The Essential Eight is the Australian Signals Directorate's baseline of eight mitigation strategies. Run a free external scan to see where your public-facing posture sits β then close the gaps.
Scan your site free βThe Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD). It's the practical baseline every Australian organisation is measured against, and is mandatory for non-corporate Commonwealth entities.
Progress is measured on a Maturity Model from Level 0 to Level 3. Level 1 targets adversaries using commodity tradecraft; Level 3 targets adversaries who are adaptive and well-resourced. Most organisations should aim for at least Maturity Level 1 across all eight.
Allow only approved applications to execute, blocking malicious and unapproved code.
Patch or mitigate vulnerabilities in internet-facing and productivity applications quickly.
Block macros from the internet and only allow vetted, digitally signed macros.
Disable or restrict risky features β Flash, ads, Java, unneeded browser functionality.
Limit privileged accounts, validate need, and separate admin from daily-use accounts.
Keep operating systems current and retire unsupported versions.
Enforce MFA for remote access, privileged actions, and important data repositories.
Back up important data and configurations, test restoration, and keep backups resilient to ransomware.
Our free scanner assesses the externally observable signals tied to these strategies β TLS configuration, security headers, email authentication (SPF/DKIM/DMARC) and exposed services. The full internal maturity assessment across all eight controls runs via the open-source CLI.
The Essential Eight is mandatory for Australian non-corporate Commonwealth entities and is strongly recommended by the ACSC for all organisations as a cost-effective security baseline.
The ACSC recommends organisations reach a maturity level suited to their risk. Maturity Level 1 is the practical minimum; many regulated or higher-risk organisations target Level 2 or 3.
No single external scan can. Maturity is assessed across internal controls like application control and admin privileges. Our external scan grades the internet-facing signals; the open-source CLI assesses the internal controls.