Essential Eight ML1 as the delivered baseline; ML2+ where regulators require it. Full Microsoft Security stack, deeply deployed. ISO 27001 audit in progress. Normally part of Managed IT — available standalone for businesses that want enterprise-grade security at SMB-friendly economics.
We don't run a "security toolkit" — we run a Microsoft-aligned security stack with nine years of operating depth. The same controls that protect your business today extend naturally to govern your AI environment tomorrow.
Endpoint detection & response, M365 phishing & malware protection, attack surface reduction across all client environments.
Cloud-native SIEM correlating signals across identity, endpoint, M365 and Azure. Available where the use case justifies it — typically regulated clients with material supervisory exposure. We run it for ourselves and for selected clients; not included in the standard $185/user/month bundle.
Sensitivity labels, DLP rules, vendor-level AI guardrails (Claude, Copilot, others), Acceptable Use Policy enforcement. The bridge between security and AI Governance.
Conditional access, device compliance, endpoint hardening, mobile device management. Windows and MacOS endpoints both fully supported.
The Australian Cyber Security Centre's Essential Eight is the de facto baseline for any regulated or regulated-adjacent Australian business. Maturity Level 1 is our delivered baseline across the client base; clients with APRA, ASIC, or government-tender obligations sit at ML2+ on a defensible, evidenced roadmap.
Approved-application whitelisting via Defender + Intune.
Critical patches within 48h; rest within 2 weeks.
Macros blocked from the internet; signed-only where needed.
Browser, M365, PDF reader hardened to ASD baselines.
Just-in-time admin via Entra PIM; privileged access workstations.
Critical patches within 48h; all systems within 2 weeks.
MFA mandatory for all users; phishing-resistant where licence permits.
Immutable backups; tested recovery quarterly; 30-day retention minimum.
ESSENTIAL EIGHT MATURITY LEVEL 3 ATTESTATION IS PART OF THE 2026 CERTIFICATIONS ROADMAP · SEE OUR ROADMAP DOCUMENT FOR DETAIL
The list below is the standard managed-security envelope we run for every client. It's inclusive — not a "starter tier" with optional add-ons. Some clients add specialist services (penetration testing, third-party SOC integration, advanced threat hunting) but the base envelope is fixed.
Microsoft Defender XDR running continuously, with same-day triage for high-severity alerts and same-business-hour response for critical events. Sentinel SIEM available as an add-on for clients with deeper monitoring needs.
Microsoft Defender for Endpoint deployed and tuned. EDR signals correlated with M365 + identity data for higher-fidelity detection.
Entra ID Conditional Access policies, MFA enforcement, risky sign-in detection, privileged access management via PIM.
Continuous vulnerability scanning of endpoints and cloud assets; patch deployment within Essential Eight tolerances; quarterly executive report.
Quarterly phishing simulations and education modules. Reported per-user and per-department. Builds the "human firewall" most security platforms can't.
Microsoft Defender for Office 365 with advanced threat protection. Phishing, BEC, malware filtering; safe links and safe attachments.
Immutable backups for M365, Azure workloads, and endpoint data. Tested recovery quarterly. RPO and RTO documented per workload.
Documented IR plan, runbooks per scenario, executive briefings during incidents, post-incident review and learning capture.
Australian SMBs in regulated industries deal with overlapping obligations from multiple regulators. We've published deep content on every one of them — not because it's good for SEO, but because we operate against each in delivery. Click any of these to read the detailed guidance.
ACSC alignment
OAIC + ADM rules
Operational risk
Cyber resilience
Tax practitioner duties
Digital service standards
Legal professional
Industrial systems
Every claim we make about AI Governance is credible because the security work underneath it is already running. Identity, M365 hardening, DLP, Essential Eight, Quarterly Business Reviews. AI Governance is the next layer on the same operating standard — using the same Microsoft Purview controls, the same Defender stack, the same audit discipline. One team. One contract. One standard.
See the AI Governance Bundle →Most clients take cybersecurity as part of our Managed IT service — same team running both, one contract, one monthly fee. For clients who want to keep their existing IT provider but upgrade their security, we run a standalone managed-security engagement with the same operating standard.
We don't claim certifications we don't hold. "Aligned to" means we map our delivery against the framework. "Certified to" only appears when an external audit has confirmed it. Two ISO certifications are in active progress through 2026.
Whether you're swapping providers or starting from scratch, the AI Readiness Sprint is the cleanest way to see what's actually in your environment — security posture, AI exposure, and the gaps before they cost you.