AWS and Linux security engineering for Australian SaaS and lean IT teams
Phylax Technologies helps Australian SaaS companies and lean IT teams harden AWS and Linux environments, improve delivery security, and produce evidence-ready remediation — without hiring a full-time senior cloud security engineer.
AWS Security Review
Structured review of your AWS posture with a prioritised remediation plan. Typically 1–2 weeks.
What Phylax does
Six core services for AWS and Linux-heavy environments. Each is fixed-scope where practical, principal-led, and ends with usable evidence and handover.
AWS Security Review
A fixed-scope review of AWS security posture for teams that need practical risk reduction, clear priorities, and evidence-ready reporting.
AWS Hardening Sprint
A time-boxed implementation engagement that fixes agreed AWS security gaps rather than only reporting on them.
Linux Host and Web Stack Hardening
Practical baseline uplift for Linux servers and web application hosting environments that need to become safer, cleaner and easier to operate.
DevSecOps and IaC Baseline
Security uplift inside repositories, pipelines and infrastructure-as-code workflows for teams that need safer delivery without slowing engineering down.
Backup, Recovery and Incident Readiness
A compact engagement to make backup, recovery, escalation and technical incident readiness more real.
Fractional Platform and Cloud Security Lead
Ongoing senior AWS, Linux, platform and security input for teams that need steady technical leadership without hiring a full-time specialist.
Six services, three buying paths
The services above map to three productised ways to engage: assess, implement, or retain. Fixed scope, fixed fee where practical, and a clean route from review to ongoing operations. All prices ex GST. Minimum paid engagement A$6,500.
AWS Security Review
A structured review of AWS posture with a credible, prioritised remediation plan. The clearest way to start.
- IAM, privilege and identity review
- Logging, CloudTrail and detective controls
- Security Hub / GuardDuty / Config posture
- Public exposure and network controls
- Backup, restore and resilience basics
- Secrets handling and account separation
- Technical findings report + executive summary
- Working session and roadmap to hardening
AWS Hardening Sprint
Time-boxed remediation that fixes agreed issues rather than reporting on them. For teams that already know they need uplift.
- IAM clean-up and least-privilege roles
- GuardDuty / Security Hub / Config enablement
- CloudTrail and log centralisation
- Backup baseline and restore checks
- Account guardrails and baseline policies
- Infrastructure-as-code updates
- Evidence pack and handover
- Typically 2–6 weeks
Fractional Platform / Cloud Security Lead
Ongoing access to a senior AWS / Linux / platform / security practitioner at a predictable monthly cadence. Not on-call, not managed support.
- Adviser – 1 day/week – A$7,000/mo
- Embedded – 2 days/week – A$13,000/mo
- Lead – 3 days/week – A$18,500/mo
- Architecture and security review
- Hands-on AWS / Linux / DevSecOps support
- Backlog shaping and prioritisation
- Mentoring and internal uplift
- 3-month minimum · monthly in advance
Who Phylax is for
Phylax is a specialist practice. The work is best with technically aware businesses that need real uplift, not a long programme of compliance theatre.
Best-fit clients
- AWS-native SaaS / software vendors — 10–80 staff, account sprawl, weak IAM/logging/backup posture, customer security pressure
- Lean internal IT teams with Linux-heavy estates, 20–150 staff, needing patching, SSH/sudo, logging and recovery uplift
- Suppliers into regulated or privacy-sensitive sectors — needing technical evidence for procurement, insurance, CPS 230, privacy or Essential Eight expectations
- Teams that need implementation and evidence, not just advice
- Organisations replacing or supplementing a contractor with a packaged outcome
What to expect
- Direct access to a senior engineer — principal-led delivery
- Fixed-scope, fixed-fee proposals where practical
- 30-minute discovery call, then a 2-page SOW within 72 hours
- Weekly updates, written change control, no hidden hourly billing
- Evidence pack and recorded handover at the end of every engagement
- Business-hours delivery, remote-first, occasional Sydney on-site
What Phylax is not
- A 24×7 managed service or NOC
- A SOC / MDR / live incident response provider
- A CREST-certified penetration testing firm
- A Microsoft 365 / Entra / Intune-first consultancy
- A pure governance, policy or audit shop
- End-user, helpdesk or desktop support
- Suited to micro-businesses on commodity budgets or large APRA enterprises with long procurement cycles
How an engagement runs
A simple, predictable buying experience. Most engagements move from discovery call to written proposal in under a week.
Discovery call
30 minutes to confirm fit, urgency, environment and likely budget band. No obligation, no slide deck.
Proposal
A 2-page proposal or SOW within 72 hours: scope, assumptions, timeline, deliverables and a fixed price.
Kickoff
Short kickoff to set up access, agree working method, confirm stakeholder map and reporting cadence.
Delivery
Weekly written updates, an open issue and risk register, and no surprise change requests. Fixed scope, fixed fee.
Handover
Findings report, remediation notes, evidence pack, and a recorded walkthrough where useful. Optional roadmap to a hardening sprint or retainer.
Security through better operations
Phylax treats security as an operational discipline, not a separate product or a compliance checkbox.
Most security problems in small and mid-sized AWS environments are not exotic attacks. They are preventable operational gaps: over-privileged access, missing logs, untested backups, unpatched hosts, and undocumented change.
Phylax closes those gaps through practical engineering. Better access patterns, stronger logging, verified recovery, and documented systems reduce your real risk profile without turning your business into compliance theatre.
The goal is not to eliminate all risk. It is to make your environment meaningfully harder to compromise, faster to detect problems in, and easier to recover from.
- Least-privilege IAM and role design
- MFA and secure administrative access patterns
- Host hardening and baseline configuration
- Secrets handling and rotation
- Centralised logging and audit trails
- Backup validation and restore testing
- Patch management cadence
- Incident runbooks and response readiness
- Documented change and operational clarity
When customers, insurers or boards need evidence
Phylax is a technical practice first. Compliance overlays are offered selectively, layered on top of engineering work — not as a standalone GRC service.
Phylax Technologies
Phylax Technologies is a Sydney-based AWS and Linux security engineering practice helping Australian SaaS and lean IT teams harden cloud environments, improve delivery security, and ship evidence-ready remediation.
The practice is deliberately narrow: AWS-native, Linux-heavy, implementation-led. Clients work directly with a senior engineer rather than being routed through a generic helpdesk or a junior consulting bench.
The focus is practical delivery — safer access, better observability, cleaner infrastructure, stronger recovery posture — with documentation and evidence that survive growth, audits and team changes.
Technical profile
- Linux systems administration
- AWS cloud design and operations
- DevOps and infrastructure automation
- SRE-style reliability and operational discipline
- Practical security posture uplift
- Infrastructure as code
- Observability and monitoring
- Graduate-level cybersecurity study
Common questions
What is the best way to start?
Request a 30-minute discovery call. If we are a good fit, you will get a 2-page proposal within 72 hours. Most clients begin with an AWS Security Review (from A$9,800) which produces a prioritised remediation plan you can act on with or without us.
What is the minimum engagement size?
Around A$6,500 for fixed-scope project work. Phylax is a principal-led specialist practice, not a contractor body shop, and engagements are sized to deliver a real outcome with a written handover.
Do you only work with AWS?
Yes. Phylax is focused on AWS environments running Linux workloads. That is what keeps the practice deep rather than wide. If your primary platform is Azure or GCP, Phylax is probably not the right fit, but referrals to trusted partners are available.
Can you help with Essential Eight, CPS 230 or customer security questionnaires?
Yes, as overlays on the technical work. Phylax produces evidence packs and can support questionnaire responses, supplier due diligence, Essential Eight mapping in mixed estates, and CPS 230 supplier evidence. Compliance is not the primary identity of the business, so pure GRC or audit-only work is referred to a partner.
What about Microsoft, M365 or desktop support?
Phylax does not provide Microsoft 365 / Entra / Intune administration, desktop support, printer management, or end-user helpdesk services. Microsoft-heavy remediation programmes are referred to a trusted partner.
Can you work alongside our internal team?
Yes. Phylax is designed to complement internal teams, not replace them. The Fractional Platform / Cloud Security Lead retainer specifically supports lean teams that need senior input, implementation help and prioritisation without a full-time hire.
Do you offer 24/7 support, on-call or live incident response?
No. Phylax operates business hours with agreed response targets. Phylax does not provide a SOC, MDR, NOC, on-call rotation, or live DFIR. Those are referred to specialist partners.
How is delivery structured commercially?
Fixed-fee where practical, with 14-day payment terms. Projects under A$15k are typically 50% on commencement and 50% on delivery. Larger projects use a 40/40/20 schedule. Retainers are monthly in advance with a 3-month minimum.
Where are you based and do you travel?
Sydney-based, remote-first across Australia. Occasional on-site work in Sydney is included where it helps; broader travel is scoped per engagement.
Request a discovery call
Tell us what is driving the security conversation, where the environment is today, and what kind of outcome would be useful. If we are a good fit, expect a short proposal within 72 hours.