Perspective · 2026-06-17 · 5 min read

Why I built Red Bridge Cyber instead of joining another consultancy

Australia’s big cyber consultancies sell a $40k-a-year product that 95% of small businesses cannot buy. Here is the market gap I left a consulting career to fill, and the numbers behind it.

Red Bridge Cyber exists to serve the businesses Australia’s cyber consultancies are not built for:

  • The established consultancy model is high-touch and expensive — roughly $40,000 a year and up — the right shape for enterprise but out of reach for most small businesses
  • That leaves the ~95% of Australian small businesses without in-house IT buying nothing, or buying a scaled-down enterprise retainer that does not fit
  • Red Bridge Cyber fills that gap with continuous, plain-English website and email scanning sized for owner-operators — a live view in your account plus a weekly PDF snapshot, not a consulting engagement

The decision to build this instead of taking another principal-consultant role came down to one thing: the gap is real, it is large, and nobody was serving it at a price the market could actually pay.

There was a recruiter who used to ring me every six months. Three firms, always the same three: one of the Big Four, one of the boutique cyber consultancies, one of the international integrators. The job description was always functionally identical. Senior consultant or principal, Brisbane or Sydney, four to six months of billable work a year leading engagements, the rest writing proposals and selling.

I took the meetings out of politeness, twice. I declined both. The last call was in early 2025, and the recruiter asked me directly why I kept saying no. I gave him an answer I do not think he expected, and I want to put it on record here, because it explains what we are actually building with Red Bridge Cyber.

The product they sell

Every one of those three consultancies sells the same product. The product is a senior person spending six to twelve months on a single client, producing a 100-page report and a transformation programme, billed at $4,000 a day. The product works. Their customers are large enterprises with regulated obligations, real budgets, and internal teams to absorb the engagement output. I know it works because I have done the work for thirty years, including for some of those firms directly.

The problem is not the product. The problem is the market the product does not serve.

The maths the consultancies cannot solve

Australia has roughly 2.4 million businesses, and about 95% of them have under 20 employees. Almost all of them have a public-facing surface: a website, an email domain, some cloud software they signed up to. The minimum viable engagement from any of the three firms above starts around $40,000 a year and climbs fast. The most a 12-person allied-health clinic in Toowoomba can spend on security is, generously, $3,000 a year, and that includes the antivirus subscription.

The maths is not subtle. The consultancy product is the wrong shape for 95% of Australian businesses. Not the wrong content (the recommendations would be largely correct if the business could afford to receive them), but the wrong shape, the wrong price, the wrong delivery model. Joining one of those firms would mean spending my career not serving the market that needs serving most.

The recruiter said something polite. I do not think he understood.

What is actually missing in the market

What is missing in the Australian small business market is not advice. There is plenty of advice. The ACSC publishes excellent guidance for free. There are good blogs and good podcasts. The advice is correct.

What is missing is the layer that runs in the background. The owner-operator does not have time to read the ACSC guidance, check whether their SPF record is right, watch whether their HTTPS certificate is about to expire, confirm their CAA records are still where they should be, and notice the slow decay of their posture as suppliers change and software updates push new defaults. The advice tells them what to do. It does not do it for them, and it does not tell them when things have started to slip.

Our SMB Posture Baseline (June 2026) shows the shape of that gap. 98% of Australian small business domains run no DNSSEC. 95% publish no CAA record. Four in five have no Content-Security-Policy header. Seven in ten are missing HSTS. None of these gaps need a sophisticated attacker to exploit. All of them go uncorrected for years, because nobody is watching.

What we built instead

That is the thing we are building. Not a 100-page report. Not a $40,000-a-year programme. A continuous scan of the public-facing surface, with the findings explained in language an owner-operator can act on, at a monthly fee a real small business can pay. A live view in your account, a weekly PDF snapshot you can email to your developer, and an honest acknowledgement that we are not pretending to be a security consultancy. We are something narrower, and we think that is the right shape for the market.

The pricing is the part the consultancies cannot match without abandoning their delivery model. Monthly at $250. Annual at $2,000. Agency or MSP at $5,000 for up to sixteen domains. Custom engagements quoted for anything that does not fit. The largest of those, $5,000 a year, sits an order of magnitude below the floor at which a consultancy can profitably engage. The smallest is within reach of any business with one staff member and a card on file.

What we are not

I did not build it to disrupt anyone. Penetration testing firms should keep penetration testing. Big Four cyber teams should keep serving the federal government and the ASX 200. Managed security providers should keep doing the deep ongoing work for businesses that need a SOC. There is honest, useful work happening at every layer of the market, except the layer at the bottom.

That is the layer Red Bridge Cyber sits at. Not consultancy. Continuous scanning. Plain English. A price you can afford. A scope honest enough to be useful and narrow enough to deliver well.

The recruiter does not call anymore.

If you run an Australian small business and the question "is our security OK?" makes you a little uncomfortable because you do not actually know, we built this for you. The honest answer for most small businesses is that some things are fine and some things are not, and you cannot tell which is which without measuring. So we measure. That is the entire pitch.
