For TPB-registered tax and BAS agents

Website, domain, and email security for tax practices and BAS agents.

Recurring external security monitoring on the public surface of your practice. Plain-English findings, dated evidence for TPB Code of Professional Conduct cyber obligations and cyber insurance, written for the IT provider or web developer who actually fixes things. No exploitation, no practice-management access, no replacement for a manual penetration test.

Why tax agents in particular

The shape of the risk for a practice like yours.

Four pressure points where external monitoring earns its keep.

TPB Code of Professional Conduct cyber obligations

The Tax Practitioners Board has signalled, through its Code of Professional Conduct guidance and follow-up information sheets, that registered agents are expected to take reasonable steps to protect client information from unauthorised access. Recurring external monitoring with a dated evidence log is one of the more defensible ways to show what is in place at the practice level when the TPB asks.

ATO digital service provider and Online services exposure

Tax agents access ATO Online services through credentials, machine credentials, and SBR-enabled software. Misconfigured TLS on a portal, a publicly exposed admin path on the practice website, or a forgotten staging copy of the client portal is the kind of finding that ends up cited in an ATO security incident review. Anything reachable under your agent domain is in scope from an attacker viewpoint.

TFN, BAS, and ABN exposure on portals

Your practice holds Tax File Numbers, ABNs, BAS records, payroll data, and bank details for every client. The Privacy Act treats TFN information with stricter handling under the Tax File Number Rule, and the Notifiable Data Breaches scheme applies when a TFN exposure is involved. An exposed admin path, a leaky intake form, or a misconfigured share kills client confidence and may trigger reporting obligations.

Practice management API tokens leaking in JS bundles

Modern tax-practice websites embed integrations with Xero, MYOB, QuickBooks, FYI, Karbon, and Practice Ignition. Done badly, those integrations leak API tokens or OAuth client secrets in front-end JavaScript bundles, on staging subdomains, or in error pages. We surface secrets-looking strings and exposed environment paths so they can be rotated and removed before an attacker scrapes them.

What we check

The checks that matter for a tax practice.

We focus on the public surface of your practice: the website, the client portal, the domain, email authentication, TLS, and any services you expose to clients, the ATO, or external software vendors.

Email authentication (SPF, DKIM, DMARC)
Why it matters: Stops attackers from sending BAS, invoice, or assessment-reminder emails that look like they come from your practice. Impersonation of the agent by email is one of the most common attacks against tax practices.
Who fixes it: Your IT provider or whoever manages the domain.

TLS certificate health and expiry
Why it matters: An expired certificate or a weak protocol or cipher suite on a client portal or document-upload page triggers browser warnings and breaks client trust, usually during the BAS or end-of-financial-year peak. Insurance assessments flag weak cipher suites.
Who fixes it: Hosting provider or web developer.

Web application exposures (admin panels, exposed config files)
Why it matters: Client portals, secure-document upload pages, and older WordPress installations are common entry points. We flag exposed admin paths, software versions with known vulnerabilities, and orphaned plugins.
Who fixes it: Web developer or MSP.

Subdomain hygiene and shadow IT
Why it matters: A staging copy of the practice website or an old client portal that still resolves in DNS is a real risk. Tax practices accumulate microsites around BAS, EOFY, or tax-time campaigns. We discover and report subdomains so nothing is forgotten.
Who fixes it: Web developer or MSP.

HTTP security headers
Why it matters: A small set of headers closes whole classes of browser-side attack on the practice website and any client login or document-upload page. HSTS stops a first visit being downgraded to plain HTTP, Content-Security-Policy limits what injected script can do, and X-Frame-Options (or a CSP frame-ancestors directive) stops the login page being framed for clickjacking.
Who fixes it: Web developer or hosting provider.

Secrets and tokens in public JavaScript and exposed config
Why it matters: Practice-management integrations sometimes leak API tokens or environment paths in front-end bundles. We surface secrets-looking strings and exposed environment files so they can be rotated before an attacker scrapes them.
Who fixes it: Web developer.
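Three of the checks above (email authentication, HTTP security headers, and secrets in public JavaScript) can be reproduced offline on raw records, headers, and bundle text, which is a useful way to sanity-check a finding before handing it to the web developer. The script below is an added example written for this page, not AttackEdge's scanner: it evaluates a constructed SPF record, a constructed DMARC record, a constructed set of portal response headers, and a constructed JavaScript bundle, and returns plain-English findings. The one-year HSTS threshold, the secret patterns, and every sample input are the example's own assumptions; the AWS key shown is the documentation placeholder, not a live credential.

```python
import re

# All inputs below are constructed for this example; none are real records,
# headers, or code from any practice.
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all"
WEAK_SPF_RECORD = "v=spf1 include:spf.protection.outlook.com +all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
PORTAL_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
}
JS_BUNDLE = """
const version = "2.4.1";
const cfg = { api_key: "sk_live_4f8a2c9e1b7d3e6f", endpoint: "/api/v2" };
const session = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl";
const uploads = { accessKeyId: "AKIAIOSFODNN7EXAMPLE", bucket: "client-docs" };
"""

HSTS_MIN_AGE = 31536000  # one year; assumed threshold (also the preload-list minimum)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Findings for one SPF TXT record given as a string; no DNS queries are made."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record, so receivers cannot reject forged envelope senders"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as the domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, effectively no policy for unlisted senders")
    # RFC 7208 caps DNS-querying mechanisms at 10; more than that is a permerror.
    names = (t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() for t in terms)
    if sum(n in LOOKUP_MECHANISMS for n in names) > 10:
        findings.append("SPF: more than 10 lookup mechanisms; receivers return permerror")
    return findings


def check_dmarc(record):
    """Findings for the _dmarc TXT record given as a string."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: no record published at _dmarc.<domain>"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none (or no p= tag) only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate spoofing reports are lost")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def check_headers(headers):
    """Findings for one HTTPS response's headers (dict, any letter case)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Headers: no HSTS; a first visit can be downgraded to plain HTTP")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        if age < HSTS_MIN_AGE:
            findings.append(f"Headers: HSTS max-age={age} is below {HSTS_MIN_AGE} seconds")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Headers: no Content-Security-Policy; injected script runs unrestricted")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("Headers: page can be framed (clickjacking); add X-Frame-Options or frame-ancestors")
    return findings


SECRET_PATTERNS = [  # assumed patterns; a real scanner carries many more
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("JSON Web Token", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential assignment", re.compile(
        r"(?i)\b(api[_-]?key|client[_-]?secret|secret|token|password)\b\s*[:=]\s*[\"']([^\"']{12,})[\"']")),
]


def find_secrets(text):
    """Return (label, masked value) pairs for secrets-looking strings in bundle or config text."""
    hits = []
    for label, pattern in SECRET_PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(match.lastindex or 0)  # last group is the bare value
            hits.append((label, value[:4] + "*" * max(len(value) - 8, 0) + value[-4:]))
    return hits


def run_checks():
    """Group findings the way a report section would."""
    return {
        "email": check_spf(SPF_RECORD) + check_dmarc(DMARC_RECORD),
        "headers": check_headers(PORTAL_HEADERS),
        "secrets": find_secrets(JS_BUNDLE),
    }


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(area, findings)
```

The only inputs that need to come from the live domain are the two TXT records (`dig TXT example.com.au` and `dig TXT _dmarc.example.com.au`), the headers from one `curl -I` against the portal, and the bundle text itself; everything else runs offline, which is why the secret patterns mask what they find rather than echoing it into a report.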
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects your lodgement workflow, your ATO connections, or your client records.

No practice-management integration

AttackEdge never connects to Xero Tax, MYOB AE, QuickBooks, Karbon, FYI, BGL, Class, Practice Ignition, or any tax-practice or accounting system. We only check what is on the public internet under your domain. Client data stays inside your systems.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If a larger corporate client, a regulator, or an ATO digital service provider arrangement requires a pen test, you still need one. AttackEdge runs alongside, not instead.

Not a TPB or ATO certification

We are not the Tax Practitioners Board, the ATO, or an accreditation body. AttackEdge gives you dated evidence of one specific control: recurring external monitoring on your public surface. The TPB Code obligations cover more than that.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things. Dated, exportable as a PDF, ready for a TPB renewal or a corporate-client question.

Plan that fits

Most tax practices pick SMB.

A typical registered-agent practice has a main website, a client portal subdomain, a document-upload page, and a couple of legacy hosts. The SMB plan fits that shape at A$99 per month for 50 scan units. Annual billing gives you twelve months for the price of ten. Sole-trader agents with one website can start on Solo at A$39 per month for 15 scan units. The Snapshot at A$149 is a one-off baseline if you only need a single PDF for a TPB renewal or an ATO security review.

Sister guides

Related verticals and insurer guides.

Tax practices often share staff, infrastructure, and renewal questionnaires with accounting and bookkeeping firms.

Common questions

From other tax practices.

  • Will my Xero Tax, MYOB AE, QuickBooks, Karbon, or FYI integration be affected?

    No. AttackEdge does not connect to your tax or practice-management software. We only scan what your domain exposes on the public internet (the practice website, DNS, email authentication, TLS, and any portals or services reachable from outside). Client tax data, lodgement queues, and ATO Online connections are not touched.

  • Does this satisfy the TPB Code of Professional Conduct?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one kind of evidence relevant to the TPB Code obligation to take reasonable steps to protect client information. It is evidence, not a certification. The TPB obligations also cover internal controls (MFA, training, access management, incident response) that sit inside your environment and are out of scope for an external scanner. We are not the TPB and we do not certify compliance with the Code.

  • Can the time we spend reviewing the report count toward CPE?

    The TPB has published guidance that learning activities relevant to the agent's registration can count toward continuing professional education, and cyber-security awareness has been signalled as a relevant area. Whether time spent reviewing an AttackEdge report counts in your specific case is a question for your professional association or the TPB directly. AttackEdge does not issue CPE certificates and we are careful not to overclaim on this.

  • We are a sole practitioner with one website and one email domain. Is this overkill?

    No. Sole-trader registered agents with one website and one practice domain fit the Solo plan at A$39 per month with 15 scan units. Practices with a client portal, a separate marketing site, and a couple of subdomains usually move to SMB at A$99 per month with 50 scan units. If you only need a single PDF before a TPB renewal, an ATO security review, or a corporate-client question, the Snapshot at A$149 is a one-off baseline covering up to 15 of your sites in one bundled report.

  • Will an AttackEdge report trigger a TPB or ATO investigation?

    No. AttackEdge runs scans against your public surface and reports findings to you only. We do not share findings with the TPB, the ATO, or any regulator. The dated report is yours, to use as you see fit when a regulator asks about your security posture.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.

See what attackers see

Ready to see what your practice looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show the TPB, an insurer, or a larger corporate client.

Hosted in Sydney · Passive scanning only · From A$39 per month