There is a particular kind of confidence that settles into an organisation after a successful audit. The Essential Eight maturity score has improved. The security rating platform shows green. The Board presentation went well. Leadership departs the meeting reassured that the organisation's cyber risk is well managed.
Somewhere across the world, a threat actor has just run a fifteen-minute OSINT scan on your domain. They have not looked at your maturity score. They have not read your security questionnaire. They have found a legacy subdomain, identified the software version it is running, cross-referenced it against a published CVE database, and confirmed there is an unpatched vulnerability with a public exploit. The score said you were managing risk. The external footprint said something different.
This is not a hypothetical. It is the standard methodology of opportunistic and targeted attackers alike. And the gap between how organisations assess themselves and how attackers assess them is, in 2026, the most exploited asymmetry in Australian cyber security.
Two Views of the Same Organisation
The disconnect is structural. When an organisation assesses its own security posture — through maturity frameworks, internal audits, or vendor questionnaires — it is looking at itself from the inside. It sees the controls it has implemented, the processes it has documented, and the systems it knows about. This view is accurate as far as it goes. It simply does not go far enough.
An attacker looking at the same organisation sees none of that. They see what is visible from the outside — the public-facing infrastructure, the externally accessible systems, the technology stack readable from HTTP headers, the credentials in breach databases, the job listings that reveal internal tooling. This view is also accurate. It is just a completely different picture.
How the organisation sees itself:
- Documented systems and controls
- Known assets in the asset register
- Policies and procedures in place
- Pen test findings (scoped and historic)
- Staff awareness training completed
- Maturity score: improving quarter on quarter
- Board: satisfied. Audit: passed.
What the attacker sees:
- Forgotten subdomain running software with an unpatched CVSS 9.1 vulnerability
- 14 staff credentials in public breach databases
- Legacy CMS version with a known public exploit
- No DMARC record, so the domain is open to email impersonation
- Cloud storage bucket publicly accessible
- Job ad reveals the internal ticketing system
- Score: irrelevant. Entry point: identified.
Why Scores Create False Confidence
Security rating platforms and maturity frameworks are not wrong. They measure what they are designed to measure, and they do it reasonably well. The problem is what organisations do with those measurements — treating them as a proxy for actual security posture rather than as one input among several.
A maturity score tells you how well your organisation has implemented a defined set of controls. It does not tell you what is visible from the outside right now. A security rating platform scans your known infrastructure — but only what it can discover through its own methodology, which may miss the legacy environment that predates your current asset inventory. A pen test assesses what it is scoped to assess, at a point in time, against a defined target list.
None of these instruments answers the question an attacker actually asks: what can I find out about this organisation using only publicly available information?
The Methodology Gap in Practice
Consider what a threat actor actually does before targeting an organisation. They do not begin with an intrusion attempt. They begin with reconnaissance: open-source, passive, and lawful, because it reads only what is already public. They query internet-scan indexes for your domain and address ranges and find your exposed hosts and services. They pull your certificates from certificate transparency logs and enumerate your subdomains, including the ones nobody remembers issuing. They check your domain against breach intelligence databases and find exposed staff credentials. They read your job listings and infer your internal technology stack. They compare your privacy policy with what your website actually collects and find compliance gaps that suggest organisational immaturity.
By the time they have completed this reconnaissance, which takes minutes with the right tooling, they know more about your exploitable exposure than your most recent internal audit captured. And because none of it touched your systems, they did it without triggering a single alert.
What OSINT Reconnaissance Surfaces in Minutes
- All publicly accessible infrastructure — including what your asset register missed
- Software versions and associated published CVEs with active exploits
- Staff email addresses correlated against breach intelligence databases
- Subdomain enumeration from certificate transparency logs — including forgotten assets
- Email authentication gaps enabling domain spoofing and impersonation
- Technology stack inferred from HTTP headers, source code, and third-party scripts
- Organisational intelligence from ASIC, LinkedIn, court records, and news archives
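To make the methodology concrete, here is an added example (not from the article, and not any tool it mentions) in Python that runs three of the passive steps above, subdomain harvesting from certificate transparency results, a DMARC policy check, and product/version extraction from HTTP response headers, over constructed sample data shaped like the real sources. The domain example.com.au, the hostnames, the headers and the DMARC record are all invented for the example; a real run would substitute a crt.sh JSON query, a DNS TXT lookup of _dmarc.<domain> and one unauthenticated GET per host. The point the code makes is the one the article makes: none of this needs credentials, scope, or an asset register, and the version strings it pulls out are exactly what gets cross-referenced against a CVE feed.

```python
"""Passive footprint triage over constructed sample data (added example).

Nothing here touches the network, which is also the point: the target
would see none of these steps.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of crt.sh's ?output=json response. Each
# certificate's 'name_value' holds newline-separated names; wildcards, mixed
# case and unrelated look-alike domains all occur in real results.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com.au\nexample.com.au"},
    {"name_value": "*.example.com.au"},
    {"name_value": "legacy-cms.example.com.au"},
    {"name_value": "Staging.Example.com.au"},
    {"name_value": "mail.example.com.au\nlegacy-cms.example.com.au"},
    {"name_value": "example.com.au.evil-lookalike.net"},
])

# Constructed sample headers per host, as read off a single unauthenticated
# GET. Header names are case-insensitive on the wire, so matching must be too.
SAMPLE_HEADERS = {
    "www.example.com.au": {"Server": "nginx", "Content-Type": "text/html"},
    "legacy-cms.example.com.au": {
        "server": "Apache/2.4.29 (Ubuntu) OpenSSL/1.0.2g",
        "X-Powered-By": "PHP/5.6.40",
    },
}

# Headers that commonly leak product/version strings.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def subdomains_from_ct(ct_json: str, domain: str) -> List[str]:
    """Unique hostnames under `domain` seen in CT log results. Wildcard prefixes
    are dropped (they prove nothing about a specific host), names are
    lower-cased, and anything outside the domain is ignored."""
    domain = domain.lower()
    found = set()
    for cert in json.loads(ct_json):
        for name in cert["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def assess_dmarc(txt_record: Optional[str]) -> str:
    """Classify a _dmarc.<domain> TXT record. 'missing' and 'monitor-only'
    (p=none) both leave the domain spoofable; only quarantine/reject applied
    to 100% of mail counts as 'enforced'."""
    if txt_record is None:
        return "missing"
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return "malformed"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "malformed"
    if tags["p"] == "none":
        return "monitor-only"
    if tags["p"] in ("quarantine", "reject"):
        return "enforced" if pct == 100 else "partial"
    return "malformed"


def stack_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Product/version pairs a server volunteers in its headers. A header that
    names a product without a version (e.g. 'nginx') yields nothing."""
    found = {}
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS:
            for m in re.finditer(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)", value):
                found[m.group(1)] = m.group(2)
    return found


def triage(domain: str, ct_json: str, dmarc_txt: Optional[str],
           headers_by_host: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Combine the three passive sources into the list an attacker would act on."""
    hosts = subdomains_from_ct(ct_json, domain)
    dmarc = assess_dmarc(dmarc_txt)
    stack = {h: stack_from_headers(hdrs) for h, hdrs in headers_by_host.items()}
    findings = []
    if dmarc in ("missing", "monitor-only"):
        findings.append(f"{domain}: DMARC {dmarc}, domain spoofable")
    for host, products in stack.items():
        for product, version in products.items():
            findings.append(f"{host}: {product} {version} disclosed, check CVE feed")
    return {"hosts": hosts, "dmarc": dmarc, "stack": stack, "findings": findings}


if __name__ == "__main__":
    report = triage("example.com.au", SAMPLE_CT_JSON,
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
                    SAMPLE_HEADERS)
    for line in report["findings"]:
        print(line)
```

Run as-is it reports the monitor-only DMARC record and the three versioned products the legacy host discloses; the www host, which names only "nginx", produces nothing, which is the difference between a header that fingerprints you and one that does not. Swapping the constructed inputs for live crt.sh, DNS and HTTP responses turns this into the first fifteen minutes the article describes.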
Closing the Gap
The answer is not to abandon maturity frameworks or stop pursuing certifications. It is to add the outside view to your security programme — not as a replacement for what you already do, but as the input that tells you what attackers actually see.
This means periodically assessing your external footprint the way an attacker would: passively, from publicly available sources, without any inside knowledge. It means including your supply chain in that assessment, because your vendors' external exposure is your risk. It means briefing your Board not just on your maturity score but on what your organisation looks like from the outside — which is a materially different conversation.
The organisations that get this right are not the ones with the highest scores. They are the ones that have closed the gap between how they see themselves and how they are seen. That gap is where successful attacks begin. It is also, once you know where to look, surprisingly straightforward to measure.