Essential Eight Compliance & Cybersecurity Consulting for Australian SMBs
Protect what matters. Meet compliance. Stay insurable.
All without a Big 4 price tag.
Cyber Incidents Are No Longer "If". They're "When".
- 94% of organisations undergoing red-team testing face successful penetration; most had no idea their defences were inadequate.
- Australian SMBs are the #1 target: small enough to lack enterprise defences, large enough to hold valuable client data and financial records.
- Cyber insurers now require documented Essential Eight compliance or deny coverage, leaving unprotected businesses fully exposed to breach costs.
Transparent Pricing. Fixed Quotes. No Surprises.
Free Cyber Health Check
- External attack surface scan
- SSL/TLS & security headers review
- Basic vulnerability indicators
- Plain-English report in 48 hours
- Zero obligation
Essential Eight Gap Assessment
- Full ASD Essential Eight maturity assessment
- Gap analysis across all 8 strategies
- Maturity rating per strategy
- Prioritised remediation roadmap
- Compliance-ready documentation
VAPT Starter
- Automated vulnerability scanning (Nessus/OpenVAS)
- OWASP Top 10 automated coverage
- SSL/TLS, headers & port scanning
- CVE detection & CMS checks
- Automated report with CVSS ratings
Full VAPT
- Everything in Starter, plus:
- Manual penetration testing by senior consultants
- Business logic & privilege escalation testing
- Full OWASP ASVS verification
- 30-day re-test included
Full VAPT + Essential Eight
- Complete Full VAPT + Essential Eight
- Combined unified report
- Compliance mapping & gap analysis
- Ideal for cyber insurance & audits
- Timeline: 3-5 weeks
Secure Code Review
- SAST tooling (Semgrep, ESLint security)
- Manual code review by security engineers
- OWASP secure coding verification
- Remediation guidance per finding
- Available for JS/TS, Python, PHP
| Feature | E8 | Starter | Full VAPT | Full + E8 |
|---|---|---|---|---|
| Automated vulnerability scanning | ✗ | ✓ | ✓ | ✓ |
| OWASP Top 10 coverage | ✗ | Automated | Manual verified | Manual verified |
| SSL/TLS & security headers | ✗ | ✓ | ✓ | ✓ |
| Port scanning & service enumeration | ✗ | ✓ | ✓ | ✓ |
| DNS & subdomain recon | ✗ | ✓ | ✓ | ✓ |
| Web app scanning (OWASP ZAP) | ✗ | ✓ | ✓ + Burp Suite | ✓ + Burp Suite |
| Authentication testing | ✗ | Basic | Deep-dive | Deep-dive |
| Known CVE detection | ✗ | ✓ | ✓ | ✓ |
| CMS vulnerability checks | ✗ | ✓ | ✓ | ✓ |
| API endpoint discovery | ✗ | Basic | Full REST/GraphQL | Full REST/GraphQL |
| Manual penetration testing | ✗ | ✗ | ✓ | ✓ |
| Business logic testing | ✗ | ✗ | ✓ | ✓ |
| IDOR / privilege escalation | ✗ | ✗ | ✓ | ✓ |
| OWASP ASVS verification | ✗ | ✗ | ✓ | ✓ |
| Essential Eight assessment | ✓ | ✗ | ✗ | ✓ |
| Compliance documentation | ✓ | ✗ | ✗ | ✓ |
| Re-test period | ✗ | 14 days | 30 days | 30 days |
| Timeline | 2-3 weeks | 1-2 weeks | 2-3 weeks | 3-5 weeks |
What is a re-test? A re-test is a focused verification scan performed after you've remediated the vulnerabilities found in the initial assessment. It confirms your fixes are effective and provides updated evidence for insurers and auditors. Re-tests cover only the original findings; they are not a new full assessment. VAPT Starter includes a 14-day re-test window; Full VAPT and Full VAPT + E8 include 30 days.
Built for Australian Businesses
We understand the compliance obligations and risk profile of the sectors we serve, not just the technology.
Small & Medium Businesses
Essential Eight compliance and VAPT without the Big 4 price tag.
E-commerce & Retail
Customer data protection, breach prevention and PCI DSS awareness.
Financial Services
APRA CPS 234 compliance, cyber insurance documentation and incident planning.
Healthcare
Privacy Act obligations, patient data security and ransomware resilience.
Professional Services
Client data protection and cyber insurance eligibility for law firms and consultants.
Government Suppliers
PSPF and Essential Eight evidence package for panel managers.
How It Works
From first contact to findings: five clear steps, no surprises.
Free Health Check
External attack surface review delivered in 48 hours, at no cost.
Scoping Call
30 minutes to align on environment, obligations, and a fixed-price quote.
Assessment
ASD, OWASP, and NIST-aligned gap analysis or penetration test.
Findings & Roadmap
Plain-English report with risk-prioritised actions and board summary.
Cyber Shield
Optional annual plan for ongoing monitoring, bi-annual assessments, and dedicated support.
Frequently Asked Questions
Straightforward answers to the questions we hear most often.
What is an Essential Eight Gap Assessment?
The Australian Signals Directorate's (ASD) Essential Eight is the baseline cybersecurity framework for Australian organisations. It covers eight strategies: application control, patch management, macro configuration, user application hardening, administrative privilege restriction, OS patching, multi-factor authentication, and backups.
A Gap Assessment benchmarks your current controls against all eight strategies and produces a maturity level score (0-3) for each. The deliverable is a plain-English report with findings and a risk-prioritised remediation roadmap: the documentation your cyber insurer and government panel manager require. Our assessment starts at $8,500 AUD with a 2-3 week timeline.
Do I need Essential Eight compliance for cyber insurance?
Increasingly, yes. Australian cyber insurers are tightening underwriting requirements. Many now require evidence of Essential Eight Maturity Level 1 or higher as a baseline condition for coverage. Without documented controls, premiums rise significantly or coverage is declined entirely.
A rabbiico Gap Assessment produces the compliance documentation your broker and insurer need.
What is the difference between VAPT Starter and Full VAPT?
VAPT Starter ($7,500) is an automated + guided vulnerability assessment ideal for a first security test. It covers automated scanning, OWASP Top 10 (automated checks), port scanning, DNS recon, CVE detection, and includes a 14-day re-test.
Full VAPT ($12,000) is the gold standard. It includes everything in VAPT Starter plus manual penetration testing by senior consultants: advanced injection testing, business logic analysis, API security, OWASP ASVS verification, proof-of-concept exploitation, and a 30-day re-test. It's how red teams operate and what we recommend for any business with a web application, API, or complex environment.
What are the Cyber Shield annual plans?
Cyber Shield plans give you ongoing protection at a significant saving compared to booking standalone assessments. Each plan includes two assessments per year plus continuous support between tests:
- Cyber Shield ($12,500/year): 2 VAPT Starter assessments, vulnerability alerts, priority booking, monthly security digest. Save $2,500.
- Cyber Shield Pro ($19,500/year): 2 Full VAPT assessments, continuous monitoring, dedicated consultant, quarterly posture report. Save $4,500.
- Cyber Shield Complete ($29,500/year): 2 Full VAPT + E8 assessments, compliance tracking, annual strategy session, board-ready reporting. Save $7,500.
All Cyber Shield plans are annual with no hidden fees.
What is VAPT (Vulnerability Assessment and Penetration Testing)?
VAPT combines two complementary activities. A vulnerability assessment systematically identifies weaknesses across your systems. Penetration testing goes further: a security expert actively attempts to exploit those weaknesses the way an attacker would, demonstrating real-world risk.
rabbiico offers VAPT Starter from $7,500 AUD (automated + guided) and Full VAPT from $12,000 AUD (including manual penetration testing by senior consultants). For complete coverage including Essential Eight compliance, the Full VAPT + Essential Eight package starts at $18,500 AUD. All findings are reported with CVSS severity scores and actionable remediation recommendations.
How long does an assessment take?
Timelines depend on the engagement:
- Essential Eight Gap Assessment: 2-3 weeks
- VAPT Starter: 1-2 weeks
- Full VAPT: 2-4 weeks
- Full VAPT + Essential Eight: 3-5 weeks
- Secure Code Review: 1-3 weeks
A scoping call (30 minutes) establishes timelines before we begin. We do not start billable work until a fixed scope and price are agreed.
Do you provide remediation support after the assessment?
Yes. After your assessment we can scope a fixed-price remediation project to address findings systematically. Ongoing Cyber Shield annual plans are also available for VAPT tiers β contact us to discuss the right arrangement for your business.