Partnerships — Law Firms

Your Clients Need Cyber GRC.
You Don't Have to Provide It.

When a client faces a Privacy Act inquiry, a procurement question, or a Board request they can't answer — you refer. We assess. You receive a referral fee and your client gets a result. No overlap with your legal services.

Referral
Fixed fee per engagement
You refer the client. We conduct the assessment. You receive a fixed referral fee. No involvement required beyond the introduction.
Co-Advisory
Joint delivery
You advise on the legal and regulatory dimensions. We deliver the technical GRC assessment. The client receives one coordinated output.
White-Label
Your brand, our methodology
We produce the assessment. You deliver it under your firm's brand. The client sees one provider. No confusion, no conflict.

Law Firms That Advise, Not Assess

Your practice covers governance, regulation, and compliance — but not the technical assessment that sits underneath it. That's where we come in.

Privacy & Data Protection

Your client is responding to an OAIC inquiry or preparing for the 2024 Privacy Act amendments. They need an evidence-based assessment of what's actually exposed — not an opinion.

Corporate & M&A

Pre-acquisition due diligence increasingly includes cyber posture. A passive OSINT assessment gives your client a clear picture of the target's external exposure without alerting the market.

Board Advisory

Directors need to demonstrate they've exercised due care on cyber risk. A Board-ready GRC assessment gives them documented evidence of the organisation's external posture.

Regulatory Response

When APRA, the OAIC, or a sector regulator asks questions, your client needs evidence — not assurances. Our assessments provide sourced, framework-mapped findings.

Procurement & Tenders

Government and enterprise procurement increasingly requires GRC evidence. A structured assessment with framework mapping satisfies the requirements your client can't produce internally.

Incident Response Support

After a breach, your client needs to understand what was visible before the incident. A passive assessment reconstructs the external picture without interfering with forensics.

You Refer. We Deliver.

No technical expertise required from your side. No client confusion. No overlap with your legal services.

  • You identify the client need — privacy inquiry, Board request, procurement question
  • You introduce us or we engage directly under your instruction
  • We conduct the passive OSINT assessment — no systems accessed, no client disruption
  • We deliver the report — risk register, framework mapping, Board-level summary
  • You receive a fixed referral fee per engagement
  • Your client gets a result they can take to their Board, their regulator, or their insurer

Scenario

Your client's insurer asks for a cyber posture assessment before renewal

The client calls you. You don't provide cyber assessments — and you shouldn't have to. You refer them to BlackFlag Advisory. We deliver a passive OSINT assessment within 7 days. The client gets the evidence their insurer needs. You receive a referral fee. No scope creep, no technical involvement, no conflict.

Scenario

The Board wants evidence of cyber governance for the annual report

Directors need to demonstrate due care. Your client has no internal cyber assessment capability. You refer them to us. We produce a Board-ready report — framework-mapped, risk-registered, plain English. The directors have documented evidence. You've added value without stepping outside your practice.

What an Assessment Actually Surfaces

The following is drawn from a real passive OSINT assessment conducted in 2026. Company details have been anonymised.

Assessment Extract — ASX-Listed Healthcare Company
No privacy policy found on the company’s primary domain.

The company’s website contained no published privacy policy. Instead, the only privacy-related link redirected to a third-party whistleblower platform’s own privacy statement — which has no relevance to the company’s data collection practices. For an ASX-listed organisation in the healthcare sector, handling clinical and patient-adjacent data, this represents a direct APP 1 failure under the Privacy Act 1988.

The assessment also identified infrastructure hosted in the United States with no observable APP 8 cross-border disclosure arrangements, three WordPress admin panels accessible at default paths, and no Content Security Policy header.

On the positive side, email authentication was strong — DMARC p=reject, four DKIM selectors, SPF -all enforced. TLS 1.3 configured and a WAF in place. No credential exposure identified.

This is the kind of finding a privacy lawyer acts on immediately. The company’s legal counsel had no visibility of the gap until an external assessment surfaced it.

See What an Assessment Actually Delivers

The following is a reduced extract from a real BlackFlag Advisory assessment conducted in 2026. Company details have been anonymised. The full engagement includes a complete risk register, framework mapping, remediation roadmap, and Board-level executive summary.

Why This Matters

GRC Is the Scaffolding, Not the Defence

Governance, risk, and compliance is not a security product. It is the scaffolding that forces an organisation to know its asset inventory, who owns which risk, what the controls are, and whether they can actually be demonstrated. In a faster threat environment, that visibility is what lets you adapt controls quickly — instead of discovering during an incident that nobody knew a system existed.

Understanding your own external attack surface — what is publicly visible about your organisation to anyone with the right tools — gets more important precisely because capable AI now makes it trivial for an attacker to aggregate your public footprint and weaponise it. Exposed credentials, forgotten subdomains, employee details that feed spear-phishing, leaked API keys in public repositories — an attacker can collect and operationalise that at scale with minimal effort.

A beautifully documented risk register does not stop an intrusion. But knowing what is externally visible — before a threat actor, a regulator, or a competitor finds it — is the foundation everything else is built on.

Executive Summary

What We Found

This ASX-listed healthcare company operates in the medical technology space, handling clinical and patient-adjacent data across Australian and international markets. The assessment identified a direct APP 1 failure — no privacy policy published on the company’s primary domain — alongside infrastructure hosted in the United States with no observable APP 8 cross-border disclosure arrangements.

On the positive side, the company’s email authentication posture was strong: DMARC p=reject, four DKIM selectors, SPF -all enforced, and TLS 1.3 configured. A WAF was in place and no credential exposure was identified.

Critical — APP 1 Non-Compliance

No privacy policy published on the company’s primary domain

The company’s website contained no published privacy policy. The only privacy-related link redirected to a third-party whistleblower platform’s own privacy statement — a document that governs the whistleblower platform’s data practices, not the company’s.

For an ASX-listed organisation handling healthcare data, this represents a direct failure under Australian Privacy Principle 1 — which requires organisations to have a clearly expressed and up-to-date privacy policy about how they manage personal information.

Verification Chain
[1] Source      Primary domain — full page crawl
[2] Method      Automated policy detection + manual review
[3] Result      No /privacy, /privacy-policy, or linked policy document found
[4] Redirect    Whistleblower link → navex.com/en-us/privacy-statement/
[5] Status      CONFIRMED — APP 1 non-compliance
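The "automated policy detection" step in the verification chain above can be reproduced from page HTML alone: collect every link, keep the ones that mention privacy, and separate first-party links from ones that leave the domain. The following is an added example, not BlackFlag Advisory's own tooling; the homepage snippets and the domain names in it are constructed placeholders, and the list of common policy paths is an assumption.

```python
"""Detect whether a site publishes its own privacy policy, from its HTML alone.

Added example, not BlackFlag Advisory's tooling: it models the "automated
policy detection" step of the verification chain (crawl the primary domain,
look for /privacy or /privacy-policy or any linked policy document, and notice
when the only privacy link leaves the domain). HTML and domains are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Paths a first-party policy is commonly published at (assumption, extend as needed).
POLICY_PATHS = {"/privacy", "/privacy-policy", "/privacy-statement"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def classify_privacy_links(html, base_url):
    """Classify privacy-related links as first-party or third-party.

    Returns the finding status together with the links behind it, so the
    result can be placed in a verification chain rather than taken on trust.
    """
    parser = LinkCollector()
    parser.feed(html)
    site_host = urlparse(base_url).netloc.lower()
    first_party, third_party = [], []
    for href, text in parser.links:
        if "privacy" not in f"{href} {text}".lower():
            continue
        absolute = urljoin(base_url, href)          # resolve relative hrefs
        host = urlparse(absolute).netloc.lower()
        if host == site_host or host.endswith("." + site_host):
            first_party.append(absolute)
        else:
            third_party.append(absolute)             # link leaves the domain
    on_policy_path = any(
        urlparse(u).path.rstrip("/") in POLICY_PATHS for u in first_party
    )
    status = ("FOUND - first-party privacy policy link" if first_party
              else "CONFIRMED - no first-party privacy policy")
    return {
        "status": status,
        "on_policy_path": on_policy_path,
        "first_party": first_party,
        "third_party": third_party,
    }


# Constructed homepage: the only privacy link points at a third-party platform.
SAMPLE_HOMEPAGE = """
<html><body>
<a href="/about">About us</a>
<a href="/contact">Contact</a>
<a href="https://whistleblower-platform.example/privacy-statement/">Privacy</a>
</body></html>
"""

# Constructed comparison: a site that links its own policy at a common path.
SAMPLE_COMPLIANT_HOMEPAGE = """
<html><body>
<a href="/about">About us</a>
<a href="/privacy-policy">Privacy Policy</a>
</body></html>
"""

if __name__ == "__main__":
    for page in (SAMPLE_HOMEPAGE, SAMPLE_COMPLIANT_HOMEPAGE):
        print(classify_privacy_links(page, "https://company.example/"))
```

The third-party list is kept in the result deliberately: a redirect to another organisation's privacy statement is what a reviewer needs to see to distinguish "no policy at all" from "policy published, but for the wrong entity".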

Business impact: Under the 2024 Privacy Act amendments, maximum penalties for serious breaches reach $50M. The OAIC has signalled active enforcement and routinely names organisations. A healthcare company with no published privacy policy is a straightforward compliance failure that any regulator would identify.

Remediation: Publish a compliant privacy policy addressing all 13 APPs. Ensure the policy covers data collection practices, third-party disclosure, cross-border transfer (APP 8), and provides a clear privacy contact. Estimated effort: 1–2 days with legal review.

Additional Findings

Supporting Observations

High — APP 8 Cross-Border Exposure

Infrastructure hosted in the United States with no observable transfer arrangements

The company’s primary infrastructure is hosted on US-based servers. No privacy policy exists to document cross-border data transfer arrangements as required under APP 8. For a healthcare company, personal and clinical data flowing to US infrastructure without documented safeguards creates direct regulatory exposure.

Medium — Admin Panel Exposure

Three WordPress admin panels accessible at default paths

/wp-admin, /wp-login.php, and /admin were all accessible. While login authentication was in place, default admin paths enable automated brute-force targeting. The server header also disclosed the hosting platform (WP Engine).

What Was Working

  • DMARC p=reject — strongest email spoofing protection available
  • SPF -all enforced — only authorised servers can send as this domain
  • DKIM — four signing selectors configured
  • TLS 1.3 with AES-256-GCM — current best practice
  • WAF (ModSecurity) in place
  • No credential exposure — TruffleHog verified clean
  • VirusTotal — no vendor flags domain as malicious
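The email-authentication items in the list above, together with the missing Content Security Policy header and the Server header disclosure noted in the findings, are all graded from publicly published records: DNS TXT entries and HTTP response headers. The block below is an added example, not BlackFlag Advisory's methodology, that applies those grading rules to constructed DNS records and a constructed header set; the domain, selector names and key value are placeholders.

```python
"""Grade email-authentication and response-header posture from public records.

Added example, not BlackFlag Advisory's methodology: the rules mirror the
items under "What Was Working" (DMARC policy, SPF terminal qualifier, DKIM
selector count) plus the CSP and Server-header observations. All records
below are constructed placeholders.
"""


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC/DKIM-style record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt):
    """p=reject is the strongest policy; p=none only reports, it blocks nothing."""
    tags = parse_tags(txt or "")
    if tags.get("v") != "DMARC1":
        return "MISSING"
    return {"reject": "STRONG", "quarantine": "PARTIAL", "none": "MONITOR-ONLY"}.get(
        tags.get("p", "").lower(), "INVALID"
    )


def grade_spf(txt):
    """The terminal qualifier decides: -all rejects unauthorised senders, ~all does not."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "MISSING"
    last = txt.split()[-1].lower()
    if last == "-all":
        return "STRONG"
    if last == "~all":
        return "SOFTFAIL"
    return "WEAK"


def count_dkim_selectors(txt_by_name):
    """DKIM keys live at <selector>._domainkey.<domain>; count records with a p= tag."""
    return sum(
        1 for name, txt in txt_by_name.items()
        if "._domainkey." in name and "p" in parse_tags(txt)
    )


def assess_email_auth(domain, txt_by_name):
    """Combine the three checks for one domain, given its TXT records by name."""
    return {
        "dmarc": grade_dmarc(txt_by_name.get(f"_dmarc.{domain}")),
        "spf": grade_spf(txt_by_name.get(domain)),
        "dkim_selectors": count_dkim_selectors(txt_by_name),
    }


def assess_headers(headers):
    """Flag a missing CSP and a Server header that names the hosting platform."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "csp_present": "content-security-policy" in lower,
        "server_disclosed": bool(lower.get("server", "").strip()),
    }


# Constructed TXT records for a placeholder domain (four DKIM selectors).
SAMPLE_TXT = {
    "company.example": "v=spf1 include:_spf.mail-provider.example ip4:203.0.113.0/24 -all",
    "_dmarc.company.example": "v=DMARC1; p=reject; rua=mailto:dmarc@company.example",
    "s1._domainkey.company.example": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY1",
    "s2._domainkey.company.example": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY2",
    "google._domainkey.company.example": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY3",
    "mail._domainkey.company.example": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY4",
}

# Constructed response headers: no CSP, and the Server header names the host.
SAMPLE_HEADERS = {"Server": "WP Engine", "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    print(assess_email_auth("company.example", SAMPLE_TXT))
    print(assess_headers(SAMPLE_HEADERS))
```

Every input here is something the organisation has already published, which is why these checks sit comfortably inside a passive assessment: nothing is sent to the target beyond the same DNS and HTTPS requests any mail server or browser would make.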

APP Compliance Extract

Australian Privacy Principles Assessment

APP   Principle                        Status       Finding
1     Open & transparent management    REVIEW       No privacy policy published. Third-party redirect only.
5     Notification of collection       REVIEW       No observable collection notices on public-facing pages.
8     Cross-border disclosure          REVIEW       US-hosted infrastructure. No documented transfer arrangements observable.
11    Security of personal info        COMPLIANT    Strong email auth, WAF, TLS 1.3. No credential exposure. Admin panels at default paths are a minor gap.

This extract is based on a real assessment conducted in 2026. The full engagement includes a complete risk register rated by likelihood and impact, framework mapping across ASD Essential Eight, NIST CSF 2.0, ISO 27001, APRA CPS 234 and the Privacy Act 1988, a prioritised remediation roadmap, and a Board-level executive summary.

BlackFlag Advisory assessments are conducted exclusively via passive OSINT using publicly available data. No systems are accessed. No active scanning is performed.

Work with us. Not around us.

No lock-in. No minimum commitment. Structured to complement your practice, not compete with it.

Discuss a Partnership →