Assessment Pricing

Transparent pricing.
No surprises.

Three fixed-price assessment tiers for Australian businesses. Every engagement uses exclusively passive, publicly available data — no systems accessed, no active scanning.

Surface
Surface Assessment
$750 AUD
Best for: SMEs wanting a quick external check
  • Single domain passive assessment
  • External attack surface overview
  • SSL/TLS certificate audit and grade
  • Email security posture — SPF, DKIM, DMARC
  • Credential breach exposure check
  • Technology stack fingerprinting
  • 2-page findings summary report
  • Top 3 priority recommendations
Get Started
Delivered within 3 business days
Most Popular
Standard
Full GRC Assessment
$2,000 AUD
Best for: Businesses needing Board-ready reporting
  • Full 18-step passive OSINT assessment
  • Complete risk register — Critical / High / Medium / Low
  • Framework mapping — ASD Essential Eight, NIST CSF, ISO 27001, CIS Controls
  • Australian Privacy Act compliance review — APP 1, 5, 8, 11
  • CVE cross-reference against confirmed technology stack
  • ACSC advisory alignment and CISA KEV flagging
  • Third-party and vendor risk summary
  • Board-level executive summary — non-technical language
  • Remediation roadmap with priority timelines
  • Google Dorking — indexed sensitive content check
Get Started
Delivered within 5 business days
Group
Multi-Entity Group
$3,500+ AUD
Best for: Corporate groups and holding companies
  • Parent company and all subsidiaries assessed individually
  • ASIC corporate structure and entity mapping
  • Per-entity attack surface and technology assessment
  • Shared infrastructure risk and lateral movement analysis
  • Consolidated group risk register
  • Group-wide framework mapping
  • Individual subsidiary recommendation profiles
  • Board-level executive summary across all entities
  • Pricing scales with number of entities — contact for quote
Get Started
Delivered within 7 business days
Ongoing Monitoring — add to any assessment Quarterly reassessment of your external footprint. Updated risk register, change alerts, and new CVE cross-referencing against your tech stack.
$500 / quarter
Sample Report

What You Actually Receive

The following is an extract from a real assessment — anonymised and reproduced here as a demonstration of deliverable quality. Client identity, domain names, and specific technical details have been changed.

Cyber Security GRC Assessment Report
Governance  |  Risk  |  Compliance  —  Passive OSINT Assessment
Sample Document
Organisation
Meridian Finance Group Pty Ltd
Assessment Type
Full GRC Assessment — Multi-Entity
Assessed By
Cluny Archibald — BlackFlag Advisory
Assessment Date
March 2026
Classification
Confidential
Why This Assessment Was Commissioned

Meridian Finance Group commissioned this assessment ahead of their annual cyber insurance renewal. Their insurer had requested evidence of a current external security review as a condition of maintaining existing coverage terms. With a group structure spanning four operating entities across consumer lending, investment management, and property finance, the Directors also sought a consolidated view of the group's external risk exposure ahead of a scheduled Board risk committee meeting.

Executive Finding Summary
3
Critical
4
High
5
Medium
3
Low
Top Findings
Critical
Domain confirmed in public breach database — 1,247 exposed credentials meridian-lending.com.au confirmed in Have I Been Pwned breach dataset. Exposed data classes include email addresses, passwords, and financial account references. Credentials likely still in active use across staff and customer accounts. Immediate forced password reset and MFA enforcement required across all internet-facing systems.
Critical
WordPress installation confirmed with 23 active CVEs including CISA KEV-flagged exploits BuiltWith confirmed WordPress CMS on primary domain. NVD cross-reference identified 23 CVEs against the confirmed plugin stack including CVE-2026-4662 (SQL Injection via JetEngine, CVSS 9.8) and CVE-2026-1908 (Stored XSS via HubSpot Forms). Two findings flagged as CISA Known Exploited Vulnerabilities — actively exploited in the wild at time of assessment.
High
DMARC policy not enforced — all four entity domains vulnerable to spoofing MXToolbox confirmed p=none (monitoring only) DMARC policy across all four Meridian entity domains. No quarantine or reject enforcement in place. Any party can send email purporting to be from @meridian-finance.com.au, @meridian-lending.com.au, or associated subsidiary domains. Direct Business Email Compromise risk for client-facing financial communications.
High
SSL/TLS certificate CA chain anomaly — certificate authority unverifiable Pentest Tools light SSL scan identified CA chain break on primary domain. Certificate is browser-trusted but CA issuer cannot be independently verified — indicating potential intermediate certificate misconfiguration. Certificate also expires within 87 days with no evidence of automated renewal in place.
Medium
HubSpot CRM confirmed transferring personal data to US — APP 8 cross-border disclosure obligations not addressed in Privacy Policy BuiltWith confirmed active HubSpot CRM integration (Feb 2024 – present) collecting lead and contact data and transferring to US-based servers. Privacy Policy reviewed — no mention of offshore data transfer or APP 8 cross-border disclosure obligations. GDPR implications also present given international investor base.
Cost of Inaction vs. Value of Remediation
$4.26M
Average cost of a data breach in Australia — IBM Cost of a Data Breach Report 2024
$50M+
Maximum OAIC penalty for serious or repeated Privacy Act breaches — 2024 amendments
🛡
$2,000
Cost of this assessment — identifying and remediating findings before they become incidents
What Happened Next

Meridian Finance Group acted on the Critical and High findings within 14 days of receiving this report. Forced credential reset was implemented across all staff accounts. DMARC policy was escalated to p=quarantine within 72 hours and p=reject within 30 days. WordPress and HubSpot plugin patches were applied within the ASD Essential Eight 48-hour window for Critical vulnerabilities. The SSL certificate was reissued with automated renewal configured. The insurer accepted the assessment report as evidence of due diligence and renewed the policy at the existing premium — a saving of approximately $18,000 against the projected increase. The Board risk committee received the executive summary as a standalone briefing document at their next scheduled meeting.

Ready to see what we find on your organisation? Submit your domain and we will conduct a passive assessment and come back with a findings report like this one.
Submit Your Domain →
Questions

Common Questions

Do you access our systems or network?
No — never. Every assessment uses exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. This is not a penetration test.
How long does an assessment take?
Surface assessments are delivered within 3 business days. Full GRC assessments within 5 business days. Multi-entity group assessments within 7 business days depending on the number of subsidiaries.
What format is the report delivered in?
Reports are delivered as professionally formatted PDF documents. The full assessment includes an executive summary, risk register, framework mapping table, and remediation roadmap — all in a single document suitable for Board presentation.
Can I see a sample report before committing?
Yes — the sample extract above is drawn from a real anonymised assessment. A full sample report is available on request. Contact us directly and we will send it through.
Is this suitable for cyber insurance requirements?
Yes. Many insurers now require evidence of an external security review as a condition of coverage or renewal. Our assessment report — with its structured risk register and framework mapping — is designed to satisfy this requirement.
How do I pay?
Payment is by card via Stripe — secure, instant, and receipted. You will receive a payment link once your assessment scope has been confirmed. No payment is required upfront when you submit your domain.
Important: All Visible Risk assessments are conducted exclusively using passive OSINT techniques and publicly available data sources. No systems, networks, or accounts belonging to any assessed organisation are accessed, probed, or tested at any time. No active scanning is performed. Visible Risk assessments are not penetration tests. The sample report extract above is based on a real anonymised assessment — all identifying details have been changed.