For financial advisers and AFSL holders

Website, domain, and email security for adviser firms and authorised reps.

Recurring external security monitoring on the public surface of your practice. Plain-English findings, dated evidence for ASIC cyber expectations and professional-indemnity renewal, written for the IT provider or web developer who actually fixes things. No exploitation, no platform access, no replacement for a manual penetration test.

Why advisers in particular

The shape of the risk for a firm like yours.

Four pressure points where external monitoring earns its keep.

ASIC cyber expectations and AFSL obligations

ASIC has signalled, through Regulatory Guide 271 (internal dispute resolution), enforcement actions, and Report 716 on cyber resilience, that AFSL holders are expected to manage cyber risk as part of their general licensee obligations. Recurring external monitoring with a dated evidence log is one of the more defensible ways to show a Responsible Manager what is in place at the firm level.

Client SOA and PDS portal exposure

Statements of Advice, Product Disclosure Statements, fact-find documents, and risk-profile questionnaires often live on adviser portals or document share links. An exposed admin path, a forgotten staging copy of the portal, or an expired TLS certificate on the document host is the kind of finding that becomes an OAIC notification, an ASIC question, and a PI claim in the same week.

Trust-related BEC and settlement fraud

Adviser firms move money on behalf of clients (rollovers, contributions, withdrawals, dealer-group trust payments). Business email compromise targets exactly this flow: attackers spoof your domain, intercept the email about the transaction, and reroute funds. Correctly enforced email authentication is the single highest-leverage control against this attack.

Professional indemnity renewal scrutiny

PI insurers serving the adviser market (Chubb, Marsh-brokered placements, the major underwriting agencies) ask increasingly detailed questions about cyber controls at renewal. Vulnerability scanning frequency, email authentication posture, TLS hygiene, and subdomain inventory all appear on the questionnaire. Without recurring evidence you either guess, or pay a consultant for a one-off report that is stale by the time the policy binds.

What we check

The checks that matter for an adviser firm.

We focus on the public surface of your practice: the firm website, the document-share host, the client portal, email authentication, TLS, and any services you expose to clients, referrers, or your dealer group.

What we check, why it matters, and who fixes it:

Email authentication (SPF, DKIM, DMARC)
Why it matters: Stops attackers from sending rollover, contribution, or invoice emails that look like they come from your firm. The single highest-impact control against BEC and settlement-fraud attacks on adviser practices.
Who fixes it: Your IT provider or whoever manages the domain. Usually a single afternoon to set up properly.

TLS certificate health and expiry
Why it matters: Expired or weak TLS on a client portal, a document-share page, or a fact-find form breaks trust and triggers browser warnings. PI assessments flag weak cipher suites and short-key certificates.
Who fixes it: Hosting provider or web developer.

Web application exposures (admin panels, exposed config files)
Why it matters: Adviser portals, document upload pages, intake forms, and older WordPress installations are common entry points. We flag exposed admin paths, known vulnerable software versions, and orphaned plugins.
Who fixes it: Web developer or MSP.

Subdomain hygiene and shadow IT
Why it matters: A staging copy of the firm website, a retired adviser microsite, or a campaign landing page that still resolves in DNS is a real risk. We discover and report subdomains so nothing is forgotten between dealer-group migrations or firm rebrands.
Who fixes it: Web developer or MSP.

HTTP security headers
Why it matters: A small set of headers (HSTS, CSP, X-Frame-Options) stops large categories of browser-side attack against the firm website, the client portal, and any document-share login page.
Who fixes it: Web developer or hosting provider.

Public exposure of firm-owned IP addresses
Why it matters: If the office or a remote-access setup exposes services on a public IP (a mail server, an old file share, an RDP gateway), we report what is reachable and what looks risky.
Who fixes it: IT provider or MSP.

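
The email-authentication check above, and the "DMARC at enforce" advice in the common questions below, come down to reading two DNS TXT records. The following is an added example written for this page, not AttackEdge's own scanner: a hypothetical helper that takes the already-fetched DMARC and SPF record strings (the samples are constructed) and returns the plain-English findings a firm would hand to its IT provider.

```python
"""Passive check of the DMARC and SPF records a firm publishes. A hypothetical helper
written for this page, not AttackEdge's own code; records are passed in as strings."""
import re

def parse_dmarc(record):
    # Split "v=DMARC1; p=none; rua=mailto:..." into a lower-cased tag dictionary.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_auth(dmarc_record, spf_record):
    """Return (severity, finding) pairs; an empty list means DMARC is at enforce."""
    findings = []
    # DMARC tells receiving servers what to do with mail that fails SPF and DKIM.
    if not dmarc_record or not dmarc_record.lower().startswith("v=dmarc1"):
        findings.append(("high", "No DMARC record: receivers get no instruction to reject spoofed mail."))
    else:
        tags = parse_dmarc(dmarc_record)
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append(("high", "DMARC p=none only monitors; spoofed mail is still delivered."))
        elif policy == "quarantine":
            findings.append(("medium", "DMARC p=quarantine sends spoofed mail to spam instead of rejecting it."))
        elif policy != "reject":
            findings.append(("high", f"DMARC policy tag is missing or invalid: {policy!r}."))
        if int(tags.get("pct", "100")) < 100:
            findings.append(("medium", "DMARC pct below 100: the policy applies to only part of the failing mail."))
    # SPF: the qualifier on 'all' decides what happens to senders not on the list.
    if not spf_record or not spf_record.lower().startswith("v=spf1"):
        findings.append(("high", "No SPF record: any server can claim to send for the domain."))
    else:
        match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf_record.lower())
        if match is None:
            findings.append(("medium", "SPF has no 'all' mechanism; unlisted senders get a neutral result."))
        else:
            qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
            if qualifier in ("+", "?"):
                findings.append(("high", f"SPF '{qualifier}all' lets any sender pass."))
            elif qualifier == "~":
                findings.append(("low", "SPF '~all' only soft-fails unlisted senders; fine with DMARC at reject, weak alone."))
    return findings

# Constructed sample records for a firm still in DMARC monitoring mode.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
```

Running `check_email_auth(WEAK_DMARC, WEAK_SPF)` on the sample records yields one high finding (p=none) and one low finding (~all); the same records with p=reject and -all yield none.
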
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects your client transactions, your trust accounts, or your advice records.

No platform integration

AttackEdge never connects to Xplan, AdviserLogic, COIN, Iress, Praemium, HUB24, Netwealth, Macquarie Wrap, BT Panorama, or any planning, platform, or trust-account system. We only check what is on the public internet under your domain. Client records stay inside your systems.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If your dealer group, a large institutional partner, or a regulator requires a pen test, you still need one. AttackEdge runs alongside, not instead.

No advice on ASIC compliance

We are not lawyers or licensees and we do not certify compliance with the Corporations Act, AFSL conditions, FASEA standards, or any ASIC Regulatory Guide. AttackEdge gives you dated evidence of one specific control: recurring external monitoring on your public surface.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things. Dated, exportable as a PDF, ready to attach to a PI renewal submission.

Plan that fits

Most adviser firms pick SMB.

A typical practice has a main website, a client portal or document-share subdomain, an authenticated scheduling page, and a couple of legacy hosts. That lands around fifteen active assets, which is the SMB cap at A$99 per month. Annual billing gives you twelve months for the price of ten. Sole-trader authorised representatives with one website and one practice domain can start on Solo at A$39 per month. If you only need a single PDF before a PI renewal or an ASIC surveillance ask, the Snapshot at A$149 is a one-off baseline.

Sister guides

Related verticals and insurer guides.

Adviser firms often need the same evidence pack as a law firm and the same renewal answers as a Chubb-insured business.

Common questions

From other adviser firms.

  • Will my planning software (Xplan, AdviserLogic, COIN) or platform (HUB24, Netwealth, Praemium) be affected?

    No. AttackEdge does not connect to your planning, CRM, or platform software. We only scan what your domain exposes on the public internet (the firm website, DNS, email authentication, TLS, and any portals or services reachable from outside). Client portfolios, SOAs, and fact-find data stay inside your systems.

  • How does this help with BEC and rollover-redirection scams?

    Most business email compromise against adviser firms relies on the attacker spoofing your domain. The simplest and most effective control is email authentication (SPF, DKIM, DMARC) configured correctly, with DMARC at enforce. We report exactly where your records are weak, why it matters, and what your IT provider or domain registrar needs to change. It is not a complete defence (you still need staff training, payment-verification processes, and MFA on email accounts), but it shuts down the easiest version of the attack.

  • Does this satisfy our professional indemnity insurer?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one of the items most cyber and PI questionnaires ask about. It is evidence, not a certification. Insurers also ask about MFA, backups, training, and incident response, which sit inside your environment and are out of scope for an external scanner. We are not an accreditation body and we do not certify compliance with any insurer programme.

  • I am a sole-trader authorised representative under a dealer group. Which plan?

    Sole-trader authorised reps with one website, one practice domain, and a couple of subdomains fit the Solo plan at A$39 per month with 15 scan units. Firms with an adviser portal, a separate marketing site, and additional subdomains usually move to SMB at A$99 per month with 50 scan units. If you only need a single PDF before a PI renewal or an ASIC ad hoc surveillance request, the Snapshot at A$149 is a one-off baseline covering up to 15 of your sites in one bundled report.

  • Our dealer group runs the website. What can we still monitor?

    Anything published under your own domain. Even when the dealer group runs the main site, most practices have their own practice email domain, their own scheduling page, a document-share host, or a microsite. AttackEdge can monitor those. We are not the right tool for monitoring the dealer group itself unless they are also a customer.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.

See what attackers see

Ready to see what your firm looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show a PI insurer or a dealer-group compliance review.

Hosted in Sydney · Passive scanning only · From A$39 per month