Assess your maturity. Close the gaps. Demonstrate genuine capability. Built for Australian businesses by a team that's spent 18 years in Australian regulation.
The Essential Eight is a set of baseline mitigation strategies developed by the Australian Signals Directorate (ASD) through its Australian Cyber Security Centre (ACSC). First published in 2017 as an expansion of the earlier Top Four, and revised regularly since (the current maturity model is the November 2023 release), the eight strategies are prioritised by their effectiveness at mitigating the intrusions ASD actually observes. They are not aspirational guidelines - they are the minimum an Australian organisation should implement.
While Essential Eight is technically "recommended" rather than legally mandated for private sector organisations, the reality is far more demanding:
Non-corporate Commonwealth entities are required to implement Essential Eight at a minimum of Maturity Level 2 under the Protective Security Policy Framework (PSPF). This is not optional.
Organisations contracting with government agencies are increasingly required to demonstrate Essential Eight maturity. Procurement evaluations now routinely include Essential Eight self-assessments.
APRA-regulated financial institutions must demonstrate security controls commensurate with threats under CPS 234. Essential Eight strategies map directly to these expectations. Health, energy, and critical infrastructure sectors face similar pressures.
Enterprise customers, cyber insurers, and boards are adopting Essential Eight as the de facto benchmark for cyber security maturity in Australia. Without demonstrable alignment, you face commercial disadvantage.
The eight strategies are organised around three objectives that follow the course of an intrusion: preventing malicious code from being delivered and executed, limiting the extent of an incident once an adversary is in, and recovering data and system availability afterwards.
Application control, patch applications, configure Microsoft Office macro settings, and user application hardening. These four strategies aim to stop malicious code from reaching and running on your systems in the first place.
Restrict administrative privileges, patch operating systems, and multi-factor authentication. These strategies limit the extent of an incident once an adversary has initial access: fewer privileges to abuse, fewer operating system vulnerabilities to exploit, and stolen credentials that are not enough on their own to authenticate.
Regular backups. When the other seven fail - ransomware, a destructive wiper, a bad change - backups are what restore data and system availability.
Together they form the most effective baseline for cyber resilience in Australia. CyberHeed assesses, tracks, and validates each one across all maturity levels.
Prevent execution of unapproved or malicious programs. Only approved applications are allowed to run on workstations and servers. This blocks malware, ransomware, and unauthorised software from executing - even if it reaches your environment.
ML1: Application control on workstations, applied to user profiles and the temporary folders used by the operating system, web browsers and email clients, restricting executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. ML2: Extended to internet-facing servers and to all locations other than user profiles and temporary folders; Microsoft's recommended application block rules implemented; allowed and blocked execution events centrally logged. ML3: Extended to non-internet-facing servers and to drivers; Microsoft's recommended driver block rules implemented; rule sets validated at least annually.
Patch applications with known security vulnerabilities within defined timeframes, and remove applications the vendor no longer supports. Unpatched applications are a primary entry point for targeted attacks, so the windows are short and tightest where exposure is highest: at Maturity Level 1, vulnerabilities in online services that the vendor rates critical or for which a working exploit exists must be patched within 48 hours of release, and office productivity suites, web browsers and their extensions, email clients, PDF software and security products within two weeks. Other applications come into scope at Maturity Level 2, where they must be patched within one month.
ML1: Online services patched within 48 hours for critical or actively exploited vulnerabilities and within two weeks otherwise; office productivity suites, browsers, email clients, PDF software and security products patched within two weeks; unsupported versions of these removed. ML2: Same timeframes, plus other applications patched within one month. ML3: The 48-hour window for critical or actively exploited vulnerabilities also applies to office productivity suites, browsers, email clients, PDF software and security products; all applications no longer supported by vendors are removed.
Block macros from the internet, only allow vetted macros in trusted locations, and use macro signing. Office macros remain one of the most common delivery mechanisms for malware in Australian organisations.
ML1: Macros disabled for users without a demonstrated business requirement; macros in files originating from the internet are blocked; macro antivirus scanning enabled; macro security settings cannot be changed by users. ML2: Macros blocked from making Win32 API calls; allowed and blocked macro execution events centrally logged. ML3: Only macros running from within a sandboxed environment, a Trusted Location, or digitally signed by a trusted publisher are allowed to execute; only the privileged users responsible for checking that macros are free of malicious code can write to Trusted Locations; macros signed by an untrusted publisher cannot be enabled from the Message Bar or Backstage View; the list of trusted publishers is validated annually.
Configure web browsers so they do not process Java or web advertisements from the internet, remove legacy components such as Internet Explorer 11, and disable the functionality in Microsoft Office and PDF software that adversaries abuse for initial access (child process creation, executable content, code injection, OLE packages). Every feature removed is one fewer way for a malicious document or page to turn into code execution.
ML1: Internet Explorer 11 disabled or removed; web browsers do not process Java or web advertisements from the internet; browser security settings cannot be changed by users. ML2: ASD or vendor hardening guidance applied to web browsers, Microsoft Office and PDF software; Microsoft Office blocked from creating child processes, creating executable content, injecting code into other processes and activating OLE packages; PDF software blocked from creating child processes; Office and PDF security settings cannot be changed by users; command line process creation events centrally logged. ML3: .NET Framework 3.5 (which includes .NET 2.0 and 3.0) and Windows PowerShell 2.0 disabled or removed; PowerShell configured to use Constrained Language Mode.
Limit admin access to those who need it for their role. Use separate accounts for privileged and unprivileged work. Validate the need regularly. Compromised admin accounts give adversaries full control - restricting privileges limits the blast radius.
ML1: Requests for privileged access to systems, applications and data repositories validated when first requested; privileged accounts (excluding privileged service accounts) prevented from accessing the internet, email and web services; privileged users use separate privileged and unprivileged operating environments; unprivileged accounts cannot log on to privileged operating environments. ML2: Privileged access disabled after 12 months unless revalidated and after 45 days of inactivity; privileged operating environments not virtualised within unprivileged ones; administrative activities conducted through jump servers; credentials for break glass, local administrator and service accounts long, unique, unpredictable and managed; privileged access events centrally logged. ML3: Privileged access limited to only what users and services require for their duties; Secure Admin Workstations used for all administrative activities; just-in-time administration; memory integrity, LSA protection, Credential Guard and Remote Credential Guard enabled.
Patch operating systems with known security vulnerabilities within defined timeframes. Replace end-of-life operating systems that no longer receive vendor support. Unpatched operating systems on workstations and servers are high-value targets.
ML1: Operating systems of internet-facing servers and internet-facing network devices patched within 48 hours for critical or actively exploited vulnerabilities and within two weeks otherwise; operating systems of workstations, non-internet-facing servers and non-internet-facing network devices patched within one month; unsupported operating systems replaced. ML2: Same timeframes as ML1. ML3: Workstations and non-internet-facing servers and network devices also patched within 48 hours for critical or actively exploited vulnerabilities (one month otherwise); only the latest or previous release of each operating system is used.
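The patching windows for applications and operating systems above are easy to mis-apply once a fleet mixes software categories and the target level changes. The checker below is an added example written for this page, not CyberHeed's own code: it encodes those windows by category and maturity level and assesses a small inventory against them. The host names, software names, dates and the reading of "one month" as 30 days are assumptions constructed for the example.

```python
"""Assess a patch inventory against Essential Eight patching windows.

Added example, not CyberHeed's code. The windows encoded here are the
ones stated on this page for 'patch applications' and 'patch operating
systems' at Maturity Levels 1-3. The inventory, host names and dates are
constructed; 'one month' is taken as 30 days (an assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

H48 = timedelta(hours=48)
TWO_WEEKS = timedelta(weeks=2)
ONE_MONTH = timedelta(days=30)  # assumption: the model says 'one month'


class Category(Enum):
    ONLINE_SERVICE = "online service"
    PRIORITY_APP = "office suite, browser, email client, PDF or security product"
    OTHER_APP = "other application"
    INTERNET_FACING_OS = "OS of internet-facing server or network device"
    INTERNAL_OS = "OS of workstation or non-internet-facing server/device"


@dataclass
class PatchRecord:
    host: str
    software: str
    category: Category
    released: datetime           # when the vendor released the patch
    urgent: bool                 # vendor-rated critical, or a working exploit exists
    applied: Optional[datetime]  # None while the patch is still missing


def patch_window(category: Category, urgent: bool, level: int) -> Optional[timedelta]:
    """Allowed time from release to application at maturity level 1-3.
    Returns None where the category is not assessed at that level."""
    if level not in (1, 2, 3):
        raise ValueError("maturity level must be 1, 2 or 3")
    if category in (Category.ONLINE_SERVICE, Category.INTERNET_FACING_OS):
        return H48 if urgent else TWO_WEEKS
    if category is Category.PRIORITY_APP:
        # The 48-hour window for critical/exploited flaws applies only at ML3.
        return H48 if (urgent and level == 3) else TWO_WEEKS
    if category is Category.OTHER_APP:
        return None if level == 1 else ONE_MONTH
    if category is Category.INTERNAL_OS:
        return H48 if (urgent and level == 3) else ONE_MONTH
    raise ValueError(category)


def assess(record: PatchRecord, level: int, now: datetime) -> str:
    """One of: compliant, late, overdue, open, not assessed."""
    window = patch_window(record.category, record.urgent, level)
    if window is None:
        return "not assessed"
    deadline = record.released + window
    if record.applied is not None:
        return "compliant" if record.applied <= deadline else "late"
    return "overdue" if now > deadline else "open"


def assess_inventory(records, level: int, now: datetime) -> dict:
    return {(r.host, r.software): assess(r, level, now) for r in records}


# Constructed sample inventory (hosts, software and dates are not real).
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE = [
    PatchRecord("web01", "reverse proxy", Category.ONLINE_SERVICE,
                datetime(2024, 6, 7, 9, 0), True, None),
    PatchRecord("ws-042", "web browser", Category.PRIORITY_APP,
                datetime(2024, 6, 7, 9, 0), True, None),
    PatchRecord("ws-042", "line-of-business app", Category.OTHER_APP,
                datetime(2024, 4, 1, 9, 0), False, None),
    PatchRecord("ws-042", "workstation OS", Category.INTERNAL_OS,
                datetime(2024, 5, 20, 9, 0), False, datetime(2024, 6, 1, 9, 0)),
    PatchRecord("vpn01", "gateway OS", Category.INTERNET_FACING_OS,
                datetime(2024, 5, 1, 9, 0), True, datetime(2024, 5, 5, 9, 0)),
]

if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"Maturity Level {level}")
        for (host, software), status in assess_inventory(SAMPLE, level, NOW).items():
            print(f"  {host:8} {software:22} {status}")
```

Running it prints each record's status at ML1, ML2 and ML3. The same urgent browser patch reads as open at ML1 and ML2 but overdue at ML3, and the line-of-business application is not assessed at ML1 but overdue from ML2, which is exactly the step-up between levels that the model introduces. A late application is still a finding: the gateway patch was applied, but two days after its 48-hour deadline.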
Require MFA for users of internet-facing services, third-party providers, systems and important data repositories, and make it phishing-resistant as the target level rises. Stolen credentials are among the most common initial access techniques, and a second factor that cannot be phished or replayed blocks the bulk of credential-based attacks.
ML1: MFA used to authenticate users to the organisation's own and third-party online services that process, store or communicate sensitive data, to online customer services holding sensitive customer data, and to authenticate customers to those services; MFA uses either something users have and something users know, or something users have that is unlocked by something users know or are. ML2: MFA extended to privileged and unprivileged users of systems; MFA for users of online services and systems is phishing-resistant; customers are offered a phishing-resistant option; successful and unsuccessful MFA events centrally logged. ML3: MFA extended to users of data repositories; MFA for data repositories and for customers is phishing-resistant.
Perform backups of important data, software and configuration settings. Retain them in a secure and resilient manner (offline or immutable copies are the usual way to meet this), and test restoration regularly. When everything else fails - when ransomware encrypts your systems - backups are the last line of defence, and they only hold if the adversary who took over an account cannot reach or delete them.
ML1: Backups of data, applications and settings performed and retained in accordance with business criticality and business continuity requirements; synchronised so they restore to a common point in time; retained in a secure and resilient manner; restoration tested in a coordinated manner as part of disaster recovery exercises; unprivileged accounts cannot access backups belonging to other accounts and cannot modify or delete backups. ML2: Privileged accounts (excluding backup administrator accounts) also cannot access backups belonging to other accounts and cannot modify or delete backups. ML3: Unprivileged and privileged accounts (excluding backup administrator accounts) cannot access even their own backups; backup administrator accounts are prevented from modifying or deleting backups during their retention period.
The Essential Eight Maturity Model defines four levels, Maturity Level 0 through Maturity Level 3, and an organisation's overall level is the lowest level it reaches across all eight strategies. Most organisations target Maturity Level 1 initially, with regulated entities and government agencies expected to achieve Level 2 or 3.
Maturity Level 0: Weaknesses exist that could be exploited. The mitigation strategy is not implemented, or is implemented so poorly that it provides negligible protection. This is not a target - it's a baseline finding.
Maturity Level 1: Partly aligned with the intent of the mitigation strategy. Provides some protection against adversaries who are content to use commodity tradecraft that is widely available. The entry point for most organisations.
Maturity Level 2: Mostly aligned with the intent. Provides protection against adversaries operating with a modest step-up in capability, who invest more effort in targeting a specific organisation. Expected for organisations handling sensitive data or serving government.
Maturity Level 3: Fully aligned. Provides protection against adversaries who are more adaptive and much less reliant on public tools and techniques. The target for critical infrastructure and high-value targets.
CyberHeed assesses your current maturity level for each of the eight strategies, identifies exactly what's needed to reach your target level, and tracks remediation progress over time. Not a snapshot - a trajectory.
What started as recommended guidance is rapidly becoming a requirement - contractual, regulatory, and commercial.
Australian government agencies increasingly require Essential Eight alignment - often Maturity Level 2 or above - from suppliers and contractors. Without it, you're excluded from procurement processes before the conversation starts.
Large enterprises are embedding Essential Eight requirements in vendor assessments. When your prospective customer asks about your security posture, Essential Eight maturity is the language they speak in Australia.
Australian cyber insurers are tightening underwriting requirements. Essential Eight alignment is increasingly factored into premium calculations and coverage eligibility. Demonstrable maturity means better terms.
Australian boards are asking their CISOs for measurable security baselines. Essential Eight maturity levels provide a clear, comparable metric that boards can understand and track over time. If you can't report on it, you can't govern it.
CyberHeed manages your Essential Eight compliance through the same Prepare-Comply-Manage cycle used across every framework.
SmartPrep guides your team through a structured assessment of each mitigation strategy. AI adapts as the conversation unfolds, follows up on gaps, and captures your current implementation across all eight strategies and all maturity levels.
For each strategy, CyberHeed identifies exactly where you fall short of your target maturity level. Specific, actionable gaps - not vague recommendations. You know precisely what needs to change and why.
Each gap becomes a tracked action item with owners, deadlines, and evidence requirements. As your team implements changes, evidence is uploaded and validated. Your maturity score updates in real time.
Upload evidence of your implementations. AI validates whether your evidence genuinely demonstrates the capability required at your target maturity level. No rubber-stamping - honest assessment of what you've built.
Essential Eight isn't a one-time assessment. Patches fall behind, access reviews lapse, backups go untested. CyberHeed monitors your posture and flags when controls drift below your target maturity level.
Structured assessment. Clear gap analysis. Remediation tracked to completion. Built for Australian businesses.