Assessment Pricing

Transparent pricing.
No surprises.

Three fixed-price assessment tiers for Australian businesses. Every engagement uses exclusively passive, publicly available data — no systems accessed, no active scanning.

Surface Assessment
$750 AUD
Best for: SMEs wanting a quick external check
  • Single domain passive assessment
  • External attack surface overview
  • SSL/TLS certificate audit and grade
  • Email security posture — SPF, DKIM, DMARC
  • Credential breach exposure check
  • Technology stack fingerprinting
  • 2-page findings summary report
  • Top 3 priority recommendations
Delivered within 3 business days
Multi-Entity Group
$3,500+ AUD
Best for: Corporate groups and holding companies
  • Parent company and all subsidiaries assessed individually
  • ASIC corporate structure and entity mapping
  • Per-entity attack surface and technology assessment
  • Shared infrastructure risk and lateral movement analysis
  • Consolidated group risk register
  • Group-wide framework mapping
  • Individual subsidiary recommendation profiles
  • Board-level executive summary across all entities
  • Pricing scales with number of entities — contact for quote
Delivered within 7 business days
Ongoing Monitoring — add to any assessment
Quarterly reassessment of your external footprint. Updated risk register, change alerts, and new CVE cross-referencing against your tech stack.
$500 / quarter
Sample Report

What You Actually Receive

The following is an extract from a real assessment — anonymised and reproduced here as a demonstration of deliverable quality. Client identity, domain names, and specific technical details have been changed.

Cyber Security GRC Assessment Report
Governance  |  Risk  |  Compliance  —  Passive OSINT Assessment
Sample Document
Organisation: Meridian Finance Group Pty Ltd
Assessment Type: Full GRC Assessment — Multi-Entity
Assessed By: Cluny Archibald — BlackFlag Advisory
Assessment Date: March 2026
Classification: Confidential
Why This Assessment Was Commissioned

Meridian Finance Group commissioned this assessment ahead of their annual cyber insurance renewal. Their insurer had requested evidence of a current external security review as a condition of maintaining existing coverage terms. With a group structure spanning four operating entities across consumer lending, investment management, and property finance, the Directors also sought a consolidated view of the group's external risk exposure ahead of a scheduled Board risk committee meeting.

Executive Finding Summary
3 Critical  |  4 High  |  5 Medium  |  3 Low
Top Findings
Critical: Domain confirmed in public breach database — 1,247 exposed credentials
meridian-lending.com.au confirmed in Have I Been Pwned breach dataset. Exposed data classes include email addresses, passwords, and financial account references. Credentials likely still in active use across staff and customer accounts. Immediate forced password reset and MFA enforcement required across all internet-facing systems.

Critical: WordPress installation confirmed with 23 active CVEs including CISA KEV-flagged exploits
BuiltWith confirmed WordPress CMS on primary domain. NVD cross-reference identified 23 CVEs against the confirmed plugin stack including CVE-2026-4662 (SQL Injection via JetEngine, CVSS 9.8) and CVE-2026-1908 (Stored XSS via HubSpot Forms). Two findings flagged as CISA Known Exploited Vulnerabilities — actively exploited in the wild at time of assessment.

High: DMARC policy not enforced — all four entity domains vulnerable to spoofing
MXToolbox confirmed p=none (monitoring only) DMARC policy across all four Meridian entity domains. No quarantine or reject enforcement in place. Any party can send email purporting to be from @meridian-finance.com.au, @meridian-lending.com.au, or associated subsidiary domains. Direct Business Email Compromise risk for client-facing financial communications.

High: SSL/TLS certificate CA chain anomaly — certificate authority unverifiable
Pentest Tools light SSL scan identified CA chain break on primary domain. Certificate is browser-trusted but CA issuer cannot be independently verified — indicating potential intermediate certificate misconfiguration. Certificate also expires within 87 days with no evidence of automated renewal in place.

Medium: HubSpot CRM confirmed transferring personal data to US — APP 8 cross-border disclosure obligations not addressed in Privacy Policy
BuiltWith confirmed active HubSpot CRM integration (Feb 2024 – present) collecting lead and contact data and transferring to US-based servers. Privacy Policy reviewed — no mention of offshore data transfer or APP 8 cross-border disclosure obligations. GDPR implications also present given international investor base.
Cost of Inaction vs. Value of Remediation
$4.26M
Average cost of a data breach in Australia — IBM Cost of a Data Breach Report 2024
$50M+
Maximum OAIC penalty for serious or repeated Privacy Act breaches — 2024 amendments
$2,000
Cost of this assessment — identifying and remediating findings before they become incidents
Remediation Roadmap
Delivered with every Full GRC and Group assessment — prioritised actions mapped to ASD Essential Eight timelines
Within 48 hrs  |  ASD E8 Critical  |  Critical
Forced credential reset — all staff accounts
Three domain-linked accounts confirmed in public breach databases with passwords unchanged. Reset all credentials immediately. Enable MFA across all accounts before reactivation.
Owner: IT / Systems Administrator
Within 48 hrs  |  ASD E8 Critical  |  Critical
Patch WordPress core and all plugins — 4 critical CVEs confirmed
BuiltWith and Wappalyzer identified WordPress 6.3.1 and three outdated plugins. CVE cross-reference confirms active exploitation in the wild. Apply all available patches immediately or temporarily disable affected plugins.
Owner: Web Administrator / Developer
Within 72 hrs  |  High priority  |  High
Escalate DMARC policy to p=quarantine across all four domains
All entity domains confirmed at p=none — monitoring only. No spoofing protection in place. Update DMARC DNS record to p=quarantine immediately. Progress to p=reject within 30 days once mail flow is confirmed stable.
Owner: DNS Administrator / IT
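The DMARC finding above rests on one check: what the p= tag of the domain's _dmarc TXT record says. The following is an added example, not code from the page or from BlackFlag Advisory, showing how that check is evaluated and how a record is graded into the same categories the report uses (monitoring only versus enforced). It goes a little beyond the page's p=none case by also treating the pct= and sp= tags, which can leave a record that says p=reject only partially enforced. The domain names and record strings are constructed placeholders; in practice the record string comes from a TXT lookup of _dmarc.<domain> (for example `dig TXT _dmarc.example.com`).

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records (placeholder domains, not real lookups).
# Each value is what a TXT lookup of _dmarc.<domain> would return;
# None means no record is published at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-quarantine.test": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example-quarantine.test",
    "example-reject.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "example-partial.test": "v=DMARC1; p=reject; pct=10; sp=none",
    "example-missing.test": None,
    "example-broken.test": "v=DMARC1; rua=mailto:reports@example-broken.test",  # no p= tag
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcResult:
    domain: str
    published: bool
    valid: bool
    policy: Optional[str]            # p= as published
    subdomain_policy: Optional[str]  # effective sp= (defaults to p=)
    pct: int                         # share of failing mail the policy applies to
    finding: str                     # missing | invalid | monitor-only | partial | enforced
    detail: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags.
    Surrounding quotes (as returned by some TXT lookups) are stripped first."""
    tags: Dict[str, str] = {}
    for element in record.strip().strip('"').split(";"):
        element = element.strip()
        if "=" not in element:
            continue  # empty or malformed element; skip it
        key, value = element.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(domain: str, record: Optional[str]) -> DmarcResult:
    """Grade a domain's DMARC record by how much spoofing protection it gives."""
    if record is None:
        return DmarcResult(domain, False, False, None, None, 0, "missing",
                           "No _dmarc TXT record; receivers apply no DMARC policy.")
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    # RFC 7489: v=DMARC1 must be the first tag and p= is mandatory; receivers
    # treat anything else as if no record existed.
    first = record.strip().strip('"').split(";", 1)[0].strip().lower()
    if first != "v=dmarc1" or policy not in VALID_POLICIES:
        return DmarcResult(domain, True, False, policy or None, None, 0, "invalid",
                           "Record published but malformed (bad version or p= tag); receivers ignore it.")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in VALID_POLICIES:
        subdomain_policy = policy  # unknown sp= value: fall back to p=
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    pct = max(0, min(pct, 100))

    if policy == "none":
        finding = "monitor-only"
        detail = "p=none: failures are reported but still delivered, so spoofed mail is not blocked."
    elif pct < 100 or subdomain_policy == "none":
        finding = "partial"
        detail = f"p={policy} applies to {pct}% of failing mail; subdomains at sp={subdomain_policy}."
    else:
        finding = "enforced"
        detail = f"p={policy} applied to all failing mail, including subdomains."
    return DmarcResult(domain, True, True, policy, subdomain_policy, pct, finding, detail)


def assess_domains(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its finding, e.g. to feed a group risk register."""
    return {d: evaluate_dmarc(d, r).finding for d, r in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = evaluate_dmarc(domain, record)
        print(f"{domain:28} {result.finding:13} {result.detail}")
```

When moving from p=none to p=quarantine and then p=reject as the roadmap recommends, the same evaluator applied to the updated record should move the finding from monitor-only to enforced; a record left at pct=10 or sp=none shows up as partial, which is the state to look for when confirming that the change actually took effect.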
Within 7 days  |  High priority  |  High
Reissue SSL certificate — configure automated renewal
CA chain anomaly identified on primary domain. Certificate expires in 87 days with no automated renewal in place. Reissue via the primary CA, with Let's Encrypt or equivalent automated renewal configured. Confirm the HSTS header is correctly configured post-reissue.
Owner: Web Administrator / Hosting Provider
Within 30 days  |  Medium priority  |  Medium
Update Privacy Policy — address APP 8 cross-border disclosure obligations
HubSpot CRM confirmed transferring data to US-based servers. Privacy Policy reviewed — no mention of offshore transfer or APP 8 obligations. Update policy to disclose third-party providers, data destinations, and cross-border transfer arrangements. Legal review recommended prior to publication.
Owner: Legal / Compliance / Marketing
Next Board meeting  |  Governance
Board risk committee briefing — executive summary tabled
The Board-level executive summary is delivered as a standalone document, written in non-technical language. It summarises findings by severity, maps to regulatory obligations, and presents the remediation roadmap with ownership and timelines for Board sign-off.
Owner: CEO / Risk Officer / Company Secretary
Ready to see what we find on your organisation? Submit your domain and we will conduct a passive assessment and come back with a findings report like this one.
Questions

Common Questions

Do you access our systems or network?
No — never. Every assessment uses exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. This is not a penetration test.
How long does an assessment take?
Surface assessments are delivered within 3 business days. Full GRC assessments within 5 business days. Multi-entity group assessments within 7 business days depending on the number of subsidiaries.
What format is the report delivered in?
Reports are delivered as professionally formatted PDF documents. The full assessment includes an executive summary, risk register, framework mapping table, and remediation roadmap — all in a single document suitable for Board presentation.
Can I see a sample report before committing?
Yes — the sample extract above is drawn from a real anonymised assessment. A full sample report is available on request. Contact us directly and we will send it through.
Is this suitable for cyber insurance requirements?
Yes. Many insurers now require evidence of an external security review as a condition of coverage or renewal. Our assessment report — with its structured risk register and framework mapping — is designed to satisfy this requirement.
How do I pay?
Payment is by card via Stripe — secure, instant, and receipted. You will receive a payment link once your assessment scope has been confirmed. No payment is required upfront when you submit your domain.
Important: All Visible Risk assessments are conducted exclusively using passive OSINT techniques and publicly available data sources. No systems, networks, or accounts belonging to any assessed organisation are accessed, probed, or tested at any time. No active scanning is performed. Visible Risk assessments are not penetration tests. The sample report extract above is based on a real anonymised assessment — all identifying details have been changed.