Seven questions about your real environment. One honest picture of what a threat actor already sees about your organisation — before they ever attempt a breach.
Your sector determines which threat actors prioritise you, what data they assume you hold, and which regulatory frameworks apply when a breach occurs. Some industries face opportunistic attacks. Others are specifically targeted — because of what they know, who they serve, or what they protect.
Question 2 of 7
When did your organisation last have a passive OSINT assessment conducted?
A passive OSINT assessment maps what is already publicly visible about your organisation — your infrastructure, credentials, technology stack, and compliance gaps — without accessing any of your systems. If you have never had one, your external footprint has never been reviewed from the outside. That footprint exists regardless.
Question 3 of 7
How would you describe your staff turnover over the past two years?
Every staff departure creates a potential credential risk. Former employees retain access to external platforms they used — regardless of whether your internal systems have been updated. High turnover means a growing number of email addresses and credentials associated with your domain that are no longer under your control. These appear in breach intelligence databases and are actively traded.
Question 4 of 7
How many third-party platforms and SaaS tools does your organisation actively use?
Every external platform your organisation uses holds credentials, data, or access associated with your domain. Each one has its own breach history — independent of your internal controls. When any of them is compromised, data about your organisation enters criminal markets. The more platforms you use, the more exposure points exist beyond your direct visibility.
Question 5 of 7
What is the most sensitive category of data your organisation holds or processes?
The sensitivity of your data determines attacker motivation and regulatory consequence in a breach. A threat actor profiling your organisation will infer your data holdings from your sector, job listings, privacy policy, and registered entity structure — often before any technical reconnaissance begins. The higher the value of what you hold, the more thoroughly your organisation has already been mapped.
Question 6 of 7
How would you honestly describe your current security maturity?
Security maturity is an internal measure. It describes what controls you believe you have in place — not what is externally visible. Organisations with high internal maturity ratings frequently carry significant external exposure because their assessment frameworks look inward, not outward. The gap between what you have implemented and what an attacker can already observe is often larger than any internal audit has measured.
Question 7 of 7
Where is your organisation's data actually stored and processed?
Data location is both a compliance obligation and a target signal. Where your data sits determines which regulators have jurisdiction in a breach, which legal frameworks may compel disclosure, and which threat actors are motivated to pursue it. Most organisations are less certain about data location than they believe — and that uncertainty is itself a material finding under the Australian Privacy Act.
Your three highest-priority findings
This profile is based on your answers — not a live scan of your domain. Run a threat scan to see the actual data specific to your organisation.