Assessment Packages

See what we find.
Then decide.

Every package includes a sample report extract so you know exactly what you receive before you commit. Passive only — no systems accessed, no active scanning.

Sample Reports

What You Receive

Click any report below to see an extract of what a BlackFlag Advisory assessment delivers. All client details are anonymised.

Domain & Website Assessment
Cyber Security GRC Assessment Report
Meridian Finance Group — Multi-Entity — March 2026
3 Critical, 4 High, 5 Medium

Mobile App Assessment
Mobile App GRC Assessment Report
ConnectField Pro — Android — April 2026
3 Critical, 3 High, 4 Medium

GRC + Website + App Assessment
Cyber Security GRC Assessment Report
Mid-Size Australian Bank (ADI) — Eastern Seaboard — May 2026
5 Critical, 7 High, 6 Medium
Cyber Security GRC Assessment Report
Governance  |  Risk  |  Compliance  —  Passive OSINT Assessment
Sample Document
Organisation: Meridian Finance Group Pty Ltd
Assessment Type: Full GRC Assessment — Multi-Entity
Assessed By: BlackFlag Advisory
Assessment Date: March 2026
Classification: Confidential
Why This Assessment Was Commissioned

Meridian Finance Group commissioned this assessment ahead of their annual cyber insurance renewal. Their insurer had requested evidence of a current external security review as a condition of maintaining existing coverage terms. With a group structure spanning four operating entities across consumer lending, investment management, and property finance, the Directors also sought a consolidated view of the group's external risk exposure ahead of a scheduled Board risk committee meeting.

Executive Finding Summary
3 Critical, 4 High, 5 Medium, 3 Low
Top Findings

Critical
Domain confirmed in public breach database — 1,247 exposed credentials
meridian-lending.com.au was confirmed in a public credential breach dataset. Exposed data includes email addresses, passwords, and financial account references. Credentials are likely still in active use across staff and customer accounts. Immediate forced password reset and MFA enforcement is required across all internet-facing systems.

Critical
CMS installation confirmed with 23 active CVEs including CISA KEV-flagged exploits
The primary domain's content management system was assessed against the National Vulnerability Database. 23 CVEs were identified against the confirmed plugin stack, including two findings flagged as CISA Known Exploited Vulnerabilities — actively exploited in the wild at the time of assessment. One finding carries a CVSS score of 9.8.

High
Organisational intelligence exposure — material non-public information identified accessible via open sources
Information not intended for public disclosure was identified accessible through open-source research. The exposed data provides threat actors with sufficient organisational intelligence to conduct targeted attacks against staff and clients. No authentication or technical capability is required to access this information.

High
Sensitive organisational materials identified accessible via open-source methods — no authentication required
Documents intended for internal use were confirmed retrievable without credentials via passive research. The materials contain information that could facilitate targeted attacks and may carry regulatory obligations if accessed by unauthorised parties. Immediate access controls and a review of externally indexed assets are recommended.

Medium
CRM platform confirmed transferring personal data offshore — APP 8 cross-border disclosure obligations not addressed in Privacy Policy
An active CRM integration was identified collecting lead and contact data and transferring it to US-based servers. A review of the Privacy Policy confirmed no mention of offshore data transfer or APP 8 cross-border disclosure obligations. GDPR implications are also present given the organisation's international investor base.
Cost of Inaction vs. Value of Remediation
$4.26M
Average cost of a data breach in Australia — IBM Cost of a Data Breach Report 2024
$50M+
Maximum OAIC penalty for serious or repeated Privacy Act breaches — 2024 amendments
Assessment
Cost of this assessment — identifying and remediating findings before they become incidents
What Happened Next

Meridian Finance Group acted on the Critical and High findings within 14 days of receiving this report. Forced credential reset was implemented across all staff accounts. CMS plugin patches were applied within the ASD Essential Eight 48-hour window for Critical vulnerabilities. Exposed assets were taken offline and access controls were reviewed and hardened across the group. The insurer accepted the assessment report as evidence of due diligence and renewed the policy at the existing premium — a saving of approximately $18,000 against the projected increase. The Board risk committee received the executive summary as a standalone briefing document at their next scheduled meeting.

Ready to see what we find on your organisation? Submit your domain and we will conduct a passive assessment and come back with a findings report like this one.
Submit Your Domain →
Mobile App GRC Assessment Report
Passive OSINT Assessment — No Systems Accessed
Sample Document
Application: ConnectField Pro
Developer: Apex Mobile Solutions Pty Ltd
Platform: Android (Google Play)
Assessment Date: April 2026
Overall Risk: HIGH
Executive Summary

ConnectField Pro is a field service management application used by 47 field technicians to log job records, capture client signatures, photograph completed work, and access the customer database. The passive assessment identified significant compliance concerns — the application requests permissions substantially in excess of what its stated function requires, embeds six third-party trackers including two advertising SDKs with no disclosed purpose, and transfers data to servers in the United States and Singapore without adequate disclosure.

Executive Finding Summary
3 Critical, 3 High, 4 Medium, 2 Low
Top Findings

Critical
Two advertising SDKs embedded with no commercial justification or disclosure
Advertising SDKs were identified that transmit device identifiers, location data, and usage patterns to third-party advertising infrastructure. Client personal information captured through the app may be accessible to these SDKs. Neither is disclosed in the privacy policy. There is no commercial justification for advertising SDKs in an enterprise field service application.

Critical
Cross-border data transfer to USA and Singapore not disclosed — APP 8 breach
Data transmission was confirmed to servers in the United States and Singapore. The developer's privacy policy contains no mention of overseas data disclosure, no reference to APP 8 obligations, and no consent mechanism for cross-border transfer. This represents a prima facie breach of APP 8.1 under the Privacy Act 1988 as amended December 2024.

Critical
Microphone access requested with no stated purpose
The application requests microphone access. The app's stated purpose — job logging, signatures, and photo capture — has no requirement for microphone access. This permission is not explained in the App Store Data Safety section, not mentioned in the privacy policy, and no in-app notification is provided before the permission is requested.

High
Developer entity unverifiable via Australian corporate registries
The developer's listed Australian address does not match corporate records. The developer's website domain was registered through a privacy-protected registrar with no publicly identifiable owner. The corporate identity of the developer cannot be independently verified through Australian public records.
Australian Privacy Principles — Compliance Summary
APP     | Principle                                  | Status
APP 1   | Open & transparent management              | FAIL
APP 3   | Collection of solicited personal information | FAIL
APP 5   | Notification of collection                 | FAIL
APP 6   | Use or disclosure of personal information  | FAIL
APP 8   | Cross-border disclosure                    | FAIL
APP 11  | Security of personal information           | PARTIAL
APP 12  | Access to personal information             | FAIL
APP 4   | Dealing with unsolicited information       | PASS
What Happens Next

Following receipt of this report the client suspended organisational use of ConnectField Pro pending vendor response, notified their Board of the material privacy risk, and engaged legal counsel to assess OAIC notification obligations. A replacement application with a compliant privacy posture was identified and approved within 30 days. The assessment directly prevented the continued processing of client personal information through a non-compliant application — and gave the Board documented evidence of due diligence.

Ready to assess your organisation's apps? This is what a BlackFlag Advisory Mobile App GRC Assessment delivers. Passive only. No systems accessed.
Enquire →
Cyber Security GRC Assessment Report
Governance  |  Risk  |  Compliance  —  GRC + Website + Mobile Banking App
Sample Document
Organisation: Mid-Size Australian Bank (ADI)
Assessment Type: Full GRC + Website + Mobile Banking App Assessment
Footprint: Sydney, Melbourne, Brisbane — Retail & Business Banking
Regulatory Status: APRA-regulated ADI — CPS 234 applicable
Assessed By: BlackFlag Advisory
Assessment Date: May 2026
Classification: Confidential — Board Distribution Only
Why This Assessment Was Commissioned

This Australian bank commissioned a combined external GRC, website, and mobile banking app assessment ahead of their scheduled APRA CPS 234 self-assessment submission. The Board sought an independent, evidence-based view of the bank’s externally visible security posture to validate their internal assessment and identify any gaps before submission. The bank’s mobile banking application had undergone internal testing but had not previously been assessed by an independent external party. The assessment was conducted entirely through passive open-source methods — no systems were accessed, no credentials provided, and no active scanning was performed.

Executive Finding Summary
5 Critical, 7 High, 6 Medium, 3 Low
Top Findings — Domain & Website

Critical
Staff credentials confirmed in active breach datasets — including accounts associated with core banking access
A significant volume of credentials associated with the bank’s corporate email domain were identified in publicly available breach datasets. Cross-referencing confirmed that several exposed accounts belong to staff with access to core banking infrastructure and customer data systems. The recency of the breaches and the absence of confirmed forced resets across the organisation indicate these credentials may remain active.

Critical
Subsidiary domain running legacy web infrastructure with unpatched critical vulnerabilities
A subsidiary domain associated with the bank’s business banking division was identified running web infrastructure with confirmed critical vulnerabilities. The platform version was assessed against current vulnerability databases and multiple high-severity findings were confirmed, including one rated CVSS 9.6. The subsidiary domain processes business customer enquiries and collects contact and financial information.

Critical
Sensitive internal documentation indexed and accessible via open sources — contains operational and compliance references
Documents containing internal operational references, compliance process descriptions, and system naming conventions were confirmed accessible without authentication via open-source methods. The exposure of internal operational language provides threat actors with intelligence sufficient to craft highly targeted attacks against staff and to identify specific internal systems and processes.

High
Privacy Policy does not address cross-border data transfers — observable third-party integrations transmit customer data offshore
Passive assessment of the bank’s customer-facing web properties confirmed the presence of third-party integrations transmitting customer data to servers located outside Australia. The bank’s published Privacy Policy does not disclose these transfers or satisfy APP 8 obligations. Given the bank’s APRA-regulated status and the volume of customer personal and financial information involved, this represents both a Privacy Act and a CPS 234 third-party risk management gap.

High
Career portal collecting personal data via third-party platform — data handling not covered in Privacy Policy
The bank’s career portal operates on a third-party platform that collects applicant personal information including resumes, identity details, and employment history. The Privacy Policy does not reference this platform, the data it collects, or how it is handled. This creates an observable APP 1 and APP 5 gap with regulatory exposure under the Privacy Act.
Top Findings — Mobile Banking Application

Critical
Advertising and analytics SDKs confirmed in mobile banking app — transmitting device data to third parties
The bank’s mobile banking application was found to contain advertising and analytics SDKs transmitting device identifiers and usage data to third-party servers. The presence of advertising technology in a mobile banking application is inconsistent with APRA CPS 234 requirements for third-party information security risk management and is not disclosed to customers in the app’s privacy documentation.

Critical
App version available on third-party stores contains outdated dependencies with known vulnerabilities
A version of the bank’s mobile banking application was identified distributed via third-party app repositories. This version contains outdated dependencies with confirmed security vulnerabilities and does not reflect the current production build. Customers downloading from these sources may be exposed to compromised versions of the application.

High
App requests device permissions inconsistent with stated banking functionality
The mobile banking application requests access to device capabilities beyond those required for its stated functions. Permissions requested include access to device storage and contacts, neither of which is referenced in the app’s documented functionality or privacy notices. Unnecessary permissions increase the attack surface available to a compromised application and create regulatory exposure under the Privacy Act.
Framework Mapping
APRA CPS 234
CPS 234 paragraphs 15–18 (information security capability), paragraph 36 (third-party provider management), and paragraph 37 (notification obligations) — material gaps identified across all three areas. Board notification obligations under paragraph 36 are triggered by findings in this report.
Australian Privacy Act 1988
APP 1 (open and transparent management of personal information), APP 5 (notification of collection), APP 8 (cross-border disclosure), APP 11 (security of personal information). Four Principles with observable gaps identified across web and app properties.
ASD Essential Eight
Patching Applications (Critical — Level 0 on subsidiary domain), Patch Operating Systems (High), Multi-Factor Authentication (High). External assessment places confirmed maturity at Level 0–1 against published internal claims.
NIST CSF 2.0
Govern (GV.SC — supply chain risk management), Identify (ID.AM — asset management), Protect (PR.AC, PR.DS), Detect (DE.CM). Supply chain and third-party risk findings are the most significant gap relative to the bank’s stated risk appetite.
What Happened Next

The executive summary was delivered to the Board within five business days. The Board resolved to treat three of the five Critical findings as notifiable under APRA CPS 234 paragraph 36 and prepared the required APRA notification with the assistance of the bank’s legal counsel. The mobile banking app was immediately reviewed by the development team and the advertising SDKs were removed in the subsequent release. The BlackFlag Advisory report was incorporated into the bank’s CPS 234 self-assessment submission as the independent external evidence required under the standard. APRA accepted the submission without request for further information. The bank has engaged BlackFlag Advisory on a twice-yearly assessment cycle.

Ready to see what we find on your organisation? Submit your domain and we will conduct a passive assessment and return a findings report like this one.
Speak With an Advisor →

Choose the right assessment for your situation.

The table below shows exactly what each assessment includes so you can self-qualify before you enquire.

Packages compared: Surface | GRC Assessment | Website + App ★ | Enterprise Group

Inclusions assessed per package:
  • External attack surface & email security
  • Credential breach exposure check
  • Privacy Act compliance review
  • Structured risk register
  • Board-level executive summary
  • Framework mapping (E8, NIST, ISO)
  • Mobile app assessment
  • Multi-entity / subsidiary coverage

Delivery: Surface 3 days | GRC Assessment 5 days | Website + App 7 days | Enterprise Group 7–10 days
Domain & Website Assessments
Surface
Surface Assessment
Enquire for scope
Ideal for organisations seeking a rapid, evidenced view of their external exposure
  • External attack surface and email security review
  • Credential breach exposure check
  • Evidenced findings summary report
  • Top 3 prioritised recommendations
Delivered within 3 business days
Essential
GRC Assessment
Enquire for scope
Ideal for organisations that need a structured, board-ready view of their external risk and compliance posture
  • Full external risk and attack surface assessment
  • Australian Privacy Act compliance review
  • Structured risk register — Critical / High / Medium / Low
  • Board-level executive summary
  • Prioritised remediation roadmap
Delivered within 5 business days
Enterprise
Multi-Entity Group
Enquire for scope
Ideal for corporate groups, holding companies, and multi-entity structures requiring consolidated risk visibility
  • All entities and subsidiaries assessed individually
  • Consolidated group risk register
  • Framework mapping — ASD Essential Eight, NIST CSF, ISO 27001
  • Board-level executive summary across all entities
  • Scope and engagement structured to your group — contact us to discuss
Delivered within 7–10 business days
Ongoing Monitoring Retainer — available on any assessment Ongoing visibility between assessments. Quarterly risk register updates, external change detection, and a concise findings brief delivered each quarter — available alongside any engagement.
Contact for scope
Mobile App Assessments

A standalone assessment of any mobile application your organisation uses, deploys, or is evaluating — mapped against the Australian Privacy Principles and assessed for data exposure risk.

Single App
App GRC Assessment
Enquire for scope
Ideal for organisations assessing a specific application prior to deployment or as part of an ongoing vendor review
  • Permissions, tracker and privacy label review
  • Privacy policy assessment against all 13 APPs
  • Cross-border data transfer risk assessment
  • Structured risk register with APP framework mapping
  • Board-level executive summary and remediation roadmap
Delivered within 5 business days
Questions

Common Questions

Why no published prices?
Scope varies by organisation: the number of subdomains, entities and applications determines it. We quote a fixed price before starting. No surprises, no hourly rates. Submit your domain and we will respond with a scoped quote within 24 hours.
Do you access our systems or network?
No — never. Every assessment uses exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. This is not a penetration test.
How long does an assessment take?
Surface assessments are delivered within 3 business days. Full GRC assessments within 5 business days. Multi-entity group assessments within 7 business days depending on the number of subsidiaries.
What format is the report delivered in?
Reports are delivered as professionally formatted PDF documents. The full assessment includes an executive summary, risk register, framework mapping table, and remediation roadmap — all in a single document suitable for Board presentation.
Can I see a sample report before committing?
Yes — the sample extract above is drawn from a real anonymised assessment. A full sample report is available on request. Contact us directly and we will send it through.
Is this suitable for cyber insurance requirements?
Yes. Many insurers now require evidence of an external security review as a condition of coverage or renewal. Our assessment report — with its structured risk register and framework mapping — is designed to satisfy this requirement.
How do I pay?
Payment is by card via Stripe — secure, instant, and receipted. You will receive a payment link once your assessment scope has been confirmed. No payment is required upfront when you submit your domain.
Important: All BlackFlag Advisory assessments are conducted exclusively using passive OSINT techniques and publicly available data sources. No systems, networks, or accounts belonging to any assessed organisation are accessed, probed, or tested at any time. No active scanning is performed. BlackFlag Advisory assessments are not penetration tests. The sample report extract above is based on a real anonymised assessment — all identifying details have been changed.