
The Essential Eight Explained: Australia’s Cyber Baseline

14 June 2026 · 7 min read · Cyber Horizon Team

The Australian Cyber Security Centre’s Essential Eight is a prioritised set of eight mitigation strategies that, together, make it significantly harder for adversaries to compromise systems. Mandatory for many Australian government entities and widely adopted in the private sector, it’s one of the most practical baselines going.

The eight strategies

They fall into three goals: prevent attacks, limit the impact, and ensure recovery.

Application control

Allow only approved executables, scripts and installers to run.

Patch applications

Patch internet-facing apps fast; remove unsupported software.

Configure macro settings

Block untrusted Microsoft Office macros — a classic delivery vector.

User application hardening

Disable risky features like Flash, ads and Java in browsers.

Restrict admin privileges

Limit and regularly revalidate privileged access.

Patch operating systems

Keep OSes current; retire end-of-life systems.

Multi-factor authentication

MFA for remote access, privileged actions and important data.

Regular backups

Back up important data and test restoration; keep backups isolated.

Four maturity levels

You don’t just “do” the Essential Eight — you implement each strategy to a maturity level matched to the threat you face.

| Level | Targets |
|---|---|
| Maturity Level 0 | Weaknesses present in the organisation’s posture |
| Maturity Level 1 | Opportunistic attackers using widely available tradecraft |
| Maturity Level 2 | Attackers investing more time and effort, bypassing controls |
| Maturity Level 3 | Adaptive adversaries focused on a specific target |

How to approach it

  • Set a target maturity level based on your risk and any regulatory mandate.
  • Assess your current maturity for each of the eight strategies.
  • Lift all eight together — uneven implementation leaves exploitable gaps.
  • Automate evidence (patch status, MFA coverage, backup tests) rather than gathering it by hand.
  • Re-assess regularly; maturity erodes as systems and software change.
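The first three steps above, sketched as an added example (not code from Cyber Horizon or the ACSC): it checks an assessment against a target level and reports which strategies to lift. The names `assess`, `GapReport` and `SAMPLE` are hypothetical, the sample levels are constructed, and taking the lowest of the eight as the overall level is an assumption of this sketch.

```python
from dataclasses import dataclass

# The eight strategies, as named on this page.
STRATEGIES = (
    "Application control", "Patch applications", "Configure macro settings",
    "User application hardening", "Restrict admin privileges",
    "Patch operating systems", "Multi-factor authentication", "Regular backups",
)

@dataclass(frozen=True)
class GapReport:
    overall: int   # weakest strategy sets the overall level (assumption)
    gaps: dict     # strategy -> levels still to lift, largest gap first
    uneven: bool   # True when the strategies sit at different levels

def assess(current: dict, target: int) -> GapReport:
    """Compare the assessed maturity of each strategy against one target level."""
    if target not in range(1, 4):
        raise ValueError("target must be Maturity Level 1, 2 or 3")
    missing = [s for s in STRATEGIES if s not in current]
    unknown = [s for s in current if s not in STRATEGIES]
    if missing or unknown:
        # A partial assessment would hide exactly the gaps this is meant to find.
        raise ValueError(f"missing={missing} unknown={unknown}")
    for name, level in current.items():
        if level not in range(0, 4):
            raise ValueError(f"{name}: level {level!r} is outside 0-3")
    gaps = {s: target - current[s] for s in STRATEGIES if current[s] < target}
    ordered = dict(sorted(gaps.items(), key=lambda kv: -kv[1]))
    levels = set(current.values())
    return GapReport(min(levels), ordered, len(levels) > 1)

# Constructed sample assessment, not real data.
SAMPLE = {
    "Application control": 1, "Patch applications": 2,
    "Configure macro settings": 2, "User application hardening": 2,
    "Restrict admin privileges": 1, "Patch operating systems": 3,
    "Multi-factor authentication": 3, "Regular backups": 0,
}

if __name__ == "__main__":
    report = assess(SAMPLE, target=2)
    print(f"overall maturity: ML{report.overall}, uneven: {report.uneven}")
    for name, delta in report.gaps.items():
        print(f"  lift {name} by {delta} level(s)")
```

In the sample, strong patching and MFA at Level 3 do not raise the overall result: the untested backups at Level 0 set it.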

The bottom line

The Essential Eight is deliberately practical: eight concrete strategies, implemented to a defined maturity. Its real strength is balance — get all eight to your target level and you close the gaps a single strong control would leave open.
