For NDIS-registered providers

External security checks for NDIS-registered providers.

Recurring external security monitoring on the public surface of your service. Plain-English findings, dated evidence for the NDIS Practice Standards information-management indicators and cyber insurance, written for the IT provider or web developer who actually fixes things. No exploitation, no participant-system access, no replacement for a manual penetration test.

Why NDIS providers in particular

The shape of the risk for a service like yours.

Four pressure points where external monitoring earns its keep.

Participant data is sensitive information

NDIS providers hold disability-related information, support plans, NDIS numbers, plan-management bank details, and incident notes on every participant. The Privacy Act treats this as sensitive information with stricter handling rules, and the Notifiable Data Breaches scheme means a public exposure is reportable.

NDIS Practice Standards and Quality Indicators

The NDIS Practice Standards Quality Indicators ask providers to demonstrate information-management controls, including how participant information is protected from unauthorised access. Recurring external monitoring with a dated evidence log is one practical way to show what you have in place at audit.

Payment fraud and plan-management exposure

Providers (and especially plan managers) are a target for invoice-redirection scams and spoofed claim emails. Without strong email authentication on the sending domain, attackers can impersonate the provider to the participant, the nominee, or the plan manager and reroute legitimate payments.

Multi-site and support-worker sprawl

A provider with multiple service locations, a participant portal, a recruitment site, and a few campaign microsites tends to accumulate forgotten subdomains and abandoned staging copies. Each one is a way in. Continuous discovery and subdomain hygiene are the cheapest way to keep the surface honest.

What we check

The checks that matter for an NDIS provider.

We focus on the public surface of your service: the website, the domain, email authentication, TLS, intake or referral forms, and any participant or worker portals that reach the public internet.

What we check, why it matters, and who fixes it:

  • Email authentication (SPF, DKIM, DMARC)

    Why it matters: Stops attackers from sending claim, invoice, or participant-update emails that look like they come from your service. The single highest-impact control against payment-redirection scams.
    Who fixes it: Your IT provider or whoever manages the domain.

  • TLS certificate health and expiry

    Why it matters: Expired or weak TLS on a participant portal, an intake form, or a worker-onboarding page kills trust and triggers browser warnings. Quality audits ask whether transport encryption is in place.
    Who fixes it: Hosting provider, your CMS vendor, or your web developer.

  • Web application exposures (admin panels, exposed config files)

    Why it matters: Intake forms, document upload pages, participant portals, and older WordPress installations are common entry points. We flag exposed admin paths and known vulnerable software versions.
    Who fixes it: Web developer or MSP. Usually a small set of plugin updates and a path rule.

  • Subdomain hygiene and shadow IT

    Why it matters: A staging copy of a participant portal, an old recruitment site, or a campaign microsite that still resolves in DNS is a real exposure. We discover and report subdomains so nothing is forgotten.
    Who fixes it: Web developer or MSP.

  • HTTP security headers

    Why it matters: A small set of headers (HSTS, CSP, X-Frame-Options) stops large categories of browser-side attack against your participant portal and your intake or referral pages.
    Who fixes it: Web developer or hosting provider.

  • Public exposure of organisation-owned IP addresses

    Why it matters: If your office or a remote-access setup exposes services on a public IP (a mail server, an old file share, an RDP gateway), we report what is reachable and what looks risky.
    Who fixes it: IT provider or MSP.

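As an added illustration (not AttackEdge's code), the snippet below grades the email-authentication and security-header checks from the list above in the way a web developer could reproduce on their own domain: it parses SPF and DMARC TXT record strings, checks for the three headers named above, and turns weaknesses into plain-English finding lines. The sample records are constructed, the header set and the pct threshold are assumptions, and no real domain is queried.

```python
# Added example (not AttackEdge's code): grades constructed SPF, DMARC and
# response-header samples the way an external check would. No real domain is queried.
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Frame-Options")

def assess_spf(record):
    """Return (ok, note) for an SPF TXT record string."""
    if not record.lower().startswith("v=spf1"):
        return False, "no SPF record published"
    final = record.split()[-1].lower()          # qualifier on the 'all' mechanism
    if final in ("all", "+all", "?all"):
        return False, f"'{final}' does not tell receivers to reject spoofed mail"
    if final in ("~all", "-all"):
        return True, "softfail" if final == "~all" else "hardfail"
    return False, "record does not end with an 'all' mechanism"

def assess_dmarc(record):
    """Return (ok, note) for a DMARC TXT record string."""
    if not record.lower().startswith("v=dmarc1"):
        return False, "no DMARC record published"
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p", "none")
    if policy == "none":
        return False, "p=none only monitors; spoofed mail is still delivered"
    if int(tags.get("pct", "100")) < 100:
        return False, f"p={policy} is applied to only {tags['pct']}% of mail"
    return True, f"p={policy}"

def missing_headers(headers):
    """Names from REQUIRED_HEADERS that are absent or empty in a header dict."""
    present = {k.lower() for k, v in headers.items() if v}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

def external_findings(spf, dmarc, headers):
    """Plain-English finding lines, one per weakness, for the owner summary."""
    checks = {"SPF": assess_spf(spf), "DMARC": assess_dmarc(dmarc)}
    findings = [f"{n}: {note}" for n, (ok, note) in checks.items() if not ok]
    findings.extend(f"Missing header: {h}" for h in missing_headers(headers))
    return findings

# Constructed sample: softfail SPF, monitor-only DMARC, HSTS present, CSP and XFO absent.
SAMPLE_FINDINGS = external_findings(
    "v=spf1 include:_spf.google.com ~all",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
```

Swap the constructed strings for the TXT records and response headers of your own domain to see the same grading; a softfail SPF is only adequate once DMARC is at quarantine or reject.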
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects supports, claims, or participant communications.

No participant-system integration

AttackEdge never connects to Lumary, Brevity, ShiftCare, MYP, Care Master, or any participant-management or rostering system. We only check what is on the public internet under your domain. Participant data stays inside your systems.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If the NDIS Commission, a state procurement team, or a partner organisation requires a pen test, you still need one. AttackEdge runs alongside, not instead.

Not an NDIS Commission audit

We are not an NDIS auditor and we do not certify compliance with the Practice Standards. AttackEdge gives you dated evidence of one specific control: recurring external monitoring on your public surface. Quality assessments cover much more than that.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things.

Plan that fits

The right plan depends on size.

Sole-trader support workers with a personal site fit Solo at A$39 per month for 15 scan units. Most medium providers fit SMB at A$99 per month for 50 scan units, which covers the main site, a participant portal, a recruitment site, and a couple of legacy hosts. Multi-site providers running several brands usually move to MSP / Agency pricing; for that, email partners@attackedge.io. The Snapshot at A$149 is a one-off baseline before a quality audit or an insurance renewal.

Common questions

From other NDIS-registered providers.

  • Will my participant-management system (Lumary, Brevity, ShiftCare) be affected?

    No. AttackEdge does not connect to your participant-management, rostering, or claiming system. We only scan what your domain exposes on the public internet (the website, DNS, email authentication, TLS, and any portals or services reachable from outside). Participant records stay inside your systems.

  • Does AttackEdge handle participant data?

    No. AttackEdge is an external scanner. It does not request, read, or store participant information. We see only what an attacker on the public internet would see (HTTP responses, DNS records, TLS certificates, response headers). Sensitive information stays inside your systems.

  • Does this satisfy NDIS Practice Standards or our Quality Indicators audit?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one of the items the information-management indicators ask about. It is evidence, not a certification. The Quality Indicators also cover internal controls (MFA, training, access management, incident response) that sit inside your environment and are out of scope for an external scanner. We are not an NDIS auditor and we do not certify compliance.

  • We are a sole-trader support worker. Is this overkill?

    Probably not at the same level as a larger provider, but it depends on what you expose. If you have a personal website and an email domain, the Solo plan at A$39 per month with 15 scan units is the right shape and covers the basics. If you only have a Gmail address and no website at all, AttackEdge is not the most pressing control for you yet.

  • We are a medium provider across a few sites. Which plan?

    Most medium providers fit the SMB plan at A$99 per month with 50 scan units. That covers the main site, a participant portal subdomain, a recruitment site, and a couple of campaign or legacy hosts. If you run multiple brands or operate as a multi-site service, talk to us about MSP / Agency pricing at partners@attackedge.io.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.

See what attackers see

Ready to see what your service looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show an auditor or an insurer.

Hosted in Sydney · Passive scanning only · From A$39 per month