Essential Eight ML2 Uplift for Melbourne SMBs: Close the Ransomware Gap Between Maturity Level 1 and Maturity Level 2
You did the Essential Eight ML1 work last year. Multi-factor is on the main accounts, patching mostly happens, daily backups run. Then on a Tuesday morning your file server is encrypted, your line-of-business app will not open, and the attacker’s note tells you that they exfiltrated 40 GB before the encryption kicked in. ML1 was enough to keep the opportunistic stuff out. It was not enough to stop a ransomware operator who got a foothold through an unpatched internet-facing service and escalated through a local admin account that nobody had locked down. Essential Eight ML2 Uplift from Cyber by Exegesis is the fixed-scope engagement that takes a Melbourne SMB from ML1 to ML2 across all eight strategies — specifically with ransomware as the threat in scope.
The problem
The ACSC Essential Eight Maturity Model is explicit that ML1 is calibrated against opportunistic adversaries using commodity tooling. ML2 is calibrated against adversaries willing to invest more time and effort in a target — which is exactly the profile of the ransomware crews that hit Australian SMBs. The gap is not theoretical. ML2 tightens patching SLAs (48 hours for internet-facing services, two weeks for everything else), requires application control to be running with a vetted catalogue rather than as a wishlist, restricts administrative privileges with proper separation, and pushes multi-factor onto more touchpoints than ML1’s narrow scope.
Most Melbourne SMBs sitting at ML1 know they are short of ML2 but have not had the project scoped. The ACSC Small Business Cyber Security Guide gives the plain-English version of the controls; the Maturity Model gives the audit-grade definitions. Reconciling the two against your actual environment is the work.
What Essential Eight ML2 Uplift does
Cyber by Exegesis runs a fixed-scope engagement to take an ML1 business to ML2 across all eight mitigation strategies:
- A current-state assessment against the ACSC Essential Eight Maturity Model, strategy by strategy, with evidence captured for each.
- Patching SLA tightening — internet-facing services to 48 hours, operating systems and applications to two weeks, with a documented exception process for the cases that genuinely cannot meet it.
- Administrative privilege handling — separation of privileged and unprivileged accounts, removal of standing local admin on workstations, and a quarterly review process.
- Application control moved from “we have a tool” to a vetted catalogue with an actual deny-by-default posture in user-writable locations.
- Multi-factor extended onto the touchpoints ML2 requires — including privileged actions and access to important data repositories — not just the front door.
- Backup testing — restoration is exercised, not assumed, with a documented restore time for the systems that matter.
- A short written report mapping every change to the ACSC maturity definitions, plus a 90-day review window.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is scoped uplift work. We are not your MSP and we are not your incident responder; we take you from ML1 to ML2 against the published model and then step back.
How it works
- We confirm scope on a short call, verify the existing ML1 evidence, and request read-only access to your identity provider, endpoint management, patching tool, and backup console.
- We run the current-state assessment against each of the eight strategies and produce a baseline ML1-to-ML2 gap report.
- We sequence the changes by ransomware blast radius — patching SLAs and admin privilege handling first, the application control catalogue next, with MFA coverage and backup restore testing in parallel.
- We work through the changes in two-to-four-week tranches with your IT provider or internal admin, applying them in a way that does not disrupt operations.
- We close out with the written ML2-evidence report, hand over the documented processes (patching exception, privilege review, restore test), and set the 90-day review.
Why this matters in Melbourne
Melbourne’s SMB base is heavily weighted toward manufacturing, logistics, professional services, and healthcare — sectors that ransomware crews target because downtime is expensive and many hold patient or client PII that triggers OAIC Notifiable Data Breaches obligations on top of the operational hit. A Melbourne SMB that genuinely reaches ML2 — not ML1 with ML2 ambitions — has closed the controls that the ACSC explicitly maps to the adversary tradecraft these crews use. It is the difference between a Tuesday incident and a Tuesday non-event.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme (in the event a ransomware incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML2 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by sector and by existing ML1 evidence quality (businesses with a recent ML1 assessment first, businesses self-attesting ML1 second). Join the waitlist with your sector and current ML1 status — we will tell you when we are ready to take a brief from your business.