
Bronze gets you on the map. Gold is where the serious security controls kick in.
More of your clients are going to ask about SMB1001 Gold this year, and the ones who are serious want Level 3, not a Bronze tick. It's the tier they can point to when an insurer, a supply-chain partner, or a prospective enterprise customer asks them to demonstrate they've actually done the security work rather than ticked a box. (An SMB1001 certificate can support a cyber insurance application. It's not a guarantee of cover or price, but it's independent proof the controls exist.) SMB1001 is a voluntary certification standard maintained by Dynamic Standards International, and the current version is SMB1001:2025. It runs across five tiers, from Bronze at Level 1 up to Diamond at Level 5. Gold sits at Level 3. That's the point where self-attestation still applies but the control list gets noticeably harder.
A note on who this is written for. This one is aimed at the MSP standing behind the certification, not the business owner signing it. If you're an IT manager or exec wondering whether to raise SMB1001 Gold with your provider, the CRS SMB1001 guide is the better starting point.
For a managed service provider, that jump from Silver to Gold isn't a paperwork exercise. It's a delivery obligation. You can't attest to controls you haven't actually put in place, and one of the Gold controls in particular tends to be where things stall.
What SMB1001 Gold actually requires
Gold (Level 3) is still certified through CyberCert by self-attestation from a business owner or director, the same as Bronze and Silver. The difference is what you're attesting to. At Level 3 the business needs:
- Endpoint Detection and Response (EDR) running on devices
- Email authentication configured with DMARC, SPF and DKIM
- Continuous system monitoring
- A documented incident response plan
- Access control and privilege management
Together these are a genuine security posture, not a starter checklist, and each one carries a delivery cost for the MSP standing behind it. If you want the full tier-by-tier breakdown, the CRS SMB1001 guide maps every level against what the framework asks for.
Worth clearing up one common mix-up while we're here. People sometimes compare SMB1001 to the Essential Eight, but they aren't the same kind of thing. The Essential Eight is a set of mitigation strategies published by the Australian Government, not a certification you can hold. SMB1001, through CyberCert, is certifiable. ISO 27001 is also a certification, but it needs an accredited auditor and usually runs into tens of thousands of dollars. SMB1001 sits in the gap between a framework you self-assess against and a full audited standard, which is exactly why it's landing well with smaller Australian businesses.
Why EDR is the one that stalls things
Here's the control that catches MSPs out. Plenty of clients already have antivirus deployed, and antivirus is fine for the lower tiers. EDR is a different animal.
Traditional AV matches known signatures and blocks what it recognises. EDR watches behaviour. It flags the process that starts encrypting files at 2am, keeps a forensic timeline of what happened, and gives you something to respond to rather than a single "threat blocked" pop-up. When Gold asks for EDR, managed AV on its own doesn't satisfy it.
A lot of MSPs discover this the hard way. They've rolled AV across every tenant, they assume the endpoint box is ticked, and then the Gold control list makes it clear it isn't. Closing that gap usually means either bolting a separate EDR product onto the stack or finding a platform where EDR is already part of the deal.
One platform that covers most of it
This is where Guardz is worth a look. CRS is the authorised Guardz distributor for Australia and the Pacific Islands, so partner onboarding, deal registration, AUD billing and pre-sales engineering all run through us locally.
Guardz is a multi-tenant security platform built for MSPs, and several of its modules line up cleanly with the Gold controls:
- Identity monitoring for Microsoft Entra ID and Google Workspace watches for compromised accounts, unusual sign-in patterns and privilege escalation. It covers the identity and access control side. Guardz calls this capability ITDR (Identity Threat Detection and Response).
- SentinelOne Complete EDR, included in the Guardz Ultimate plan, satisfies the EDR requirement. It's part of the per-seat price, so there's no separate SentinelOne licence to buy or manage. (The Pro plan includes managed antivirus rather than EDR, so Ultimate is the tier that maps to Gold on this control.)
- Email protection through Check Point Harmony connects to your email environment via API without rerouting your mail flow through a new gateway. It sits alongside your email authentication layer, and skipping the gateway change is a meaningful deployment simplification.
- 24/7 AI and human-led MDR backs the continuous monitoring control. One honest note here: continuous monitoring under SMB1001 also covers system and log monitoring across the environment, not only endpoint telemetry. Make sure the full scope of the control is addressed, not just the MDR layer.
- Security awareness training and phishing simulations cover the human factor, reducing the risk that a well-configured environment gets undermined by a credential phish.
One honest caveat, because it matters for attestation. Guardz monitors and alerts on your email security posture, but the DMARC, SPF and DKIM DNS records still have to be configured at the domain. That's a separate step you do per tenant. Guardz doesn't set those records for you, so don't attest to email authentication until they're actually published and enforced.
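One way to run that per-tenant check before anyone signs, as an added example (not Guardz, CRS or CyberCert code). It evaluates TXT records you have already pulled for each domain; the tenant domains and record values are constructed, and reading "enforced" as DMARC `p=quarantine` or `p=reject` at 100% with an SPF `-all`/`~all` term is this example's assumption, not SMB1001 wording.

```python
# Added example: evaluates TXT data already fetched per tenant, e.g. with
# `dig +short TXT _dmarc.<domain>`. All domains and records are constructed.
# Assumption: "enforced" = DMARC p=quarantine/reject at pct=100, SPF -all/~all.

def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC or DKIM record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(apex_txt):
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records both break evaluation
        return f"FAIL: {len(spf)} SPF records at apex, need exactly 1"
    strict = {"-all", "~all"} & set(spf[0].lower().split())
    return "OK" if strict else "FAIL: SPF has no -all or ~all term"

def check_dmarc(dmarc_txt):
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return f"FAIL: {len(recs)} DMARC records, need exactly 1"
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return f"FAIL: p={policy or 'missing'}, policy is not quarantine/reject"
    if int(tags.get("pct", "100")) < 100:
        return f"FAIL: pct={tags['pct']} applies policy to only part of mail"
    return "OK"

def check_dkim(selector_txt):
    # An empty p= tag means the key was revoked; no record means no signing key.
    keys = [parse_tags(r).get("p", "") for r in selector_txt]
    return "OK" if any(keys) else "FAIL: no usable DKIM public key published"

def assess(tenant):
    result = {"spf": check_spf(tenant["apex"]), "dmarc": check_dmarc(tenant["_dmarc"]),
              "dkim": check_dkim(tenant["dkim"])}
    result["records_enforced"] = all(v == "OK" for v in result.values())
    return result

TENANTS = {  # constructed sample records, not real tenants
    "tenant-a.example": {
        "apex": ["v=spf1 include:spf.protection.outlook.com -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@tenant-a.example"],
        "dkim": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PLACEHOLDER_KEY"]},
    "tenant-b.example": {
        "apex": ["v=spf1 include:spf.protection.outlook.com ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@tenant-b.example"],
        "dkim": ["v=DKIM1; k=rsa; p="]},
}
for name, recs in TENANTS.items(): print(name, assess(recs))
```

The second constructed tenant is the common stall point: records exist, but DMARC is still at `p=none` and the DKIM selector carries an empty key, so the domain is published without being enforced.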
On pricing: Guardz is priced per seat per month in AUD through CRS, so contact us for a per-tenant estimate based on your client's seat count. You can also map the modules against your own client base on the trial before committing anything.
Guardz has picked up some recognition recently too. It raised US$56M in a Series B early in 2025, was named MSP Today's 2025 Product of the Year, and its MDR service won the 2025 Global Infosec Awards for Trailblazing MDR Service Provider. For an MSP betting a compliance workflow on a vendor, knowing the company is well funded and growing is a fair thing to weigh.
The pricing reality of the modular stack
The other reason a consolidated platform is worth considering is the operational tax of doing it the piecemeal way. Stand up EDR here, an email security tool there, a separate awareness training product, an ITDR module, monitoring somewhere else, and you're running half a dozen consoles per tenant, each with its own licence, its own renewal date and its own login. Twenty clients across six tools is 120 separate renewal events a year, before you count the onboarding and offboarding overhead. In both dollars and admin hours, it adds up fast.
Guardz folds those modules into one per-seat price with a single multi-tenant console. Fewer bills, one place to look, less time spent stitching tools together. You can start on the 14-day free trial with no credit card and see how the modules map to your own client base before committing anything.
Beyond Gold
If a client wants to go further, Platinum (Level 4) adds an independent external audit on top of everything Gold requires. That's a step up in evidence. Instead of self-attesting to your monitoring, you need to show an auditor it's actually running and producing results. For a full tier map, the SMB1001 framework overview covers Bronze through Diamond with the control list at each level.
This is where the Guardz MDR reporting earns its keep. Worth noting for Platinum, though: the director signing the CyberCert attestation needs to understand the monitoring capability, not just point to a tool. Guardz MDR provides the operational coverage, and the Security Business Review outputs give you a structured starting point for the evidence pack. An external auditor will also want the underlying log exports and timeline data, which Guardz retains and can surface on request. Building toward Platinum gets a lot easier when the monitoring and the reporting are already generating that record for you.
The CRS angle
CRS distributes Guardz across Australia and the Pacific Islands, with AUD commercial terms and deal registration. If you're running clients across the Pacific, that in-region coverage matters. So does the pre-sales engineering: book a pre-sales call with CRS and we'll sit with you and work through tenant onboarding rather than handing you a login and wishing you luck. Margin is transparent, and deal reg is there to protect the work you put in. If you want to see how the numbers land before you commit, the Protect & Recover margin calculator gives you a sense of the economics.
Guardz also complements the backup side of your stack rather than replacing it. Endpoint and identity security protects the live environment; a dedicated backup product protects the data itself. Keepit covers SaaS backup for Microsoft 365, Google Workspace and the other platforms your clients live in, and the two sit together well under a broader protect-and-recover approach.
Getting started with SMB1001 Gold this week
Two concrete moves.
First, run the free Guardz cyber risk report on a client domain. It scans the external footprint: open ports, exposed services, SSL configuration and breached credentials on the dark web, with no agents installed and no internal access. It works for existing clients and for prospects. Run it on a domain before your first sales meeting and you walk in with findings rather than a pitch deck.
Second, start a Guardz 14-day trial through the CRS distributor link and map the modules against one client's Gold gap. Then contact CRS for pre-sales engineering and we'll help you work out the shortest path from where that client is now to a defensible Gold attestation.
SMB1001 Gold looks daunting from the outside, mostly because of the EDR control. It's a lot less daunting once EDR and monitoring come bundled into a single platform you can buy locally in AUD. The gap between Silver and Gold is usually shorter than MSPs assume.
Want to see where a client stands before you commit to anything? Run the free Guardz cyber risk report and start the conversation from real findings.
This article is general information from Cloud Ready Solutions, an Australian IT distributor supporting MSPs across Australia and the Pacific Islands. SMB1001 is a voluntary standard. It is not currently mandated by Australian law or government procurement policy. This isn't legal, compliance or attestation advice. Certification requirements, fees and attestation obligations are set by Dynamic Standards International and CyberCert. CRS does not advise on what will satisfy a CyberCert assessor or external auditor, so always confirm current requirements directly with them before advising a client to attest.
