Partnerships — Insurers & Brokers

Know What You're Underwriting
Before You Price It.

Pre-binding cyber posture assessments for insurers, underwriters, and brokers. Passive, evidence-based, independent. Gives you a credible view of risk before you accept it — without requiring anything from the applicant.

Pre-Binding Assessment
Independent risk view
Passive OSINT assessment of the applicant's external posture before you price or bind. No applicant involvement required. Results within 7 days.
Portfolio Screening
Batch assessment
Screen multiple applicants or existing policyholders in a single engagement. Identify the highest-risk accounts before renewal season.
White-Label
Your brand, our methodology
We produce the assessment. You deliver it under your brokerage or underwriting brand. The client sees one provider.

Insurers Who Want Evidence, Not Self-Assessments

The applicant's security questionnaire tells you what they think. A passive OSINT assessment tells you what's actually visible from the outside.

Cyber Underwriters

Independent pre-binding assessment of the applicant's external posture. Evidence-based, framework-mapped, produced without applicant cooperation — so the view is unfiltered.

Insurance Brokers

Differentiate your brokerage by offering clients a GRC posture assessment alongside the renewal process. Demonstrate value beyond the quote.

Claims Teams

Post-incident assessment of what was externally visible before the event. Establish whether the insured's posture matched their policy declarations.

Portfolio Risk Managers

Screen an entire portfolio of policyholders to identify the accounts carrying the highest external exposure before they become claims.

Reinsurers

Independent view of cedent portfolio quality. Passive assessment across a sample of underlying risks to validate the book's actual posture.

MGAs & Coverholders

Embed cyber posture assessment into your binding authority workflow. Evidence-based risk selection without slowing the process.

What Changes When You Can See the Risk

Before binding

Price with confidence

Stop relying on self-reported questionnaires. See the applicant's actual external posture — email security, credential exposure, infrastructure gaps, privacy compliance — before you commit capital.

At renewal

Retain and upsell

Show existing clients what's changed since their last assessment. A year-on-year comparison of their external posture gives them a reason to stay and a reason to invest in remediation.

Post-incident

Validate declarations

After a claim, assess what was externally visible before the incident. Establish whether the insured's posture matched their policy representations.

Portfolio-wide

Identify concentration risk

Screen your book to find the accounts with the highest external exposure. Address them proactively before they become loss events.

What a Pre-Binding Assessment Actually Reveals

The following is drawn from a real passive OSINT assessment conducted in 2026. Company details have been anonymised.

Assessment Extract — ASX-Listed Technology Company (Regulated Wagering)
Five verified active API credentials found in public code repositories.

A pre-binding assessment of an ASX-listed technology company operating in the regulated wagering space identified five sets of live API credentials sitting in public GitHub repositories. All five were confirmed active against their respective provider APIs on the day of assessment.

The applicant’s security questionnaire had reported no known credential exposure. DMARC was set to p=none — offering zero protection against email spoofing. Five historical origin server IPs were found bypassing the CDN. No WAF was in place.

None of this was visible from the application form. All of it was visible from public data in under 24 hours.

The difference between what an applicant reports and what an independent assessment reveals is the difference between pricing risk and inheriting it.

See What an Assessment Actually Delivers

The following is a reduced extract from a real BlackFlag Advisory assessment conducted in 2026. Company details have been anonymised. The full engagement includes a complete risk register, framework mapping, remediation roadmap, and Board-level executive summary.

Why This Matters

GRC Is the Scaffolding, Not the Defence

Governance, risk, and compliance is not a security product. It is the scaffolding that forces an organisation to know its asset inventory, who owns which risk, what the controls are, and whether they can actually be demonstrated. In a faster threat environment, that visibility is what lets you adapt controls quickly — instead of discovering during an incident that nobody knew a system existed.

Understanding your own external attack surface — what is publicly visible about your organisation to anyone with the right tools — gets more important precisely because capable AI now makes it trivial for an attacker to aggregate your public footprint and weaponise it. Exposed credentials, forgotten subdomains, employee details that feed spear-phishing, leaked API keys in public repositories — an attacker can collect and operationalise that at scale with minimal effort.

A beautifully documented risk register does not stop an intrusion. But knowing what is externally visible — before a threat actor, a regulator, or a competitor finds it — is the foundation everything else is built on.

Executive Summary

What We Found

This ASX-listed technology company operates in the regulated wagering space, providing platform infrastructure to licensed betting operators internationally. The assessment identified five verified active API credentials in public GitHub repositories — all confirmed live against their respective provider APIs on the day of assessment. The applicant’s security questionnaire had reported no known credential exposure.

The company’s email authentication posture was weak: DMARC was set to p=none and SPF to softfail. Five origin server IPs were bypassing the CDN, and no WAF was in place. The self-assessment did not reflect the actual external posture.

Critical — Verified Active Credentials

Five active API credentials in public code repositories

Two company-owned public GitHub repositories contained five sets of active API credentials: three Infura keys and two Alchemy keys (both Ethereum node providers), all committed in blockchain smart contract repositories. All five were confirmed active using TruffleHog with --only-verified.

For an ASX-listed organisation operating in regulated wagering, this represents a critical credential exposure. The applicant’s security questionnaire had reported no known credential issues; the independent assessment told a different story.

Verification Chain
[1] Source      TruffleHog 3.95.3, --only-verified
[2] Method      2 public repositories (company-owned)
[3] Result      3x Infura API keys, 2x Alchemy API keys
[4] Redirect    foundry.toml, alchemy-provider.ts, StdChains.sol
[5] Status      ALL FIVE CONFIRMED ACTIVE against live APIs

Business impact: live API credentials let anyone holding them make calls billed to the company and interact with its smart contract infrastructure. In regulated wagering, credential exposure carries both financial and regulatory implications. None of this was visible from the application form.

Remediation: Revoke all five credentials via Infura and Alchemy dashboards. Audit API activity logs. Implement pre-commit secret scanning across all public repositories.

Additional Findings

Supporting Observations

High — DMARC Not Enforced

DMARC p=none — email domain can be spoofed

The company’s primary email domain has DMARC set to p=none with SPF softfail, and no WAF is in place. Combined with five origin IPs bypassing the CDN, the external posture carried multiple overlapping gaps not reflected in self-reporting.
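The check behind this finding, as an added illustration written for this page (not BlackFlag Advisory's tooling): it parses DMARC and SPF TXT records and flags the p=none and softfail posture described above. The records and domain are constructed samples; a real check would resolve the TXT records with dig or dnspython instead of the dictionary lookup.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample TXT records modelled on the extract (DMARC p=none, SPF ~all).
# The domain and records are made up for this example, not the assessed company's.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_dmarc.example-applicant.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-applicant.test"],
    "example-applicant.test": ["v=spf1 include:_spf.example-provider.test ~all"],
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the terminating 'all' mechanism: '-', '~', '?' or '+'."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None          # no 'all' mechanism: effectively neutral
    return match.group(1) or "+"

def assess_email_auth(domain: str, txt_lookup: Callable[[str], List[str]]) -> List[str]:
    """Rate a domain's DMARC/SPF posture the way the extract's HIGH finding does."""
    findings = []
    dmarc = [r for r in txt_lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("HIGH: no DMARC record published")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "").lower()
        if policy == "none":
            findings.append("HIGH: DMARC p=none - monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("MEDIUM: DMARC p=quarantine - not yet at p=reject")
        elif policy != "reject":
            findings.append(f"HIGH: DMARC policy unrecognised ({policy!r})")
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("HIGH: no SPF record published")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier != "-":
            findings.append(f"MEDIUM: SPF ends with {qualifier or 'no '}all - softfail/neutral, not hardfail")
    return findings

if __name__ == "__main__":
    for line in assess_email_auth("example-applicant.test", lambda name: SAMPLE_TXT.get(name, [])):
        print(line)
```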

Medium — CDN Bypass

Five origin server IPs bypassing CDN protection

Five historical origin IPs were directly reachable, bypassing all CDN protections including WAF filtering, DDoS mitigation, and rate limiting.

What Was Working

TLS configured on primary domain
Certificate valid and trusted
No public S3 buckets exposed
No exposed databases
No remote desktop services exposed
Staging subdomain identified via crt.sh
VirusTotal clean

APP Compliance Extract

Australian Privacy Principles Assessment

APP   Principle                              Status   Finding
1     Open & transparent management          REVIEW   Privacy policy adequacy requires review given credential exposure.
5     Notification of collection             REVIEW
8     Cross-border disclosure                REVIEW   US-hosted infrastructure and US-headquartered platforms. APP 8 applies.
11    Security of personal information (2)   REVIEW   Five active credentials and DMARC p=none represent material APP 11 gaps.

This extract is based on a real assessment conducted in 2026. The full engagement includes a complete risk register rated by likelihood and impact, framework mapping across ASD Essential Eight, NIST CSF 2.0, ISO 27001, APRA CPS 234 and the Privacy Act 1988, a prioritised remediation roadmap, and a Board-level executive summary.

BlackFlag Advisory assessments are conducted exclusively via passive OSINT using publicly available data. No systems are accessed. No active scanning is performed.

See what your applicants can't tell you.

Passive. Independent. Evidence-based. No applicant involvement required.

Discuss a Partnership →