For accountants and bookkeepers

Website, domain, and email security for accounting and bookkeeping firms.

Recurring external security monitoring on the public surface of your firm. Plain-English findings, dated evidence for cyber insurance and client questions, written for the IT provider or web developer who actually fixes things. No exploitation, no consulting, no replacement for a manual penetration test.

Why accountants and bookkeepers

The shape of the risk for a firm like yours.

Four pressure points where external monitoring earns its keep.

Client trust and identity data

Your firm holds TFNs, ABNs, payroll, BAS records, and bank details for every client. A public exposure or a spoofed email from your domain damages the trust you have built over years, and clients will ask whether their data is safe.

Invoice and payment fraud

Accounting and bookkeeping firms are a target for invoice redirection scams. Attackers spoof your domain, intercept email about a client payment, and reroute funds. Email authentication and external monitoring catch the conditions that make this possible.

ATO, ASIC, and tax practitioner board scrutiny

Tax practitioners and registered agents have professional obligations around client data. The TPB Code of Professional Conduct and the registration framework expect reasonable security. External monitoring is one practical way to show what you have in place.

Cyber insurance questions you cannot answer

Professional indemnity and cyber insurance renewal questionnaires ask whether you run recurring vulnerability assessment, whether email authentication is configured, and whether you have a documented incident response. AttackEdge gives you dated evidence for the external part of those answers.

What we check

The checks that matter for an accounting firm.

We focus on the public surface of your firm: the website, the domain, email authentication, TLS, and any portals or services you expose to clients.

What we check: Email authentication (SPF, DKIM, DMARC)
Why it matters: Stops attackers from sending invoice and BAS emails that look like they come from your firm. The most common attack vector against accounting and bookkeeping practices.
Who fixes it: Your IT provider or whoever manages the domain.

What we check: TLS certificate health and expiry
Why it matters: Expired or weak TLS breaks client portals and triggers browser warnings during tax season. Insurance assessments flag weak cipher suites.
Who fixes it: Hosting provider or web developer.

What we check: Web application exposures (admin panels, exposed config files)
Why it matters: Practice management portals, document upload pages, and old WordPress installations are common entry points. We flag exposed admin paths and known vulnerable software versions.
Who fixes it: Web developer or MSP.

What we check: Subdomain hygiene and shadow IT
Why it matters: A staging copy of your website or an old client portal still resolving in DNS is a real risk. We discover and report subdomains so nothing is forgotten.
Who fixes it: Web developer or MSP.

What we check: HTTP security headers
Why it matters: A small set of headers (HSTS, CSP, X-Frame-Options) stops large categories of browser-side attack against your site and client login pages.
Who fixes it: Web developer or hosting provider.

What we check: Public exposure of firm-owned IP addresses
Why it matters: If your office or a remote-access setup exposes services on a public IP (mail server, file share, RDP), we report what is reachable and what looks risky.
Who fixes it: IT provider or MSP.

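The email authentication row is the one an IT provider can verify most directly, because SPF and DMARC are just TXT records in public DNS. The following is an added illustration of how such records turn into plain-English findings; it is not AttackEdge's code, and the records it evaluates are constructed samples under the reserved .invalid domain rather than anything fetched from live DNS. DKIM is left out because a DKIM record lives under a selector name that cannot be discovered from the zone alone.

```python
"""Toy SPF and DMARC evaluator producing plain-English findings.

Added illustration, not AttackEdge's own code. The TXT records below are
constructed samples; the .invalid TLD is reserved and never resolves.
"""
from typing import Dict, List, Tuple

# Each finding is (check, severity, message).
Finding = Tuple[str, str, str]

# Constructed sample records for a hypothetical firm (not real DNS data).
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "example-firm.invalid": [
        "v=spf1 include:_spf.mailhost.invalid ip4:192.0.2.10 ~all",
    ],
    "_dmarc.example-firm.invalid": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.invalid",
    ],
}

# RFC 7208 section 4.6.4: more than ten DNS-querying terms is a permanent error.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def spf_findings(txt_records: List[str]) -> List[Finding]:
    """Evaluate the SPF record(s) found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("SPF", "high", "No SPF record: any server can send mail "
                 "that claims to come from this domain.")]
    findings: List[Finding] = []
    if len(spf) > 1:
        findings.append(("SPF", "high", "More than one SPF record: receivers "
                         "treat this as a permanent error and ignore SPF."))
    all_qualifier = None
    lookups = 0
    for term in spf[0].split()[1:]:
        # A term is an optional qualifier (+ - ~ ?) followed by a mechanism.
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = mech.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(("SPF", "high", f"{lookups} DNS-lookup terms exceeds "
                         "the limit of 10; receivers return a permanent error."))
    if all_qualifier is None:
        findings.append(("SPF", "medium", "No 'all' mechanism: senders not "
                         "listed are neither passed nor failed."))
    elif all_qualifier == "+":
        findings.append(("SPF", "high", "'+all' authorises every sender on the internet."))
    elif all_qualifier == "?":
        findings.append(("SPF", "medium", "'?all' is neutral: unlisted senders are not penalised."))
    elif all_qualifier == "~":
        findings.append(("SPF", "low", "'~all' soft-fails unlisted senders; "
                         "'-all' is the stricter choice."))
    return findings


def dmarc_findings(txt_records: List[str]) -> List[Finding]:
    """Evaluate the DMARC record found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("DMARC", "high", "No DMARC record: receivers are never told "
                 "to reject mail that fails SPF and DKIM.")]
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("DMARC", "high", "p=none: spoofed mail is reported but still delivered."))
    elif policy == "quarantine":
        findings.append(("DMARC", "low", "p=quarantine: spoofed mail lands in junk; "
                         "p=reject blocks it outright."))
    elif policy != "reject":
        findings.append(("DMARC", "high", "No valid p= tag: receivers ignore the record."))
    if "rua" not in tags:
        findings.append(("DMARC", "medium", "No rua= address: nobody receives aggregate "
                         "reports, so spoofing attempts go unseen."))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(("DMARC", "medium", f"pct={pct}: the policy applies to only "
                         f"{pct}% of failing mail."))
    return findings


def assess_domain(domain: str, txt: Dict[str, List[str]]) -> List[Finding]:
    """Combine SPF (apex TXT) and DMARC (_dmarc TXT) findings for one domain."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get(f"_dmarc.{domain}", []))


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' when there are no findings."""
    return max((f[1] for f in findings), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    for check, severity, message in assess_domain("example-firm.invalid", SAMPLE_TXT_RECORDS):
        print(f"[{severity.upper():6}] {check}: {message}")
```

On the sample records the SPF line rates low (soft-fail) and the DMARC line rates high (p=none), which is the common shape of a firm that set up authentication once and never tightened it: the monitoring is in place, but spoofed invoices still reach inboxes until the policy moves to reject.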
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects your operations or your clients.

No consulting or remediation

We do not log into your systems and fix the issues for you. The report is written for your IT provider, MSP, or web developer to action. We give you the technical detail and a one-click email handoff.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If a regulator or large client requires a pen test, you still need one. AttackEdge runs alongside, not instead.

No accounting integration access

AttackEdge never connects to Xero, MYOB, QuickBooks, Karbon, BGL, FYI, or any accounting or practice-management system. We only check what is on the public internet under your domain.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things.

Plan that fits

Most accounting firms pick Solo or SMB.

Solo at A$39/month gives you 15 scan units, enough to scan one website plus a few subdomains monthly. SMB at A$99/month is for firms with a client portal and a few subdomains, with 50 scan units. Annual billing on either gives you twelve months for the price of ten. The Snapshot at A$149 is a one-off if you only need a single baseline for insurance renewal or a board ask.

Common questions

From other accounting firms.

  • Will my Xero, MYOB, QuickBooks, Karbon, or BGL integrations be affected?

    No. AttackEdge does not connect to your accounting or practice-management systems. We only scan what your domain exposes on the public internet (your website, DNS, email authentication, and any exposed portals or services). Your data inside Xero, MYOB, or any other vendor is not touched.

  • Does this satisfy our cyber insurance questionnaire?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one of the items most cyber insurance questionnaires ask about. It is evidence, not a certification. Insurers also ask about MFA, backups, and incident response, which sit inside your environment and are out of scope for an external scanner. We are not an accreditation body and we do not certify compliance.

  • How do we explain this to a client who asks about security?

    You can show them the report directly, or share the executive summary. The owner summary is written in plain English and does not require security background. Many firms add a sentence to their engagement letters or website saying they run recurring external security monitoring on the practice's public surface. It is a defensible answer to client questions.

  • We are a small two-partner firm. Is AttackEdge overkill?

    No. Most accounting and bookkeeping firms fit the Solo plan: 15 scan units a month at A$39. Larger firms with a client portal and a few subdomains usually move to SMB at A$99 per month for 50 scan units. If you only want a baseline before insurance renewal, the one-off Snapshot at A$149 covers up to 15 of your sites in one bundled report without an ongoing commitment.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.

  • How often do scans run?

    You set the cadence on Solo and SMB: schedule weekly, monthly, or run manual scans whenever you want. Every scan (scheduled or manual) consumes one scan unit. The same host can be scanned up to 4 times in 24 hours, so a post-fix retest does not have to wait. One-off Snapshots run a single bundled scan and deliver a PDF with a 30-day download window.

See what attackers see

Ready to see what your firm looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show an insurer or a client.

Hosted in Sydney · Passive scanning only · From A$39 per month