Crystal Eye Compliance & Cryptographic Capability

Red Piranha Ltd 63 160 631 505

12

9

As part of ensuring Australian Signals Directorate (ASD) programs remain fit for purpose, Red Piranha offers this report to address standards used within the Crystal Eye platform on the ASD Cryptographic Evaluations (ACE) program and Crystal Eye cryptographic standards used within the platform.

Crystal Eye provides backwards compatibility with respect to older encryption standards so locking down your Crystal Eye network to meet security controls will rely on end users understanding the needs and implementing the correct settings.

This report aims to help end users understand some of these requirements, explain the formal position around cryptographic standards, and provide assurance to partners around cryptographic functionality.

Red Piranha contributes to the Information Security and Cybersecurity Industries with its Crystal Eye Platform and numerous other services, both standalone and integrated with the Crystal Eye platform, including, but not limited to:

Integrated Electronic Chief Information Security Officer (eCISO) engagements

At Red Piranha, all customers who have a Crystal Eye platform within their environment automatically communicate and engage with Red Piranha’s Global Security Operations Centres.

Licensed Crystal Eye platforms are continuously monitored and maintained by Red Piranha Limited's Global Security Operations Centre personnel. Each platform is also inclusive of Security Information and Event Management (SIEM) operations and functionality.

The Red Piranha Risk Committee, chaired by Rosemary Milkins (Non-Executive Director, Chairperson), was established in 2022. The Risk Committee regularly advises and reports to the Board on enterprise and cyber risks, including monitoring of Red Piranha’s Risk Management Systems.

Within the domain of operational risk, Red Piranha is certified to ISO/IEC 27001:2022 and focuses on the continuous improvement of its Information Security practices.

Red Piranha is also certified to ISO 9001:2015 for Quality Management, ensuring that its customers get consistent, good-quality products and services.

Red Piranha aligns to IRAP and the Australian ISM and has undergone IRAP assessment. Red Piranha also aligns with the ASD’s Secure by Design principles for secure software development.

Red Piranha subscribes to the Defence Industry Security Program (DISP) and has achieved DISP membership. Projects are in place to achieve full compliance with Essential 8 Maturity Level 2 a per the latest DISP cybersecurity requirements. Additionally, we align to the DISP required areas of the Defence Security Principles Framework (DSPF).

Red Piranha has been granted the Defence Export Permit by the Department of Defence, allowing it to export their technology to foreign governments (Defence Export Permit: DOD/DEP/20829572).

Red Piranha regularly conducts vulnerability testing on its service delivery network. Internal vulnerability scans within the most recent quarter were conducted on 30/04/2025, 03/06/2025 and 27/06/2025. The results of these tests were analysed by the Compliance Team, the SecOps Team, and the CISO on submission, and requests for mitigation activities were made, based on the level of risk each vulnerability posed to Red Piranha at that time. As part of the ongoing process, vulnerabilities are monitored by the Infrastructure and Compliance teams on a weekly basis.

In addition, penetration testing on product change control and on new product releases as per our internal policies are conducted. Penetration tests for Crystal Eye v5.0 were completed on 22/02/2024 and 09/04/2024. Testing on the Red Piranha Orchestrate platform was completed on 22/10/2024. Testing for the Crystal Eye v5.5 Beta was completed on 24/03/2025.

Red Piranha has implemented an incident management system for both internal and client incidents. Measurable processes and metrics have been introduced for change control and vulnerability management. The outputs and mitigations from these processes are reviewed and managed by the Compliance Team in weekly risk meetings. Compliance attends weekly Infrastructure and SecOps management meetings to ensure vulnerabilities, changes and mitigations are tracked and managed in a timely fashion.

Red Piranha maintains membership in CREST ANZ (Council of Registered Ethical Security Testers), providing assurance that testing conducted is of exemplary quality, conforms to industry best practices and meets the highest ethical standards in penetration testing services.

Red Piranha have made a security report submission page available to the public for the reporting of security issues directly to the Internal Compliance Team (Compliance Contact | Red Piranha).

Red Piranha undertakes management for product development in the ISO domain ISO/IEC 15408 and aims to attain Common Criteria (CC) certification.

Red Piranha seeks to be listed on the Australian Government Evaluated Products List (EPL), subscribes to the ACE (ASD Cryptographic Evaluation) program, and aims to address Australian Signals Directorate (ASD) questions consumers may have around standards applied in its products in this report.

Red Piranha Ltd complies with the ASX Risk Management Framework outlined in the ACH Clearing Rules Guidance Note No. 13.

Yes, all proxy and SSL-VPN TLS communications supports PFS.

Crystal Eye does not support SNMP and so there is no requirement to disable SNMPv1 or SNMPv2.

While backwards compatibility is supported, Crystal Eye has support to drop all TLS connections from clients with TLS 1.0, TLS 1.1, and TLS 1.2 allowing customers to force TLS 1.3 Communications.

As AES has replaced DES and 3DES, the WebGUI still supports 3DES for backwards compatibility. Web Proxy and SSL communications has DES and 3DES disabled by default.

Yes, all weak ciphers are disabled.

In Crystal Eye these are not supported and are disabled.

Yes, SSLv3 is disabled.