Partnerships — Accountants & Advisory

Your Clients Have Regulatory Obligations.
They Need Evidence, Not Assurances.

Your clients — SMEs, listed companies, AFSL holders — face Privacy Act obligations, APRA requirements, and Board-level cyber governance questions they cannot answer internally. You refer. We assess. You receive a referral fee and your client gets Board-ready evidence.

Referral
Fixed fee per engagement
You refer the client. We conduct the assessment. You receive a fixed referral fee. No involvement required beyond the introduction.
Co-Advisory
Joint delivery
You advise on the legal and regulatory dimensions. We deliver the technical GRC assessment. The client receives one coordinated output.
White-Label
Your brand, our methodology
We produce the assessment. You deliver it under your firm's brand. The client sees one provider. No confusion, no conflict.

Accountants & Advisory That Guide, Not Audit

Your advisory practice covers strategy, compliance planning, and regulatory guidance — but not the technical assessment that proves posture. That's where we come in.

Privacy & Data Protection

AFSL holders and super funds carry specific APRA CPS 234 and Privacy Act obligations. When your client asks about cyber governance, you have an answer. We handle the assessment.

Corporate & M&A

Business advisory clients increasingly face cyber questions from insurers, procurement teams, and regulators. A GRC assessment gives them documented evidence without requiring technical expertise from your practice.

Board Advisory

Directors need to demonstrate they've exercised due care on cyber risk. A Board-ready GRC assessment gives them documented evidence of the organisation's external posture.

Regulatory Response

When APRA, the OAIC, or a sector regulator asks questions, your client needs evidence — not assurances. Our assessments provide sourced, framework-mapped findings.

Procurement & Tenders

Government and enterprise procurement increasingly requires GRC evidence. A structured assessment with framework mapping satisfies the requirements your client can't produce internally.

Incident Response Support

After a breach, your client needs to understand what was visible before the incident. A passive assessment reconstructs the external picture without interfering with forensics.

You Refer. We Deliver.

No technical expertise required from your side. No client confusion. No overlap with your legal services.

  • You identify the client need — privacy inquiry, Board request, procurement question
  • You introduce us or we engage directly under your instruction
  • We conduct the passive OSINT assessment — no systems accessed, no client disruption
  • We deliver the report — risk register, framework mapping, Board-level summary
  • You receive a fixed referral fee per engagement
  • Your client gets a result they can take to their Board, their regulator, or their insurer

Scenario

Your SMSF client's auditor flags cyber governance as a material risk

The trustee has no cyber assessment capability. You refer them to BlackFlag Advisory. We deliver a passive assessment within 7 days — risk register, framework mapping, Board-ready summary. The auditor gets the evidence they need. You receive a referral fee and your client relationship is strengthened.

Scenario

A client's insurance renewal requires evidence of cyber posture

The insurer wants independent evidence before they price the policy. Your client has nothing to show them. You refer them to us. We produce the assessment. The insurer gets what they need, the client gets renewed, and you've added tangible value to the relationship.

What an Assessment Actually Surfaces

The following is drawn from a real passive OSINT assessment conducted in 2026. Company details have been anonymised.

Assessment Extract — ASX-Listed Retail Company
DMARC set to p=none — zero email spoofing protection.

An ASX-listed retail company with over 200 locations nationally had its DMARC policy set to p=none — meaning anyone on the internet can send emails that appear to come from the company’s domain. No DKIM signing was configured. SPF was set to softfail.

In practical terms, a phishing email sent to a supplier, a customer, or a staff member — appearing to come from the company’s own domain — would pass most email filters. The company had no visibility of this. No privacy policy was published on their website.

The remediation was straightforward — configure DMARC to p=reject, add DKIM signing, and tighten SPF to -all. The cost: negligible. The exposure before the fix: significant.

An advisory client’s accountant or business advisor is often the first person they call when something goes wrong. Knowing this gap exists before the phishing email lands is the value of an external assessment.

See What an Assessment Actually Delivers

The following is a reduced extract from a real BlackFlag Advisory assessment conducted in 2026. Company details have been anonymised. The full engagement includes a complete risk register, framework mapping, remediation roadmap, and Board-level executive summary.

Why This Matters

GRC Is the Scaffolding, Not the Defence

Governance, risk, and compliance is not a security product. It is the scaffolding that forces an organisation to know its asset inventory, who owns which risk, what the controls are, and whether they can actually be demonstrated. In a faster threat environment, that visibility is what lets you adapt controls quickly — instead of discovering during an incident that nobody knew a system existed.

Understanding your own external attack surface — what is publicly visible about your organisation to anyone with the right tools — gets more important precisely because capable AI now makes it trivial for an attacker to aggregate your public footprint and weaponise it. Exposed credentials, forgotten subdomains, employee details that feed spear-phishing, leaked API keys in public repositories — an attacker can collect and operationalise that at scale with minimal effort.

A beautifully documented risk register does not stop an intrusion. But knowing what is externally visible — before a threat actor, a regulator, or a competitor finds it — is the foundation everything else is built on.

Executive Summary

What We Found

This ASX-listed healthcare company operates in the retail sector with over 200 locations nationally, processing customer payment and personal data at scale. The assessment identified a critical email security gap — DMARC set to p=none with no DKIM signing on the company’s primary domain — meaning anyone on the internet can send emails appearing to come from the company's domain. No privacy policy was published.

On the positive side, the company's transport security posture was strong: TLS 1.3 was configured, the certificate was valid, and no credential exposure was found. The gaps were governance and configuration, not engineering.

Critical — Email Security Failure

DMARC p=none — zero protection against email spoofing

The company's primary domain had its DMARC policy set to p=none — an explicit instruction to receiving mail servers to take no action on emails that fail authentication. No DKIM signing was configured. SPF was set to softfail (~all). A phishing email sent to a supplier, customer, or staff member appearing to come from this domain would pass most email filters.

For an ASX-listed organisation handling healthcare data, this represents a direct failure under basic email security best practice. Business email compromise (BEC) is the single largest category of cyber crime in Australia by financial loss.

Verification Chain
[1] Source      DNS TXT record query — _dmarc.domain
[2] Method      DMARC/SPF/DKIM passive verification
[3] Result      DMARC p=none — no enforcement
[4] Redirect    No DKIM selectors found · SPF ~all (softfail)
[5] Status      CONFIRMED — domain can be spoofed by anyone

Business impact: A spoofed email requesting a payment change would be indistinguishable from a legitimate one. Under the 2024 Privacy Act amendments, the OAIC has signalled active enforcement and routinely names organisations. The cost to fix: negligible DNS changes. The exposure before the fix: significant.

Remediation: Configure DMARC to p=reject, add DKIM signing, tighten SPF to -all. Estimated effort: hours — DNS configuration changes only.
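The checks behind the verification chain above, as an added example rather than BlackFlag Advisory's own tooling: it parses DMARC and SPF TXT records, notes whether any DKIM selectors were found, and rates the spoofing exposure for both the "before" state in this extract and the remediated state. The domain and record strings are constructed samples; in a live passive check the two dictionaries would be filled from DNS TXT lookups.

```python
import re

# Constructed sample records reflecting the extract's "before" state.
BEFORE = {
    "_dmarc.example.com.au": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
    "example.com.au": "v=spf1 include:_spf.example.net ~all",
    "dkim_selectors": [],            # no selector TXT records found
}
# Constructed "after" state matching the remediation in the finding.
AFTER = {
    "_dmarc.example.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au",
    "example.com.au": "v=spf1 include:_spf.example.net -all",
    "dkim_selectors": ["s1", "s2"],  # e.g. s1._domainkey.example.com.au
}

def parse_dmarc(txt):
    """Return tag->value pairs from a DMARC TXT record, or {} if it is not one."""
    if not txt.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on SPF's 'all' mechanism: '-', '~', '?', '+' or None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.I)
    return (match.group(1) or "+") if match else None

def assess(records, domain):
    """Rate spoofing exposure from passive DNS data: returns (severity, findings)."""
    findings = []
    policy = parse_dmarc(records.get(f"_dmarc.{domain}", "")).get("p", "missing")
    if policy in ("missing", "none"):
        findings.append(f"DMARC p={policy}: receivers take no action on failing mail")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: failing mail is junked, not rejected")
    qualifier = spf_all_qualifier(records.get(domain, "")) or "missing"
    if qualifier != "-":
        findings.append(f"SPF 'all' qualifier {qualifier}: unauthorised senders are not hard-failed")
    if not records.get("dkim_selectors"):
        findings.append("No DKIM selectors found: outbound mail is unsigned")
    severity = "critical" if policy in ("missing", "none") else ("medium" if findings else "ok")
    return severity, findings

if __name__ == "__main__":
    for label, recs in (("before", BEFORE), ("after", AFTER)):
        print(label, *assess(recs, "example.com.au"))
```

Jumping straight to p=reject can bounce legitimate mail from senders not yet covered by SPF or DKIM, so the usual path is p=none with rua reporting, then p=quarantine, then p=reject once the reports show all legitimate sources aligned.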

Additional Findings

Supporting Observations

High — No Privacy Policy

No privacy policy on the company’s website

The company's primary domain had no published privacy policy. For a retail company processing customer data across 200+ locations, this is a direct APP 1 failure alongside the email security gap. Remediation: publish a privacy policy that covers data collection practices, third-party disclosure, cross-border transfer (APP 8), and provides a clear privacy contact.

Medium — Missing Security Headers

No CSP, HSTS, or X-Frame-Options headers configured

Standard security headers were absent: no Content Security Policy, no HSTS, no X-Frame-Options. These protect against cross-site scripting, clickjacking, and protocol downgrade attacks.

What Was Working

TLS 1.3 configured — strongest transport encryption currently available
SPF -all enforced — only authorised servers can send as this domain
DKIM — four signing selectors configured
No public S3 buckets exposed
No exposed databases
No credential exposure in public repos
VirusTotal clean

APP Compliance Extract

Australian Privacy Principles Assessment

APP — Principle — Status — Finding
APP 1 — Open & transparent management — REVIEW — No privacy policy on primary domain.
APP 5 — Use or disclosure — REVIEW — Third-party analytics and tracking identified. Data sharing undocumented.
APP 8 — Cross-border disclosure — REVIEW — US-headquartered SaaS platforms in use. APP 8 obligations apply.
APP 11 — Security of personal info — REVIEW — DMARC p=none and no DKIM represent material APP 11 gaps for customer data.

This extract is based on a real assessment conducted in 2026. The full engagement includes a complete risk register rated by likelihood and impact, framework mapping across ASD Essential Eight, NIST CSF 2.0, ISO 27001, APRA CPS 234 and the Privacy Act 1988, a prioritised remediation roadmap, and a Board-level executive summary.

BlackFlag Advisory assessments are conducted exclusively via passive OSINT using publicly available data. No systems are accessed. No active scanning is performed.

Work with us. Not around us.

No lock-in. No minimum commitment. Structured to complement your practice, not compete with it.
