Structured, evidence-based GRC advisory for organisations navigating complex, regulated environments — wherever they operate.
Using exclusively passive, publicly available data sources — no systems accessed, no active scanning — we surface what anyone with the right knowledge can already see about your organisation.
Domains, subdomains, exposed services, and infrastructure visible to the public internet — including assets you may not know exist.
The software, platforms, CMS, CRM, and third-party integrations on your public-facing systems — and whether they carry known vulnerabilities.
Whether your domains are protected against phishing and spoofing — missing email security records leave your brand open to impersonation.
The strength of your encryption, certificate validity, cipher suite weaknesses, and whether your systems meet current compliance thresholds.
Whether your organisation's domains appear in known public breach databases — indicating compromised credentials that may still be in active use.
Observable gaps in your privacy policy, data collection practices, and vendor relationships creating regulatory exposure under the Australian Privacy Act.
Every engagement begins with your domain. What follows is a structured, evidence-based assessment that gives you a clear picture of your risk posture.
Enter your primary domain and contact details. We identify all associated entities, subdomains, and publicly visible infrastructure before we begin.
Our structured, 5-phase passive assessment framework is applied across your entire external footprint. Every finding is evidenced, sourced, and mapped to a recognised framework control.
A structured professional report — risk register, framework mapping, and a Board-level executive summary — that tells you exactly what was found and what to do about it.
Structured, evidence-based GRC advisory for organisations operating in complex, regulated environments across Australia and Asia-Pacific. Every engagement is disciplined, documented, and mapped to recognised frameworks.
A comprehensive assessment of your organisation's externally visible security posture — covering attack surface, technology exposure, breach intelligence, and compliance posture.
All findings consolidated into a structured risk register rated by likelihood and impact, mapped to ASD Essential Eight, NIST CSF, ISO 27001, CIS Controls, and the Australian Privacy Act.
Technical findings translated into clear, non-technical language for Board and C-Suite stakeholders — a briefing document that drives informed risk decisions.
Comprehensive assessment covering a parent company and all identified subsidiaries — mapping shared infrastructure risk and group-wide compliance posture across every entity.
Assessment of your publicly observable compliance with Australian Privacy Principles — covering data collection, third-party disclosure, cross-border data transfer, and privacy policy obligations.
Your confirmed technology stack cross-referenced against current threat advisories and known exploited vulnerabilities — surfacing active threats in your specific environment.
Every assessment follows the same disciplined process. No shortcuts. No guesswork. Every finding is evidenced and mapped to a recognised framework control.
Corporate entity mapping, subsidiary identification, domain and subdomain enumeration, and email security record analysis across all associated entities.
Passive infrastructure review, certificate analysis, SSL/TLS configuration audit, and technology stack fingerprinting across all public-facing systems.
Domain breach exposure analysis, indexed sensitive content discovery, historical footprint review, and credential exposure assessment.
Privacy policy assessment against Australian Privacy Principles, current threat advisory cross-referencing, and third-party vendor risk identification.
Risk register population, framework mapping, remediation roadmap development, and Board-level executive summary production.
All findings are mapped to recognised Australian and international cybersecurity and compliance frameworks.
BlackFlag Advisory was founded by Cluny Archibald — a senior enterprise sales and business development leader with over 20 years of experience across technology, SaaS, government, financial services, and commercial property sectors across Australia and internationally.
After completing a Bachelor of Cyber Security with a GPA of 6.31/7.0 in 2025, Cluny brings a rare combination to GRC consulting: genuine commercial maturity, deep experience in regulated environments, and formal cybersecurity qualifications.
All findings are presented in structured, Board-ready reports that translate technical risk into business language accessible to non-technical decision-makers.
Most organisations assume their governance and compliance posture is adequate. Our assessments reveal what is actually visible to the outside world — before a threat actor, a regulator, or a competitor finds it first.
Submit your domain and contact details. We will be in touch to discuss scope, approach, and next steps. Sample assessment reports available on request.
Enter your primary domain and contact details below. We will reach out to discuss your specific requirements.
All assessment discussions are treated with strict confidentiality. Sample reports are available on request to demonstrate methodology and deliverable quality.