What a Certification Actually Tells You
A SOC 2 report tells you that a specific set of controls were assessed at a specific point in time by a specific auditor against a specific scope. An ISO 27001 certificate tells you that an information security management system was in place and met the standard's requirements at the time of audit.
Neither tells you what is actually exposed about your organisation right now. Neither reflects what has changed since the audit. And neither is visible to the adversary, the regulator, or the client conducting due diligence — they see what your external presence reveals today, not what a report said six months ago.
Why Clients and Regulators Are Moving Beyond Certification
Enterprise procurement teams, government agencies, and financial services regulators have recognised that certifications alone are insufficient evidence of current security posture. The trend across Australian procurement is toward requiring both certification and independent current-state assessment — the cert as a baseline, the assessment as evidence of what exists today.
APRA CPS 234 requires regulated entities to maintain information security capability commensurate with the size and extent of threats. That is a continuous obligation — not a point-in-time one. The ASD Essential Eight maturity model similarly requires ongoing implementation and testing. A certificate from eighteen months ago does not satisfy a continuous obligation.
What the Scan Finds That the Cert Doesn't Cover
A BlackFlag Advisory passive OSINT assessment looks at your external presence as it exists right now, not as it was defined in a certification scope. Passive means we collect what is already observable from the outside (DNS, certificate transparency logs, breach data, public service banners) without probing or exploiting your systems. We identify exposed assets that may not have been in scope for your audit. We identify changes that occurred after your last assessment. We identify credential exposure from breaches that post-date your certification. And we identify the gap between what your certificate claims and what is actually visible, and potentially exploitable, from outside.
What We Find Beyond the Certification Scope
- Subdomains and external services not included in the audit scope
- Credential exposure from breaches occurring after the last audit
- Externally visible services deployed since certification whose advertised versions indicate missing patches
- Third-party integrations with privacy or security implications
- DNS and email security gaps: SPF, DKIM and DMARC misconfigurations (DKIM only where selectors are discoverable)
- Expired or misconfigured TLS certificates on production services
- Legacy infrastructure not decommissioned as intended
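As an added illustration of the email-authentication check in the list above (example code written for this page, not BlackFlag Advisory's own tooling), the following Python script parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable: a neutral or permissive `all` qualifier, too many lookup terms, `p=none`, a weaker subdomain policy, partial `pct`, and no aggregate reporting address. The records are constructed sample data for three hypothetical domains; a real assessment would retrieve them with DNS TXT queries for the apex and the `_dmarc` name. DKIM is not covered, since a passive scan cannot enumerate selectors it does not already know.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data).
# "@" holds the apex TXT records (where SPF lives); "_dmarc" the DMARC record.
SAMPLE_TXT = {
    "weak.example": {
        "@": ["v=spf1 include:_spf.example.net ?all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "hardened.example": {
        "@": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@hardened.example"],
    },
    "missing.example": {
        "@": ["site-verification=abc123"],
        "_dmarc": [],
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


def assess_spf(apex_txt):
    """Return a list of findings for the SPF record(s) among the apex TXT records."""
    findings = []
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; receivers cannot reject forged envelope senders"]
    if len(spf) > 1:
        findings.append("SPF: multiple records; receivers treat this as permerror")
    terms = spf[0].split()[1:]
    # The qualifier on the 'all' term decides what happens to unlisted senders.
    all_qualifier = None
    for term in terms:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every sender on the internet")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; no enforcement for unlisted senders")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail; unlisted senders are marked, not rejected")
    lookups = sum(1 for t in terms
                  if LOOKUP_MECH.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10; permerror")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(dmarc_txt):
    """Return a list of findings for the record published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record; SPF/DKIM failures carry no policy"]
    tags = parse_dmarc(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; record is not valid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    # 'sp' defaults to 'p'; an explicit weaker value leaves subdomains spoofable.
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append("DMARC: subdomain policy 'sp' is weaker than the domain policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address; aggregate reports are never received")
    return findings


def assess_domain(txt_by_name):
    """Combine SPF and DMARC findings for one domain's TXT records."""
    return assess_spf(txt_by_name.get("@", [])) + assess_dmarc(txt_by_name.get("_dmarc", []))


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        findings = assess_domain(txt)
        print(f"{domain}: {'clean' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

A `~all` softfail is reported as informational here; with `p=reject` in place it is a common and defensible choice, so treat that line as a prompt to confirm DMARC enforcement rather than a defect on its own.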
The Right Use of Both
Certification and independent assessment are not alternatives. They are complementary. The certification demonstrates your management system meets the standard. The independent passive assessment demonstrates what your current external posture actually looks like — and gives your Board, your clients, and your insurers evidence that is current, independent, and verifiable.
Run the scan. See what the cert doesn't cover.