ASD / ACSC maturity model

Not a pen test. A technical validation of the eight mitigations.

Essential Eight technical assessments

The Essential Eight is a maturity model published by the Australian Signals Directorate and the Australian Cyber Security Centre. It is not a penetration testing framework. Cyber Node tests whether the eight controls you claim actually hold up under an active adversary. Application control, patching, MFA, admin privileges, the lot. Paper validation is not the same as technical validation.

The eight mitigations

What we test, and how

Each mitigation below is one of the ASD Essential Eight. The short description explains how Cyber Node validates it in practice.

  • 1. Application control

    Test whether unauthorised executables actually fail to run on endpoints and servers. Not whether AppLocker is deployed on paper. Whether the bypass techniques known to work in the wild succeed here.

  • 2. Patch applications

    Scan perimeter and internal services for known CVEs in applications and runtimes. Cross-reference against published patching timelines. Gaps between claim and reality go in the report.

  • 3. Configure Microsoft Office macro settings

    Validate macro execution policy against the ACSC hardening guidance. Attempt delivery of test payloads via common phishing vectors. Measure the actual outcome, not the GPO setting.

  • 4. User application hardening

    Browser, PDF reader, and Office hardening, including Java, Flash, and ads. ACSC guidance is specific. We validate against the specifics.

  • 5. Restrict administrative privileges

    Identify privileged accounts and check their separation from day-to-day accounts, the use of privileged access workstations, and the tiered admin model. Attempt privilege escalation from a standard user where in scope.

  • 6. Patch operating systems

    OS patch currency against ACSC guidance. End-of-life OS in the environment. Exploitability of known unpatched flaws from the network.

  • 7. Multi-factor authentication

    MFA coverage across email, remote access, privileged admin, and high-risk actions. MFA bypass attempts where safe, including phishable factor identification (SMS, push fatigue).

  • 8. Regular backups

    Not a backup audit. We validate whether backups are reachable from a compromised admin account, whether they can be encrypted or deleted by an attacker, and whether restore tests are actually run.

Maturity levels

ML1, ML2, ML3 and what assessment looks like at each

The ACSC defines three maturity levels reflecting increasing attacker capability. Assessment depth scales accordingly.

Level 1

ML1 — common attacker

Opportunistic attackers using publicly available tradecraft. Baseline expected for most organisations. Assessment validates the mitigations are implemented at the ACSC-stated threshold.

Level 2

ML2 — targeted attacker

Attackers willing to invest more effort against a specific target. Assessment adds bypass attempts, configuration validation, and targeted privilege escalation testing.

Level 3

ML3 — adaptive attacker

Capable, adaptive attackers using tradecraft tailored to the target. Assessment approaches red team depth on the eight mitigations. Typical for entities handling classified or high-sensitivity data.

What we deliver, what we refer

E8 engagement scope, honestly

In scope for Cyber Node

Technical validation of claimed maturity

  • Validation against the claimed maturity level

  • Endpoint, network, identity, and cloud testing

  • Bypass and escalation attempts where in scope

  • Report mapped to the eight mitigations

  • Supplier due diligence reports for procurement

Out of scope, we refer

IRAP, ISM, and policy work

  • IRAP assessment against the ISM

    Requires an IRAP-endorsed assessor. We refer.

  • System certification for PROTECTED and above

    ASD and certification authorities.

  • ACSC Certified Gateway work

    Different accreditation track.

  • E8 policy authoring and programme management

    GRC consultancies and internal security teams.

  • Backup restore audit and BCP

    Specialist business continuity consultancies.

E8 FAQ

Common questions

No. The Essential Eight is a maturity model published by ASD and the ACSC. It defines eight mitigation strategies with three maturity levels. A pen test validates whether claimed controls hold up under active attack, which is a different and complementary activity.

Only for formal ISM assessments and government system certification. For internal Essential Eight maturity validation or supplier due diligence, you do not need an IRAP-endorsed assessor. Cyber Node performs technical validation; we refer IRAP work to endorsed assessors.

ACSC guidance recommends organisations target a maturity level commensurate with the threat environment. Non-sensitive SMBs often target ML1; entities handling classified or sensitive data typically target ML2 or ML3. We scope the assessment to the level you claim, then test whether the claim holds.

An IRAP assessment evaluates a system against the Australian Government Information Security Manual (ISM), performed by an IRAP-endorsed assessor. Essential Eight validation is narrower and focuses specifically on the eight mitigations. You may need one, the other, or both, depending on what your customer or regulator requires.

No. The ISM is far broader than the Essential Eight. Cyber Node validates the Essential Eight specifically. Full ISM alignment sits with IRAP-endorsed assessors.

Essential Eight engagement

Validate the claim, not the documentation