TL;DR

  • Most security consultants sell reports; lilMONSTER builds and ships working tools
  • CyberDark (open-source security toolkit), GetReady-Comply (GRC platform), and Spaaaace (privacy-first AI) are tools we use ourselves and deploy for clients
  • Builder-consultants find more vulnerabilities because they understand how things break at the code level
  • Open-source tools mean no black boxes — you can inspect exactly what's running on your systems

There's a pattern in cybersecurity consulting that almost everyone in the industry recognises but few talk about openly.

A consultant arrives with a clipboard and a methodology. They run their toolset, generate findings, and produce a report. The report is detailed. It has executive summaries and traffic-light (RAG) ratings. It probably costs between $10,000 and $50,000 depending on the scope.

And then they leave.

Six months later, most of the findings are still open. Not because the business doesn't care — they do — but because the report described problems without building solutions. It documented the gap between where you are and where you should be, but handed you no tools to close it.

At lilMONSTER, we operate differently. We don't just find problems. We build the tools to fix them — and we ship those tools to clients.


What Does It Mean for a Consultant to "Build What They Sell"?

At its core, it means that the advice we give is grounded in operational reality. When we tell you that automated configuration drift detection is essential, it's because we've built the scripts to do it and we run them ourselves. When we recommend a particular approach to patch management, it's because we've implemented it across real environments and we know where the edge cases are. This is the stance NIST's Cybersecurity Framework 2.0 takes with its Improvement category: security as an ongoing practice, not a point-in-time audit [2].

Clipboard consultants — those who rely entirely on third-party tooling and report generation — are limited by their tools' assumptions. They see what their scanners see. They find what their methodology is designed to find.

Builder-consultants think like developers, because they are developers. They understand not just that a vulnerability exists, but how it was introduced, how it would be exploited, and what a real fix looks like at the code level. That's a different quality of security insight.

The OWASP Top 10 ranks Broken Access Control first among web application risks; insecure direct object references are one form of it [1]. Vulnerabilities of that kind, along with business logic flaws and improper session management, are routinely missed by automated scanners, because a scanner cannot know which user is supposed to be able to reach which record or which sequence of requests the business never intended. They are found by manual review by someone who understands how the application was built. You can't do that with a scanner. You need a builder.
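To make the point concrete, here is an added example (not lilMONSTER's or CyberDark's code) of an insecure direct object reference as it usually appears in application code, beside the fixed handler. Both versions answer a black-box probe with plausible 200/404 codes; only reading the handler shows that one of them never checks who owns the record. The invoice records, session type and handler names are constructed for the example.

```python
# Added example (not lilMONSTER's or CyberDark's code): an insecure direct
# object reference beside its fix. A scanner sees two endpoints that both
# return HTTP 200 with valid-looking JSON; only reading the handler shows that
# one never checks who owns the record. Names and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool = False


# Constructed datastore standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount_cents=125_00),
    1002: Invoice(1002, owner_id=2, amount_cents=9_999_00),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session: Session, invoice_id: int) -> Invoice:
    """Before: authenticated, but not authorised.

    The caller proved who they are (they hold a session), and the lookup is
    keyed only on the client-supplied id. Any logged-in user who guesses or
    increments an id reads someone else's invoice.
    """
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_fixed(session: Session, invoice_id: int) -> Invoice:
    """After: the ownership check is part of the lookup, not an afterthought.

    Two details a reviewer looks for: the check is made against the session,
    never against a user id supplied in the request, and a foreign record
    yields the same response as a missing one, so the endpoint cannot be used
    to enumerate which ids exist.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not (session.is_admin or invoice.owner_id == session.user_id):
        raise NotFound(invoice_id)
    return invoice


def probe(handler, session: Session, ids) -> dict:
    """Simulate what a black-box scanner observes: a status code per id."""
    results = {}
    for invoice_id in ids:
        try:
            handler(session, invoice_id)
            results[invoice_id] = 200
        except NotFound:
            results[invoice_id] = 404
    return results


if __name__ == "__main__":
    alice = Session(user_id=1)
    print("vulnerable:", probe(get_invoice_vulnerable, alice, [1001, 1002, 1003]))
    print("fixed:     ", probe(get_invoice_fixed, alice, [1001, 1002, 1003]))
```

Run as Alice (user 1), the vulnerable handler returns 200 for invoice 1002, which belongs to someone else, and the fixed one returns 404. A scanner that does not know the ownership model cannot tell those two 200s apart; a reviewer who reads the handler can.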


CyberDark: Open-Source Security Toolkit

CyberDark is lilMONSTER's open-source security toolkit. It's a collection of scripts, utilities, and automation tools we have built for our own use and for client engagements.

The open-source model matters here. "Open source" isn't just a licensing choice — it's a transparency commitment. When CyberDark runs on a client's system, there is no black box. Every line of code is available for inspection. The client can see exactly what it does, modify it for their environment, and build on it without depending on us indefinitely. The caveat is that auditability is a capability, not a guarantee: someone has to actually read the code, and the build you deploy has to be verified against the source you read (a pinned commit or a checksummed release), otherwise the transparency is notional.

This contrasts sharply with the "security appliance" model common in the enterprise space: proprietary tools that generate alerts you can't verify, running code you can't inspect, reporting to vendor-controlled cloud infrastructure you can't audit. CISA's guidance on defending against software supply chain attacks treats third-party software as a supply chain attack vector [8], and security tooling that runs with high privilege and reports out to vendor infrastructure is squarely in scope. Open-source, auditable code is a more defensible architecture; the security industry has extensive documented examples of proprietary security tools themselves becoming attack surfaces.

CyberDark covers areas including configuration auditing, credential hygiene checking, network visibility, and automated security baseline verification. It's designed around the principle that scripts should do the repetitive work, freeing security engineers for the work that actually requires judgment.
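The configuration drift detection mentioned earlier and the baseline verification described above are the same mechanism. The following is an added example (not CyberDark's code) of the minimal form: a baseline records the SHA-256 digest and permission bits of every file under a directory, and a later run reports what changed, disappeared or appeared. The directory layout, file contents and the simulated drift are constructed for the example.

```python
# Added example (not CyberDark's code): a minimal configuration-drift check.
# A baseline records the SHA-256 digest and mode bits of each file under a
# directory; a later run reports files that changed, disappeared or appeared.
# Paths and file contents are constructed for the example.
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def _file_record(path: Path) -> dict:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Map each regular file (POSIX-style relative path) to its digest and mode."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = _file_record(path)
    return baseline


def detect_drift(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline.

    Returns {"modified": {rel: [reasons]}, "missing": [...], "added": [...]}.
    A file is 'modified' if its content digest or its mode differs; both matter,
    since a permission change on a file like sudoers is drift even when the
    bytes are identical.
    """
    current = build_baseline(root)
    modified = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            continue
        reasons = [k for k in ("sha256", "mode") if old[k] != new[k]]
        if reasons:
            modified[rel] = reasons
    return {
        "modified": modified,
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
    }


def run_demo() -> dict:
    """Build a constructed config tree, baseline it, introduce drift, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PasswordAuthentication no\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")

        baseline = build_baseline(root)
        # In practice this JSON is what gets stored, off-host or signed.
        baseline_json = json.dumps(baseline, indent=2, sort_keys=True)

        # Simulated drift: a weakened SSH setting, a removed file, a new file.
        (root / "ssh" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "hosts.allow").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")

        return detect_drift(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design point is where the baseline lives: if it sits on the same host with the same permissions as the files it describes, whoever changes the configuration can update the baseline too. Store it off-host, or sign it, and treat a baseline update as a change that itself needs review.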

Related: What Is Defense in Depth? Why Your Business Needs More Than One Lock


GetReady-Comply: GRC That Doesn't Make You Want to Quit

GetReady-Comply is lilMONSTER's Governance, Risk, and Compliance platform. It was built because the GRC market has a persistent failure: tools designed by compliance professionals, for compliance professionals, that are unusable by the small business teams who need them most.

The dominant GRC tools in the market are either prohibitively expensive, designed for enterprise-scale compliance teams, or both. The result is that small businesses either spend heavily on tools they barely use, or revert to spreadsheets and hope for the best.

GetReady-Comply is designed for a small team — one or two people responsible for security and compliance alongside their other responsibilities. It automates the documentation and evidence collection that makes compliance programmes labour-intensive, and it maps controls to the standards that matter for Australian SMBs: ISO/IEC 27001 [5], the ASD Essential Eight [3], and ISO/IEC 42001 (AI governance) [6].

The design philosophy is "scripts over complexity" — every part of the compliance process that can be automated should be automated. A compliance programme that requires constant manual intervention is a programme that will be deprioritised the moment the team gets busy, which is exactly when gaps appear.
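As an added example of the automated evidence collection this section describes (not GetReady-Comply's code), the block below runs two control checks against constructed inputs, maps each result to the control it evidences, and chains the records with SHA-256 so that editing any record after the fact breaks the chain. The host name, the sshd_config text, the pending-patch list, the 14-day threshold and the choice of control labels are assumptions made for the example; the first check also shows a detail a grep-based check gets wrong, namely that sshd honours the first occurrence of a keyword, not the last.

```python
# Added example (not GetReady-Comply's code): automated evidence collection.
# Two control checks run against constructed inputs, each result is mapped to
# the control it evidences, and the records are hash-chained so that later
# tampering with one record invalidates the chain. Inputs, host name,
# thresholds and control labels are assumptions made for the example.
import hashlib
import json
from datetime import datetime, timezone


def sshd_effective(config_text: str, keyword: str, default: str) -> str:
    """Effective value of an sshd_config keyword.

    sshd uses the FIRST occurrence of a keyword, so a hardened 'no' appended at
    the bottom of a file that already says 'yes' higher up changes nothing.
    A check that greps for any matching line would pass that file.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


def check_ssh_password_auth(host: str, config_text: str) -> dict:
    value = sshd_effective(config_text, "PasswordAuthentication", "yes")
    return {
        "check": "ssh_password_auth_disabled",
        "control": "ISO/IEC 27001:2022 A.8.5 Secure authentication",
        "subject": host,
        "passed": value == "no",
        "evidence": f"effective PasswordAuthentication={value}",
    }


def check_patch_age(host: str, pending: list, max_age_days: int = 14) -> dict:
    overdue = [p for p in pending if p["age_days"] > max_age_days]
    return {
        "check": "security_patches_within_sla",
        "control": "Essential Eight: Patch operating systems",
        "subject": host,
        "passed": not overdue,
        "evidence": f"{len(pending)} pending, {len(overdue)} older than "
                    f"{max_age_days} days: " + ", ".join(p["package"] for p in overdue),
    }


def chain_records(results: list, collected_at: str) -> list:
    """Each record's digest covers its content plus the previous digest."""
    prev = "0" * 64
    chained = []
    for r in results:
        body = {**r, "collected_at": collected_at, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        chained.append({**body, "sha256": digest})
        prev = digest
    return chained


def verify_chain(records: list) -> bool:
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "sha256"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["sha256"]:
            return False
        prev = rec["sha256"]
    return True


# Constructed inputs: a config that looks hardened at the bottom but is not.
SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# hardening applied later, appended at the end of the file:
PasswordAuthentication no
"""
PENDING_PATCHES = [
    {"package": "openssl", "age_days": 3},
    {"package": "kernel", "age_days": 21},
]


def collect(collected_at: str = None) -> list:
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    results = [
        check_ssh_password_auth("web-01", SSHD_CONFIG),
        check_patch_age("web-01", PENDING_PATCHES),
    ]
    return chain_records(results, collected_at)


if __name__ == "__main__":
    print(json.dumps(collect(), indent=2))
```

The chain is only as trustworthy as the last digest you wrote down somewhere else; publish or sign the final digest of each run so an auditor can check the records were not rewritten between collection and review.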

Related: Compliance Without the Pain — How We Make ISO 27001 Actually Work


Spaaaace: Privacy-First AI for Businesses That Take Privacy Seriously

Spaaaace is lilMONSTER's privacy-first AI assistant. It's designed around a single principle that most commercial AI products ignore: your data should not have to leave your control for you to get the benefits of AI.

Most AI assistants are cloud-dependent by design. Every query, every document uploaded, every conversation flows through a third-party server. That might be acceptable for personal use. For a business handling sensitive client data, legally privileged communications, financial records, or health information, it's a significant data governance risk.

Spaaaace is built for on-device inference — the AI model runs locally, on hardware you control. No cloud dependency. No third-party data processing. No risk of your client conversations being used to train a vendor's model. On-device does not mean zero supply chain, though: the model weights and the runtime still come from somewhere and should be pinned and checksummed like any other dependency, and the device now holds the data at rest and needs to be secured accordingly.

This matters specifically in the context of Australia's Privacy Act 1988 obligations [7]. Sending personal information to a third-party AI platform for processing may constitute a disclosure of personal information, with associated obligations around consent and notification, as the OAIC's AI and Privacy guidance confirms [4]. On-device inference takes the disclosure question off the table, because the data never leaves your control; the ordinary obligation to secure personal information where it is held still applies.

Spaaaace also embodies the principle that we build what we sell. We use on-device AI ourselves. When we tell clients that privacy-first AI is operationally viable, we're not theorising — we're demonstrating it in our own workflow.

Related: Why Privacy-First Cybersecurity Isn't Optional Anymore


Why Builder-Consultants Find More Vulnerabilities

The best penetration testers can read and write code. Understanding how to break systems requires understanding how they're built. An attacker who thinks at the code level — who understands race conditions, memory layout, authentication state management, and API design patterns — will consistently find vulnerabilities that a scanner misses.

This principle extends beyond penetration testing. Configuration reviews done by someone who has actually written infrastructure-as-code catch different things than reviews done by someone reading a checklist. Architecture assessments done by someone who has built the kind of system being reviewed surface design-level risks that a surface-level audit misses entirely.

CyberBook, lilMONSTER's public security knowledge base, is built on this same principle: real security knowledge, written by practitioners who build things, for people who need to understand what's actually happening rather than just follow a checklist.


What This Means for Your Business

When you engage lilMONSTER, you're not paying for reports and departures. You're engaging a team that:

  1. Builds the tools that find your vulnerabilities — and leaves those tools running after the engagement ends
  2. Implements the controls, not just recommends them — we configure, automate, and verify
  3. Uses the same stack on our own infrastructure — so when something doesn't work in practice, we already know
  4. Ships open-source code — because trust requires transparency, and transparency requires readable code

The security consulting model that sells reports and moves on hasn't served small businesses well. The businesses that have the best security outcomes are the ones whose security partner actually builds things.


FAQ

Q: What is CyberDark and how is it different from commercial security tools? A: CyberDark is lilMONSTER's open-source security toolkit — a collection of scripts and utilities for security auditing, configuration checking, and automated baseline verification. Unlike proprietary tools, every line of code is auditable, modifiable, and free from vendor lock-in. It's built by practitioners for use in real engagements, not by a product team optimising for features lists.

Q: Why does open-source matter for security tools? A: Open-source security tools can be inspected, audited, and verified. Proprietary "black box" security tools — particularly those that report back to vendor infrastructure — are increasingly themselves attack surfaces. The security industry has multiple documented examples of commercial security tools being compromised. Auditable, open-source code is a more defensible architecture.

Q: What is Spaaaace and why is on-device AI more private? A: Spaaaace is lilMONSTER's privacy-first AI assistant. It runs inference on-device — the AI model operates on local hardware, meaning queries and data never leave the user's control. Cloud-based AI assistants process every query on vendor servers, creating data governance risks for businesses handling sensitive information. On-device inference takes the vendor out of the data path; what remains is the ordinary job of securing the device the data lives on.

Q: Why does it matter if my security consultant can write code? A: Builder-consultants think at the code level — they understand how systems break, not just how they look from the outside. This produces qualitatively different security outcomes: better vulnerability discovery, more actionable findings, and tools that address the root cause rather than the symptom. Scanner-only consultants miss entire vulnerability classes that only become visible through code-level analysis.

Q: What is CyberBook? A: CyberBook is lilMONSTER's public security knowledge base — practical security documentation written by practitioners for people who need to understand the actual mechanisms of security, not just compliance checklists. It's freely available as part of lilMONSTER's commitment to improving the overall security posture of the SMB ecosystem.


References

[1] OWASP, "OWASP Top 10 Web Application Security Risks," OWASP Foundation, 2021. [Online]. Available: https://owasp.org/www-project-top-ten/

[2] National Institute of Standards and Technology, "Cybersecurity Framework 2.0," NIST, Feb. 2024. [Online]. Available: https://www.nist.gov/cyberframework

[3] Australian Signals Directorate, "Essential Eight for Small Business Cyber Security," Australian Cyber Security Centre, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security

[4] Office of the Australian Information Commissioner, "Artificial Intelligence (AI) and Privacy," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations/artificial-intelligence

[5] International Organization for Standardization, "ISO/IEC 27001:2022 — Information Security Management Systems," ISO, Oct. 2022. [Online]. Available: https://www.iso.org/standard/27001

[6] International Organization for Standardization, "ISO/IEC 42001:2023 — Artificial Intelligence Management System," ISO, Dec. 2023. [Online]. Available: https://www.iso.org/standard/81230.html

[7] Australian Government, "Privacy Act 1988 (Cth)," Federal Register of Legislation, as amended 2024. [Online]. Available: https://www.legislation.gov.au/Details/C2024C00027

[8] Cybersecurity and Infrastructure Security Agency, "Defending Against Software Supply Chain Attacks," CISA, Apr. 2021. [Online]. Available: https://www.cisa.gov/resources-tools/resources/defending-against-software-supply-chain-attacks


Ready to level up your security? Talk to lilMONSTER.

TL;DR

  • Most security consultants find problems and write reports — but don't build anything to fix them
  • lilMONSTER builds working tools: CyberDark, GetReady-Comply, and Spaaaace
  • Open-source means you can see exactly what the tools do — no surprises
  • If your security helper uses their own tools, it means they actually believe in them

Imagine you hired a plumber. They came to your house, had a look around, wrote a detailed report about all the leaky pipes — and then left without fixing anything.

You'd be annoyed, right?

That's how most cybersecurity consulting works. A consultant comes in, finds problems, writes a report, and leaves. The problems are still there. You've just paid a lot of money to have them written down nicely.

At lilMONSTER, we do things differently. We find the problems and build the tools to fix them.


What Do We Mean by "Building Your Own Tools"?

When a plumber builds their own specialised tool to fix an unusual pipe — because no standard tool quite fits — that's a signal they know what they're doing. They understand the problem well enough to invent the solution.

That's the idea behind building security tools. If you understand security deeply enough to write code that finds vulnerabilities and fixes them, you understand it much better than someone who just runs a scanner and reads the output.

lilMONSTER has built three public tools:

CyberDark — An open-source security toolkit. A collection of scripts and tools that we use ourselves and run for clients. It checks for security problems automatically, so you get regular visibility rather than a once-a-year audit.

GetReady-Comply — A GRC (compliance management) platform that takes the paperwork out of security compliance. Instead of maintaining dozens of spreadsheets for ISO 27001 certification, GetReady-Comply tracks everything and collects evidence automatically.

Spaaaace — A privacy-first AI assistant. Unlike most AI tools that send all your data to a cloud server somewhere, Spaaaace runs on your own hardware. Your data stays with you. No outside server ever sees it.


Why Does "Open Source" Matter?

CyberDark is open source — which means anyone can read the code and see exactly what it does.

Think of it like a recipe. A recipe you can read is much more trustworthy than a "secret formula" from a company you've never heard of. With open-source security tools, your IT team (or a trusted adviser) can check: does this actually do what it says? Is it collecting any data it shouldn't be? Does it have any surprises in it?

Proprietary (closed-source) security tools are black boxes. You're trusting that they do what the company says — but you can't verify it. In a world where even security tools have been hacked and turned against their users, that's a real risk.


Why Is On-Device AI More Private?

Most AI assistants — the kind you chat with online — work like this: you type something, it gets sent to a company's server, the AI thinks about it, and the answer comes back. The problem is that everything you type goes through someone else's computer.

For personal use, that might be fine. For a business handling customer information, that's potentially risky. You might accidentally send sensitive data to a company you have no contract with.

Spaaaace is different. It runs the AI on your own device — nothing leaves your computer. It's like having the AI assistant living in your house rather than working in an office somewhere and receiving your letters.


What Makes a Builder-Consultant Better?

The best way to understand how to break something is to know how to build it.

A security consultant who has written code — who has built web applications, set up servers, written scripts — understands why vulnerabilities exist, not just that they exist. They know which corners developers cut when they're under pressure. They know which configurations are tempting but dangerous. They find problems that automated scanners miss entirely.

It's the difference between a locksmith who has made locks (and knows exactly where the weaknesses are) versus someone who has only ever read a book about locks.


What You Should Look for in a Security Partner

  1. Do they use the tools they recommend? If they're recommending a tool they've never run themselves, that's a red flag.
  2. Can they show you what they built? Code, tools, scripts — evidence of building, not just advising.
  3. Is their tooling auditable? Open-source or at minimum inspectable by your team.
  4. Do they leave you with working solutions, not just reports? The report is only useful if the problems it describes get fixed.

lilMONSTER ticks all four boxes — and we're happy to show you exactly how we work before you commit to anything.


FAQ

Q: What is CyberDark? A: CyberDark is lilMONSTER's open-source security toolkit — a set of scripts and tools for checking security configurations, spotting vulnerabilities, and automating regular security checks. It's free to use and the code is publicly available.

Q: What does "open source" mean? A: Open source means the code (the instructions the program runs on) is publicly available for anyone to read, check, and modify. For security tools, this is important because it means there are no hidden surprises — anyone can verify exactly what the tool does.

Q: What is Spaaaace? A: Spaaaace is lilMONSTER's privacy-first AI assistant. It runs on your own hardware, which means your data never leaves your control — unlike most AI assistants that process your queries on external company servers.

Q: Why does it matter if a security consultant can write code? A: Because understanding how to build systems means understanding how they break. Consultants who can write code find vulnerabilities that automated scanners miss, give more actionable advice, and can build actual fixes rather than just describing problems.



Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
