The Essential 8 has been part of the Australian cybersecurity landscape for nearly a decade. In that time it has evolved from a recommended baseline to a mandated requirement for many Commonwealth entities, and a de facto standard referenced in APRA CPS 234, government procurement frameworks, and board risk reporting across the private sector.
The framework itself has not stood still. The Australian Signals Directorate updates the Essential 8 Maturity Model periodically, and the 2025–2026 guidance reflects a threat landscape that looks materially different from when the framework was first published.
Patching timelines have tightened. The window between vulnerability disclosure and active exploitation has compressed dramatically, and the current guidance reflects this with more demanding patching timelines, particularly for internet-facing systems and critical infrastructure. Patches for vulnerabilities in internet-facing services must be applied within 48 hours of release when the vendor rates them critical or a working exploit exists, a window that applies from Maturity Level 1 upward and that many organisations' patch management processes are not yet built to meet.
Multi-factor authentication requirements have expanded. MFA requirements now explicitly cover third-party services and cloud platforms, not just internal systems. The prevalence of identity-based initial access in major Australian breaches has driven this change. An organisation that has MFA on its Microsoft 365 tenant but not on its AWS console or SaaS platforms has a significant gap.
Application control scope has broadened. The control now covers far more than executables: the model expects scripts, installers, compiled HTML, HTML applications and control panel applets to be restricted to an organisation-approved set, which addresses living-off-the-land techniques that turn legitimate system utilities to malicious ends. LOLBins, legitimate binaries such as PowerShell, WScript and MSHTA, have been the execution mechanism in a significant proportion of Australian incident response engagements over the past two years.
Office macro controls remain relevant. Despite the shift toward newer attack vectors, macro-based attacks remain common in Australian phishing campaigns. The guidance continues to emphasise blocking macros from the internet while allowing organisationally-signed macros where operationally necessary.
The fundamental structure of the framework remains the same: eight mitigation strategies, four maturity levels (0–3), and an expectation that organisations progress through the levels systematically.
The intent has not changed either. The Essential 8 is designed to mitigate the most common adversary techniques used against Australian organisations. It is not a comprehensive security framework — it is a targeted set of controls calibrated to threat reality. Organisations that treat it as a compliance checkbox rather than a threat mitigation program typically find themselves at higher risk, not lower.
For organisations working toward Essential 8 uplift in 2026, prioritisation matters. Not all eight strategies are equally difficult to implement, and not all carry equal risk weight for every organisation.
Start with MFA. Identity-based attacks are the dominant initial access vector in Australian incidents right now. Getting to Maturity Level 2 on MFA — including for cloud platforms and third-party services — delivers the highest return on investment of any Essential 8 control in the current threat environment.
Audit your patching process, not just your patch compliance. Many organisations have patch management processes that work well under normal conditions and break down under pressure. Understanding your actual time-to-patch for critical vulnerabilities — not the target, the actual — is the prerequisite to closing the gap between current state and the tightened Maturity Level 2 requirements.
Take application control seriously. Application control is consistently the control that organisations find hardest to implement effectively and easiest to implement superficially. A blocklist that stops known-bad executables from running is not application control. Allowlist-based control of what can execute, including PowerShell, scripting engines, and macros, is harder to implement but delivers materially better protection against the most common post-exploitation techniques. Build the allowlist from a complete inventory of what actually runs and enforce it only after an audit-mode period: an allowlist built from a partial inventory is switched off the first time it blocks a line-of-business application.
Do not chase Maturity Level 3 at the expense of Maturity Level 2. Organisations that attempt to jump directly to Maturity Level 3 controls without solid Maturity Level 2 foundations frequently end up with fragile implementations. The maturity model is designed as a progression — the controls at each level assume the ones beneath them are working.
An Essential 8 maturity assessment is only as useful as its accuracy. Organisations commonly report higher maturity than they actually have, for two reasons: self-assessment bias, and the gap between policy and implementation.
A policy document that says you patch within 48 hours is not evidence of Maturity Level 2 patching. Evidence of Maturity Level 2 patching is demonstrable, measured patching performance across your actual asset inventory. An effective maturity assessment tests implementation, not documentation.
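The measurement described above (and the 48-hour window discussed earlier in the patching section) is simple to automate once release and application timestamps are recorded per asset. The following is an added illustration for this page, not SALTT's or ASD's tooling. The inventory records are constructed, the 48-hour window for critical vulnerabilities on internet-facing assets is the figure the page states, and the 14-day fallback window is an assumption for illustration only. The point it makes is that unpatched assets keep accruing exposure time against the clock, so "not yet measured" cannot quietly become "compliant".

```python
"""Measure actual time-to-patch against the window each asset must meet.

Added illustration for this page, not SALTT's or ASD's tooling. Inventory
records are constructed. The 48-hour window for critical vulnerabilities on
internet-facing assets is the figure stated on the page; the 14-day fallback
window is an assumption for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    internet_facing: bool
    critical: bool                 # vendor-rated critical, or a working exploit exists
    released: datetime             # when the vendor released the fix
    applied: Optional[datetime]    # when it was actually applied; None = still outstanding


WINDOW_INTERNET_FACING_CRITICAL = timedelta(hours=48)   # stated on the page
WINDOW_DEFAULT = timedelta(days=14)                     # assumption for illustration


def required_window(rec: PatchRecord) -> timedelta:
    """The window this record must be patched within."""
    if rec.internet_facing and rec.critical:
        return WINDOW_INTERNET_FACING_CRITICAL
    return WINDOW_DEFAULT


def exposure(rec: PatchRecord, as_of: datetime) -> timedelta:
    """Actual exposure: release to application, or release to 'now' if unpatched.
    Counting outstanding patches against the clock is what keeps an unpatched
    asset from being reported as anything other than a breach."""
    end = rec.applied if rec.applied is not None else as_of
    return end - rec.released


def assess(records, as_of: datetime) -> dict:
    """Per-asset outcomes plus a summary for the internet-facing critical cohort."""
    rows = []
    for rec in records:
        took = exposure(rec, as_of)
        window = required_window(rec)
        rows.append({
            "asset": rec.asset,
            "hours": took.total_seconds() / 3600,
            "window_hours": window.total_seconds() / 3600,
            "within_window": took <= window,
            "outstanding": rec.applied is None,
        })
    cohort = [r for r, rec in zip(rows, records) if rec.internet_facing and rec.critical]
    summary = {
        "count": len(cohort),
        "within_window": sum(r["within_window"] for r in cohort),
        "outstanding": sum(r["outstanding"] for r in cohort),
        "median_hours": median(r["hours"] for r in cohort) if cohort else None,
        "max_hours": max((r["hours"] for r in cohort), default=None),
    }
    return {"rows": rows, "internet_facing_critical": summary}


def breaching_assets(report: dict) -> list:
    """Assets whose measured exposure exceeded their required window."""
    return [r["asset"] for r in report["rows"] if not r["within_window"]]


def ts(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


AS_OF = ts(2026, 1, 10, 9, 0)   # constructed assessment time

SAMPLE_INVENTORY = [   # constructed records, not real assets
    PatchRecord("web-proxy-01",  True,  True,  ts(2026, 1, 1, 10, 0),   ts(2026, 1, 2, 14, 0)),   # 28h
    PatchRecord("api-gw-02",     True,  True,  ts(2026, 1, 1, 10, 0),   ts(2026, 1, 4, 10, 0)),   # 72h
    PatchRecord("vpn-01",        True,  True,  ts(2026, 1, 7, 9, 0),    None),                    # 72h and counting
    PatchRecord("fileserver-03", False, True,  ts(2026, 1, 1, 10, 0),   ts(2026, 1, 9, 10, 0)),   # 8 days, internal
    PatchRecord("hr-portal",     True,  False, ts(2025, 12, 20, 9, 0),  ts(2026, 1, 8, 9, 0)),    # 19 days
]


if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY, AS_OF)
    s = report["internet_facing_critical"]
    print(f"internet-facing critical: {s['within_window']}/{s['count']} within 48h, "
          f"median {s['median_hours']:.0f}h, worst {s['max_hours']:.0f}h, "
          f"{s['outstanding']} still outstanding")
    for asset in breaching_assets(report):
        print("breach:", asset)
```

Run against a real export, the interesting outputs are the median and worst case for the internet-facing critical cohort, not the overall compliance percentage: a target of 48 hours with a measured median of 72 is the gap an assessor will test, and a policy document cannot close it.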
SALTT Technologies delivers Essential 8 maturity assessments that test actual control effectiveness, not policy existence. If you are planning an assessment ahead of a regulatory submission, board reporting cycle, or internal risk review, speak to our GRC team about what an evidence-based assessment looks like.