For web agencies and freelance developers

Add security monitoring to every client website without becoming a security company.

A pooled-asset plan that watches the external surface of every site you manage. Co-brandable PDF reports. Findings written for the developer who builds the site, because that is you. No exploitation, no managed service, no replacement for a manual penetration test.

Why agencies in particular

The shape of the risk for an agency book.

Four pressure points where bundled monitoring pays back the retainer.

A hacked client site lands on your name

When a website you built or maintain gets defaced, redirected, or pulled into a credit-card skimmer campaign, the client calls you first. Reputation damage to a small agency from one incident is hard to recover from, even when the underlying issue was a CMS plugin you never installed.

"Are we secure?" with no real answer

Clients increasingly ask web agencies whether their site is secure, often driven by their own insurer or a board question. Without recurring external monitoring, the honest answer is "we patched it at launch." That stops winning retainers.

Competitors bundling security with maintenance

Agencies offering "managed maintenance with security monitoring" are taking retainer business from agencies that only patch on request. Bundling a recurring scan into your monthly retainer gives you the same answer at a fraction of the cost of building it in-house.

Inheriting risk on sites you no longer touch

Old client sites from years ago still have your agency name in the footer, on the GitHub repo, or in DNS. When something breaks on one of those, you are the one the client rings. Monitoring catches the worst of it before the client does.

What we check

The checks that matter for an agency-managed site.

We focus on the public surface of every site in your pool: the CMS, the domain, email authentication, TLS, and any portals or staging copies that should or should not still resolve. Findings come back to your agency, because in almost every case you are the one who fixes them.

| What we check | Why it matters | Who fixes it |
| --- | --- | --- |
| CMS and plugin version exposure (WordPress, Drupal, Joomla) | Outdated WordPress core, vulnerable plugins, and exposed admin paths are the most common path into a small-business website. We flag known-vulnerable versions and exposed admin endpoints so you can update them before someone else finds them. | You, the agency. Most fixes are a plugin update, a theme patch, or a hosting move. |
| TLS certificate health and expiry | A client website with an expired certificate at 9am on a Monday is the kind of incident that destroys a retainer. We monitor expiry, weak ciphers, and chain issues across every client domain in your pool. | You, or the hosting provider you put the client on. |
| Subdomain hygiene and forgotten staging sites | Old staging copies, abandoned dev subdomains, and dangling DNS records are how agency-managed sites leak content and source. We discover subdomains continuously and flag things that should not still resolve. | You, the agency. Cleaning up DNS and decommissioning staging is your job. |
| HTTP security headers (HSTS, CSP, X-Frame-Options) | A small set of headers blocks broad categories of browser-side attacks. They are cheap to add at the framework or hosting level, and visible to anyone running a security checklist on the client site. | You, the agency. These ship in the framework or the hosting config. |
| Email authentication on client domains (SPF, DKIM, DMARC) | Many small-business sites also send transactional email from the same domain (contact forms, order confirmations). Missing email authentication means those messages land in spam or get spoofed by scammers. Often a fast win to bundle. | You or the client IT person, depending on who manages DNS. |
| Exposed admin paths, env files, and source control leakage | Public access to /wp-admin, /.env, /.git, or /backup zip files is the kind of finding that ends up in a public breach roll-up. We find them passively and report them with the URL and the evidence. | You, the agency. Usually a hosting or deployment fix. |

What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation, ever

AttackEdge observes the public surface of a site. We do not exploit, brute-force, or send payloads. Nothing we do affects a client site, a client checkout, or a client database.

Not a managed service

AttackEdge does not log into a client site and fix the issues for you. The findings come back to your agency in plain English with technical detail, so you can prioritise them inside the maintenance retainer you already run.

Not a manual penetration test

Automated external scanning is not the same as a human-led pen test. If a client needs a pen test for a procurement requirement, you still need one. AttackEdge runs alongside, monthly or weekly, in between.

No application or admin access

AttackEdge never asks for WordPress credentials, Shopify API keys, or hosting logins. We only look at what the client site exposes on the public internet. That is the surface attackers see.

Co-branded report

Your agency on the cover, AttackEdge in the methodology.

Every report leads with a plain-English owner summary, then prioritised findings, then technical detail and remediation steps a developer can action. On the MSP / Agency tier, the PDF carries your agency logo and primary colour on the cover and in the footer. The methodology section stays AttackEdge-attributed so the report stands up to a third-party review.

Plan that fits

Start on SMB, scale to MSP.

SMB at A$99/month for one test client (50 scan units, free re-checks on email auth, DNS, and TLS posture). Run it on one site for a month to see what the report and send-to-IT flow look like, then move to a custom MSP arrangement: pooled scan units across client workspaces, co-brandable PDF reports, partner agreement and onboarding, bespoke pricing by size and cadence.

Common questions

From other agencies.

  • How do I co-brand the reports for my agency?

    Co-branding is part of the MSP / Agency tier (contact-sales). Upload a logo and set a primary colour, and PDF reports render with that branding on the cover and footer. Reports stay AttackEdge-attributed in the methodology section so they stand up to a third-party review. Standalone Solo and SMB plans use AttackEdge branding.

  • Can I roll the cost into my client retainer?

    Yes. On the MSP / Agency arrangement we bill your agency, not the client, and you decide how to package it inside your monthly retainer (often A$15 to A$30 per client site as a security-monitoring line). Some agencies bundle it as a free perk on annual contracts to reduce churn.

  • What if a client wants their own login and to see findings directly?

    Inside an MSP arrangement we can stand up per-client workspaces with their own logins. If a client wants a direct relationship and a direct invoice, point them at Solo (A$39/month) or SMB (A$99/month) on attackedge.io.

  • Does this replace my existing maintenance plan?

    No. Maintenance plans handle WordPress core, plugin and theme updates, backups, and uptime. AttackEdge monitors the external attack surface and feeds findings into that maintenance work. Together they form a credible "managed website with security monitoring" offer. Separately, neither does the full job.

  • How do I bring 30 client websites into AttackEdge?

    Start with the SMB plan (A$99/month, 50 scan units) on a single test client to learn the report shape, then move to a custom MSP arrangement (email partners@attackedge.io) once you want to roll it out across your book. MSP pricing scales with pooled scan units, cadence, and number of client workspaces.

  • Will my clients see "AttackEdge" or just my agency?

    On the MSP / Agency tier, the PDF report carries your agency branding on the cover, table of contents, and footer. The methodology section credits AttackEdge as the underlying scanner so the report stands up to a third-party review (insurer, procurement, security consultant). You stay the agency the client deals with; AttackEdge sits behind you.

Bundle it into the retainer

Ready to add security monitoring to every retainer?

Start with one client on the SMB plan, see what the report looks like, then talk to us about MSP pricing when you are ready to scale across your book.

Hosted in Sydney · Passive scanning only · Start on SMB at A$99/month