Kekkai
Scan free

The automated security advisor for mid-market organisations

Know where you’re
exposed before
your insurer asks.

External posture assessment across 7 categories. Exact fix commands, board-ready and technical reports in under 90 seconds. The free first step into continuous, prescriptive guidance.

 

Free. No signup.

40+Security checks
E8 CIS ISOFrameworks
<90sScan time
AustraliaData hosting

Built by the team that managed security operations for Petbarn, IGA, and Australian government agencies. We’ve seen what breaks from the inside.

The Problem

Everything about mid-market
security is manual.

Security for the Australian mid-market runs on annual consultant engagements, a managed SOC retainer, and whatever your engineer can fit between tickets. It adds up to six figures a year, and none of it compounds. Here is where the money goes.

A $52,800-a-year snapshot, stale before the invoice clears.

Threat modelling, posture assessments, compliance evidence, board reporting. All consultant-priced at $200-$500 an hour. The PDF lands, the environment keeps drifting, and next year you buy the same snapshot again.

Your SOC watches. It doesn’t fix.

Managed detection is built for alerts, not advice. No prescriptive hardening, no conditional access guidance, no fix commands. The agreement says monitoring, and that is exactly where it stops.

Three audiences. Three reports. One of you.

The board wants plain language. The broker wants evidence for renewal. The engineer wants the exact record to change. Every quarter someone, usually you, translates one posture into three documents by hand.

The Platform

Your buyer needs an
advisor, not another tool.

Prescriptive guidance across your external posture, M365 tenant, conditional access policies, and Essential Eight maturity. Reported for two audiences, mapped to your compliance frameworks, and priced for organisations that aren’t enterprise.

External posture report

B
84%
Overall positive
Email SecurityC
TLS & CertificateB
HTTP HeadersB
DNS ConfigurationA
Web ApplicationC
Breach ExposureD
Sub DomainsB
The report your broker has been asking for. Ready in 93 seconds.

Framework mapped out of the box

Essential EightCIS Controls V8ISO 27001ASD ISMCPS 234Scan my domain
The evidence your auditor asks for and your broker needs at renewal, generated in seconds instead of weeks. Automatically cross-referenced.

Copy-paste fix commands

CRITICAL | Subdomain takeover risk

staging.example.com.au CNAME → staging-app.herokuapp.com (NXDOMAIN)

FIX | Remove dangling CNAME or reclaim the Heroku app

VERIFY | $ dig CNAME staging.example.com.au

Provider detected: Heroku.
Steps to fix are platform-specific.
Heroku

M365 & GWS Security Advisor

Microsoft 365KekkaiGoogle Workspace
OAuth Connect. No PowerShell or agents
50-80 CIS Benchmark Controls
Configuration Drift Alerts
Attack Path Context Across Findings
Insurance Questionnaire Auto-Population
Monthly Posture Trend Reports
Talk to us
Mailboxes with external forwarding rules are an active exfiltration risk. We show you how individual findings connect. Real context.

Essential Eight Assessment

Application Control
Patch Applications
Configure Macros
User Application Hardening
Restrict Admin Privileges
Patch Operating Systems
Multi-Factor Authentication
Regular Backups
Get early access
Your Essential Eight assessment was a 3-month consulting engagement. Kekkai will make it a guided self-assessment you run yourself.

Conditional Access Advisor

- Require MFA for all users

- Block legacy authentication

- Require compliant devices for admin

JSON policy templates for Entra ID

Talk to us
Not just “your conditional access is misconfigured.” The advisor will recommend the exact policies for your licensing and size, give you the JSON template to import, and show you how to test it safely.

Why Kekkai

Built for how Australian
security teams actually work.

HighCIDMARC policy set to none (no enforcement)
HighCISPF record includes too many DNS lookups
MedMTA-STS policy missing for mail domain
LowCAA record not restricting certificate issuance

Insurance-aware

Findings flagged for cyber insurance relevance.

Essential EightASD ISMCPS 234
Maturity assessmentML0ML1ML2ML3
Application controlML2
Patch applicationsML1
Configure MS Office MacrosML3
User application hardeningML0

Australian-built

Not an American product with NIST swapped out.

Executive summary
Overall risk
Medium68/100
Critical findings3
Patch applications5
User application hardening12
Technical playbook

# Fix DMARC enforcement

_dmarc TXT "v=DMARC1;p=quarantine; rua=mailto:dmarc@co.au"

# Enable DNSSEC

Cloudflare > DNS > Settings

Enable DNSSEC > Copy DS record

Dual-layer reporting

One scan, two audiences.

Other Tools

“improve your email security configuration.”

Kekkai

_dmarc TXT “v=DMARC1; p=quarantine”

Core difference

Prescriptive, Not Diagnostic. We tell you exactly what and how to fix with provider-specific fix steps.

Email required to see resultsNo signup needed
14-day trial then paywallFree scan, always
Contact sales for pricingPrices on the website
Book a demo to see the productEnter a domain, see it now

No Gates, No tricks

Every competitor gates their product behind a form, a call, or a trial. We let you scan and decide.

Pricing

Start free.
Grow into the security advisor.

Free

External scan

$0
  • All 7 assessment categories
  • Executive + technical reports
  • Compliance map (E8, CIS, ISO 27001)
  • Exact fix commands per finding
  • Shareable PDF export
Run a free scan

Monitor

Continuous monitoring

$29/mo
  • Everything in Free, on a schedule
  • Certificate expiry alerts
  • Configuration drift detection
  • New breach exposure alerts
  • Score trend dashboard + history
Start monitoring

What’s next on the platform

Essential Eight Assessment

A guided, repeatable Essential Eight self-assessment, mapped to ASD maturity levels with prescriptive remediation.

Get early access

M365 / Entra Advisor

Continuous, prescriptive guidance across your Microsoft 365 and Entra tenant, against CIS and Essential Eight, with board and insurer reporting.

Talk to us

MSP / Partner

Multi-tenant dashboard and white-label dual-layer reports for partners, billed per tenant.

Talk to us

All prices in AUD, exclusive of GST.

FAQs

Questions we hear from CISOs,
brokers, and IT managers

Yes, always. No signup, no credit card, no trial that expires. Enter your domain, get a full 7-category assessment with both executive and technical reports. The free scan is the front door to the platform, and it stands on its own.

Email security (SPF, DKIM, DMARC, MX), TLS certificates and configuration, HTTP security headers, DNS configuration, web application exposure, breach database exposure, and subdomain enumeration. 40+ individual checks across 7 categories, all from publicly available data.

No. Kekkai performs passive external reconnaissance only. We analyse publicly visible signals like DNS records, TLS certificates, HTTP headers, and breach databases. No active exploitation, no agents installed, no traffic generated that would trigger your WAF or IDS. Safe to run against production domains.

Kekkai is an automated security advisor for your own environment, not a third-party risk rating. Rating platforms score how risky an organisation looks from the outside. Kekkai tells you exactly what to fix, the DNS record to add, the command to run, the console path to change, mapped to the frameworks your board and insurer ask about.

Yes. Managed SOC providers focus on detection, monitoring logs and responding to alerts. They rarely provide prescriptive hardening guidance, conditional access policy recommendations, or compliance-mapped reporting. Kekkai covers the advisory gap that SOC providers leave open. Send them the technical report as a fix list.

Very. The report either validates what your MSP has already done or gives them a prioritised list of what they have not. Either way, you get visibility into your posture without relying solely on your provider to self-report.

Essential Eight (ASD maturity levels), CIS Controls v8 (implementation groups), ISO 27001 (Annex A controls), ASD ISM (security guidelines), and CPS 234 (APRA Section 26). Every finding is automatically cross-referenced so you know exactly where you stand before your next audit or insurance renewal.

That is one of the primary use cases. Findings are flagged for insurance relevance. The executive report is formatted for board packs and broker submissions. The PDF includes compliance mapping and posture scoring that underwriters can reference directly. Several findings map to the specific technical questions insurers now ask about email authentication, encryption, and access controls.

Scans run without an account are retained for up to 24 months so you can track how a domain's posture changes over time, then anonymised. If you have an account, your scan history is kept for the life of the account and removed within 30 days of deletion. Full detail is in our Privacy Policy.

Run your first scan.
It takes 90 seconds.

No signup. No credit card. No sales follow-up

 

Over 7 categories and 40+ checks. Free, forever.