Pillar 3 — Managed Security
Detection, response and CPS 234 evidence. Senior named analysts on the contract. Foundation / Defence / Resilience tiers, pricing on request.
You're on this page for one of two reasons. Either you're choosing a managed security partner against a written CPS 234 obligation and a board-risk committee timeline. Or something has happened — an alert, a near-miss, a peer's incident in the press, the credential-stuffing wave that hit pension/super funds in 2025 — and the question on your desk is who answers the phone at 2am Sunday, and what evidence will they leave on Monday morning.
Mid-market firms — banks, mutuals, pension/super funds, mid-tier insurers — sit in a difficult middle. Big-four banks have the budget for an in-house security operations centre. The very small end can survive on EDR and a retainer. The middle has to buy in 24/7 detection and response, plus the evidence chain regulators, the audit committee and the cyber insurer all want — without paying tier-1 consulting fees.
Most managed-security pages tell the same story: AI-powered, next-generation, intelligent, autonomous. We tell a different one.
This is the page where we say it plainly. The detection, the triage, the containment call, the customer phone call at 2am, the evidence summary the board sees on Friday — all of it is done by named human analysts. Our SIEM (Microsoft Sentinel) and EDR (SentinelOne, CrowdStrike, where it fits) ingest signal at machine scale. The decision about what to do next is made by a person whose name is on your contract.
We made this choice deliberately. The regulatory environment — CPS 234, CPS 230, Essential Eight, APRA's cyber stocktake, equivalent prudential frameworks elsewhere — increasingly asks for evidence of human accountability in the response chain. "The model decided" is not yet, and may never be, an acceptable answer to a regulator.
Six elements that show up on every Defence and Resilience tier engagement.
Our security operations are staffed by senior named analysts. The lead is named on the contract. The P1 escalation path has a name at every step. Colombo engineering depth supports everything that isn't security — security work stays with senior named analysts.
We map your environment against CPS 234 §11, §13, §15 and §35. The mapping is documented, version-controlled and produced as an evidence pack quarterly (Foundation), monthly (Defence) or continuously plus board pack (Resilience). Auditor asks for a control-test report; it lands in their format, in their week.
We baseline against ML1, design uplift to ML2, and run the program. Per-control adoption notes in your monthly report — patching, application control, MFA, admin privilege, daily backups, hardening, MS Office macro control, user-application hardening — each tracked at the actual maturity achieved, not the aspirational one.
Detection content is built and tuned against MITRE ATT&CK. We don't ship vendor-default rules and call it security operations. Every detection has a use case, a data source, an analyst owner, a tuning history, and a TP/FP rate reported quarterly.
The team includes CREST-certified analysts. Your account has a named lead — the person who phones at 3am, runs the post-incident review, writes the board update and presents at audit committee if asked.
We publish the packaging structure, not the prices. Pricing shapes to your environment — endpoint count, log volume, data sources, evidence cadence — and lives in scoped proposals. Few managed-security firms publish tiers transparently on the open web. We publish the structure because procurement teams reward it.
Three tiers. Pricing on request — shaped to your environment. Defence is the most common shape for regulated mid-market firms.
Smaller regulated firms baselining a managed-security capability for the first time, or supplementing an in-house team's daytime coverage.
Pricing on request — shaped to your environment
Most mid-tier banks, mutuals, pension/super funds and insurers running a regulated entity. The right shape for the typical regulated mid-market firm.
Pricing on request — shaped to your environment
Firms with the highest CPS 234 / CPS 230 obligations, complex environments, or board-risk committees that want continuous evidence and dedicated human availability.
Pricing on request — shaped to your environment
Tier names slot cleanly into RFP comparison tables. None are commodity. The visual emphasis on Defence is deliberate — it's the right level for most regulated mid-market firms.
“Senior security with named accountability. Engineering depth from Colombo for everything that isn't security.”
We picked the mid-market deliberately. Your named lead doesn't get reassigned to a Big-Four bank. Senior people stay on your most important issues — not the largest customer's. If you've watched your incumbent get acquired by a global firm, you know what we mean.
Sample evidence pack
A redacted real-world sample of the monthly evidence pack we produce for a Defence-tier FS customer. CPS 234 control mapping (§11/§13/§15/§35), Essential Eight ML2 maturity with per-control notes, top detections of the period, P1 incident summary, patch posture, identity hygiene metrics, third-party status, and the audit-ready summary your CRO can take into a board meeting. The artefact, not a slide about it.
Our security operations are staffed by senior named analysts. The lead on your contract is named and personally accountable for the response chain. Engineering depth from Colombo supports everything that isn't security — service desk, infrastructure build, project surge — but the security work itself stays with senior named analysts.
On the Defence tier (the most common): 30-minute acknowledge, 1-hour containment for confirmed P1. On Resilience: 15-minute acknowledge, 30-minute containment. On Foundation (business-hours coverage): 4-hour acknowledge inside business hours. The SLA is contractual and reported on. Containment is defined as isolation of the affected asset and the attacker's dwell-time clock stopped — eradication and recovery follow their own published timelines.
A monthly evidence pack (on the Defence tier) covering: CPS 234 control mapping with status; Essential Eight ML2 maturity per control; detection volumes and tuning notes; P1/P2 incidents with timeline and root-cause; patch and identity hygiene metrics; third-party / supply-chain status; a written audit-ready summary. The Resilience tier adds a monthly board pack written for non-technical readers. Auditors ask for the document; we hand it over in their format.
Coverage, stack, SLA and evidence cadence. Foundation is business-hours with an EDR-and-logs baseline and quarterly evidence — for firms beginning a managed-security capability. Defence is 24/7/365 with SIEM, threat intelligence, monthly evidence and a named analyst — sized for the typical APRA-regulated mid-market firm. Resilience adds UEBA, DLP, on-site rotation where scoped, continuous evidence, a board pack and a dedicated CSM.
Yes. Your lead is named, with bio and certifications listed. The full roster is documented internally and shared on request. We don't run a faceless queue. If a named lead moves on (we want long careers for our people), handover is documented, overlapped and signed off in writing by you — never an unannounced reassignment.
No, and that's deliberate. Our SIEM (Microsoft Sentinel) and EDR ingest signal at machine scale and surface candidate detections — that's table stakes, not a marketing claim. Every triage, containment and customer-communication decision is made by a named human analyst whose accountability is on the contract. Regulators increasingly expect human accountability in the response chain; we don't lean on AI claims as positioning we couldn't defend in front of a reviewer.
Yes — the team includes CREST-certified analysts. CREST certification is one of the credentials FS-2 buyers ask for in RFPs; we list certifications in proposals and bring them to compliance discussions.
CPS 234 governs information security; CPS 230 governs operational resilience and critical-operations management — including third-party and outsourcing risk. The two interlock, especially when we ourselves are a material service provider under CPS 230. Our contracts and evidence packs are written to support both: CPS 234 control-test evidence on one hand, CPS 230 critical-operations dependency mapping, tolerable disruption and incident reporting on the other.
Twenty minutes. Named accountability from the first call. Sample CPS 234 evidence pack on request.