Frequently Asked Questions

Ask Us Anything

Plain English answers to the questions we hear most often. If yours isn't here, call us on 1800 930 329 and a real person will pick up.



About Red Flagg™

Who is Red Flagg™?

Red Flagg™ is an Australian cyber security company built specifically for charities, residential communities, and small to medium businesses — the organisations that need real protection but can't justify enterprise prices.

Founded by Darryl Pickering, who brings more than thirty years of experience in IT, leadership and governance. Every customer gets a named analyst on their reports and a direct phone line to the team.

Where are you based and who do you serve?

We're proudly Australian owned and operated, headquartered in Australia. Our team is Australian, and we support customers across Australia, the United States, and South Africa.

For Australian customers, data is handled by Australian staff on Australian soil, governed by Australian privacy law. For USA and South African customers, we apply the equivalent local regulatory framework (see the International section below for details).

Are you actually a Microsoft Partner?

Yes. Red Flagg™ is a certified Microsoft Partner with GDAP (Granular Delegated Admin Privileges) access. That means we can purchase and manage your Microsoft 365 licences, configure your environment from scratch, and administer Microsoft Defender, Intune, Purview, Entra ID, and Conditional Access on your behalf — all under one relationship.

Why don't you list analyst or director names on the website?

Publicly, our team is referenced by role and level — not names. The cyber industry is a target-rich environment. When attackers know the individual names, photos, and contact details of a security team, they can craft more convincing social engineering attacks against that team's customers. We apply the same principle to our own team that we teach you: reduce unnecessary exposure.

Once you're a customer, this changes. Every monthly report carries your analyst's name and photo. And if you'd like to know the names of our analysts, directors, or any team member before engaging with us — just ask. We're happy to share this information privately with any genuine customer or prospective customer.

See our About page for the full explanation.

Are you a registered business?

Yes. Red Flagg Pty Ltd, ABN 81 683 346 116. Registered in Australia, operating under Australian law, subject to the Australian Privacy Principles and the Notifiable Data Breaches scheme. International operations run through the same legal entity with locally-compliant data handling.

Plans & Pricing

How much do your plans cost?

Business plans start from $250 per month (AUD). Final pricing depends on your organisation size (per seat), the plan tier, and any project-based extras. We quote every customer specifically — no surprises, no hidden fees.

Senior Protection plans are fixed: Protective $9.99/mo, Wrap Around $29.99/mo (ex GST, billed monthly).

For USA and South African customers, quotes are provided in local currency at the market-appropriate rate. See business plans → · See Senior Protection →

What's the difference between Business Plus and Business Shield?

Business Plus delivers Essential Eight Level 0 — 8 awareness and culture controls, MailCheck™ active reviews, DarkWebCheck™, and Microsoft 365 Security Administration. Business hours support (Mon–Fri, 8am–5pm local). Most organisations start here.

Business Shield delivers Essential Eight Level 1 — the full 48 technical controls over 12–24 months, plus a dedicated named analyst, extended 7-day support (8am–8pm local), Customer Portal access, and full Microsoft 365 administration. It is built for larger NFPs, regulated sectors, or organisations audited by funders.

Do you really offer NFP pricing?

Yes — significantly reduced rates for registered not-for-profits and social enterprises on every plan. We accept equivalent charity status across all three regions: ACNC registration in Australia, 501(c)(3) in the USA, and NPC/PBO status in South Africa.

We also offer fully pro-bono support for organisations working with vulnerable communities where budget genuinely isn't possible. Ask us when you get in touch — we'll find a way to make it work.

Are there lock-in contracts?

No. Every plan is monthly, no lock-in, cancel any time. We bill monthly as standard and offer annual billing with a small discount if you prefer. No exit fees, no minimum term.

What payment options do you accept?

Direct debit, BPAY (Australia), ACH (USA), EFT (South Africa), and credit card. Monthly or annual billing. For Additional Services (project-based work), you can pay as a one-off or across 12 monthly instalments. All prices are quoted ex tax in local currency.

Can I change plans later?

Yes. You can upgrade or downgrade any time at the start of your next billing month. Most customers start on Protect or Plus and upgrade to Shield as their maturity grows — that's the path our Maturity Path is designed for.

What counts as a “seat”?

A seat is one active staff member or user you want us to protect — typically someone with an email account and a device. Volunteers who don't have their own accounts aren't counted. We'll walk through your staff list with you before quoting to make sure the number is right.

Senior Protection

Can I set up a plan for my mum or dad?

Absolutely — this is how most Senior Protection plans start. You set it up on their behalf, we make a welcome call to get to know them by name, and we give them a direct hotline number.

From then on, they call us when something feels off — and you don't have to be the one answering at midnight.

What does the hotline actually do?

If a message, call or email doesn't feel right, they call us — 1800 930 329 (Australia), local toll-free numbers for USA and South Africa available on sign-up, 8am to 8pm local time, 7 days a week. A real person picks up, asks what's happening, and tells them in plain English whether it's safe, suspicious, or a scam.

No apps to install, no technical jargon. If you can make a phone call, you can use Red Flagg™.

What if Mum isn't tech-savvy?

That's exactly who Senior Protection is built for. Our team is trained to take the time needed, explain things patiently, and never make anyone feel silly for asking. No judgement — only help.

We also offer on-site sessions at residential villages where we talk to residents in person about common scams and how to use the hotline.

What's the difference between Protective and Wrap Around?

Protective ($9.99/mo) is your everyday prevention plan — hotline, email checks, phishing checks, Safe Text™, 8am–5pm support.

Wrap Around ($29.99/mo) includes everything in Protective, plus full recovery support if something does go wrong — technical case manager, forensic device cleanup, bank liaison, legal recovery support, welfare checks. Extended hours 8am–8pm.

Most families choose Wrap Around for peace of mind. Both have a 28-day trial.

What happens if Mum has already been scammed?

Call us. On the Wrap Around plan we step in straight away — we work with your bank to freeze transactions, change passwords, prepare a proper evidence pack for police, and clean up any compromised devices.

Even if she's not on a plan yet, we can help via the one-off Device Clean Up service. The sooner we're involved, the better the chance of limiting the damage.

Do you work with residential villages directly?

Yes. Our Residential Community Plan covers every resident in a village under a single community fee paid by the village — not the individual resident. We include on-site information sessions, a family portal, and quarterly scam activity reports to management.

We work with retirement villages, over-55s communities, and aged care providers across Australia, the USA, and South Africa. If you're a village manager, book a site visit and we'll talk through how it works for your community.

How We Work

What is MailCheck™?

MailCheck™ is a button in Outlook that lets you forward a suspicious email straight to us. We check it and tell you whether it's safe — usually within ten minutes — before you click anything.

It's the fastest way to get a second opinion on a dodgy-looking email. Available on Business Plus and Business Shield plans.

What is DarkWebCheck™?

Monthly scans of dark web marketplaces, breach databases, and known leak sites to check if your staff credentials or organisational data have been exposed in a breach somewhere.

It's usually the first indicator of a data breach — if credentials have leaked, we catch it before attackers can use them. Included on Plus and Shield.

What is the Essential Eight?

The Essential Eight is the Australian Signals Directorate's baseline cyber security framework — eight strategies that prevent the vast majority of cyber attacks. It's become the Australian Government's standard reference for organisational cyber maturity.

Red Flagg™ structures our plans around it. Level 0 is our 8-control awareness layer that sits underneath Essential Eight. Level 1 is the full 48-control Essential Eight baseline. Levels 2–3 are for higher-risk organisations and are delivered project-by-project.

We also align to NIST CSF and CIS Controls v8 alongside Essential Eight — the same frameworks enterprise CISOs use, and the frameworks our USA and South African customers map against locally.

What's the difference between Level 0 and Level 1?

Level 0 (8 controls) — awareness and culture. Staff training, reporting habits, phishing simulation, the human basics that stop most scams before technical controls are even tested. Typically 3–6 months to embed.

Level 1 (48 controls) — the full Essential Eight technical baseline. Delivered progressively over 12–24 months so nothing overwhelms your team and each control actually sticks.

Who will actually look after our account?

A named analyst from our team. On Business Shield, you get a dedicated named analyst on every report and a direct line for day-to-day support. On Business Plus, our Cyber Operations Desk is your primary point of contact — and you'll still see named people on your monthly reports.

Publicly we reference our team by level (L1, L2, L3) for security reasons, but as a customer you'll know exactly who is handling your account by name. We never outsource — every Red Flagg™ analyst is Australian and vetted.

What's DeID™ Data Protection?

DeID™ is our data-protection service that removes personally identifiable information from documents and data before it enters AI tools like Microsoft Copilot or ChatGPT. Compliant with Australian Privacy Principles (APP), HIPAA (USA), and POPIA (South Africa).

This is a newer service (launched 2026) for organisations rolling out AI tools and worried about accidentally feeding sensitive data into them. Available as an Additional Service — no subscription needed.

Getting Started

What is a Cyber Maturity Assessment?

A free, no-obligation review of where your organisation sits against the Essential Eight baseline (plus NIST CSF and CIS Controls v8 for USA and international organisations). We look at your current Microsoft 365 setup, staff awareness, security controls, and reporting culture — then give you a clear written report with practical recommendations.

Takes about an hour of your time. Written report arrives within 7 business days. No sales pressure afterwards — if we're not the right fit, we'll tell you.

Book your free assessment →

How long does onboarding take?

Typical onboarding is 2–4 weeks depending on your plan and current setup. Business Protect is quickest (around 1–2 weeks). Business Plus takes 2–3 weeks. Business Shield takes 3–4 weeks because we're setting up the customer portal, analyst assignment, and full Level 1 plan.

We handle the technical work — you'll spend about 2 hours total with us across the whole onboarding.

What if we've already been breached?

Call us first on 1800 930 329 (or the local number we provide on sign-up for USA/South Africa). Even if you're not a customer yet, we can advise on immediate containment steps. If you need professional incident response, our Forensic Services team can deploy within one business day to investigate, contain, and prepare evidence for insurance or regulatory notification.

Don't wait. The sooner we're involved, the better the outcome.

Do we need technical staff to work with you?

No. Many of our customers have no in-house IT. We talk to whoever makes the decisions — usually the CEO, business manager, or office manager — in plain English. Our reports are written for a board, not for engineers.

If you do have technical staff, they'll get the more detailed analyst reports and direct access to our team as well.

Can we try before we commit?

Yes — start with a free Cyber Maturity Assessment. No obligation, no credit card, just a genuine review of where you stand. If you decide to come on board, Senior Protection plans include a 28-day trial, and all business plans are monthly with no lock-in.

Security & Trust

Where is our data stored?

All customer data is stored on Microsoft Azure, with region-specific hosting based on your jurisdiction: Australia East (Sydney) and Australia Southeast (Melbourne) for Australian customers; East US and West US 2 for USA customers; South Africa North (Johannesburg) for South African customers. All regions are ISO 27001 and SOC 2 certified.

Data sovereignty is maintained at all times. Our own operational systems are hosted in Australia.

Do you access our systems directly?

Only with your explicit permission, via Microsoft's Granular Delegated Admin Privileges (GDAP). This means our access is scoped to exactly what's needed for your plan — no more. Every action we take is logged and auditable in your Microsoft tenant. You can revoke access at any time from your Microsoft admin panel.

Who sees our data at Red Flagg™?

Only the named analyst assigned to your account and our senior leadership when required for incident response. We don't sell data, we don't share data, and we don't use customer data to train any AI system. Our data handling complies with the Australian Privacy Principles, the Notifiable Data Breaches scheme, and the equivalent regulations in the USA (including HIPAA where applicable) and South Africa (POPIA).

What happens to our data if we cancel?

You keep control of your Microsoft tenant — we simply offboard our GDAP access. Any reports, scorecards, or documents we've produced for you are yours to keep. We retain minimal billing and account records only, per local tax authority requirements (ATO in Australia, IRS in USA, SARS in South Africa), and we delete operational data within 90 days of cancellation.

Have any Red Flagg™ customers been breached?

To date, zero confirmed breaches across all Red Flagg™ customers. Zero compromised credentials found in dark web checks. 75% average phishing reporting rate across our customer base.

We don't promise this will continue forever — no one can. What we promise is that if something does happen, we'll be the first to catch it, the first to contain it, and the last to give up on you.

International (USA & South Africa)

How does Red Flagg™ work for USA customers?

We deliver our full service to USA organisations — NFPs (501(c)(3) included), small to medium businesses, and residential communities. USA customer data is hosted in Microsoft Azure US regions (East US and West US 2), and we align our frameworks to NIST CSF and CIS Controls v8 as the primary standards rather than ACSC Essential Eight (which remains the Australian government reference).

USA customers are supported by our Australian team during extended hours that overlap with USA business hours. 24-hour incident response is available on Business Shield.

How does Red Flagg™ work for South African customers?

We serve South African NFPs (NPCs and PBOs), small to medium businesses, and residential estates. South African customer data is hosted in Microsoft Azure South Africa North (Johannesburg), with data sovereignty compliant with POPIA (Protection of Personal Information Act).

We align to international security frameworks (NIST CSF and CIS Controls v8), and we're experienced in handling the specific scam and fraud patterns seen in the South African market — including business email compromise and SIM-swap attacks.

Do you comply with HIPAA, POPIA, and GDPR?

Yes — our data handling practices meet the requirements of the Australian Privacy Principles, HIPAA (for USA healthcare-adjacent organisations), and POPIA (South Africa). We sign Business Associate Agreements (BAAs) for HIPAA-covered entities on request, and we'll sign bespoke Data Processing Agreements (DPAs) for any customer that needs one.

GDPR compliance is maintained for any customer data that touches EU residents, even if the customer entity is outside the EU.

Do I get the same named analyst experience across regions?

Yes. Every Business Shield customer — Australian, American, or South African — gets a dedicated named analyst on their monthly reports and a direct communication channel. Cross-region incidents get escalated through the same L3 team. No outsourcing, no call centres, no hand-off to a generic support pool.

Still have questions?

Call a real person on 1800 930 329 (Australia), or request local numbers for the USA and South Africa. 8am to 8pm local time, 7 days. Or email us and we'll get back to you within one business day — often much sooner.