST CSF 2.0 · ISO 27001 · APRA CPS 234 · Privacy Act 1988

Your External Attack Surface

Domains, subdomains, exposed services, and infrastructure visible to the public internet — including assets you may not know exist.

Your Technology Stack

The software, platforms, CMS, CRM, and third-party integrations on your public-facing systems — and whether they carry known vulnerabilities.

Your Email Security Posture

Whether your domains are protected against phishing and spoofing — missing email security records leave your brand open to impersonation.

Your SSL/TLS Configuration

The strength of your encryption, certificate validity, cipher suite weaknesses, and whether your systems meet current compliance thresholds.

Your Credential Exposure

Whether your organisation's domains appear in known public breach databases — indicating compromised credentials that may still be in active use.

Your Compliance Gaps

Observable gaps in your privacy policy, data collection practices, and vendor relationships creating regulatory exposure under the Australian Privacy Act.

What We Deliver

Structured, evidence-based GRC advisory for organisations operating in complex, regulated environments across Australia and Asia-Pacific. Every engagement is disciplined, documented, and mapped to recognised frameworks.

Assessment Services — Passive OSINT
Passive OSINT GRC Assessment

A comprehensive assessment of your organisation's externally visible security posture — covering attack surface, technology exposure, breach intelligence, and compliance posture.

Enquire →
Privacy Act Compliance Review

Assessment of your publicly observable compliance with Australian Privacy Principles — covering data collection, third-party disclosure, cross-border data transfer, and privacy policy obligations.

Enquire →
Multi-Entity Group Assessment

Comprehensive assessment covering a parent company and all identified subsidiaries — mapping shared infrastructure risk and group-wide compliance posture across every entity.

Enquire →
Mobile App GRC Assessment

Passive assessment of the mobile applications your organisation uses — permissions, embedded trackers, cross-border data transfers, and Australian Privacy Act compliance. No systems accessed.

Enquire →
Advisory Services
Risk Register & Framework Mapping

All findings consolidated into a structured risk register rated by likelihood and impact, mapped to ASD Essential Eight, NIST CSF, ISO 27001, CIS Controls, and the Australian Privacy Act.

Enquire →
Board-Level Executive Reporting

Technical findings translated into clear, non-technical language for Board and C-Suite stakeholders — a briefing document that drives informed risk decisions.

Enquire →
GRC Advisory & Remediation

ASD Essential Eight maturity assessment, gap analysis, and an uplift roadmap. Risk register development and security policy documentation, with embedded GRC support available on-site and remote.

Enquire →
Pre & Post Pentest Advisory

A pre-engagement passive OSINT baseline for pentest providers, and post-engagement GRC translation of findings into a Board-ready risk register with framework mapping and executive summary.

Enquire →
Important: All BlackFlag Advisory assessments are conducted exclusively using passive OSINT techniques and publicly available data sources. No systems, networks, or accounts belonging to any assessed organisation are accessed, probed, or tested at any time. No active scanning is performed. BlackFlag Advisory assessments are not penetration tests.

Latest Intelligence

Evidence-based analysis on the threats, obligations and risks facing Australian organisations right now.

New — 23 June 2026
Critical Infrastructure & GRC

Critical National Infrastructure Exposure

Australia’s national grid now runs through four million internet-connected homes — regulated as consumer gadgets, not critical infrastructure, on a concentrated foreign supply chain. A national-security exposure in plain sight, and what it means for every organisation’s own.

Read Analysis →
New — 23 June 2026
Threat Intelligence & GRC

The Compliance Clock Just Got Faster

The Five Eyes warned the gap between a vulnerability and its exploitation is now months, not years — FortiBleed proved it in days. Why point-in-time compliance is failing, what the AI security vendors aren’t watching, and where the major Australian breaches actually enter.

Read Analysis →
New — 20 June 2026
Threat Intelligence & GRC

Government Is Failing Its Own Cyber Rules

Australian government grades its own cyber compliance and rarely checks the grade. Where independent auditors have looked — federal and every state — the mandatory rules aren’t being met. The findings, sourced entirely to government.

Read Analysis →
View All Intelligence →
$4.26M
Average cost of a data breach in Australia — a record high.
IBM Cost of a Data Breach Report 2024
1,113
Breaches reported to the OAIC in 2024 — the highest annual total on record.
OAIC Notifiable Data Breaches Report 2024
$50M+
Maximum penalty per serious Privacy Act breach under the 2024 amendments.
Privacy & Other Legislation Amendment Act 2024

Ready to See What We Find?

BlackFlag Advisory is an independent GRC and OSINT advisory practice in Sydney. Submit your domain and contact details and we’ll discuss scope, approach and next steps — sample assessments available on request.

Request an Assessment

Enter your primary domain and contact details below. We will reach out to discuss your specific requirements.

Please complete all required fields correctly.
✓ Thank you — your request has been received. We will be in touch shortly.
Response Time
Within 24 hours of submission
Enquiries
Submit the form and we will be in touch within 24 hours
Location
Headquartered in Sydney, NSW — operating globally
Confidential Enquiries Welcome

All assessment discussions are treated with strict confidentiality. Sample reports are available on request to demonstrate methodology and deliverable quality.