Secure agentic AI for regulated, air-gapped industrial SMBs

Manual penetration testing for Australia’s regulated operators

Cyber Node tests OT plants, agentic AI systems, and the compliance-bound platforms Australian operators run on. Every engagement is delivered by a senior practitioner. No offshore delivery, no scanner output dressed up as a pen test.

Get a Quote → Scan my domain for A$399 →

Free scoping call. Fixed-price proposal within 48 hours.

6 Critical

63 High

147 Medium

198 Low

63 Info

477 findings across 54 engagements

Pick your path

Where do you start

Three doors. The same operator scopes every engagement. Pick the one that matches your reason for being here.

Path 1

I run an industrial site

Engineer-led OT and ICS testing for resources, energy, water, and SOCI-covered operators. IEC 62443 and AESCSF scoped.

Talk to an engineer →

Path 2

I have a compliance deadline or an auditor asking

Manual penetration testing and vCISO support scoped to APRA CPS 234, ISO 27001, SOC 2, PCI DSS, and Essential Eight. Reports your auditor will accept.

Scope an engagement →

Path 3

I am putting AI into production

Manual testing for LLM apps, RAG pipelines, and agentic systems. Prompt injection, tool-use abuse, RAG leakage, model supply chain.

Scope an AI review →

Led by

Matt Breuillac, MIEAust

Chemical and process engineer turned cybersecurity specialist. Prior work includes Shell Prelude FLNG (Western Australia), Albemarle Kemerton lithium hydroxide refinery, AREVA nuclear projects, and Kazakhstan ISL uranium operations. Holds a Masters in Chemical Engineering, EMBA, PMP, and AWS Certified Security Specialist. Registered member of Engineers Australia. The same operator scopes every engagement, regardless of which path you took to get here.

Read Matt’s story →

Three years on the frontline

What we’ve found inside Australian businesses

Across 54 manual penetration testing engagements spanning 15 sectors, from neobanks and AI FinTechs to state utilities, government facilities, medical devices, and EdTech, every single engagement produced findings. These are the numbers.

01 / headline

100%

Engagements that produced findings

54 of 54, no clean sheets

02 / severity

39%

Had Critical or High-risk findings

21 of 54 carried serious exposure

03 / volume

477

Distinct vulnerabilities logged

8.8 average findings per engagement

Where we work

Perth / Brisbane / Sydney / Melbourne / Australia-wide

IEC 62443 AESCSF SOCI Act APRA CPS 234 PCI DSS ISO 27001 IEC 62443 AESCSF SOCI Act APRA CPS 234 PCI DSS ISO 27001

Trusted by Australian organisations

Engagements with state utilities, financial services, government facilities, EdTech platforms, and industrial operators across Australia. Confidentiality is the default. Named-client references available on request.

Cyber Exposure Snapshot · March-April 2026 research

1,000+ Australian SMB domains scanned. 78% rated HIGH or CRITICAL.

Between March and April 2026, Cyber Node ran the Cyber Exposure Snapshot across more than 1,000 Australian SMB domains. 99% had at least one high-severity exposure, and the scans surfaced 5,100+ actionable findings ranging from exposed admin panels to expired certificates and misconfigured services. The full breakdown sits on the research page.

Nothing was touched. No credentials used. No internal systems accessed. Just the drive-by view an attacker already has, with a list your MSP can close in days.

Read the research → Scan my domain for A$399 →

78%

Rated HIGH or CRITICAL

1,000+

Australian domains scanned

5,100+

Actionable findings surfaced

99%

With a high-severity exposure

How we work

Four steps, no surprises

Every engagement follows the same methodology. You know what to expect at every stage, and so do your auditors.

Scope

Short call to understand your environment, compliance drivers, and what you actually need tested. Fixed-price proposal within 48 hours.

Test

Manual testing by a named human. Scanners for coverage, not conclusions. Chained findings, business logic flaws, real exploitation attempts.

Report

Findings rated by real-world impact, not CVSS alone. Executive summary for the board. Technical detail for the engineer fixing it.

Retest

Free retest on all findings within 60 days to confirm remediation worked. No charge if the fix lands the first time.

Operator-side

A lithium hydroxide refinery does not stop because a network engineer pulls a cable. Process safety, not packet inspection, decides whether a fault becomes an incident. Matt ran capital projects on plants like Albemarle Kemerton before pivoting to cybersecurity, which is why an OT assessment from Cyber Node reads the P&ID before the network diagram.

Albemarle Kemerton lithium hydroxide refinery (WA) · pre-Cyber Node engineering background. See our OT capability →