Threat Intelligence &
Security Analysis.

Evidence-based analysis of active threats, regulatory developments, and security failures affecting Australian organisations. All passive OSINT — no systems accessed.

The Text Never Changed. The Enforcement Did.

APRA doesn’t fine — it made Medibank hold an extra $250 million in capital, the first ever imposed for a cyber attack. CPS 234 has been unchanged since 2019; what shifted is how hard it is enforced, and that named executives are now personally accountable under the Financial Accountability Regime.

Two Crises, One Clock.

A material cyber incident is also a disclosure event — and the disclosure clock reaches directors personally. GetSwift’s board paid $15M, its directors more than $3M, one banned for fifteen years. What Listing Rule 3.1 demands the moment an incident turns material.

The OSINT Data Trail Every Business Leaves

Your organisation does not choose whether to have a digital footprint. It accumulates one automatically — through every system deployed, every domain registered, every staff member hired, every third party integrated. This infographic maps exactly what is visible, where it comes from, and how exposed it makes you.

The Cert on the Wall Is Not Your Attack Surface

SOC 2. ISO 27001. Essential Eight. Your vendor passed the audit. The cert is framed and filed. And a threat actor just found a forgotten subdomain running vulnerable software that was never in scope for any of it. Here is what certifications measure — and the significant gap between that and what is actually exposed.

Build Your OSINT Threat Profile

Seven questions about your real environment. One honest picture of what a threat actor already sees about your organisation — based on your industry, staff turnover, third-party platforms, data holdings, security maturity, and data location. Results show your risk rating and three highest-priority findings.

The ASD Essential Eight: What It Actually Requires and Why Most Organisations Fail

Claiming Essential Eight alignment and demonstrating it under scrutiny are two very different things. As procurement requirements tighten and insurers begin demanding verified maturity, the gap between those two positions is becoming impossible to ignore.

Board-Level Cyber Reporting: What Directors Actually Need to Know

Most cyber security reports presented to Australian Boards are technically accurate and entirely useless for governance purposes. ASIC has made clear that directors will be held accountable for inadequate oversight. Here is what effective Board-level reporting actually looks like — and the three questions every Board should be able to answer.

Credential Exposure: Has Your Organisation Already Been Breached?

The breach that matters most to your organisation may not be one that happened to you. When the platforms your staff use are compromised, their credentials enter criminal markets without your knowledge — and may have been there for months or years. Most organisations have never checked.

Your Vendors Are Your Attack Surface: Third-Party Risk in Australian Organisations

Supply chain attacks use the trust you have extended to vendors as a weapon. Most Australian businesses have no systematic visibility into this risk — and no process for managing it.

Ready to See What We Find About
Your Organisation?

Submit your domain and we will assess your external security posture using our structured, passive OSINT framework. No systems accessed. Board-ready report delivered.

Request an Assessment →