The eSafety Commissioner is seeking a company to perform a Security Threat Assessment for eSafety and produce detailed findings outlining the threats identified and recommendations to mitigate risks against people, processes and technology.
The process should include system and asset discovery; an active scan for known vulnerabilities; passive analysis of security issues; a map of externally discovered ports and services; identification of attack surface and rogue infrastructure; and passive analysis of security controls for misconfigurations.
It should also include hosting infrastructure vulnerabilities; mail path analysis and anti-impersonation controls; and identification of single-factor authentication and remote access vectors.
The process also includes an online research component.
This comprises of compromised credentials sold online; malware archive evidence of C2 hosting or callbacks; identification of relevant threat actor and issue motivated groups; open and closed forum posts/mentions; open and closed secure messaging posts/mentions; and social media accounts associated with eSafety.
It also includes evidence of staff impersonation on social media; sentiment analysis in closed forums and hacker groups; sentiment analysis of intelligence provided by eSafety; identification and evaluation of threats to eSafety Commissioners; and research the online presence of the eSafety Commissioner including analysis of their digital footprint that could increase their exposure to security risks.
The request for quote closes on 27 November 2025 at 11:59pm, Canberra time.
The contract will run for an initial duration of three months and begins on 15 December 2025.
.jpg&w=100&c=1&s=0)
_(8).jpg&w=100&c=1&s=0)
.jpg&q=95&h=298&w=480&c=1&s=1)
