flagged
Built for Australian businesses

About flagged

Australian small businesses face the same cyber threats as large enterprises — but without the security teams, budgets, or frameworks to deal with them. flagged exists to change that.

We built a free, plain-English cyber risk assessment that any business owner or IT manager can complete in under 20 minutes. No jargon. No sales pitch. Just clear visibility into where your business is exposed — and what to do about it.

The problem

Australian SMBs are underserved on cyber risk

Small and medium businesses account for the majority of Australian cyber incident reports to the Australian Cyber Security Centre (ACSC) each year. Yet most cyber security tools and frameworks are written for enterprise IT teams — not a 10-person professional services firm or a regional retail business.

The ACSC Essential Eight is Australia's most widely referenced baseline, but applying it without guidance is difficult for businesses without dedicated security staff. The SMB1001 standard, published by Dynamic Standards International (DSI), is designed specifically for small business, but awareness remains low. The Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme impose real obligations on many businesses, including some small ones, yet many SMBs don't know whether they apply, let alone how to comply.

flagged bridges that gap. It translates Australian cyber security frameworks into 50 practical questions any business can answer honestly — and turns those answers into a scored, prioritised action plan.

Coverage

What we assess

The assessment covers 12 security domains — the areas that matter most for Australian small businesses, drawn from the ACSC Essential Eight and SMB1001 frameworks.

01

Governance & Policy

Does your business have documented security policies, ownership of cyber risk at a leadership level, and a process for reviewing and updating them?

02

Data & Privacy

How does your business classify, store, and protect sensitive data? Are your obligations under the Privacy Act 1988 and NDB scheme understood and addressed?

03

Device Security

Are the computers, phones, and tablets your team uses configured securely? This covers full-disk encryption, screen locks, mobile device management (MDM), and endpoint protection.

04

Network Security

Is your business network segmented and protected? We assess firewall configuration, guest network separation, Wi-Fi security, and remote access controls.

05

Software & Patching

Are operating systems and applications kept up to date? Unpatched software is one of the most common entry points for attackers targeting Australian businesses.

06

Email Security

Email is the number-one attack vector for Australian SMBs. We assess anti-phishing controls, SPF/DKIM/DMARC configuration, and multi-factor authentication on email accounts.
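The SPF and DMARC checks mentioned above can be run against a domain's DNS records directly. The script below is an added illustration, not part of the flagged assessment or its code: it takes the SPF TXT record and the DMARC record (published at _dmarc.<domain>) and reports the gaps an assessor would flag, such as a permissive +all, a softfail ~all, too many DNS lookups, a p=none policy, or a missing reporting address. The records, domain names and mailbox addresses in it are constructed sample data; DKIM is left out because its records live under per-selector names that cannot be discovered without knowing the selectors each mail provider uses.

```python
"""Check SPF and DMARC records for the weaknesses an email-security assessment
looks for. Added illustration, not part of the flagged assessment itself.

The records below are constructed sample data. In practice you would pull the
real ones with a resolver, e.g.
    dig +short TXT example.com.au
    dig +short TXT _dmarc.example.com.au
DKIM is deliberately left out: its TXT records live under per-selector names
(<selector>._domainkey.<domain>) that you cannot discover without knowing the
selectors your mail providers use.
"""
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def parse_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means no gap found."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["No SPF record (or it does not start with v=spf1)"]

    # The 'all' mechanism decides what happens to senders not listed earlier:
    # -all fail, ~all softfail, ?all neutral, +all (or bare 'all') pass anything.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends with +all: any server on the internet may send as this domain")
        elif qualifier == "?":
            findings.append("SPF ends with ?all: spoofed mail is not penalised")
        elif qualifier == "~":
            findings.append("SPF ends with ~all (softfail): move to -all once every sender is listed")

    # Count only the top-level lookups; nested includes would add to the total.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("SPF uses the ptr mechanism: deprecated and unreliable, remove it")
    return findings


def parse_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record published at _dmarc.<domain>."""
    findings: list[str] = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["No DMARC record found at _dmarc.<domain>"]

    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is junked, not rejected; aim for p=reject")
    elif policy != "reject":
        findings.append("DMARC record has no valid p= tag")
    # Subdomain policy defaults to p=; an explicit sp=none reopens the subdomains.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings


def assess_email_auth(spf_record: str, dmarc_record: str) -> dict:
    """Combine SPF and DMARC findings into a single risk rating."""
    findings = parse_spf(spf_record) + parse_dmarc(dmarc_record)
    high_markers = ("No SPF", "No DMARC", "+all", "p=none")
    if not findings:
        rating = "Low"
    elif any(marker in f for f in findings for marker in high_markers):
        rating = "High"
    else:
        rating = "Medium"
    return {"rating": rating, "findings": findings}


# Constructed sample records for two hypothetical businesses.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com.au"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        result = assess_email_auth(spf, dmarc)
        print(f"{label}: {result['rating']} risk")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The lookup count is a lower bound: an include: that itself contains further includes adds to the real total, so a record that passes here can still exceed the limit once resolved. The p=none finding is rated High deliberately; a monitoring-only DMARC policy does nothing to stop a phishing email that spoofs the business's own domain, which is the scenario the Email Security domain is most concerned with.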

07

Backup & Recovery

Can your business recover from a ransomware attack or data loss event? We evaluate backup frequency, offsite storage, encryption, and recovery testing.

08

Incident Response

Does your business have a plan for when — not if — a security incident occurs? We look at detection capability, escalation paths, and post-incident review processes.

09

Supply Chain Risk

Your security posture is only as strong as your weakest vendor. We assess how you evaluate, onboard, and monitor third-party suppliers with access to your systems or data.

10

Website Security

Is your website and any customer-facing application secured? This covers HTTPS, CMS patching, form security, and protection against common web vulnerabilities.

11

Remote Working

Hybrid and remote work has expanded the attack surface for most businesses. We assess VPN usage, home network guidance, BYOD policy, and remote access security.

12

Staff & Security Culture

People remain the most targeted part of any organisation. We evaluate security awareness training, phishing simulation, clear desk practices, and password hygiene.

Process

How it works

Three steps. No account. No installation. Your answers stay in your browser.

1

Answer 50 plain-English questions

Work through one question at a time across all 12 security domains. Every question uses plain language — no prior security knowledge required. Takes around 15 minutes.

2

Get scored across 12 domains

See your security posture domain by domain — with a risk rating, a prioritised list of gaps, and actionable recommendations ordered by impact. Know exactly what to fix first.

3

Download your PDF report

Generate a PDF evidence pack summarising your results. Share it with your IT provider, use it to brief your board, or provide it to your cyber insurance broker as a baseline assessment.

Frameworks

Aligned to Australian cyber security frameworks

flagged is built around the frameworks that matter to Australian businesses — not generic checklists designed for US or European markets.

ACSC

ACSC Essential Eight

The Australian Cyber Security Centre's Essential Eight is Australia's foundational cyber security baseline. Its eight mitigation strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups, each assessed against a maturity model (Maturity Level 0 to 3). flagged assesses your posture against Essential Eight principles across all relevant domains.

SMB1001

SMB1001

Published by Dynamic Standards International (DSI), SMB1001 is a tiered certification standard purpose-built for small and medium businesses. It provides a practical, accessible baseline that scales from Bronze through Silver, Gold and Platinum to Diamond. flagged maps directly to SMB1001 controls to help you understand your current level and what's needed to progress.

Privacy Act

Privacy Act 1988 & Australian Privacy Principles

The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) govern how businesses with an annual turnover above $3 million — and some smaller businesses — must handle personal information. flagged's Data & Privacy domain helps you identify gaps in your data governance practices and understand your APP obligations.

NDB

Notifiable Data Breaches scheme

Under the Notifiable Data Breaches (NDB) scheme, entities covered by the Privacy Act must notify the OAIC and affected individuals when an eligible data breach occurs: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm and that remedial action has not prevented. A suspected breach must be assessed within 30 days and, if eligible, notified as soon as practicable. flagged assesses your breach detection and response capability, and whether your incident response plan addresses NDB obligations.

CSA 2024

Cyber Security Act 2024

The Cyber Security Act 2024 introduced a mandatory ransomware payment reporting obligation for businesses with annual turnover above $3 million (and for critical infrastructure operators): a payment made in response to a cyber extortion demand must be reported to the Australian Government, via the Australian Signals Directorate and the Department of Home Affairs, within 72 hours. The Act also established a Cyber Incident Review Board and enabled mandatory security standards for internet-connected smart devices. flagged's Incident Response and Governance domains address preparedness for obligations introduced under this Act.


Not just a compliance checklist

Compliance with a framework does not guarantee security. flagged assesses your practical security posture, not just whether you can tick boxes, and its recommendations are ordered by the real-world risk they reduce rather than by the number of controls they satisfy.

Audience

Who flagged is for

flagged is free and designed for three groups of people who deal with cyber risk in Australian businesses.

Australian small and medium businesses

If you run or manage an Australian SMB — from a five-person firm to a 200-person company — flagged gives you a clear picture of your current security posture and a prioritised plan to improve it. No prior cyber security knowledge required.

  • Understand your risk exposure today
  • Know what to fix first
  • Prepare for cyber insurance applications
  • Brief your board or leadership team

IT providers and MSPs

Managed service providers and IT consultants can use flagged to assess the security posture of their clients, identify gaps, and produce a professional PDF report as a basis for remediation conversations — without needing to build their own assessment tool.

  • Run structured client assessments
  • Produce brand-ready PDF reports
  • Prioritise remediation work
  • Support cyber insurance readiness

Insurance brokers

Cyber insurance underwriters increasingly require evidence of security controls before offering coverage. flagged gives brokers and their clients a free, framework-aligned baseline assessment that can be completed quickly and shared as supporting evidence.

  • Help clients understand their risk
  • Support pre-application due diligence
  • Framework-aligned assessment output
  • PDF evidence pack for underwriters

Principles

How we built flagged

Free, always

flagged is free to use with no hidden costs, no freemium limits, and no requirement to speak to a salesperson.

No sign-up required

Your answers are stored in your browser only. You don't need to create an account to complete the assessment or download your report.

Plain English throughout

Every question and recommendation is written for business owners — not security engineers. Technical terms are explained in context.

Australian-specific

The assessment reflects Australian legislation, frameworks, and threat intelligence — not generic global guidance that doesn't account for local obligations.

Ready to find out where you stand?

Free. No sign-up required. Your answers stay in your browser. Takes about 15 minutes.

Start your free assessment