Red Bridge CyberRed Bridge Cyber
Customer Login
What We CheckHow It WorksPricingResearchAboutBlogCustomer Login
Original research · Red Bridge Cyber

Posture Research

Red Bridge Cyber’s Posture Research programme is a quarterly measurement of the real, public-facing security posture of five cohorts — Australian small business, medium business, enterprise & government, education, and the multinationals — scanned with the same engine that powers our customer reports. Each edition publishes score distributions and the most common findings per cohort.

The five baselines

The Australian SMB Posture BaselineAustralian small businesses — the typical Australian business websiteJune 2026The Australian Medium Business Posture BaselineSubstantial Australian businesses above the SMB tier — none ASX-listedJune 2026The Australian Enterprise & Government Posture BaselineASX-listed enterprises and federal, state and local governmentJune 2026The Australian Education Posture BaselineAustralian universities, TAFEs and schools (.edu.au)June 2026The Multinational Posture BaselineGlobal mega-cap companies on .com domains, including Australian-headquartered multinationalsJune 2026

The comparison promise

The SMB baseline alone tells you what the typical Australian small business posture looks like. The five-cohort programme tells you something no other Australian source publishes: where a typical Australian small business sits against medium business, the ASX, government, education, and the multinationals — measured by the same engine, on the same checks, in the same quarter. When someone tells a small business it should be “enterprise-grade”, these baselines show what enterprise actually scores.

Methodology

Cadence. Quarterly — June, September, December and March editions, every cohort scanned in the same window.

Sampling. Each edition draws a deterministic seeded sample per cohort from a validated pool — every pool entry has passed a DNS and HTTP liveness check before it is eligible. The seed is fixed per edition, so a draw can be reproduced exactly.

Exclusions. Domains that cannot be scanned (dead DNS, unreachable hosts, hard bot-gates) are excluded before scoring — never on score.

For questions about the methodology please Contact Us.

Quarterly commentary

Each quarter’s editions are accompanied by a cross-cohort perspective piece: Big Budgets, F-Grade Basics: What Our 450-Domain Scan Found.

Citing this research

You are welcome to cite any published baseline statistic with attribution and a link to the source, for example:

(Red Bridge Cyber SMB Posture Baseline, June 2026)

If you are linking directly to one of our articles rather than citing the research, just link the article — article links carry no citation requirement.

Further information

We do not publicly publish the domain names in our validated pools, or name any individual organisation in our findings — results are only ever published as cohort-level aggregates. Verified security researchers and organisations may contact us to request further details of our work.