Subscription Plans & Add-On Packs

Compare plans and pricing

Less per month per user than
an individual consultant charges per day.

As a consultant; one day of revenue can pay for each month of usage.

Compare plans using the fields below. Note that the pricing is an estimate as the Azure Marketplace involves currency exchange rates.


Total AUD: 

$200 per month

Total AUD: 

$2,400 per year

Asset Management


AUD per user
(no minimum)

$200 per month


Countermeasures Management Plan


AUD per user
(no minimum)

$0 per month


Everything from the Asset Management Plan plus:

Security Program
Management Plan


AUD per user
(no minimum)

$0 per month


Everything from the Countermeasures Management Plan plus:

Standard Plan


AUD per user
(5 minimum)

$0 per month


Everything from the Security Program Management Plan plus:

Premium Plan


AUD per user
(30 minimum)

$0 per month


Everything from the Standard Plan plus:

Enterprise Plan


AUD per user
(55 minimum)

$0 per month


Everything from the Premium Plan plus:

AI Assistant
Add-On Pack


AUD per user
(no minimum)

$0 per month


Add-On Pack


AUD per user
(no minimum)

$0 per month


If you are outside of our currently supported Azure Marketplace regions, please submit an enquiry via this form and let us know which countries to prioritise.

Role Based Access Controls

Role Definitions

Cybersecurity Office utilises Role Based Access Control to grant and constrain which of your Azure Entra ID users are able to access which parts of the application.

While there are no limitations on how many of the roles can be assigned to a single user, an external Identity Governance & Administration tool may be utilised to define Segregation of Duties rules constraining specific combinations of roles, if required.

Role Description Resources
Tenant Administrator

The Tenant Administrator role is required to setup and maintain the Tenant details and subscriptions. Where required, the Tenant Administrator is also able to create and maintain ACLs that provide fine-grained authorisation rules beyond what can be defined with just roles.

Even if not assigned to an individual, at least one Subscription Plan or Add-On pack containing the Tenant Administrator role must be licensed in order to allow the system to be bootstrapped when first starting out.

Risk Manager The Risk Manager is limited to managing the Risk Framework and the associated Information Asset Classification.
Asset Manager

The Asset Manager can define all entities within the Asset Registry and the asset hierarchy within the assessment, in addition to classifying the Information Assets, from which the classification of all other entities in the asset hierarchy are derived.

If using Cybersecurity Office purely as an asset registry, this will be the primary role required.

Control Catalogue Manager

The Control Catalogue Manager provides write access to the Countermeasures, which includes Control Catalogues, Cybersecurity Frameworks and Maturity Models. Due to the tight relationship between the controls and the threats they mitigate, this role also has the ability to manage the Threats as well.

In addition to managing the controls, this role also provides access to the pre-defined and formatted standards based data available to import at a click without having to define them from scratch. This currently excludes standards that must be licensed, such as ISO 27001.

Threat Catalogue Manager

The Threat Catalogue Manager role is capable of creating and maintaining the Threats forming the basis of the risks to the organisations assets, including the association with the controls that mitigate those risks.


The Auditor Role is able to create and apply and update the Control Assessments of the current state, as well as defining the target state.

In addition, the Auditor is able to create and maintain Reports, however the target state maturity may have dependencies on Tasks and Work Packages that need to be defined by a Security Program Manager or Security Architect.

Security Program Manager

The Security Program Manager role is responsible for creating Tasks, Work Packages and prioritising the Roadmap based activities required to transition from the current state to the target state.

In addition, the Security Program Manager is able to create and maintain Reports, which will have dependencies on capabilities from the Auditor, Control Catalogue Manager and Asset Manager roles.

Security Architect The Security Architect role has the capabilities of all of the other roles, excluding the Cognitive User. When a single user is responsible for the entire end-to-end process, such as when producing a Protective Data Security Plan (PDSP), it may be simpler to assign a single Security Architect role to that user than all of the other roles combined.
  • All Entities
Cognitive User

Many of the capabilities within Cybersecurity Office used by the above roles have AI Assistant driven services that can help streamline otherwise time-consuming activities.

However, each organisation must explicitly authorise each individual user to make use of these AI services by assigning the Cognitive User role for the following reasons:

  • Different organisations may have specific policies about allowing staff usage of AI services and/or sending organisation specific data to those AI services for analysis
  • The back-end Open AI based services utilised for these capabilities are relatively expensive, requiring this capability to be licensed separately.

AI services are charged by 'token', which is roughly analogous to a word (or part of a word). Each licensed Cognitive User has a capped number of tokens available per month, however these are shared across the organisation. This means that more licensed Cognitive Users allows for more usage across all users, as well as more individual users.

The token cap per licensed users is 50 million tokens (50,000,000) per month.

Consumer Provides read-only access to all data within your Cybersecurity office tenant. In most cases, having a role that provides write-access also provides read-access to the same data without having to also have a Consumer role assigned as well.
  • All Entities

Azure AD Role Management

The roles are defined as 'Application Roles' and are managed within your own Azure Entra ID tenant via the Enterprise Applications blade in the Azure Portal.

Managing access within your own Azure Entra ID tenant means that any existing Identity Governance & Administration tools and processes are inherently already integrated with Cybersecurity Office via Azure Entra ID.

Subscriptions are managed via the Azure Portal.

At the time a user accesses a resource that requires a specific role, they will consume a user slot from the associated subscription for a 1 month period, if the following conditions are met:

  • The users already allocated to the subscription is within the licensed quantity for the active subscription
  • The maximum allocated user members has been met, however one or more existing allocations has expired

If all subscription user slots have been allocated and another user requires access to a role from that subscription, one of the following will be required:

  • The user will need to wait until an existing allocation has expired, which will be 1 month after it was first allocated
  • The user quantity in the subscription plan is changed to a higher value that allows more users

Resource Specific Access Control Lists

Users can be assigned Roles specific to individual parts of the resource hierarchy, such that a use may be in Role X for one Security Profile and Role Y for another Security Profile, all within the context of the same organisation.

Membership is still managed within Azure Entra ID, but needs to utilise Azure Entra ID Groups rather than Application Roles, and these groups need to be mapped to the ACLs created within Cybersecurity Office. Currently these ACLs need to be created and maintained via the REST API.

Contact support for specifics on how to implement this.

Security Profiles

A Security Profile in Cybersecurity Office is a representation of an Organisation, Organisational Unit, Subsidiary, Agency or any self-contained entity that may have its own independent Risk Framework, Control Catalogue, Systems, Information Assets, maturity, risks and security program.

For firms providing services to multiple customers using Cybersecurity Office, such as delivering the Protective Data Security Plan (PDSP) for Victorian Public Sector (VPS) organisations, these firms may create separate independent Security Profiles within their single licensed tenant, up to the number their active subscription allows.