STANCE gives anyone who needs to document, analyse, and deliver a professional security design review a structured platform to do it — without the weeks of manual work.
Launching soon. Free tier available at launch — no credit card required.
STANCE structures the security design review process end to end — from the first diagram to the final document.
Describe your architecture. STANCE generates a structured diagram automatically.
AI interrogates each component. You confirm what's real.
STRIDE threat analysis and 12 design principles evaluated automatically.
Attack paths simulated with ALE financial risk quantification.
A professional Security Design Review document, ready to deliver.
Architecture-first security assessment, risk management, and compliance evidence — connected by design.
Architecture-driven security design reviews. STRIDE analysis, design principles assessment, Kill Chain simulation, and SDR document export.
Structured security risk assessments grounded in your real technology stack. Risk register with ALE financial modelling.
Centralised evidence library mapped to Australian frameworks. Manage compliance artefacts across your organisation.
STANCE was built by a practising Cyber Security Practitioner with deep experience in the Australian health and government sector. Every framework, every control, every benchmark reflects the Australian context — not a US or European template adapted for local use.
Free tier available. No credit card, no onboarding call, no sales process.
From a description of your system to a professional Security Design Review document — structured, evidence-based, and compliant with Australian frameworks.
Describe your system in plain language. STANCE asks clarifying questions to understand your stack, then generates a structured architecture diagram. Vendor names, hosting models, and data flows are captured automatically.
Every component and connection analysed against all six STRIDE categories. High and critical findings mapped to MITRE ATT&CK technique IDs for operational handoff. No rule matching — reasoned from your actual architecture.
Each blueprint evaluated against 12 framework-agnostic design principles — defence in depth, least privilege, zero trust, encryption in transit, network segmentation, and more. Rated Aligned, Gap Identified, or Not Assessed with AI rationale.
Branching attack path simulation from your highest-severity findings. ALE (Annual Loss Expectancy) calculated per scenario using Australian breach benchmarks. Gives your review financial weight, not just technical findings.
A nine-section Security Design Review document generated from your blueprint. Covers executive summary, architecture documentation, threat analysis, control assessment, design principles scorecard, findings, compliance alignment, and residual risk. Edit each section before export.
Every finding and control assessment mapped to Essential Eight, APRA CPS 234, Privacy Act, and NSW Cyber Security Policy. Compliance alignment section generated automatically in every SDR.
Free tier includes one blueprint and full access to the Secure Design workflow.
All prices in AUD. Join the waitlist — launching soon.
- Free: Try the full Secure Design workflow with one blueprint.
- Starter: For solo consultants and internal security architects.
- Growth: For boutique consultancies and in-house security teams.
- Scale: For MSSPs and organisations running multiple concurrent reviews.
| Feature | Free | Starter | Growth | Scale |
|---|---|---|---|---|
| Blueprints | 1 | 3 | 10 | 25+ |
| Analysis credits / month | 3 | 15 | 50 | Unlimited |
| Assessments / month | 5 | 20 | Unlimited | Unlimited |
| SDR exports / month | 2 | 5 | 20 | Unlimited |
| Kill Chain simulation | View only | ✓ Export | ✓ Export | ✓ Export |
| Client-branded SDR | ✗ | ✗ | ✓ | ✓ |
| White-label portal | ✗ | ✗ | ✗ | ✓ |
| API access | ✗ | ✗ | ✓ | ✓ |
| Compliance Vault (standard) | ✓ | ✓ | ✓ | ✓ |
| Custom compliance frameworks | ✗ | ✗ | ✗ | Enterprise |
One analysis credit is consumed by each Full Analysis run (STRIDE + design principles), each Kill Chain simulation, each SDR generation, and each blueprint finalisation. Consult messages, diagram edits, assessments, and all Compliance Vault actions do not consume credits at any tier.
Yes. All data is stored in AWS ap-southeast-2 (Sydney). STANCE is built for Australian organisations — data sovereignty is not an afterthought.
Yes — the Free tier is permanent, not a time-limited trial. Create one blueprint and run the full Secure Design workflow including Kill Chain before deciding whether to upgrade.
On Growth and above, exported SDR documents include your client's logo and organisation name on the cover and footer. STANCE branding is replaced by your firm's identity — suitable for consultancies billing clients for design review work.
Annual billing is available with two months free equivalent. Contact us to set up an annual subscription.
Standard tiers include Essential Eight (all 8 strategies, ML1–3), ISO 27001:2022, APRA CPS 234, Privacy Act (all 13 APPs), and NSW Cyber Security Policy (all 31 mandatory requirements). Custom frameworks available on Enterprise.
STANCE exists because producing a credible security design review shouldn't require weeks of manual work or a team of consultants. So we built the platform.
Security design reviews sit at the intersection of architecture, risk, and compliance. The person doing that review — whether they are a security architect, a consultant, a developer leading a project, or an IT manager preparing for an accreditation — needs to produce a document that is credible enough to present, specific enough to act on, and aligned to the frameworks their organisation actually uses.
Existing platforms serve developers writing code and compliance teams chasing certifications. Nobody built a platform for the person doing a design-time security review — assessing whether a proposed system is safe to deploy, whether a vendor integration introduces unacceptable risk, whether a new architecture meets the requirements of APRA CPS 234 or the Essential Eight.
STANCE was built from that gap. It was designed by a Cyber Security Practitioner with deep experience in the Australian health and government sector — contexts where security design reviews have real consequences, where the output goes to project steering committees and accreditation bodies, and where the frameworks that matter are Essential Eight, APRA CPS 234, and the Privacy Act — not SOC 2.
STANCE is a product of DigiSecure, a Sydney-based cybersecurity firm specialising in security architecture and compliance for Australian organisations in healthcare and government.
DigiSecure was founded with a clear view: that security is most effective when it is embedded in the design of systems, not bolted on after the fact. STANCE is the platform expression of that philosophy.
Security decisions made at design time are more effective and less expensive than those made after deployment. The architecture document is the starting point, not an afterthought.
A security review is only as useful as the document it produces. STANCE is built around the deliverable — the SDR that can be presented, challenged, and acted on.
Essential Eight, APRA CPS 234, the Privacy Act. These frameworks are built in, not bolted on. STANCE was designed for the Australian regulatory environment from day one.
Findings are more persuasive when they have a dollar value. ALE calculations, Australian breach benchmarks, and financial risk quantification are core — not optional modules.
Incomplete metrics, half-built features, and misleading labels do not ship. Every number shown is accurate. Every feature released is complete.
STANCE is not a self-serve volume play. It is a platform for practitioners who care about their work. We'd rather have ten organisations getting real value than a thousand accounts gathering dust.
Questions about STANCE, enterprise pricing, or whether it's the right fit for your organisation — send us a message.
STANCE is launching soon. Join the waitlist to be notified the moment the platform goes live.
Be the first to know when the platform goes live. No spam — one email when we launch, that's it.
STANCE helps organisations assess security. Here is how we secure the platform itself.
The security posture described on this page is based on our own internal assessment conducted in June 2026. We make no claim of independent certification. We publish this to be transparent about what is and is not in place, and we update this page after each significant security sprint.
All customer data is stored in AWS ap-southeast-2 (Sydney, Australia). No data is transferred outside Australia. STANCE is built for Australian organisations — data sovereignty is a design requirement, not a configuration option.
Every database query is filtered by organisation ID using Supabase Row Level Security. It is architecturally impossible for one organisation's data to be returned in another organisation's query — this is enforced at the database layer, not the application layer.
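The tenant-isolation pattern described above, shown as an added illustration rather than STANCE's own schema: a minimal Postgres/Supabase Row Level Security setup in which every row of a table carries an organisation ID and a policy restricts reads and writes to the caller's organisation. The table name `blueprints`, the column `org_id`, the helper `current_org_id()`, the JWT claim name `org_id` and the sample UUID are all assumptions made for this example.

```sql
-- Added example (not STANCE's schema): organisation-scoped RLS on one table.
-- Table, column, function and claim names are assumptions for illustration.
create table blueprints (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,           -- owning organisation (assumed column)
  name    text not null
);

-- Organisation ID taken from the JWT claims PostgREST/Supabase exposes to the
-- session as request.jwt.claims. The 'org_id' claim name is an assumption.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'org_id')::uuid
$$;

-- Enable RLS and FORCE it so the table owner is not exempt either.
alter table blueprints enable row level security;
alter table blueprints force row level security;

-- Application connections run as the restricted 'authenticated' role.
grant select, insert, update, delete on blueprints to authenticated;

-- USING filters rows that can be read/updated/deleted; WITH CHECK stops an
-- insert or update from writing a row into a different organisation.
create policy blueprints_tenant_isolation on blueprints
  for all
  to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Constructed check: simulate one request's session and confirm that a query
-- with no WHERE clause still only sees the caller's organisation's rows.
begin;
set local role authenticated;
set local request.jwt.claims = '{"org_id":"00000000-0000-0000-0000-000000000001"}';
select id, name from blueprints;           -- only org ...0001 rows are returned
insert into blueprints (org_id, name)
  values ('00000000-0000-0000-0000-000000000002', 'cross-tenant write');  -- rejected by WITH CHECK
rollback;
```

The database-layer guarantee holds only for connections that run as a role subject to RLS. Superusers, and in Supabase any client using the `service_role` key, bypass policies entirely, so a practitioner reviewing this kind of claim checks that application and API paths never use a bypassing role and that `force row level security` is set on every tenant table.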
Authentication is powered by Clerk, which holds SOC 2 Type II certification. All session controls are enforced at the platform level.
Phase 1 security assessment completed June 2026. 17 findings across 8 domains identified and assessed. All critical and high severity findings remediated.
STANCE runs on established cloud infrastructure with a clear separation between production and development environments.
If you discover a security vulnerability in STANCE, please report it responsibly. We commit to acknowledging all reports within 24 hours and providing a resolution timeline within 5 business days.
For security enquiries, vulnerability reports, or enterprise security documentation requests.
security@stancesec.com