Essential Eight Assessment — Australia
Your MSP can't objectively tell you how secure you are.
Aussie Pentest delivers independent Essential 8 (Essential Eight) maturity assessments for Australian businesses — technically rigorous, conflict-free, and delivered in 10 business days. You get an honest score, a clear remediation roadmap, and documented evidence your insurer, board, or government client will actually accept.
ASD assessment process guide methodology
Technical testing, not just interviews
Results in 10 business days
No remediation conflict of interest
Cyber insurance renewal
Your broker is requiring proof of ML2 maturity before renewing — or your premium just jumped significantly. Australian cyber insurers are increasingly requiring independent, documented evidence of Essential Eight compliance as a condition of cover. A self-assessment or MSP-provided report is often not accepted. Our assessment report is produced by an independent security firm and includes the technical evidence file your insurer needs to satisfy their underwriting requirements.
Government tender
You're responding to a Commonwealth or state government contract that requires demonstrated E8 compliance.
Enterprise client due diligence
A customer has sent you a security questionnaire and wants independent verification of your controls.
Board or exec visibility
Leadership wants to know your real security posture — not a reassuring conversation with your IT provider.
DISP membership now requires ML2 compliance.
Defence Industry Security Program (DISP) membership now requires Essential Eight compliance at Maturity Level 2 across your organisation. If you're a defence contractor or supplier preparing for DISP assessment — or maintaining existing membership — you need an independent, technically verified ML2 score backed by documented evidence.
Our assessment is scoped specifically to your environment, covers all eight controls against the ACSC assessment process guide, and produces a report and evidence pack your DISP assessor will accept. We've scoped the process so most defence SMBs can complete assessment and remediation within a 90-day window.
Covers all 8 controls
Tested against the ACSC assessment process guide — the same framework your DISP assessor references.
Technically verified ML2 score
Not interview-based. We validate configurations directly so the score is defensible to your assessor.
Evidence pack included
Configuration exports, tool outputs, and documented findings — everything your DISP submission needs.
90-day remediation window
We scope assessment and advisory so most defence SMBs can reach ML2 within a single quarter.
Most E8 assessments are done by the same firm managing your IT.
That's a conflict of interest. Your MSP has every incentive to tell you your environment is secure — they built it. An independent pentest firm has one job: tell you the truth.
MSP-run “assessment”
Interview-based. They ask your IT team if patching is up to date. You say yes. They write it down. No technical validation.
Aussie Pentest assessment
Technical and evidence-based. We verify actual system configurations, run tooling against your environment, and document what we find — not what you tell us.
Automated scan report
A scanner checks a handful of policies and generates a score. Misses configuration drift, AD misconfigs, and anything a script can't see.
Aussie Pentest assessment
Combines automated tooling with manual review. We catch the gaps between what your policies say and what your environment actually does.
A complete assessment package — not just a PDF.
Maturity score across all eight controls
Scored against the ACSC maturity model (ML0–ML3) for every strategy, not just a single aggregate number.
Technical evidence file
Configuration exports, tool outputs, and documented findings that back your score. Defensible to an insurer or auditor.
Gap analysis with risk ratings
Every finding is categorised by risk severity and mapped to the specific maturity requirement it's failing against.
Prioritised remediation roadmap
A 90-day quick-win plan and 12-month strategic roadmap. Written to be actioned by your IT team or MSP — no ambiguity.
Executive summary (board-ready)
A plain-English summary suitable for presenting to your leadership team, board, or cyber insurance broker.
Live debrief session
A 60-minute walkthrough of findings with your IT lead and a key business stakeholder. We answer your team's questions directly.
From scope to signed report in 5–10 business days.
No back-and-forth. No scope creep. Just a structured, repeatable process.
Scoping call
30 minutes. We map your environment, define scope, and confirm target maturity level.
Technical assessment
Remote access to your environment. We run tooling, review configs, and interview key personnel across all eight control areas.
Report and roadmap
Full written report delivered within 10 business days of assessment completion.
Debrief session
A 60-minute live walkthrough of findings. Your team leaves knowing exactly what to fix and in what order.
One clear offer. No surprise scope.
Essential Eight Maturity Assessment
$4,950
+ GST
Fixed-fee for environments up to 50 seats. Larger environments quoted on scope.
Includes
- ✓ ML1 or ML2 target maturity — your choice
- ✓ Full technical testing across all 8 controls
- ✓ Maturity score + evidence documentation
- ✓ Prioritised remediation roadmap
- ✓ Board-ready executive summary
- ✓ 60-minute live debrief included
- ✓ Report delivered within 10 business days
$3,500
+ GST
normally $4,950
We're opening a small number of assessments at a reduced rate for businesses willing to provide a written testimonial if they're satisfied with the work. Same full assessment, same deliverables, same 10-day turnaround — we want 3 case studies, you get a verified maturity score and a significant saving.
- ✓ Full Essential Eight maturity assessment — all 8 controls
- ✓ Same deliverables as the standard engagement
- ✓ 10 business day turnaround
- ✓ Written testimonial required if satisfied with the work
- ✓ Saving locked in at point of engagement — not time-limited
Spots close once 3 engagements are confirmed · No obligation to provide testimonial if unsatisfied
What Australian businesses ask us
Is the Essential Eight mandatory for my business?
It's mandatory for Commonwealth government entities and increasingly expected for the defence supply chain (DISP), critical infrastructure, and anyone bidding on government contracts. For private businesses, it's technically voluntary — but cyber insurers and enterprise procurement teams are actively requiring documented evidence of E8 maturity at ML2 as a condition of cover or contract.
What's the difference between your assessment and what my MSP offers?
Your MSP manages your environment, which means they have a conflict of interest in assessing it. We're an independent security firm with no stake in the outcome. We also go beyond interviews and documentation review — we technically test your controls against the ACSC's actual assessment process guide. That's what makes the report defensible.
How long does it take?
The scoping call and technical assessment phase typically takes 1–3 days depending on environment size. You receive the completed report within 10 business days of the assessment. Total elapsed time from kickoff to debrief is usually 2–3 weeks.
Will you also do the remediation work?
We can provide advisory support for remediation, but we deliberately separate assessment from implementation. Your existing MSP should execute the technical fixes — that's their job. Our role is to assess independently, give you a verified score, and tell them exactly what to fix. This keeps the independence of the assessment intact.
What maturity level should we target?
Most Australian SMBs should target ML2 — it's the ASD-recommended minimum and the level most cyber insurers and government clients expect to see. We'll confirm the right target for your situation during the scoping call.
Book your Essential Eight assessment
Fill in the form below and we'll confirm availability and send you a fixed-fee quote within one business day. No commitment required.