An Honest Essential Eight Assessment.
Not Your MSP Marking Their Own Homework.

It's mandatory for Commonwealth government entities and increasingly expected for anyone in the defence supply chain (DISP), critical infrastructure, or bidding on government contracts. For private businesses, it's technically voluntary — but cyber insurers and enterprise procurement teams are actively requiring documented evidence of E8 maturity at ML2 as a condition of cover or contract award. If you deal with government or hold a cyber insurance policy, treat it as mandatory in practice.

Your MSP manages your environment, which means they have a conflict of interest in assessing it. We're an independent security firm with no stake in the outcome. We also go beyond interviews and documentation review — we technically test your controls against the ACSC's actual assessment process guide. That's what makes the report defensible to an insurer, auditor, or DISP assessor.

The scoping call and technical assessment phase typically takes 1–3 days depending on environment size. You receive the completed report within 10 business days of assessment completion. Total elapsed time from kickoff to debrief is usually 2–3 weeks.

We can provide advisory support for remediation, but we deliberately separate assessment from implementation. Your existing MSP should execute the technical fixes — that's their job. Our role is to assess independently, give you a verified score, and tell them exactly what to fix. This keeps the independence of the assessment intact.

Most Australian SMBs should target ML2 — it's the ASD-recommended minimum and the level most cyber insurers and government clients expect to see. We'll confirm the right target for your situation on the scoping call.

Yes — in most cases. Our reports are produced by an independent security firm, technically tested against the ACSC assessment process guide, and include a full evidence file with configuration exports and tool outputs. That's the format Australian cyber insurers require when they ask for "independent documentation" of E8 maturity. If your broker has a specific reporting format they want to see, let us know on the scoping call and we'll confirm compatibility before we start.

Both. The majority of Australian SMBs run a hybrid environment — typically Microsoft 365 or Azure in the cloud with some on-premises infrastructure or endpoints. We assess across your full environment, not just one component. The scoping call maps out exactly what's in scope so nothing gets missed and there are no surprises.

Read-only or scoped access to your environment — typically a combination of remote access, configuration exports, and a brief session with your IT lead or MSP. We'll send you a clear pre-assessment checklist after the scoping call so your team knows exactly what to prepare. Most businesses find the access requirements straightforward; if your MSP is cooperative, they can handle the access setup in a few hours.

Yes. Our assessment covers all eight controls against the ACSC assessment process guide — the same framework your DISP assessor references — and includes a technical evidence pack with configuration exports and documented findings. That's what a DISP submission needs. We've scoped the process so most defence SMBs can complete assessment and remediation within a 90-day window, which aligns with most DISP application timelines. If you're actively working toward a DISP submission, mention it on the scoping call so we can tailor the deliverables accordingly.

Start by filling in the enquiry form below — it takes two minutes and helps us understand your environment and what's driving the need. We'll come back to you within one business day with a quote scoped to your situation. If you're not sure what maturity level to target or whether you're ready, the scoping call is the right place to work that out. There's no commitment required at that stage — it's just a conversation.