Tools

Free tools for the work.

A small, growing set of tools I build for the practice. Two are live: a free, browser-based Cyber Check, and Cassandra, an offline planning assistant that turns meetings into finished deliverables on your own laptop. No upsell, no lock-in. More will follow as I build them. Below the tools is the part nobody enjoys but everybody now needs: why cyber is a small-business problem, and the AU and NZ law behind it, in plain English.

Tool 01. Free, no sign-up

Cyber Check: see your business the way an attacker does.

Point it at any domain you own and, in under a minute, it surfaces what the open internet already knows: your DNS hygiene, whether your email can be spoofed, how your TLS and web headers look, where your brand is being squatted, and which subdomains you might have forgotten. It runs in the browser. Nothing is installed, and nothing leaves your browser except the public lookups themselves. The plain-English report maps to the ACSC Essential Eight (AU) and the NZ Privacy Act 2020 breach expectations, so it doubles as evidence for an insurer or auditor.

DNS & email: DNSSEC, SPF, DKIM, DMARC, CAA
TLS & certificates: Every certificate ever issued for your domain, via CT logs
Web headers: CSP, HSTS, cookies, the rest, graded by Mozilla Observatory
Brand & exposure: Forgotten subdomains, typosquats, lookalike domains

Tool 02. Offline, yours to keep

Cassandra: the meeting ends, the plan is already written.

Cassandra is an offline planning assistant. Record the workshop, drop in your notes, even a photo of a whiteboard, and it returns a prioritised project plan, change plan, RAID log and Gantt, as Excel and Word. The language and vision models run on your own laptop, so nothing is uploaded and there is no account or subscription. It is the Company31 way turned into a tool: a plan is not a deliverable, so Cassandra writes the deliverable.

Capture: Meetings, notes, call audio and whiteboard photos
The plan: Prioritised tasks, owners, dependencies and a Gantt
Governance: Change plan, RAID log and scrum of scrums
Export: One Excel workbook and one Word report, every run

More tools

This list will grow.

I build small, useful things and put them here when they are good enough to trust. If there is a check or a calculator you wish existed for a small business, tell me; it might be the next one.

Why cyber matters now

Small business is not exempt any more.

For years the line was "we are too small to be a target, and the law only bites the big end of town." Both halves of that are now wrong. Attackers automate, so small is not safe; it is just cheaper to hit. And the legal floor has moved in both Australia and New Zealand. If you hold customer data, take card payments, or run email in your business name, the posture the Cyber Check looks at is the same posture regulators, insurers, and auditors look at first. None of this is meant to frighten you into a six-figure programme. It is meant to show you the small number of things that actually matter, and that most of them are within reach.

The law, in plain English

What changed, and what it asks of you.

I am not a law firm. I am a senior practitioner who has sat through enough audits, cyber insurance renewals, and incident post-mortems to know what "reasonable steps" actually looks like on the ground. Here is the shape of it, on both sides of the Tasman.

AU

Privacy Act 1988 & the NDB scheme

The Privacy Act amendments passed in late 2024 raised maximum penalties for serious breaches to the greater of $50 million, three times the benefit obtained, or 30 percent of adjusted turnover. The old small-business exemption (under $3 million turnover) is on its way out. Notifiable Data Breaches are mandatory, to the OAIC and to affected individuals.

AU

Cyber Security Act 2024

Royal assent November 2024. Mandatory ransomware payment reporting, minimum standards for smart devices, protected information-sharing with the National Cyber Security Coordinator, and a Cyber Incident Review Board. It changes how incidents are reported, by whom, and in what window.

AU

ACSC Essential Eight

Still the practical baseline regulators and insurers measure you against. Application control, patching, MFA, admin privilege management, macro settings, application hardening, backups, and OS patching. Maturity Level 1 is the floor for demonstrating "reasonable steps" under the amended Privacy Act.

NZ

Privacy Act 2020

Mandatory notification of any breach causing, or likely to cause, serious harm. Notify the Privacy Commissioner and affected individuals as soon as practicable. Failure to notify is a criminal offence carrying a fine up to NZ$10,000. IPP 3A (indirect collection transparency) applies from 1 May 2026.

NZ

NZISM, CERT NZ guidance

The NZ Information Security Manual is the public-sector bar, but it is the reference private-sector auditors reach for. CERT NZ's Critical Controls give small business a practical, plain-English checklist. Most of what the Cyber Check looks at maps directly onto both.

Both

How I work with it

Where you sit today, what "reasonable steps" means for your size, and what an auditor or insurer will ask for, before an incident rather than after. The Cyber Check is the one-minute version. The conversation is where the rest happens.

Start with the check

One minute now beats a bad week later.

Run the Cyber Check against a domain you own and read the report. If it raises something you want a hand with, or you would rather talk through where your business actually sits, the calendar is open. No sales call, no follow-up sequence.
