Essential Eight ML3 Uplift for Perth SMBs: Lift From Maturity Level 2 to Level 3 Before Ransomware Reaches Your Crown Jewels
You already run a tight shop. You implemented the Essential Eight a couple of years ago, you sit comfortably at Maturity Level 2, and your auditor or your prime contractor has now told you ML2 is not enough. You handle defence supply-chain data, or you sit inside a healthcare network, or you process payments for a tier-one financial — and the threat model is no longer commodity ransomware crews. It is targeted, hands-on-keyboard intrusion by adversaries who will sit in your network for weeks and exfiltrate before they encrypt. Essential Eight ML3 Uplift from Cyber by Exegesis is the fixed-scope engagement that takes your existing ML2 controls and closes the specific gaps that separate them from ML3.
The problem
The ACSC Essential Eight Maturity Model is explicit that the three maturity levels map to different adversary classes. ML1 addresses opportunistic actors. ML2 addresses actors investing more time and effort against a target. ML3 is the level the ACSC writes for adversaries who are adaptive, less reliant on public tools, and capable of exploiting weaknesses in the target’s specific implementation — the profile of a serious ransomware affiliate working with an initial-access broker, or a state-aligned crew using ransomware as cover.
The gap between ML2 and ML3 is not theoretical. It is concrete: application control enforced from a vendor-curated or organisation-vetted list rather than reactive blocklists; centralised event logging with protected log integrity; multi-factor authentication that is phishing-resistant rather than just present; privileged-access workstations or equivalent separation; and patching windows measured in 48 hours for internet-facing services with active exploits. Most Perth SMBs operating at ML2 have three or four of these. ML3 requires all of them, evidenced, and operating.
Ransomware is what makes the gap matter. The ACSC Small Business Cyber Security Guide and ongoing OAIC Notifiable Data Breaches reporting both reflect what defenders already know — ransomware is consistently the highest-impact incident class for Australian SMBs, and the modern variant is a data-theft event followed by encryption, which means an eligible data breach under the NDB scheme even if you restore from backup cleanly.
What Essential Eight ML3 Uplift does
Cyber by Exegesis runs a scoped uplift project, not an open-ended retainer:
- A control-by-control gap assessment against the eight mitigations at ML3, evidenced from your current tenant and endpoint configuration, not from a questionnaire.
- An application-control uplift plan — moving you from ML2’s blocklist posture to ML3’s executable, library, script, installer, and driver control across user profiles and temporary folders.
- A logging uplift — centralised, time-synchronised event logging with protected log integrity, scoped to internet-facing services, privileged user activity, and security events.
- A credential-management uplift — phishing-resistant MFA on privileged accounts, separation of privileged and unprivileged accounts, and a documented break-glass process.
- A 48-hour patching cadence design for internet-facing services with publicly known exploits, including the change-management adjustments to make that cadence sustainable.
- A written ML3 evidence pack you can hand to an auditor, prime contractor, or insurer.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. ML3 Uplift is a project, not a managed service. We set the controls, document the evidence, and hand over.
How it works
- We confirm scope on an initial call — which mitigations are in scope, which systems are in scope, and what your current ML2 evidence looks like.
- We run the gap assessment against your live environment over one to two weeks, with read-only access to your endpoint management, identity tenant, and logging stack.
- We deliver the gap report and a sequenced uplift plan, prioritising application control and logging because those are the controls that most often degrade ML2 evidence on inspection.
- We work alongside your IT provider or internal team to implement the changes in a staged rollout — pilot group, expanded group, full estate — with rollback documented at each stage.
- We produce the ML3 evidence pack and a 90-day review window to catch drift before your next audit.
Why this matters in Perth
Perth’s SMB base is disproportionately weighted toward resources, defence-industry supply chain, and specialised engineering services for the energy sector. Those are exactly the sectors where prime contractors, Defence, and major operators are pushing ML3 down the supply chain as a contractual requirement. A Perth SMB that holds an ML2 posture today is increasingly being told by its largest customer that ML3 is the new floor — and the ransomware crews targeting Australian resources and defence-adjacent businesses have already moved past the ML2 threat model. Lifting now, on a fixed-scope engagement, is materially cheaper than discovering the gap during incident response or during a contract renewal.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme (relevant where a ransomware incident involves data exfiltration): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML3 Uplift (waitlist)
Join the waitlist
First access when Cyber by Exegesis opens ML3 Uplift for Perth SMBs
We are sequencing ML3 engagements by sector — defence supply chain first, healthcare and finance second. Join the waitlist with your sector, your current maturity evidence, and the contractual driver pushing you to ML3, and we will tell you when we are ready to take a brief.