Essential Eight ML3 Uplift for Adelaide SMBs: Hardening Against Ransomware When You Already Hold Defence, Health, or Finance Data
Your business already cleared Maturity Level 2. You have application control on workstations, MFA across the tenant, patching cycles documented, and a backup regime you have actually tested. Then a prime contractor — or an auditor, or a client running their own supply-chain review — asks whether you are at ML3. Because what you hold (defence-adjacent IP, patient records, client financial data) is exactly what state-level ransomware crews are paid to encrypt. Essential Eight ML3 Uplift from Cyber by Exegesis is the engagement that takes an Adelaide SMB from ML2 to ML3 against the ACSC maturity model, with ransomware resilience as the design goal.
The problem
The ACSC Essential Eight Maturity Model defines ML3 as defence against adversaries who are adaptive, well-resourced, and willing to invest time in your specific environment. That is the threat model behind modern ransomware operators — the ones who exfiltrate before they encrypt, who dwell for weeks reading your email, who know which backup system you run and how to disable it.
ML2 stops opportunistic attackers. ML3 is what you need when the attacker has already decided your business is the target. The gap between the two is not subtle: application control must extend to drivers and scripts, not just executables; logging must be centralised and protected from tampering; privileged access must be just-in-time with hardware-bound credentials; macros and Office attack surface must be locked down beyond the defaults. Most Adelaide SMBs sitting at solid ML2 underestimate how much work the ML3 step actually involves — and discover it only when a ransomware incident exposes exactly the controls ML3 would have hardened.
What Essential Eight ML3 Uplift does
Cyber by Exegesis runs a fixed-scope ML2-to-ML3 uplift project mapped directly against the ACSC Essential Eight Maturity Model:
- A baseline assessment of your current ML2 posture across all eight strategies, with each control scored against the ML3 criteria in the ACSC model.
- Application control uplift — extending allowlisting to drivers, scripts, installers, and HTA/CHM/MSI surfaces, with Microsoft’s recommended block rules applied and logged centrally.
- Privileged access redesign — just-in-time admin, separate privileged workstations where the risk profile demands it, and the removal of standing domain admin.
- Centralised, tamper-resistant logging for command lines, PowerShell, authentication events, and application-control violations, retained per ML3 guidance.
- Macro and Office hardening to ML3 — macros in files originating from the internet blocked, signed-only execution, and antivirus scanning at open.
- A written ML3 attestation report mapping each control to the ACSC criteria, suitable for a prime contractor or sector regulator to review.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. ML3 uplift is the heaviest engagement in our SMB catalogue; it is appropriate only for businesses whose sector or contract obligations actually require it.
How it works
- We scope on a longer call than usual — typically 60 minutes — to confirm you are genuinely at ML2 today and that ML3 is the right destination for your sector and contracts.
- We baseline the eight strategies against ML3 criteria using read-only access to your tenant, endpoint management, identity provider, and SIEM (or the absence of one).
- We deliver a remediation plan sequenced by risk and operational disruption, with each item tagged against the specific ACSC ML3 requirement it satisfies.
- We implement the changes in agreed waves over six to twelve weeks, with rollback points between waves so your business never loses a day of operations.
- We deliver the ML3 attestation report and a 12-month review schedule, because ML3 is a posture you maintain, not a certificate you hang on the wall.
Why this matters in Adelaide
Adelaide concentrates Australia’s defence-industry supply chain — shipbuilding, space, sovereign manufacturing — alongside a dense health and finance professional-services base. These are the sectors where ransomware operators invest the most reconnaissance time, because the data they exfiltrate is leverage well beyond the encryption itself. They are also the sectors where prime contractors and regulators are now asking SMB suppliers explicit questions about Essential Eight maturity. An Adelaide SMB sitting at ML2 with a defence or health contract on the books has a clear next step; an Adelaide SMB that suffers a ransomware-driven data breach also has a clear obligation under the OAIC Notifiable Data Breaches scheme, and meeting it from a position of ML3 hardening is materially easier than meeting it from ML2.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML3 Uplift (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens ML3 Uplift for Adelaide SMBs
ML3 engagements are sequenced carefully — we take a small number at a time, prioritising defence-industry, health, and finance SMBs that already hold a credible ML2 baseline. Join the waitlist with your sector and a one-line description of your current ML2 evidence, and we will tell you when we are ready to take a brief.