Essential Eight ML3 Uplift for Brisbane SMBs: Get to Maturity Level 3 Before Ransomware Tests You

You already passed an ML2 assessment. Your application control is in place, your patches are inside the windows, your admins use separate accounts. Then a client — a defence prime, a health network, a bank — asks for evidence you operate at Essential Eight Maturity Level 3. Or your board reads the morning’s ransomware headline about a Brisbane services firm and asks why your maturity ceiling stops at ML2. Essential Eight ML3 Uplift from Cyber by Exegesis is the fixed-scope engagement that closes the ML2-to-ML3 gap against the adversary the ACSC actually describes at that level: a well-resourced actor capable of running a ransomware campaign end-to-end against your tenant.

The problem

The ACSC Essential Eight Maturity Model is explicit that ML3 is calibrated against adversaries who are adaptive, less reliant on public tooling, and willing to invest in evading the controls at ML2. The ransomware crews that now target Australian SMBs in regulated sectors — defence supply chain, allied health, financial services — operate at that level. They harvest credentials before they encrypt. They disable logging before they move laterally. They exfiltrate before they detonate, so that even a clean restore leaves you facing an OAIC notification under the Notifiable Data Breaches scheme.

ML2 will stop a lot of that. ML3 is what stops the rest. The gaps are specific: application control extended to all locations (not just user profiles), centralised event logging with protected log integrity, multi-factor authentication using phishing-resistant methods, just-in-time admin, and patching windows tightened to the ACSC’s ML3 thresholds. None of these are exotic. All of them require disciplined project work that an SMB with thin internal IT cannot run alone.

What Essential Eight ML3 Uplift does

Cyber by Exegesis runs a fixed-scope project to lift a verified-ML2 business to ACSC Essential Eight Maturity Level 3 across all eight mitigation strategies:

• A current-state ML2 verification against the ACSC Essential Eight Maturity Model — we do not start the uplift until we agree the baseline.
• A gap register mapped strategy-by-strategy to the ML3 requirements, with each item scoped, owned, and sequenced.
• Application control extended beyond user profile paths to all locations, with rule-set hygiene and a documented exception process.
• Centralised, protected event logging — Windows, server, network, and cloud tenant logs aggregated with integrity controls and retention aligned to ML3.
• Phishing-resistant MFA for all privileged users and for remote access, with conditional access rebuilt where required.
• Privileged access tightened to just-in-time elevation, with separation of privileged environments from day-to-day workstations.
• Patching windows brought inside ML3 thresholds for operating systems, applications, drivers, and firmware.
• A written ML3 attestation pack — control evidence, residual risk, and the operational runbook your team uses to hold the maturity level after we leave.

Cyber by Exegesis is the cyber consultancy line of Exegesis, the same parent company that runs DRMO and other agentic AI services. This engagement is project work, not managed service. We lift you to ML3, document the evidence, and hand it back to your IT team or your MSP to hold.

How it works

1. We confirm the engagement scope and the ML2 baseline on a short call, and request read-only access to your Microsoft 365 or Google Workspace tenant, your endpoint management console, your logging stack, and your DNS.
2. We run the ML2 verification and produce the gap register against the ACSC Essential Eight Maturity Model — strategy by strategy, with the ML3 requirement and the delta written plainly.
3. We sequence the uplift across a 10–14 week project window, working with your IT lead or MSP on the change windows that minimise operational disruption.
4. We execute the application control, logging, MFA, privileged access, and patching changes, validating each strategy against the ML3 requirement before moving to the next.
5. We deliver the ML3 attestation pack — control evidence per strategy, residual risk register, runbook for ongoing operation, and a 12-week post-implementation review to confirm the maturity level has held.

Why this matters in Brisbane

Brisbane is where Queensland’s defence-industry supply chain, large allied health networks, and resource-sector finance functions concentrate — exactly the SMB profiles that prime contractors and regulators are now asking ML3 evidence of. It is also where ransomware crews have demonstrated they will target a single mid-sized supplier to reach a larger client downstream. A Brisbane SMB operating at verified ML3 is not just better defended against ransomware encryption and exfiltration; it is in a position to answer the contract question and the OAIC question before either is asked.

Sources

• ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
• ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
• OAIC Notifiable Data Breaches scheme (in the event a ransomware incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
• Cyber by Exegesis — Essential Eight ML3 Uplift (waitlist)

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens ML3 Uplift for Brisbane SMBs

We are sequencing ML3 engagements by sector (defence supply chain first, regulated health and finance second) and by tenant type. Join the waitlist with your sector, your current Essential Eight maturity level, and your tenant — we will tell you when we are ready to take a brief.