Security Health Check.
A fixed-scope security audit covering email authentication, website vulnerabilities, and web security headers. Delivered as a plain-English report you can act on — not a 90-page PDF no one reads.
Email authentication & deliverability
Email is the #1 attack surface for Australian SMBs. We review every record a receiver checks before deciding whether to trust your mail — and every misconfiguration attackers use to impersonate you.
- SPF — config reviewed by hand, not just presence. Lookup count, -all vs ~all, include chains.
- DKIM — selector discovery, key strength (1024-bit keys flagged), revocation state.
- DMARC — policy level, pct= value, rua/ruf reporting, subdomain policy.
- MTA-STS + TLS-RPT — inbound TLS enforcement and delivery failure reporting.
- BIMI — logo record and VMC status (if configured).
- Blacklist + send reputation — 50+ RBL check, historical delivery issues.
- M365 / Google Workspace–specific review — connector settings, selector1/2 DKIM, DMARC alignment.
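As an added illustration (not the audit's own tooling) of what "reviewed by hand, not just presence" means for SPF and DMARC, the following Python checks two constructed records for the weaknesses listed above: SPF lookup count and `~all`, and DMARC `p=none`, partial `pct=`, and missing `rua=`. The records and domain names are made up for the example.

```python
import re

# Constructed sample records for an imaginary domain (not real data).
SAMPLE_SPF = "v=spf1 include:_spf.example-mail.com include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"

# Mechanisms/modifiers that each cost one of the 10 DNS lookups (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def review_spf(record: str) -> list[str]:
    """Flag the SPF weaknesses the audit lists: soft 'all' and lookup count.
    Only this record's own terms are counted (nested includes are not resolved)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the 10-lookup limit (permerror)")
    tail = terms[-1].lower()
    if tail == "~all":
        findings.append("SPF: ~all softfail; spoofed mail is accepted and merely marked")
    elif tail in ("?all", "+all"):
        findings.append(f"SPF: {tail} gives no protection at all")
    elif tail != "-all":
        findings.append("SPF: no terminal 'all' mechanism")
    return findings

def review_dmarc(record: str) -> list[str]:
    """Flag DMARC gaps: monitor-only policy, partial pct, no rua reporting."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never collected")
    return findings
```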
Active scan of your web presence
Most SMB websites carry fixable security debt. Outdated WordPress installations, exposed admin paths, weak TLS — these are the entry points attackers use first. We find them before they do.
- CMS detection and version check — WordPress, Drupal, Joomla.
- Plugin and theme CVE scan — known vulnerabilities matched against your installed versions.
- Exposed paths — .env files, backup archives, xmlrpc.php, debug endpoints, admin panels.
- Open port scan — services exposed to the internet that shouldn't be.
- SSL/TLS configuration — cipher suites, certificate chain, HSTS preload status, mixed content.
- Subdomain exposure — dangling DNS, forgotten staging environments.
HTTP security header review
Security headers are the last line of browser-side defence. Most SMB sites serve none of the important ones — or serve them incorrectly. We grade what's there and spec what's missing.
- Content-Security-Policy — presence, strictness, unsafe-inline / unsafe-eval usage.
- HSTS — max-age, includeSubDomains, preload eligibility.
- X-Frame-Options and frame-ancestors — clickjacking protection.
- X-Content-Type-Options — MIME-sniffing prevention.
- Referrer-Policy, Permissions-Policy — data leakage and API access controls.
- CORS exposure — Access-Control-Allow-Origin misconfiguration.
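To show how the checks above turn into a grade, here is an added Python example (not the audit's own tooling) that reviews two constructed header sets, one weak and one hardened, for the headers listed in this section. The HSTS preload threshold of a one-year max-age with includeSubDomains and preload follows the public preload-list requirements; the header values themselves are invented.

```python
import re

# Constructed response headers for two imaginary sites (not real data).
WEAK_SITE = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}
HARDENED_SITE = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def review_headers(headers: dict) -> dict:
    """Grade the headers the audit lists; returns {check: verdict}.
    Names are compared case-insensitively, as HTTP header names are."""
    h = {k.lower(): v for k, v in headers.items()}
    out = {}
    csp = h.get("content-security-policy")
    if csp is None:
        out["csp"] = "missing"
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        out["csp"] = "weak: unsafe-inline or unsafe-eval permitted"
    else:
        out["csp"] = "ok"
    hsts = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        out["hsts"] = "missing"
    elif int(m.group(1)) >= 31536000 and "includesubdomains" in hsts and "preload" in hsts:
        out["hsts"] = "ok: preload-eligible"
    else:
        out["hsts"] = f"weak: max-age={m.group(1)}, not preload-eligible"
    if "x-frame-options" in h or (csp and "frame-ancestors" in csp):
        out["clickjacking"] = "ok"
    else:
        out["clickjacking"] = "missing: no X-Frame-Options or frame-ancestors"
    out["mime-sniffing"] = "ok" if h.get("x-content-type-options", "").lower() == "nosniff" else "missing"
    for name in ("referrer-policy", "permissions-policy"):
        out[name] = "ok" if name in h else "missing"
    acao = h.get("access-control-allow-origin")
    out["cors"] = "exposed: wildcard origin, any site can read responses" if acao == "*" else "ok"
    return out

def count_failures(headers: dict) -> int:
    """Number of checks that did not come back 'ok'."""
    return sum(1 for v in review_headers(headers).values() if not v.startswith("ok"))
```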
Three deliverables. No ambiguity.
Written findings report
Plain-English report covering every finding, rated by severity (Critical → Informational), with a prioritised fix list. Written for a business owner, not a security conference.
30-minute walkthrough call
We walk you through the report together. You ask questions, we give straight answers. Recorded on request.
90-day follow-up access
Direct email access to the engineer who ran the audit for 90 days. You implement the fixes, we answer the questions that come up.
What this audit doesn't cover
Being clear about boundaries is part of doing this properly.
- Penetration testing — no exploitation attempts, no social engineering. That's a separate engagement starting from ~AUD $6,000.
- Internal network assessment — this is an external-facing audit only.
- Ongoing monitoring — this is a point-in-time assessment. Ask us about managed security if you want continuous coverage.
- Code review — we scan for known vulnerabilities, not custom application logic bugs.
We can fix it — not just report it
Most SMB website audits turn up the same problems: WordPress running outdated plugins, weak TLS, exposed admin paths, missing security headers. These aren't bad luck — they're what happens when a site is built and forgotten.
If the scan finds structural issues with your website, we can quote a rebuild: a modern, maintained site hardened from day one. The $2,500 audit fee is credited toward the build quote.
Know where you stand. Fix what matters.
Most audits take 3–5 business days from go-ahead. Fixed price, fixed scope — no surprises.
Australian businesses only. Payment on engagement — not upfront.
Frequently asked questions
- What does the Security Health Check cover?
- The audit covers three areas: email security (SPF, DKIM, DMARC, MTA-STS, BIMI, blacklist reputation), website vulnerability scanning (CMS version checks, plugin CVEs, exposed admin paths, TLS configuration, subdomain exposure), and HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS). Every finding is rated by severity and delivered as a plain-English written report.
- How much does it cost?
- The Security Health Check is a fixed price of AUD $2,500. There is no ongoing retainer, no lock-in, and payment is on engagement — not upfront. If we find structural issues with your website, the $2,500 audit fee is credited toward a rebuild quote.
- How long does the audit take?
- Most audits complete within 3–5 business days from go-ahead. We run the checks, compile the findings, rate each one by severity, and write the plain-English report during that window. A 30-minute walkthrough call is then scheduled at a time that suits you.
- What do I receive when it's done?
- Three deliverables: a written findings report covering every finding rated Critical to Informational with a prioritised fix list; a 30-minute walkthrough call where we walk through the report and answer your questions; and 90-day direct email access to the engineer who ran the audit so you can ask questions as you work through the fixes.
- Is this a penetration test?
- No. The Security Health Check is a passive external audit — we don't attempt exploitation, social engineering, or internal network assessment. Penetration testing is a separate engagement starting from approximately AUD $6,000. This audit finds the configuration problems attackers rely on before they try anything more sophisticated.
- Do you need credentials or access to our systems?
- No. The audit is entirely external-facing — we check the DNS, web, and email infrastructure that is publicly observable without any credentials, agents, or access to your internal systems.