Australian Sovereign Security Platform

Security testing that never leaves Australian soil.

Scyvex is the only Australian-built, Australian-hosted pen testing platform with a human Sovereign Gate — built for APRA, IRAP, the SOCI Act, and Essential Eight compliance from day one.

scyvex-scan · sovereign-gate
$ scyvex mission new --target acme.com.au
→ Validating Rules of Engagement...
✓ RoE signed by tenant admin
→ Scope check: 4 domains, 12 IPs
✓ All targets within authorised scope
⚑ Sovereign Gate — awaiting human approval
Authoriser: customer-side role
Approval required before scan fires

$ scyvex gate approve M-0042
✓ Mission M-0042 approved
✓ Audit log entry written (immutable)
→ Launching scanner pod ap-southeast-2...
→ Nuclei · ZAP · nmap initialised
⟳ Scan running — data stays in AU

$
AWS ap-southeast-2 only
APRA CPS 234 native
Essential Eight aligned
IRAP pathway ready
OSCP-certified testers
Human Sovereign Gate
The Thesis

The global incumbents proved the model.
We own the moat they cannot cross.

"The Australian sovereignty gap is structural — not a feature request. US-headquartered vendors cannot solve it. We can."
Scyvex — founding principle
01

Data never crosses the border

Every byte of your vulnerability data, scan results, and findings reports stays in AWS Sydney. No exceptions. No foreign-jurisdiction exposure.

02

AI augments humans — it doesn't replace them

The Sovereign Gate requires human authorisation before any scan fires. Business logic flaws and chained exploits need human judgment. We build for that reality.

03

Compliance is architecture, not paperwork

APRA CPS 234, Essential Eight ML3, IRAP, SOC 2 — these aren't checkboxes applied after the fact. They are the data model, the state machine, the audit trail.

04

Scan finds it. Resolve fixes it.

Scyvex Resolve connects your findings directly to OSCP-certified Australian experts. One platform, full lifecycle — from discovery through verified remediation.

The Platform

Two products.
One complete security lifecycle.

Find vulnerabilities. Understand them in plain English. Fix them with verified experts. Retest. Close. Repeat.

Product 01

Scyvex Scan

AI-augmented penetration testing as a service. Scyvex Scan orchestrates Nuclei, ZAP, and nmap — then uses AI to synthesise findings into plain-English reports your board can read and your developers can act on.

  • Sovereign Gate — human approval required before every scan
  • Rules of Engagement enforced at the infrastructure level
  • AI synthesis layer — Bedrock Sydney, data never leaves AU
  • Immutable audit log — every action timestamped and signed
  • APRA CPS 234, Essential Eight, SOC 2, IRAP compliance-native reports
  • Ephemeral scanner infrastructure — torn down after every engagement
Product 02

Scyvex Resolve

Security remediation marketplace. When Scyvex Scan finds a vulnerability, one click deep-links you to Resolve — with the finding context pre-loaded. Self-service KB for indie developers, OSCP-certified experts for critical issues.

  • Knowledge base — self-service remediation guides for every finding type
  • OSCP-certified Australian SMEs for critical and high severity issues
  • Direct handoff from Scan — no copy-pasting findings
  • Verified retest loop — SME closes case, Scan retests, finding closes
  • Every resolved case becomes a KB article — compounding knowledge base
  • Compliance certificate updated automatically on finding close
Architecture

The Sovereign Gate — no scan fires without human authorisation.

A pen test scanner without human authorisation is legally a cyberattack. The Sovereign Gate is the architectural enforcement of that principle — not a UI checkbox, but a formal state machine baked into the mission infrastructure.

01

Rules of Engagement signed

Scope defined to IP/domain level. Customer admin signs digitally. No RoE → no mission created. Full stop.

02

Mission queued — gate closed

Mission is created in PENDING state. Scanner pod exists. Nuclei is loaded. But nothing fires. Gate is closed.

03

Human authoriser approves

A named customer-side authoriser reviews scope, confirms RoE, approves the mission. Audit log entry written — immutable, timestamped, signed.

04

Gate opens — scan fires

Mission transitions to RUNNING. Scanners activate within authorised scope only. Any out-of-scope probe attempt is blocked and logged as an incident.

05

Results → AI synthesis → report

Findings synthesised by Bedrock Sydney. Plain-English report generated. Data never leaves ap-southeast-2. Scanner pod torn down.
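
The gate steps above, sketched as a minimal state machine. This is an added example, not Scyvex's code: the class and method names, the exact-match scope rule, and the SHA-256 hash chain standing in for the "immutable" audit log are assumptions, and digital signatures are not modelled.

```python
import hashlib, ipaddress, json
from datetime import datetime, timezone

class GateError(Exception): pass

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Mission:
    def __init__(self, mission_id, scope_domains, scope_cidrs, roe_signed_by):
        if not roe_signed_by:                        # step 01: no RoE, no mission
            raise GateError("Rules of Engagement not signed")
        self.id, self.state = mission_id, "PENDING"  # step 02: gate closed
        self.domains = {d.lower().rstrip(".") for d in scope_domains}
        self.nets = [ipaddress.ip_network(c) for c in scope_cidrs]
        self.audit = []
        self._log("MISSION_CREATED", roe_signed_by)

    def _log(self, event, actor, detail=""):
        # Each entry commits to the previous entry's hash (tamper-evident chain).
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "mission": self.id,
                 "event": event, "actor": actor, "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def approve(self, authoriser):                   # step 03: named human approves
        if self.state != "PENDING":
            raise GateError(f"cannot approve from state {self.state}")
        self._log("GATE_APPROVED", authoriser)       # log first, then open the gate
        self.state = "RUNNING"                       # step 04

    def authorise_probe(self, target):
        """Called before every probe; False means blocked and logged."""
        if self.state != "RUNNING":
            raise GateError("gate closed: mission not approved")
        try:
            ok = any(ipaddress.ip_address(target) in n for n in self.nets)
        except ValueError:                           # not an IP: exact domain match only
            ok = target.lower().rstrip(".") in self.domains
        if not ok:
            self._log("OUT_OF_SCOPE_BLOCKED", "scanner", target)
        return ok

def verify_chain(audit):
    """Recompute every hash; any edited, removed or reordered entry fails."""
    prev = "0" * 64
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return False
        prev = e["hash"]
    return True
```

Calling `authorise_probe` while the mission is still PENDING raises `GateError`, so a scanner wired through this check cannot send traffic before approval.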

Compliance

Every Australian compliance framework. One platform.

Compliance frameworks aren't filters applied after the fact. They are the data schema, the report structure, and the audit evidence Scyvex generates natively.

Financial Services
APRA CPS 234
Mandatory for APRA-regulated entities. Scyvex Scan generates CPS 234-native pen test evidence and board-ready reports aligned to information security testing requirements.
Australian Government
Essential Eight ML3
ACSC's Essential Eight Maturity Level 3 requires tested controls, not assumed ones. Scyvex maps findings directly to the eight mitigation strategies.
Government ICT
IRAP
The Information Security Registered Assessors Program pathway. Scyvex's sovereign architecture — AWS Sydney, no foreign data flows — is built for PROTECTED level alignment.
Critical Infrastructure
SOCI Act 2018
Security of Critical Infrastructure obligations flow downstream to SaaS vendors. Scyvex documents your security posture for your enterprise customers' compliance obligations.
Enterprise Sales Enabler
SOC 2 Type II
The enterprise security questionnaire standard. Scyvex Scan generates the pen test evidence your SOC 2 auditors require, in the format they expect.
International Standard
ISO 27001
ISO 27001 Annex A requires penetration testing as part of information security assurance. Scyvex provides the testing, evidence, and remediation trail for certification.

Australian data sovereignty. No exceptions.

Your vulnerability data never crosses the border. Not for AI inference. Not for storage. Not ever.

AWS Sydney ap-southeast-2
AI inference stays in AU
No foreign jurisdiction
Australian Pty Ltd
OSCP-certified AU testers
How it works

From sign-up to certified. In days, not months.

The full engagement lifecycle — scoped, authorised, scanned, remediated, retested, certified — in a single platform.

01
Define scope
Define your domains, IPs, and application targets. Sign the Rules of Engagement digitally. Takes 10 minutes.
02
Sovereign Gate
A named customer-side authoriser reviews your scope and authorises the mission. Human approval every time. Audit-logged and immutable.
03
Scan + report
Scanner pod launches in AWS Sydney. Nuclei, ZAP, and nmap run. AI synthesises findings into plain-English reports. Pod tears down.
04
Resolve + certify
Click a finding → land in Scyvex Resolve with context pre-loaded. KB self-service or OSCP expert. Fix, retest, close. Certificate updated.
Who it's for

Built for two distinct Australian buyers.

Two niches. Two completely different buying triggers. One platform architected for both.

Indie developers & micro-SaaS founders
You've never had a real pen test. Your enterprise prospect just sent a security questionnaire asking for one. You need a dated pen test report within 10 days, not 10 weeks. Scyvex Scan is your answer.
First pen test · 10-day turnaround · Sales enabler · Indie pricing
B2B SaaS startups needing a compliance fast-lane
Your Series A enterprise customer requires SOC 2, ISO 27001, or APRA CPS 234 evidence before signing. You need pen test reports, remediation evidence, and a compliance trail — faster than a traditional consultancy can move.
SOC 2 · ISO 27001 · APRA CPS 234 · IRAP · Enterprise deals
Early Access

Be first in. Shape what gets built.

Scyvex is in active development. Early access customers get direct founder access, priority onboarding, and founding-customer pricing locked for life.

Australian businesses only · No spam · Unsubscribe any time