Managed Cybersecurity · Australia & APAC

Security that lets you leap forward.

We run cybersecurity, compliance, and risk operations for organisations operating under regulatory scrutiny. So your business moves faster than your threat model, your audit calendar, or the regulator chasing them both.

Start a conversation See what we do →
Trusted by security and compliance teams at
Engaged across IRAP assessments, managed GRC, offensive security, and cyber tooling procurement. See how we work with them →
Threat Landscape · Q2 2026

What our team is tracking right now.

What our analysts are watching across regulated Australian and APAC environments. Refreshed quarterly with the campaigns, TTPs, and high-priority CVEs that matter most to our clients.

Active Campaigns
  • Scattered Spider — identity-based ransomware targeting managed service providersObserved in retail, insurance, SaaS
  • APT29 / Midnight Blizzard — OAuth token theft against M365 tenantsActive in APAC government and CNI
  • FIN7 — point-of-sale and e-commerce credential harvestingEscalated activity in AU retail and hospitality
Top TTPs This Quarter
  • MFA fatigue & push-bombing at session establishment+34% quarter-over-quarter
  • Help-desk social engineering for password resetsPrimary vector for Scattered Spider
  • Living-off-the-land binaries in cloud workloadsAzure Automation, AWS SSM abuse
Critical Vulnerabilities
  • CVE-2026-3401Ivanti Connect Secure — unauthenticated RCE, exploit observed in the wild
  • CVE-2026-2198Citrix NetScaler — session hijacking via memory disclosure
  • CVE-2026-0987VMware vCenter — authentication bypass, patch within 14 days
Curated quarterly by CypherLeap threat analysts from external telemetry and vendor intelligence partners.
01 — What we do

An operational security program, delivered as a service.

Most security firms sell point products and call it a program. We run the program for you — strategy, detection, response, compliance, and the boring parts in between. Six disciplines, one accountable team, one monthly number on your invoice.

Featured discipline · Virtual CISO

Executive security leadership, without the $400K salary.

A Virtual CISO runs your security program end-to-end — strategy, board reporting, risk appetite, incident command, vendor oversight, and the dozen quiet decisions per week that keep a company out of a breach headline.

01
Board-grade reporting

Quarterly risk posture with real numbers — not RAG charts — your board will actually read.

02
Full framework ownership

ISO 27001, SOC 2, NIST CSF, Essential 8, APRA CPS 234, PCI DSS — mapped, managed, audit-ready.

03
Incident command in hours, not weeks

Named executive on your side the moment something goes wrong. No hourly billing games.

Explore Virtual CISO
What the first 90 days look like
Week 1
Discovery and access. Existing controls inventoried, risk register baselined.
Week 4
First board-grade risk pack delivered. Quarterly reporting cadence established.
Month 3
Roadmap signed off, control owners assigned, maturity metrics baselined.
The other five disciplines

Managed GRC

Governance, risk, and compliance on autopilot. We build your ISMS, manage policies, and prepare you for every audit.

Learn more →

Managed SIEM

24/7 security monitoring, real-time threat detection, alert triage, and incident response. SIEM-agnostic, delivered through industry-leading platforms by senior analysts.

Learn more →

CTI & EASM

Dark web monitoring, leaked credential detection, and external attack surface management to stop threats before they reach you.

Learn more →

Penetration Testing

Network, application, cloud, and API penetration testing by certified ethical hackers with actionable remediation guidance.

Learn more →

Managed IT & Cyber Support

Unified IT and cyber operations. Endpoint management, identity & access control, cloud infrastructure, and helpdesk.

Learn more →

Free Dark Web Exposure Assessment

Find out if your company's credentials have been compromised. No obligation, instant results.

Check My Exposure →
Featured case study · Critical Healthcare Infrastructure

Two phone calls. Four systems compromised. Six days.

Under an unannounced engagement with a critical healthcare infrastructure operator, our offensive team ran a Scattered-Spider-style vishing simulation against the IT Service Desk and a frontline customer-facing function. Inside one working day, two pretexts landed access to the patient imaging portal, Microsoft 365, and the remote desktop environment, with MFA registered to our device.

Sector
Healthcare
Scope
OSINT + voice social engineering
Engagement window
6 days end-to-end
Read the full case study
2 of 2
pretexts successfully granted initial access and persistent foothold — a Medical Practitioner impersonation and a Contact Centre Agent impersonation, both inside 18 minutes on the phone.
Time on first call18 min
Systems reachedImaging Portal · M365 · Remote Desktop
Stakeholders aware in advance3 people only
02 — Compliance

Every framework your regulators and auditors expect.

Australian and APAC frameworks first — implemented, operated, and audit-ready. We hold the accreditations that let us assess against them, not just talk about them.

Australia — Government & Critical Infrastructure
IRAP

IRAP

ASD-endorsed assessments for OFFICIAL:Sensitive and PROTECTED systems

E8

Essential Eight

ACSC baseline mitigation strategies and maturity uplift

ISM

ISM & PSPF

Information Security Manual and Protective Security Policy Framework alignment

SOCI

SOCI Act

Critical infrastructure obligations, RMP attestation, and CIRMP support

Australia — Financial Services, Healthcare & Privacy
CPS

APRA CPS 234

Information security for APRA-regulated entities and superannuation

CPS230

APRA CPS 230

Operational risk management and third-party service-provider controls

PRIVACY

Privacy Act & APPs

Australian Privacy Principles, NDB scheme, and OAIC readiness

SOC

SOC 2 Type II

For APAC SaaS and tech firms selling into US enterprise

International Standards Recognised in APAC
ISO

ISO/IEC 27001:2022

Full ISMS build, gap analysis, and JAS-ANZ certification

PCI

PCI DSS 4.0

QSAC-led scoping, gap remediation, SAQ and ROC preparation

42001

ISO/IEC 42001

AI management systems for organisations deploying or building AI

NIST

NIST CSF 2.0

Govern, Identify, Protect, Detect, Respond, Recover

03 — Industries

Securing the sectors that can't afford a headline.

Four sectors, one focus — organisations where security is driven by regulatory pressure, audit scrutiny, and operational risk. Built for the regulated and high-accountability environments that define the Australian mid-market.

Regulated Healthcare

Hospitals, diagnostic imaging, aged care, and digital health providers. High breach impact, strict notification requirements, and oversight under OAIC, the Privacy Act, and sector-specific frameworks.

Privacy ActEssential 8ISO 27001
Explore healthcare →

Financial Services & Asset Finance

Insurance, wealth, lending, and payment processors operating under APRA, PCI DSS, CPS 234, and legacy data retention requirements — with increasing board-level accountability for cyber risk.

APRA CPS 234CPS 230PCI DSS
Explore financial services →

Government & Critical Infrastructure

State government, infrastructure operators, and publicly funded programmes. Aligned to ISM, PSPF, SOCI Act, and IRAP requirements with strict assurance and reporting expectations.

IRAPISM / PSPFSOCI Act
Explore government →

Professional & Industrial Services

Consulting firms, SaaS providers, manufacturers, and PE-backed organisations. Security driven by supply chain risk, due diligence, and investor-led governance expectations.

ISO 27001SOC 2Essential 8
Explore professional services →
04 — The difference

Why high-growth teams pick us.

We're not the cheapest option in the market and we're not trying to be. We're the firm you bring in when the next audit, regulator, or incident can't go badly — and you need people who will treat your program like it's their own.

01

Built for scale-up complexity

Purpose-built for companies growing across regions, product lines, and regulatory regimes simultaneously. Senior-level expertise, no enterprise bloat.

02

One accountable team, end to end

vCISO, GRC, SIEM, pen testing, IT — all under one roof. One vendor, one contract, one team that knows your environment as well as you do.

03

Audit outcomes, not audit advice

We don't hand you a report and leave. We build the ISMS, write the policies, run the risk register, and walk beside you through every audit. 98% first-time pass rate.

04

Global coverage, local fluency

Multi-region delivery across AU, EU, UK, and US — with analysts who speak to your regulators in the language they expect: theirs.

CypherLeap has been a highly professional and reliable cybersecurity partner. Their team combines strong technical expertise with practical, business-focused advice and has consistently delivered high-quality outcomes across multiple security initiatives. We value their collaborative approach, responsiveness, and commitment to helping strengthen our security posture.
HS
Head of Security
Leading Australian Healthcare Organisation

Ready to leap ahead on cybersecurity?

A 30-minute discovery call, a clear picture of your risk posture, and a specific path to get where you need to be. No sales theatre.

Book a discovery call →