Evidence-based analysis of active threats, regulatory developments, and security failures affecting Australian organisations. All passive OSINT — no systems accessed.
A court has now fined executives personally — $1.1 million between them, thirteen years’ disqualification — for negligence, not fraud. From RI Advice to the $2.5M FIIG penalty to letter 26-092MR, cyber is a licence obligation and a director’s duty of care. What ASIC now expects boards to evidence, not assert.
APRA’s CPS 230 takes full effect on 1 July 2026. A signed service-provider clause is not evidence of a managed risk — and the accountability now sits with the board, not the vendor. What the standard asks once the auditors leave, and the external view that answers it.
On 24 June 2026 ASD confirmed it will retire the Essential Eight within two years, replacing it with the outcomes-based Essentials series. Consultation closes 12 July. Why the benchmark everyone hid behind is being pulled up — and why the audits show most never reached it anyway.
You don’t need our opinion on where Australian breaches come from — the OAIC publishes the numbers every six months. Read against the data, the cause barely changes: stolen logins, convincing messages, records sent to the wrong place. The controls already exist. The door stays open.
Your GRC platform is a system of record — it records what you tell it. It has no idea what you’ve left exposed on the open internet. Why “robust” means external ground truth, not workflow maturity, and why a green dashboard can sit over an open door.
The Five Eyes cyber agencies warned that AI has shrunk the gap between a vulnerability and its exploitation from years to months — and FortiBleed proved it in days. Why point-in-time compliance is failing, what the AI security vendors are really built to watch, and where the major Australian breaches actually enter: the external edge, not the internal stack.
Australia’s national electricity grid now runs through more than four million internet-connected homes — devices regulated as consumer gadgets, not critical infrastructure, on a supply chain concentrated in a handful of foreign vendors. A national-security exposure that is observable from the outside, mapped to SOCI, the Essential Eight and APRA — and a mirror for every organisation’s own.
Australian government grades its own cyber compliance and rarely checks the grade. Where independent auditors have looked — federal and every state — the mandatory rules aren’t being met: self-assessments that were wrong, controls that were ineffective, and in NSW 59% of agencies with no independent assurance at all. Sourced entirely to government.
A plain-English map of the two-tier cyber regime over every Australian department: the federal reference architecture (ASD ISM, the Essential Eight, the Cyber Security Act 2024) and the NSW assurance overlay (the Cyber Security Policy, DCS-2025-04, crown jewels by 30 June 2026, 24-hour reporting) — and the protections government extends to citizens.
ServiceNow’s June 2026 exposure let unauthenticated requests read customer instance data through a misconfigured endpoint — no patch to apply, and an advisory that sat behind a customer login. AI and a governance certificate are no shield when you cannot say what you expose. The same war, a new logo — and what actually closes the gap.
Medibank, Optus, Latitude, MediSecure, Genea, Qantas, now QLearn — Australia keeps suffering the same breach, year after year, on stolen credentials and trusted-vendor access. Meanwhile the industry sells AI as the cure for the one attack it structurally cannot see. Why the method never changes, why doing nothing has been rational, and what actually closes the door.
The Match Group hack exposed 10 million records across Tinder, Hinge, and OkCupid — and it started not with code, but with a phone call. Before that call, attackers used passive OSINT to identify the SSO provider, profile the staff, and harvest credentials from prior breach databases. Millions of Australians are in this dataset. This is our analysis of the full attack chain and what it means for your organisation.
A 600Gbps DDoS attack overwhelmed Australia’s largest privately owned digital service provider — the second major Australian operator targeted by the same threat actor in two weeks. Two major telco transit providers were taken completely offline as collateral damage. The risk profile has permanently changed. This is our analysis of what happened, the GRC gaps it exposed, and the OSINT intelligence picture that preceded it.
CVE-2026-43284 and CVE-2026-43500 give any attacker with any local foothold on a Linux system complete root access in a single command. Nine years of kernels are affected. A working exploit was published before patches existed. Microsoft has confirmed active in-the-wild exploitation. This is our analysis of what happened, how the attack works, and why a passive OSINT baseline belongs in your GRC framework before the next vulnerability is disclosed.
ShinyHunters exfiltrated 3.65 terabytes from Instructure’s Canvas platform through a Free-For-Teacher account vulnerability, compromising 275 million records across 8,809 institutions worldwide. Queensland’s QLearn platform — every state school student and staff member since 2020 — is caught up in it. This is our analysis of five controls that should have been in place before 29 April 2026, and what every Australian organisation using SaaS platforms must do today.
The Privacy Commissioner has handed down a landmark ruling against 2Apply — finding that manipulative design tactics used to collect personal information from 8.5 million Australians breach the Australian Privacy Principles. Every business collecting data online should read this today.
The Australian Privacy Act 1988 applies to far more businesses than most realise. With regulatory enforcement increasing and the 2024 amendments in effect, the cost of non-compliance is no longer theoretical. Here is what you are actually required to do — and what most organisations are getting wrong.
APRA doesn’t fine — it made Medibank hold an extra $250 million in capital, the first ever imposed for a cyber attack. CPS 234 has been unchanged since 2019; what shifted is how hard it is enforced, and that named executives are now personally accountable under the Financial Accountability Regime.
A material cyber incident is also a disclosure event — and the disclosure clock reaches directors personally. GetSwift’s board paid $15M, its directors more than $3M, one banned for fifteen years. What Listing Rule 3.1 demands the moment an incident turns material.
Your organisation does not choose whether to have a digital footprint. It accumulates one automatically — through every system deployed, every domain registered, every staff member hired, every third party integrated. This infographic maps exactly what is visible, where it comes from, and how exposed it makes you.
SOC 2. ISO 27001. Essential Eight. Your vendor passed the audit. The cert is framed and filed. And a threat actor just found a forgotten subdomain running vulnerable software that was never in scope for any of it. Here is what certifications measure — and the significant gap between that and what is actually exposed.
Seven questions about your real environment. One honest picture of what a threat actor already sees about your organisation — based on your industry, staff turnover, third-party platforms, data holdings, security maturity, and data location. Results show your risk rating and three highest-priority findings.
Claiming Essential Eight alignment and demonstrating it under scrutiny are two very different things. As procurement requirements tighten and insurers begin demanding verified maturity, the gap between those two positions is becoming impossible to ignore.
Most cyber security reports presented to Australian Boards are technically accurate and entirely useless for governance purposes. ASIC has made clear that directors will be held accountable for inadequate oversight. Here is what effective Board-level reporting actually looks like — and the three questions every Board should be able to answer.
The breach that matters most to your organisation may not be one that happened to you. When the platforms your staff use are compromised, their credentials enter criminal markets without your knowledge — and may have been there for months or years. Most organisations have never checked.
Supply chain attacks use the trust you have extended to vendors as a weapon. Most Australian businesses have no systematic visibility into this risk — and no process for managing it.
Submit your domain and we will assess your external security posture using our structured, passive OSINT framework. No systems accessed. Board-ready report delivered.