Cybersecurity services · Australia

Layered cybersecurity. The layers that actually matter.

Not a product list. Six layers, each doing a specific job, delivered end to end with a 24x7 SOC behind them. When something happens at 3 AM, it's already being handled before you wake up.

The six layers

Layered cybersecurity: EDR, 24x7 SOC, identity, DNS filtering, backups and staff training.

Endpoint detection & response (EDR)

EDR backed by a 24x7 security operations centre. Ransomware canaries, open-port detection, malicious-process behaviour, persistent-foothold detection. If a compromise is confirmed, the SOC isolates the device remotely. If it's suspected but not confirmed, the frontline helpdesk rings the user first, and isolates if we can't reach them.

Identity threat detection & response

Session-hijack protection, credential-theft monitoring, location and VPN anomaly detection, rogue application detection. When a user is compromised, we revoke sessions and restrict login. Works because identity is the way most incidents actually start.

Application control (allowlisting)

"Deny by default" for executables on Windows. Applications allowed by hash, location, signing cert and calling program. Ringfencing stops approved apps from doing things they shouldn't (PDFs spawning child processes, Office talking to PowerShell). External USB storage governed by policy.

DNS filtering + domain hygiene

DNS-level blocking of known bad domains, risky TLDs, and newly registered domains that haven't aged. Optional category filtering (gambling, social, AI, etc.). Domain registration, SPF/DKIM/DMARC kept correct so you're not being spoofed.

Backup with tested recovery

Daily server backups held offsite with agreed retention. Microsoft 365 backed up end-to-end (Exchange, SharePoint, OneDrive, Teams, Groups) with up to 7 years retention and point-in-time restore. Automated backup validation every business day. Full disaster-recovery test once a year with a real restore-time number we can report back.

Centralised logging + 24x7 SOC threat hunting

Firewall, server and workstation logs aggregated into a SIEM with at least 12 months retention. Analysts actively looking for signs of compromise, not just waiting for an alarm. Vulnerability scanning against the National Vulnerability Database, prioritised by EPSS score so we patch the things attackers are actually exploiting first.

Cybersecurity awareness training

Most incidents still start with a person clicking something.

You can't buy your way out of that. You can make the click less likely. Training has to be little, regular, and tied to actual tests.

  • Training content delivered to staff mailboxes every two weeks.
  • Simulated phishing testing tuned to the content they just learned.
  • "Learning moments" when someone fails a phishing test.
  • Live education sessions when something emerging warrants it.
  • Monthly or quarterly reporting on who's engaged and who isn't.

Password manager

Where your passwords should live, instead of a browser.

If it's not in a managed vault, we can't audit it, rotate it, or revoke it when someone leaves. Which means we can't protect you from what a leaver knows.

  • Zero-knowledge password manager, SSO'd to Microsoft 365.
  • Dark-web credential monitoring, weak and reused-password detection.
  • Vault Transfer enabled so a departed staff member's records don't disappear with them.
  • Required as part of the Client Security Baseline; we can't protect accounts if they're being kept in a browser or a spreadsheet.

Obligation · Client Security Baseline

The basics are not optional. They're written into the contract.

We require every client to maintain a documented baseline: phish-resistant MFA, application control, vulnerability management, awareness training, a password manager with SSO, HR-driven onboarding and offboarding, backups, and an incident response plan. These either run on our services or an equivalent from another provider.

If the baseline isn't met, the effectiveness of everything else drops and our liability exposure rises. We notify you in writing, give you 30 days to remedy or agree a plan, and can suspend or terminate if the gap becomes material. Not punitive. Just honest: we can't defend an environment that refuses to cover its own basics.

The full baseline lives in our Managed IT Complete Service Terms.

Common questions

Incidents, MFA, AI, and what actually happens at 3 AM.

If we're attacked at 3 AM, what actually happens?

The 24x7 SOC sees the alert, classifies it, and if compromise is confirmed, remotely isolates the affected device or user account before the attacker can finish what they started. If it's suspected but not confirmed, the frontline helpdesk investigates and rings the user out of an abundance of caution. You hear about it in the morning with a written incident report, not a phone call at 3 AM.

We already have Microsoft 365 MFA. Isn't that enough?

MFA is one of the Essential Eight's eight controls, and only effective if it's phish-resistant, applied to every system (not just Microsoft 365), and enforced rather than suggested. Most businesses we assess have MFA on email and SMS codes elsewhere, which is what attackers are already bypassing in 2026. See our /essential-eight page for the maturity model and what ML1, ML2 and ML3 actually require.

Is rolling out Microsoft 365 Copilot a security risk for us?

It's not the model that's the risk; it's the access-permissions debt Copilot makes visible. Copilot can surface anything a user has permission to see, which in most tenants includes over-shared SharePoint sites, calendars that leak client names, and mailboxes with more access than anyone realised. We audit sharing, label sensitive data, pilot Copilot with a small group, and tighten the policies before a broader rollout. The risk is real but manageable.

Can our staff use ChatGPT, Claude, or other AI tools on client data safely?

Not the free consumer tiers; those can train on your inputs or retain transcripts. For business use we help clients pick an enterprise tier (ChatGPT Business / Enterprise, Claude for Work, or Microsoft 365 Copilot depending on the rest of the stack), sign the right data-processing addendum, write a short acceptable-use policy, and block the consumer tiers at DNS level. "Use the approved tool, here's how" lands better than "don't use AI", which doesn't hold.

Do you cover incident response? What if we have a live ransomware event?

Yes. We have a documented incident-response playbook and the containment tooling to execute it: remote device and identity isolation, credential rotation, privileged-account lockdown, backup recovery. For clients under an active engagement, IR is included up to the point a specialist forensic firm needs to come in (for certain kinds of insurer-mandated investigation). We've worked alongside the named DFIR firms before.
