πŸ‡¦πŸ‡Ί Australia Β· ASD Essential Eight

How mature is your Essential Eight posture?

The Essential Eight is the Australian Signals Directorate's baseline of eight mitigation strategies. Run a free external scan to see where your public-facing posture sits β€” then close the gaps.

Scan your site free β†’
No signup Β· results in ~30 seconds Β· open source

What is the Essential Eight?

The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD). It's the practical baseline every Australian organisation is measured against, and is mandatory for non-corporate Commonwealth entities.

Progress is measured on a Maturity Model from Level 0 to Level 3. Level 1 targets adversaries using commodity tradecraft; Level 3 targets adversaries who are adaptive and well-resourced. Most organisations should aim for at least Maturity Level 1 across all eight.

The eight mitigation strategies

01

Application control

Allow only approved applications to execute, blocking malicious and unapproved code.

02

Patch applications

Patch or mitigate vulnerabilities in internet-facing and productivity applications quickly.

03

Configure Office macros

Block macros from the internet and only allow vetted, digitally signed macros.

04

User application hardening

Disable or restrict risky features β€” Flash, ads, Java, unneeded browser functionality.

05

Restrict admin privileges

Limit privileged accounts, validate need, and separate admin from daily-use accounts.

06

Patch operating systems

Keep operating systems current and retire unsupported versions.

07

Multi-factor authentication

Enforce MFA for remote access, privileged actions, and important data repositories.

08

Regular backups

Back up important data and configurations, test restoration, and keep backups resilient to ransomware.

What the free scan checks

Our free scanner assesses the externally observable signals tied to these strategies β€” TLS configuration, security headers, email authentication (SPF/DKIM/DMARC) and exposed services. The full internal maturity assessment across all eight controls runs via the open-source CLI.

Run your free Essential Eight scan β†’

Frequently asked questions

Is the Essential Eight mandatory?

The Essential Eight is mandatory for Australian non-corporate Commonwealth entities and is strongly recommended by the ACSC for all organisations as a cost-effective security baseline.

What Maturity Level should we target?

The ACSC recommends organisations reach a maturity level suited to their risk. Maturity Level 1 is the practical minimum; many regulated or higher-risk organisations target Level 2 or 3.

Does a website scan give me my Essential Eight maturity?

No single external scan can. Maturity is assessed across internal controls like application control and admin privileges. Our external scan grades the internet-facing signals; the open-source CLI assesses the internal controls.

Other frameworks