CVE-2026-43284 and CVE-2026-43500 give any attacker with a local foothold on a Linux system complete root access in a single command. Nine years of kernels are affected. A working exploit was published before patches existed. Microsoft has confirmed active in-the-wild exploitation. This is our analysis of what happened, how the attack works, and why a passive OSINT baseline belongs in your GRC framework before the next vulnerability is disclosed.
ShinyHunters exfiltrated 3.65 terabytes from Instructure’s Canvas platform through a Free-For-Teacher account vulnerability, compromising 275 million records across 8,809 institutions worldwide. Queensland’s QLearn platform — every state school student and staff member since 2020 — is caught up in it. This is our analysis of five controls that should have been in place before 29 April 2026, and what every Australian organisation using SaaS platforms must do today.
The Privacy Commissioner has handed down a landmark ruling against 2Apply — finding that manipulative design tactics used to collect personal information from 8.5 million Australians breach the Australian Privacy Principles. Every business collecting data online should read this today.
The Australian Privacy Act 1988 applies to far more businesses than most realise. With regulatory enforcement increasing and the 2024 amendments in effect, the cost of non-compliance is no longer theoretical. Here is what you are actually required to do — and what most organisations are getting wrong.
A 3am Google Maps traffic jam predicted Russia's invasion of Ukraine. FlightRadar24 exposed America's military buildup near Iran before the Pentagon said a word. The same open-source intelligence techniques are being used against Australian businesses every day — by competitors, threat actors, and regulators.
Your organisation does not choose whether to have a digital footprint. It accumulates one automatically — through every system deployed, every domain registered, every staff member hired, every third party integrated. This infographic maps exactly what is visible, where it comes from, and how exposed it makes you.
SOC 2. ISO 27001. Essential Eight. Your vendor passed the audit. The cert is framed and filed. And a threat actor just found a forgotten subdomain running vulnerable software that was never in scope for any of it. Here is what certifications measure — and the significant gap between that and what is actually exposed.
Vendors rate themselves. Auditors assess what they are shown. Attackers look at what is actually exposed — using the same publicly available tools that predicted two military invasions. The gap between how organisations assess themselves and how attackers assess them is the most exploited asymmetry in Australian cyber security.
Seven questions about your real environment. One honest picture of what a threat actor already sees about your organisation — based on your industry, staff turnover, third-party platforms, data holdings, security maturity, and data location. Results show your risk rating and three highest-priority findings.
Before a threat actor targets your organisation, they spend 60 seconds checking what your domain reveals about its defences. If the answer is nothing, your brand becomes their weapon — used to defraud your clients, redirect your payments, and compromise your people. Here is exactly what they see, and what happens next.
Every organisation has two versions of itself — the one leadership sees from the inside, and the one the outside world sees. The gap between them is where threat actors, regulators, and litigants find their leverage. The findings consistently surprise leadership teams who believed their exposure was minimal.
Claiming Essential Eight alignment and demonstrating it under scrutiny are two very different things. As procurement requirements tighten and insurers begin demanding verified maturity, the gap between those two positions is becoming impossible to ignore.
Most cyber security reports presented to Australian Boards are technically accurate and entirely useless for governance purposes. ASIC has made clear that directors will be held accountable for inadequate oversight. Here is what effective Board-level reporting actually looks like — and the three questions every Board should be able to answer.
The breach that matters most to your organisation may not be one that happened to you. When the platforms your staff use are compromised, their credentials enter criminal markets without your knowledge — and may have been there for months or years. Most organisations have never checked.
Australian organisations are paying significant premiums for cyber insurance that contains conditions most cannot satisfy. When ransomware hits, the insurer’s first action is not to process the claim — it is to audit whether those conditions were met. Most organisations have never checked.
Supply chain attacks use the trust you have extended to vendors as a weapon. Most Australian businesses have no systematic visibility into this risk — and no process for managing it.
The decisions made in the first 72 hours of a cyber incident determine most of the total cost. Organisations without a tested plan make every decision for the first time under maximum pressure, in full view of regulators and clients who are watching how they respond.
Somewhere in your organisation right now, a staff member is pasting client information into an AI tool with no governance policy, no data handling agreement, and no disclosure in your privacy policy. The regulatory framework is catching up faster than most organisations expect.
A target company’s cyber liabilities surface post-completion, when they become the acquirer’s problem. Most Australian M&A due diligence is structurally incapable of finding what is actually there before the deal closes.
Not every threat comes from outside. Legitimate accounts with excessive access, compromised credentials, and departed staff with unrevoked privileges represent a risk most Australian organisations have never systematically assessed.
Most Australian organisations have never assessed the apps their staff use. A passive assessment surfaces the permissions, trackers, cross-border transfers, and Privacy Act gaps that are already publicly visible.
Most organisations have never assessed the apps their staff and customers use. Under the Privacy Act 1988 and the 2024 amendments, what those apps collect is your liability.
Most Australian organisations believe their GRC is in order. Most are wrong. Take the 10-question self-assessment to find out where your real exposure is right now.
A breach response plan that has never been tested is not a plan. It is an assumption. Here is what untested incident response actually costs Australian organisations.
New legislation, record breach volumes, and shifting insurer expectations are reshaping what adequate cyber security means for Australian organisations right now.
Submit your domain and we will assess your external security posture using our structured, passive OSINT framework. No systems accessed. Board-ready report delivered.