For real-estate agencies and property managers

Website, domain, and email security for sales agencies and property managers.

Recurring external security monitoring on the public surface of your agency. Plain-English findings, dated evidence against trust-account BEC and for professional-indemnity renewal, written for the IT provider or web developer who actually fixes things. No exploitation, no CRM access, no replacement for a manual penetration test.

Why real estate in particular

The shape of the risk for an agency like yours.

Four pressure points where external monitoring earns its keep.

Trust-account BEC and deposit-redirection scams

Business email compromise targeting deposit, settlement, or bond payments is the single highest-frequency cyber loss event in Australian real estate. Attackers spoof the agency domain, intercept the email about a property transaction, and reroute funds to a mule account. By the time the buyer or the conveyancer calls, the money is gone. Correctly enforced email authentication on the agency domain is the most leveraged single control against this attack.

Listings-portal and CRM credential exposure

Agencies push listings to REA Group (realestate.com.au), Domain, and dozens of syndication partners through CRM platforms (Rex, VaultRE, AgentBox, MRI). Credentials and API tokens for those feeds sometimes leak in JavaScript bundles on the agency site, in old subdomains, or in misconfigured staging copies. A leaked token gets used to alter listings or scrape lead data.

Auction-day website tampering

A high-stakes auction or a sensitive off-market campaign concentrates attention on the agency website at a specific moment. An outdated WordPress plugin, an admin panel left exposed, or a forgotten staging copy is the kind of finding that gets weaponised the day before the campaign goes live. The reputational cost of a tampered listing on auction day is far larger than the cost of fixing the underlying issue ahead of time.

REI state body and PII renewal scrutiny

State-level professional bodies (REINSW, REIV, REIQ, REIWA, REISA and counterparts) increasingly include cyber controls in their best-practice guidance and CPD material. Professional indemnity renewal questionnaires from the major real-estate insurers ask whether you run recurring vulnerability assessment and whether email authentication is configured. Recurring external monitoring with a dated evidence log is the most defensible answer.

What we check

The checks that matter for a real-estate agency.

We focus on the public surface of your agency: the website, the listings pages, the domain, email authentication, TLS, and any vendor, landlord, or tenant portal you expose.

| What we check | Why it matters | Who fixes it |
| --- | --- | --- |
| Email authentication (SPF, DKIM, DMARC) | Stops attackers from sending deposit, settlement, or bond emails that look like they come from the agency. The single highest-impact control against trust-account BEC and deposit-redirection scams. | Your IT provider or whoever manages the domain. Usually a single afternoon to set up properly. |
| TLS certificate health and expiry | Expired or weak TLS on the agency website, a property-detail landing page, or a tenant application form breaks trust on campaign day and triggers browser warnings. Insurance assessments flag weak cipher suites. | Hosting provider or web developer. |
| Web application exposures (admin panels, exposed config files) | Agency websites are often WordPress with one or two real-estate plugins, a CRM integration, and a developer who has not touched it in eighteen months. We flag exposed admin paths, known vulnerable software versions, and orphaned plugins before they get used in a tampering attack. | Web developer or MSP. |
| Subdomain hygiene and shadow IT | A staging copy of a listings page, a property microsite that closed at settlement, or an old recruitment site that still resolves in DNS is a real risk. Real-estate agencies accumulate these faster than most industries because every premium campaign generates a microsite. We discover and report subdomains so nothing is forgotten. | Web developer or MSP. |
| HTTP security headers | A small set of headers (HSTS, CSP, X-Frame-Options) stops large categories of browser-side attack against the agency website and any logged-in vendor or landlord portal. | Web developer or hosting provider. |
| Public exposure of agency-owned IP addresses | If the office or a remote-access setup exposes services on a public IP (a mail server, an old file share, an RDP gateway, a property-management server), we report what is reachable and what looks risky. | IT provider or MSP. |

What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects your listings, your trust account, or your client communications.

No CRM or trust-account integration

AttackEdge never connects to Rex, VaultRE, AgentBox, PropertyMe, Console, MRI, REST Professional, or any agency CRM, property-management, or trust-account system. We only check what is on the public internet under your domain. Vendor and tenant records stay inside your systems.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If a corporate landlord, a strata client, or a large vendor requires a pen test, you still need one. AttackEdge runs alongside, not instead.

Not an agent of any state regulator

We are not REINSW, REIV, NSW Fair Trading, Consumer Affairs Victoria, or any state agent-licensing body. AttackEdge gives you dated evidence of one specific control: recurring external monitoring on your public surface.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things. Dated, exportable as a PDF, ready for a PI renewal or a state-regulator ad hoc ask.

Plan that fits

Most agencies pick SMB.

A typical agency has a main website, a vendor or landlord portal subdomain, a recruitment site, and a couple of property microsites. The SMB plan fits that shape at A$99 per month for 50 scan units. Annual billing gives you twelve months for the price of ten. Single-office agencies with one website can start on Solo at A$39 per month for 15 scan units, with room to scan five sites monthly. The Snapshot at A$149 is a one-off baseline if you only need a single PDF for an insurer or a vendor question.

Sister guides

Related verticals.

Conveyancing pairs with sales agency more often than not.

Common questions

From other agencies.

  • Will my CRM (Rex, VaultRE, AgentBox) or property-management software (PropertyMe, Console) be affected?

    No. AttackEdge does not connect to your CRM or property-management software. We only scan what your domain exposes on the public internet (the agency website, DNS, email authentication, TLS, and any portals or services reachable from outside). Listings data, vendor and tenant records, and trust-account information stay inside your systems.

  • How does this help with trust-account BEC and deposit-redirection scams?

    Most business email compromise against agencies relies on the attacker spoofing your domain. The simplest and most effective control is email authentication (SPF, DKIM, DMARC) configured correctly, with DMARC at enforcement. We report exactly where your records are weak, why it matters, and what your IT provider or domain registrar needs to change. It is not a complete defence (you still need staff training, payment-verification processes with the conveyancer, and MFA on email accounts), but it shuts down the easiest version of the attack.

  • Does this satisfy our professional indemnity insurer?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one of the items most cyber and real-estate PI questionnaires ask about. It is evidence, not a certification. Insurers also ask about MFA, backups, training, and incident response, which sit inside your environment and are out of scope for an external scanner. We are not an accreditation body and we do not certify compliance.

  • We are a single-office agency with two principals. Is AttackEdge overkill?

    No. Single-office agencies with one website and one practice email domain fit the Solo plan at A$39 per month with 15 scan units. Most agencies with a vendor portal, a recruitment site, and a couple of property microsites move to SMB at A$99 per month with 50 scan units. If you only need a single PDF before a PI renewal or a one-off vendor question, the Snapshot at A$149 is a one-off baseline covering up to 15 of your sites in one bundled report.

  • We run a conveyancing arm alongside the sales agency. Anything different?

    The email-authentication checks matter even more for conveyancing. Property settlements are the single highest-frequency target for invoice-redirection scams in Australia. The same recurring monitoring covers both sides of the practice. The legal-practice page on this site goes into more detail on the conveyancing-specific angles.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.
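
What "records are weak" and "DMARC at enforcement" mean in practice, for the email-authentication check described in the BEC section and in the BEC question above. This is an added example, not AttackEdge's own code; the function names and the two sample domains are hypothetical, and the TXT records are constructed so the script runs without DNS lookups.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_findings(txt_records):
    """Weaknesses in the TXT records at _dmarc.<domain>; [] means enforced."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["multiple DMARC records (receivers apply none)" if recs else "no DMARC record"]
    tags, out = parse_tags(recs[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        out.append(f"p={policy or 'missing'}: failing mail is not quarantined or rejected")
    elif tags.get("sp", policy).lower() == "none":
        out.append("sp=none: subdomains are left unenforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        out.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        out.append("no rua: no aggregate reports to verify enforcement")
    return out

def spf_findings(txt_records):
    """Weaknesses in the TXT records at the domain itself; [] means none found."""
    recs = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        return ["multiple SPF records (permerror)" if recs else "no SPF record"]
    terms = recs[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if all_terms:
        weak = all_terms[0][0] in "+?a"  # a bare "all" means "+all"
        return [f"'{all_terms[0]}': unlisted senders are not failed"] if weak else []
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in the redirect target, not followed offline
    return ["no 'all' mechanism: unlisted senders default to neutral"]

# Constructed sample records (placeholder domains, not real agencies).
SAMPLES = {
    "agency-a.example": (["v=spf1 include:_spf.mailhost.example ~all"],
                         ["v=DMARC1; p=none; rua=mailto:dmarc@agency-a.example"]),
    "agency-b.example": (["v=spf1 include:_spf.mailhost.example -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-b.example"]),
}

def assess(domain):
    spf, dmarc = SAMPLES[domain]
    return spf_findings(spf) + dmarc_findings(dmarc)
print({d: assess(d) or "enforced" for d in SAMPLES})
```

The first sample domain publishes a DMARC record but only in monitoring mode, which is the common case where a domain looks configured yet still accepts spoofed mail.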

See what attackers see

Ready to see what your agency looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show an insurer or a state regulator.

Hosted in Sydney · Passive scanning only · From A$39 per month