Frequently Asked Questions

Straight answers to common questions.

No jargon, no upsell. If something isn't covered here, ask us directly.

What size organisation do you work with?

Most of our clients are mid-market and growth-stage organisations — typically 50 to 2,000 people. We also work with regulated businesses that are smaller but face disproportionate compliance requirements (financial services, healthcare, government suppliers). If you have a security problem and need practical help, we're probably a good fit regardless of size.

Do we need to already have a security team?

No. Many of our clients don't have a dedicated security person. We work alongside IT teams, operations leads, or directly with founders and executives. Part of what we do is help you figure out what security capability you actually need — and what can be handled through good process and tooling rather than headcount.

What does a typical engagement look like?

Most engagements start with a Cyber Health Check or a focused review (Essential Eight, ISO 27001 readiness, cloud security). That gives us and you a clear picture of where you stand. From there, we either hand you a prioritised plan to run yourself, or we stay on to help implement. Some clients keep us on a retainer for ongoing advisory work. There's no minimum commitment — we'd rather do useful work for four weeks than bill for twelve months of vague "strategic advice."

How much does it cost?

We scope and price each engagement based on what you actually need. A Cyber Health Check for a 100-person organisation typically runs between $8,000 and $15,000. Larger programmes (ISO 27001 readiness, full security architecture) are scoped individually. We'll give you a clear proposal with fixed deliverables before any work starts — no open-ended retainers unless you specifically want one.

Can you help with an active incident right now?

Yes. Call 1300 112 313 immediately. Don't wipe anything, don't delete logs, don't reset passwords across the board until we've talked. The first priority is to stop further damage while preserving evidence. We can be on a call within 15 minutes during business hours.

What frameworks do you work with?

ISO 27001, SOC 2, Essential Eight, NIST CSF, CPS 234, PCI DSS and MITRE ATT&CK. We don't treat frameworks as checklists — we use them as structure to make sure security work is complete and defensible. The framework matters less than whether the controls actually work.

Do you sell security products or tools?

No. We're a consulting and implementation partner. We work with the tools you already have (Microsoft, AWS, CrowdStrike, Akamai and others) and help you get more value from them. If you need a new tool, we'll recommend what fits — but we don't resell products or take vendor commissions. Our advice is independent.

What happens after the engagement ends?

You get documentation, runbooks, evidence packs and a clear handover. Everything we build is designed so your team can operate it. We're not trying to create a dependency — if we've done the job well, you shouldn't need us for the same problem twice. Many clients do come back for new challenges, and that's fine, but it's always their choice.

Where are you based?

Sydney, Australia — but we work with clients nationally and have supported organisations in New Zealand, Singapore and the UK. Most of our work can be done remotely, but we're happy to be on-site when the work calls for it.

How do we get started?

Book a briefing. It's a 30-minute call with one of our senior consultants — not a sales pitch. We'll ask about your situation, tell you honestly whether we can help, and if it makes sense, we'll send a proposal within a few days. Start here.

Still have questions?

Just ask.

Book a briefing and we'll give you a straight answer about your situation, what's realistic, and what we'd recommend.