APEXLyn Attest

Compliance evidence that stands up

Attest collects security evidence automatically from your existing systems, locks it in tamper-proof storage the moment it arrives, maps it to the compliance frameworks your insurer and auditor actually ask for, and generates reports that can be independently verified. No spreadsheets. No screenshots. No manual uploads.


What Attest does for your organization

Automates evidence collection

Attest connects to your systems and collects security evidence on a policy-driven schedule. No one in your team needs to export data, compile spreadsheets, or take screenshots. Evidence arrives automatically.

Locks evidence permanently

Every piece of evidence is written to tamper-proof storage and cryptographically chained to the record before it. Evidence cannot be altered, deleted, or disputed after collection, not even by APEXLyn.

Maps to compliance frameworks

Attest maps your evidence to the frameworks that matter: Essential Eight, ISO 27001, NIST CSF, APRA CPS 234, ASD ISM, Healthcare Pack, Privacy Act Pack, and more. One set of evidence satisfies multiple frameworks simultaneously.

Generates verifiable reports

Attest generates insurance-grade and audit-grade reports with executive summaries, risk scorecards, evidence proof, governance records, and chain-of-custody statements. Every report can be independently verified.

The evidence chain: how Attest turns data into proof

Attest follows a strict, deterministic sequence every time evidence is collected. This is not a process that can be skipped, reordered, or overridden. If any step fails, the evidence is not considered committed.

[Diagram: APEXLyn Attest data flow from ingestion to verification. Sources (M365, AD, Cloud, CIS, EDR) → Automated Collection (event-driven, sub-second precision) → Tamper-Proof Storage (WORM, immutable ledger) → Hash-Chained Records (SHA-256 chain, evidence provenance) → Compliance Mapping (E8, ISO 27001, NIST, APRA) → Verified Reports (audit-ready artifacts) → Live Verification (cryptographic proof). Tagline: "Immutable Evidence. Verifiable Posture."]

Attest connects to your systems through secure, tenant-bound connectors. Each connector is authorised with the minimum permissions required and bound to your specific tenant; no connector can access another organization's data. Evidence is collected on a policy-driven schedule: a full baseline at onboarding, then recurring collection at defined intervals. Delta collection runs where the source system supports it. If a connector fails or a source is temporarily unavailable, the gap is recorded honestly; Attest never fabricates evidence to fill a gap.

Supported connectors include: Microsoft 365 (Graph API), Active Directory (LDAP/Agent), AWS (Security Hub, Config, CloudTrail, IAM), Microsoft Azure, Google Cloud Platform (Security Command Center), Google Workspace, CIS scan ingestion (CIS-CAT Pro, Tenable/Nessus, Qualys), backup software (Veeam, Datto, Acronis), EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), and a generic API intake for additional sources.

Every evidence record is written to WORM storage (Write Once, Read Many). WORM storage physically prevents modification or deletion of stored objects. This is not a software setting that can be turned off; it is an infrastructure-level guarantee provided by the underlying storage service. Evidence is stored in AWS Sydney (ap-southeast-2) and does not leave Australia. Each stored object is individually locked at the time of writing.

After evidence is written to WORM storage, a SHA-256 hash is computed from the evidence payload. This hash is then combined with the previous record's hash to create a new ledger block in a per-tenant hash chain. Each tenant has its own independent chain — no cross-tenant chaining exists. The chain is append-only: there is no update operation and no delete operation at any layer. If any record in the chain were altered, all subsequent hashes would become invalid, making tampering immediately detectable.

Device identity fields, including device ID, hostname, IP address, and MAC address where available, are included in the hashed evidence packet. This means the evidence is cryptographically bound to the specific device context at the time of collection.
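The hash chaining described in the two paragraphs above, as an added Python example (this is not APEXLyn's code). The genesis value, the canonical-JSON serialisation, the block layout, the field names and the rule for combining hashes are assumptions; the page states only that a SHA-256 payload hash is combined with the previous record's hash.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for each tenant's chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def payload_hash(packet: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so equal packets hash equally.
    # The device identity fields are part of the packet, so they are hashed too.
    return sha256_hex(json.dumps(packet, sort_keys=True, separators=(",", ":")).encode())

def make_block(prev_hash: str, packet: dict) -> dict:
    p_hash = payload_hash(packet)
    # Assumed combination rule: SHA-256 over previous block hash + payload hash.
    return {"prev_hash": prev_hash, "payload_hash": p_hash,
            "block_hash": sha256_hex((prev_hash + p_hash).encode())}

def append(chain: list, packet: dict) -> dict:
    # Append-only: the only operation on a tenant's chain is adding a new block.
    prev = chain[-1]["block_hash"] if chain else GENESIS
    chain.append(make_block(prev, packet))
    return chain[-1]

def first_invalid(chain: list, packets: list):
    """Index of the first block that fails verification, or None if intact."""
    prev = GENESIS
    for i, (block, packet) in enumerate(zip(chain, packets)):
        if block != make_block(prev, packet):
            return i
        prev = block["block_hash"]
    if len(chain) != len(packets):
        return min(len(chain), len(packets))  # a block or a record is missing
    return None

def sample_packets() -> list:
    # Constructed sample evidence; field names are illustrative only.
    return [{"event_id": f"evt-{n}", "control": "mfa_enforced", "result": r,
             "device": {"device_id": f"dev-{n}", "hostname": f"host-{n}",
                        "ip": f"10.0.0.{n}", "mac": f"02:00:00:00:00:0{n}"}}
            for n, r in enumerate(["pass", "fail", "pass"], start=1)]

if __name__ == "__main__":
    packets, chain = sample_packets(), []
    for p in packets:
        append(chain, p)
    print("intact chain:", first_invalid(chain, packets))
    packets[1]["device"]["hostname"] = "other-host"  # alter a stored record
    print("first invalid block after edit:", first_invalid(chain, packets))
```

Recomputing the altered record's own block does not hide the change: the following block still carries the old `prev_hash`, so verification fails one position later instead.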

Attest maintains a set of universal controls that are stable and framework-independent. Compliance frameworks (Essential Eight, ISO 27001, NIST CSF 2.0, APRA CPS 234, ASD ISM, and others) are views mapped onto these universal controls. This means adding a new framework requires loading requirement definitions and mapping rules, not rebuilding the engine. A single universal control (such as "MFA enforced for all users") can map to multiple framework requirements simultaneously across Essential Eight, ISO 27001, NIST, and CIS.

Framework assessment is confidence-calibrated. A control can only produce a PASS result when confidence is high — meaning the evidence is present, fresh, complete, structurally valid, from the correct source, and within scope. If any of those conditions is not met, the output is UNKNOWN (insufficient evidence), never PASS. Missing evidence never produces a passing result.

Attest generates PDF report packs with a fixed structure designed for insurers, auditors, boards, and regulators. Every report includes: an executive summary in plain English, risk scorecards with RAG (red/amber/green) status per framework, a findings table with plain-language explanations and remediation guidance for every non-passing control, an evidence proof appendix with cryptographic hashes, timestamps, event IDs, and device identity, a governance appendix with attestation records and risk acceptance history, a data residency and integrity statement, and a chain-of-custody statement.

Every report prints the exact framework version, mapping rules version, control rules version, and assessment date it is bound to. Reports are generated server-side only, never in the browser. The generated report's hash is recorded in the evidence ledger, creating a verifiable proof that the report existed in its exact form at the time of generation.

Every report generated by Attest can be independently verified through a dedicated verification endpoint. The endpoint accepts a report identifier and returns: the report hash, generation timestamp, framework versions and scope, and confirmation that the report hash is recorded in the evidence ledger. The verification response confirms whether the report is valid or invalid without revealing any tenant data beyond the verification metadata.

Reports can optionally include a QR code that links directly to the verification endpoint. An insurer, auditor, or regulator receiving an Attest report can scan the QR code and confirm independently that the report is genuine and unaltered, without needing APEXLyn platform access and without needing to trust APEXLyn.

Frameworks that matter for Australian organizations

Attest does not assess against generic checklists. It maps your real evidence to specific, version-attested compliance frameworks using a confidence-calibrated engine. If the evidence is insufficient, the result is "insufficient evidence", never a false pass.

Essential Eight (ACSC)

Scope: All 8 mitigation strategies. Maturity levels L1, L2, L3 selectable per tenant.

Evidence source: Microsoft 365, Active Directory, CIS scanners, AWS, Azure, EDR

CIS Benchmarks

Scope: Microsoft 365 Foundations, Google Chrome, Windows 11, Windows Server 2022. Profile-based. Version-attested.

Evidence source: CIS-CAT Pro, Tenable/Nessus, Qualys scan results

ISO/IEC 27001:2022

Scope: Clause-level and Annex A control-level.

Evidence source: All connected evidence sources mapped through universal controls

NIST CSF 2.0

Scope: Function, category, and subcategory level.

Evidence source: All connected evidence sources mapped through universal controls

APRA CPS 234

Scope: Information security requirements for financial services.

Evidence source: All connected evidence sources plus governance-linked evidence

HEALTHCARE PACK

Scope: My Health Records Act, RACGP standards, Healthcare Identifiers Act.

Evidence source: Connected sources plus governance-evidence where required

PRIVACY (APP) PACK

Scope: All 13 Australian Privacy Principles, OAIC guidelines, NDB scheme. Jurisdiction-aware legal-sector evaluation across all 8 Australian jurisdictions.

Evidence source: Connected sources plus governance-evidence where required

ASD ISM

Scope: Australian Signals Directorate Information Security Manual, March 2026 release. Government-grade.

Evidence source: Connected sources plus governance-evidence where required

All frameworks map to the same universal controls. Evidence collected once satisfies multiple frameworks simultaneously. Adding new frameworks requires no platform changes.

Framework alignment reflects how Attest maps collected evidence to published framework requirements. Attest does not claim certification, accreditation, or formal compliance on behalf of any organization. Assessment outputs are evidence-based and should be reviewed by qualified professionals for formal compliance decisions.

Connects to the systems you already use

Attest collects evidence automatically through secure, tenant-bound connectors. Each connector uses the minimum permissions required and is bound to your specific organization. No manual data exports.

Microsoft 365

Users, groups, roles, admin assignments, MFA and Conditional Access signals, device and compliance signals.

Active Directory

Privileged groups, password policies, last logon records, GPO security baselines.

AWS

Security Hub findings, Config rule evaluations, CloudTrail status, IAM posture evidence.

Microsoft Azure

Security posture, policy compliance, role assignments, encryption and logging configuration.

Google Cloud Platform

IAM roles and bindings, Security Command Center findings, logging and encryption posture, organization policies.

Google Workspace

Users, groups, admin roles, MFA status, admin console security configuration, Drive sharing settings.

CIS Scanners

CIS-CAT Pro, Tenable/Nessus, and Qualys scan results. Profile-based ingestion with rule-level pass/fail evaluation.

Backup Software

Veeam, Datto, and Acronis. Backup job status, retention configuration, restore-test evidence, protected backup posture.

EDR Platforms

CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint. Endpoint inventory, health, policy enforcement, and detection telemetry.

Generic API

Any additional source that produces JSON telemetry conforming to the evidence event format. Tenant-bound, validated, and audit-logged.

Governance that leaves a permanent record

Attest does not just collect evidence; it records the human decisions made about that evidence. When an approver attests that evidence is correct, or accepts a risk with a documented reason and expiry date, that governance action is written to the immutable ledger alongside the evidence it relates to.

The governance workflow operates as follows: when a report is generated, the system sends an automated review request to the designated approver. The approver receives a secure link that is one-time use, time-limited (default 60 minutes, configurable per tenant), and bound to the specific user and tenant. Accessing the secure link requires MFA re-verification.

The approver reviews non-compliant items and completes one of two actions: attestation ("I certify this evidence is correct") or risk acceptance ("I accept the risk of this finding for documented reasons"). Risk acceptance requires a reason in plain English, an owner, an expiry date, and a review date.

Every governance action writes a signature event to the immutable ledger containing: the actor's identity and role, timestamp, IP address, user agent, the evidence records referenced, their cryptographic hashes, ledger block references, and the scope context (framework, version, assessment date). This signature event is permanent and independently verifiable.

When a risk acceptance expires, the exception status is automatically removed and the underlying assessment result takes effect. The system sends reminders before expiry at 30 days, 15 days, 3 days, and 1 day.

Built for MSPs managing multiple clients

Attest is designed for managed service providers who deliver compliance evidence to their client base. White-label the platform with your branding. Manage hundreds of clients from a single portfolio dashboard. Drill from portfolio overview down to individual tenant, framework, control, and evidence proof.

Portfolio dashboard

Multi-tenant portfolio view supporting 500+ tenants with precomputed snapshots. Hotspots, heatmap, and trend views. Drill down from portfolio to tenant to framework to control to immutable evidence.

White-label reporting

Your brand on the portal header, PDF cover page, footer, and contact details. The underlying evidence, hashes, requirement IDs, and assessment statuses are never altered by branding. Your brand. Our evidence integrity.

Consolidated operations

Consolidated billing visibility, client-by-client seat accounting, template propagation across client tenants, client onboarding, client monitoring, and direct-conversion attesting when a client moves from MSP-managed to direct.

Evidence your insurer can actually use

Cyber insurance underwriting in Australia still relies heavily on self-assessment questionnaires. Your organization ticks boxes. Nobody verifies the answers.

Attest changes this. Instead of claiming your MFA is enabled, Attest provides cryptographic proof that MFA was enabled on specific systems, on specific devices, at specific times, with an unbroken chain of evidence that your insurer can independently verify.

Every Attest report includes an assertion statement describing exactly what was assessed and a non-assertion statement describing what was not. The report says precisely what it can prove and explicitly disclaims what it cannot. No ambiguity. No overclaiming.

If your insurer, auditor, or board reviewer receives an Attest report, they can verify it is genuine by checking the report hash against the evidence ledger, either through a QR code on the report or through the verification endpoint. They do not need platform access. They do not need to trust APEXLyn. They verify the mathematics.

Attest pricing

Start where your organization is today. Scale as your evidence requirements grow.

Attest Standard

From A$699/month

Automated compliance evidence for small organizations — one selected outcome pack, insurer-review-ready and procurement-review-ready reporting, and assisted onboarding.


Attest Professional

From A$1,999/month

Multiple outcome packs and governance discipline for organizations with real compliance, audit, insurance, board, or procurement obligations.


Attest Enterprise

From A$7,500/month

Advanced compliance evidence authority — contracted framework scope, legal hold where entitled, chain-of-custody export where contracted, and dedicated support.


Attest Sovereign

Contact sales

A contracted high-assurance Attest program with extended evidence scope, customer-managed keys where scoped, Australian sovereign deployment posture where contracted, and a dedicated support model.


Start collecting evidence that stands up

Whether you need Essential Eight evidence for your insurer, ISO 27001 mapping for your auditor, or APRA CPS 234 reporting for your regulator, Attest turns compliance from a claim into a proof.