What's included
The short answer
A security posture assessment is an independent review of how exposed your business is to attack. It looks at your network, cloud environment, identity management, and security controls, and tells you where you are vulnerable before an attacker does.
What you walk away with
The deliverables
At the end of the engagement you receive a complete documentation package. Your leadership team can act on it directly. You can also share it with a board, insurer, or prospective client as evidence of your security posture.
Executive Report
Plain-English summary your leadership team can read and act on. Not a list of CVEs. Written so a non-technical owner can understand what was found and what to do next.
Risk Matrix
Every finding ranked by real-world exploitability, not just CVSS score. Shows what needs fixing now versus what can wait, so your team puts effort where it counts.
Remediation Roadmap
Prioritised fix list with effort estimates and quick wins highlighted. Practical enough to hand straight to your IT provider without needing us to interpret it.
Walk-Through Call
We walk through every finding with your team and answer questions. It comes with every engagement, at no extra charge.
How it works
The assessment process, step by step
Here is what happens during an engagement, in order. Every phase is included as standard.
Scoping and Pre-Engagement
We agree what is in scope, confirm testing boundaries, and collect prerequisites before work starts. No surprises mid-assessment. You know exactly what will be tested and when.
Discovery and Reconnaissance
External footprint mapping, port scanning, and service enumeration. We see what an attacker sees before they do: exposed services, DNS records, subdomains, and any credentials left publicly accessible.
Vulnerability Assessment
Authenticated and unauthenticated scans across your internal and external environment, followed by manual validation to cut false positives. Credential checks on every discovered service.
Security Controls Review
Firewall rules, Active Directory hygiene, MFA coverage gaps, email security controls, and logging coverage. The layer most generic assessments skip and attackers rely on.
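One of the controls-review checks named above, MFA coverage gaps, as an added example (not the assessor's own tooling): it reads a constructed identity export, reports every account without MFA with privileged accounts ranked first, and also flags privileged accounts that have not signed in for months. The column names, role names and the 90-day staleness threshold are assumptions chosen for the example.

```python
"""Added example: MFA coverage gap check over a constructed identity export.

Not the assessor's tooling. Column names, role names and thresholds are
assumptions for illustration; a real review maps them to the tenant's export.
"""
import csv
import io

# Constructed sample export (fabricated accounts, not real data).
SAMPLE_EXPORT = """user,role,mfa_enrolled,last_sign_in_days
alice@example.com,Global Administrator,yes,2
bob@example.com,User,no,5
carol@example.com,Exchange Administrator,no,1
dave@example.com,User,yes,40
old-admin@example.com,Global Administrator,no,210
svc-backup@example.com,User,no,0
"""

# Assumed role names that count as privileged for this review.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
STALE_DAYS = 90  # assumed threshold for a dormant privileged account

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def mfa_gaps(rows):
    """Return gap findings, most serious first.

    Privileged accounts without MFA are 'high'; everyone else is 'medium'.
    A privileged account that is also dormant gets a separate finding, since
    it should usually be disabled rather than enrolled.
    """
    findings = []
    for row in rows:
        privileged = row["role"] in PRIVILEGED_ROLES
        days = int(row["last_sign_in_days"])
        enrolled = row["mfa_enrolled"].strip().lower() == "yes"
        if not enrolled:
            findings.append({
                "severity": "high" if privileged else "medium",
                "user": row["user"],
                "issue": "not enrolled in MFA",
            })
        if privileged and days >= STALE_DAYS:
            findings.append({
                "severity": "high",
                "user": row["user"],
                "issue": f"stale privileged account ({days} days since sign-in)",
            })
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f["severity"]], f["user"], f["issue"]))


def coverage_summary(rows):
    """Headline numbers for the report: overall and privileged MFA coverage."""
    enrolled = [r for r in rows if r["mfa_enrolled"].strip().lower() == "yes"]
    privileged = [r for r in rows if r["role"] in PRIVILEGED_ROLES]
    priv_enrolled = [r for r in privileged if r["mfa_enrolled"].strip().lower() == "yes"]
    return {
        "accounts": len(rows),
        "mfa_enrolled": len(enrolled),
        "privileged": len(privileged),
        "privileged_mfa_enrolled": len(priv_enrolled),
    }


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(coverage_summary(rows))
    for gap in mfa_gaps(rows):
        print(f"[{gap['severity']:6}] {gap['user']}: {gap['issue']}")
```

The ranking puts the two privileged accounts without MFA ahead of ordinary users, and the dormant admin shows up twice, once for the missing control and once because it probably should not exist at all; that second finding is the kind of item that belongs in the quick-wins list of the remediation roadmap.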
Risk Ranking and Analysis
Findings ranked by real-world exploitability and business impact, not just CVSS scores. Attack chains mapped and contextualised to your industry and the threats that target it.
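To make the difference between CVSS-only and exploitability-plus-impact ranking concrete, here is an added example (not the assessor's scoring method): a small scoring model that weights each finding by its exposure, whether exploitation is practical, and how critical the affected asset is to the business, then sorts the findings into fix-now, schedule and monitor buckets and picks out quick wins. The weights, buckets and the five sample findings are assumptions constructed for the example.

```python
"""Added example: ranking findings by real-world exploitability and business
impact rather than CVSS alone. The weights and thresholds are illustrative
assumptions, not the assessor's actual model."""
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    severity: float         # CVSS base score, or an assessor-assigned 0-10 for misconfigs
    exploit_available: bool  # public exploit exists, or abuse is a trivial misconfig
    exposure: str            # "internet", "internal" or "isolated"
    asset_criticality: int   # 1 (low) .. 3 (business-critical), agreed during scoping
    effort: str              # remediation effort estimate: "low", "medium", "high"


# Assumed weights: how reachable the affected system is for an attacker.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}


def priority_score(f):
    """Score 0-10 combining likelihood (reachability x practicality) with impact."""
    likelihood = EXPOSURE_WEIGHT[f.exposure] * (1.0 if f.exploit_available else 0.4)
    impact = (f.severity / 10.0) * (f.asset_criticality / 3.0)
    return round(10 * likelihood * impact, 1)


def triage(f):
    """Bucket a finding for the remediation roadmap (assumed thresholds)."""
    score = priority_score(f)
    if score >= 6.0:
        return "fix now"
    if score >= 3.0:
        return "schedule"
    return "monitor"


def rank(findings):
    """Findings ordered by priority score, highest first."""
    return sorted(findings, key=priority_score, reverse=True)


def quick_wins(findings):
    """Low-effort findings that are not merely 'monitor': cheap risk reduction."""
    return [f for f in findings if f.effort == "low" and triage(f) != "monitor"]


# Constructed sample findings (fabricated, not from any real engagement).
SAMPLE_FINDINGS = [
    Finding("Internet-facing VPN appliance with a known exploited vulnerability",
            9.8, True, "internet", 3, "medium"),
    Finding("Default admin password on internal printer web interface",
            7.5, True, "internal", 2, "low"),
    Finding("Critical CVSS on isolated lab server, no public exploit",
            9.1, False, "isolated", 1, "high"),
    Finding("Finance file share readable by all domain users",
            6.5, True, "internal", 3, "low"),
    Finding("No MFA on Microsoft 365 administrator accounts",
            8.0, True, "internet", 3, "low"),
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority_score(f):4.1f}  {triage(f):8}  CVSS {f.severity:4.1f}  {f.title}")
    print("Quick wins:", [f.title for f in quick_wins(SAMPLE_FINDINGS)])
```

Sorted by CVSS alone, the isolated lab server would sit second on the list; with exposure and exploitability factored in it drops to the bottom, while the missing MFA on admin accounts, which has no CVE at all, moves into the fix-now bucket. That reordering is what the risk matrix is meant to capture so effort goes where it counts.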
Reporting and Delivery
Peer-reviewed report, walk-through call, follow-up Q&A, and an optional re-test window to confirm critical remediations landed correctly.
Pricing and timeline
What to expect
For a typical Australian SME (10–200 employees)
Typical end-to-end delivery
The final cost depends on scope: external-facing systems, internal sites, cloud platforms, and overall environment size. Most SME engagements sit at the lower end of that range.
A single experienced assessor owns the work from start to finish. No hand-offs, no waiting on another team. That is why turnaround is faster than you would expect from a larger consultancy.
For context: a full assessment starts at $5,000. The average ransomware recovery for an Australian SME costs $250,000 in downtime, data loss, and recovery fees. Prevention is always cheaper.
FAQ
Common questions
How long does a cybersecurity assessment take?
Most assessments complete within two to three weeks from kick-off to report delivery. The exact timeline depends on the size of your environment and the number of systems in scope. We agree on a schedule before we begin so there are no surprises.
Do you need access to our systems during the assessment?
Yes, for the internal phases. Authenticated scanning requires read-level access to your systems. External reconnaissance requires nothing from you upfront. We use read-only credentials wherever possible and document what access was used.
Will the assessment disrupt our day-to-day operations?
Scanning is non-destructive and can be scheduled around business hours. Most clients notice nothing during the assessment. We agree testing windows upfront so your team knows what to expect.
What's the difference between an assessment and a penetration test?
An assessment finds and ranks your vulnerabilities. A penetration test actively exploits them to show real-world impact. For most SMEs, an assessment is the right starting point. You get a clear view of your exposure without the cost and complexity of full exploitation testing.
Do we need to prepare anything before the assessment starts?
We send a pre-engagement checklist covering network diagrams if available, a list of key systems, and read-only credentials for internal scanning. We keep prerequisites light. Most clients are ready in under an hour.
Can we use the assessment report for cyber insurance applications?
Yes. Our reports cover your security posture, existing controls, and remediation roadmap. That is exactly what insurers ask for. Several clients have used their report to support better premiums or satisfy policy requirements at renewal.
What happens after the assessment? Do you help us fix things?
The report and roadmap are written so your IT provider can execute them directly. We are happy to answer follow-up questions. For clients who want ongoing support, our vCISO service picks up where the assessment leaves off.