Skip to content
Certifications & partnerships

Nothing on this page is decoration.

Every framework below is genuinely practised. Every partnership is genuinely held. Every status is the honest one — including the credential we haven’t finished earning yet. If we cannot evidence it at your assessment, it does not appear here.

The register

Four frameworks. Four honest statuses.

Australian obligations, stated the way your regulator and insurer read them — with the current, verifiable position on each.

  • Essential Eight

    Practised & assessed

    ACSC — Australian Cyber Security Centre

    The Australian baseline for mitigating cyber incidents. We assess client environments against the maturity model, set a target level with the board, and evidence the uplift — control by control.

    Verify: An Essential Eight maturity read is part of every Cyber Risk Assessment report.

  • Privacy Act 1988 & APPs

    Practice standard

    OAIC — incl. the Notifiable Data Breaches scheme

    The obligation with directors' names on it. Our controls, retention practices and incident playbooks are built so clients can demonstrate APP compliance — and act inside NDB timeframes if it ever matters.

    Verify: Ask us to walk your obligations register at the findings review.

  • ISO 27001

    Readiness path

    International standard for information-security management

    Our internal management system is built on ISO 27001, and we take clients down the certification path. We do not display a certification mark we have not completed — you will see it here when the audit is done, not before.

    Verify: Current status stated plainly, in writing, on request.

  • APRA CPS 234

    Client capability

    Australian Prudential Regulation Authority

    For regulated financial clients we map information-security capability, asset registers, control testing and incident notification to CPS 234 — the standard your regulator actually reads. We are not an APRA-regulated entity and do not claim to be.

    Verify: CPS 234 mapping delivered as a board-ready annexe for financial clients.

House policy — no exceptions

If we haven’t earned it, you won’t see it here.

An unearned trust seal is not marketing — it is a misrepresentation. A firm that cuts that corner will cut others where you cannot see. So this page refuses, in writing:

  • SOC 2 · HIPAA · PCI DSS · CMMC

    US frameworks with no bearing on an Australian SMB's obligations. Displaying them here would be decoration, not assurance.

  • IRAP

    We are not IRAP assessed and will not imply otherwise. If your work requires it, we will tell you plainly what it takes and who genuinely holds it.

  • Pay-to-display awards

    Badges that can be bought say something — just not about security.

Use this page as a test for every provider you evaluate: ask them to evidence each badge in their footer. We will pass that test on any line above — on the spot.

Deployment partners

Held partnerships. Working tools.

Not a logo wall — a deployment list. These are the platforms we resell, configure and manage inside client environments every day, each named with the job it does.

  • Sophos

    Endpoint detection & response

    The enterprise EDR we deploy and manage across every client fleet. Consumer antivirus is not protection; this is what replaces it.

  • Check Point

    Email security & BEC defence

    The dedicated layer over client mailboxes that stops the phishing and business-email-compromise default filters miss.

  • Microsoft

    Hardened 365 & cloud tenancies

    We build and harden Microsoft 365 environments to a security standard — conditional access, least privilege, monitored by default.

  • Tenable

    Vulnerability scanning

    The scanning cadence behind our quarterly vulnerability reviews — we look for the open doors on a schedule, and report what we closed.

Verification

Don’t take the page’s word. Take the evidence.

Three ways to check every claim we make — the same diligence we would tell you to run on anyone.

  1. 01

    Phone a reference

    We provide reference clients in your industry you can call — directors, not case-study composites. Ask them what we found and how we handled it.

  2. 02

    See the evidence at the review

    Every finding in the Cyber Risk Assessment arrives documented and ranked, with the method shown. Bring your accountant, your broker, or your scepticism.

  3. 03

    Read the agreement

    The 100% CRA refund guarantee and the 90-Day Confidence Guarantee are written into engagement terms — commitments you can hold, not slogans you remember.

Straight answers

Asked about our credentials

If your question isn't here, ask it at the assessment — you'll get the same candour.

Not yet — and we won't imply otherwise with a lookalike badge. Our management system is built on the standard and the certification path is underway. When the audit is complete, the mark appears here. Until then, you get the honest status: readiness, evidenced on request.

Ask us to prove any line on this page.

The Cyber Risk Assessment is where claims meet evidence — ours and your current provider’s. Book it, and judge both by what the report shows.