Method
Sight. Aim. Launch. Trajectory.
Four phases. One continuous programme. Each phase produces something the next phase consumes — there's no waiting room, no handoff cliff, no quarterly slide deck masquerading as progress.
01
Sight.
We see your environment the way an attacker would, then the way an auditor would.
- 01 External attack surface discovery
- 02 Asset and identity inventory
- 03 Current-state Essential Eight maturity scoring
- 04 Threat modelling against your sector's known TTPs
Signal
4
business days
Average time-to-first-finding
02
Aim.
We prioritise by business risk, not by tool noise.
- 01 Risk register aligned to ISO 31000
- 02 Regulatory obligation mapping (ISM, SOCI, APRA, Privacy Act)
- 03 Remediation backlog with cost, effort, and maturity-gain scoring
- 04 Board-ready risk narrative
Signal
1
page
Board-ready risk narrative
03
Launch.
We implement controls, not slide decks.
- 01 Hands-on technical implementation across the Essential Eight
- 02 Identity, endpoint, application control, and patching uplift
- 03 Detection engineering and use-case build-out
- 04 Control validation via offensive testing
Signal
ML3
targets
Implementation across all eight
04
Trajectory.
Maturity isn't a state. It's a direction.
- 01 Continuous control monitoring
- 02 Quarterly maturity re-scoring
- 03 Threat-led testing cadence
- 04 Board and audit reporting pack
Signal
∞
cycle
Continuous re-measurement
See how we'd apply it to you.
The posture review is a one-session compression of the full Sight phase. You walk away with a maturity score, your top three exposures, and a one-page plan.