Built to the real model

All eight mitigation strategies with every Maturity Level 1, 2 and 3 control, mapped to the ACSC's current published guidance — not a generic checklist.

See what's capping your level

Because your overall maturity is only as high as your weakest strategy, the tool surfaces the exact strategy holding you back — and what it takes to lift it.

Defensible, not self-graded

Self-assessment, independent reviewer override, and evidence-confidence ratings sit side by side, with a full audit trail — the evidence an auditor or regulator expects.

Yours, and private

Runs in your browser — no SaaS, no account, air-gap compatible. Optional AI connects only when you choose, using your own API key, and never sends data to CyberAssure.

Why it matters now

The Essential Eight has become the baseline everyone expects

The Essential Eight is already mandatory for federal non-corporate Commonwealth entities, and it has quietly become the de facto baseline that everyone else is measured against. Cyber insurers ask about it before they quote, government and enterprise contracts increasingly require it, and SOCI Act and APRA CPS 234 programs lean on it as a control baseline. When something goes wrong, “what was your Essential Eight maturity?” is one of the first questions asked — and a defensible, evidence-backed answer beats a spreadsheet guess.

Read: The Essential Eight explained — what Australian businesses need to implement →

How it works — in three steps

No installs, no accounts, no data leaving your environment.

1

Get the tool

Request access and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.

2

Assess locally

Score each strategy against your Maturity Level target and attach evidence — all on your own device. Optional AI assistance runs on your own Anthropic API key; data never leaves your environment.

3

Export your reports

Generate board-ready Word and Excel reports, the gap register, the strategy maturity dashboard and the evidence pack — in one click, ready for the board or the auditor.

What You Get

Comprehensive Essential Eight outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.

AI-Enhanced Word Report

Board-ready narrative deliverable — overall maturity level, strategy-by-strategy attainment, gap register, evidence register, and a prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-strategy narratives.

Multi-Worksheet Excel Workbook

The same data in tabular form across multiple sheets — gap register, remediation plan, evidence register, full results matrix and N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.

Maturity Visualisations

A strategy-by-strategy dashboard showing current Maturity Level attainment and gap profile across all eight strategies — suitable for management review and regulatory reporting at a glance.

Strategy × Maturity-Level Matrix

Every strategy mapped against Maturity Levels 1, 2 and 3, colour-coded by attainment — showing exactly where you sit and which strategy is capping your overall level.

Prioritised Remediation Roadmap

Actionable recommendations ranked by risk severity and Maturity Level uplift, designed to support structured uplift planning and investment prioritisation. The gap register becomes a plan.

Evidence Package (ZIP)

Every attached evidence file organised by strategy, with an Excel register cataloguing each file with metadata. Ships in one click when an auditor or assessor asks for substantiation.

Year-over-Year Comparison

Strategy-by-strategy change reports between any two periods — improvements, regressions, evidence added or removed, reviewer-decision changes, and maturity-level movement. AI-narrated when enabled.

Reviewer Override Audit Trail

An independent reviewer can override self-assessed and AI-suggested Maturity Levels with full justification — original answer, AI suggestion, and reviewer conclusion all preserved in the audit log.

Audit Log & Version History

Chronological record of every answer, note, evidence change and reviewer override — viewable in-app with full version history, exportable as JSON for long-term retention.

Shared Folder Collaboration

Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with file locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.

Consultant vs spreadsheet vs CyberAssure

The defensibility of a consultant engagement, the control of doing it yourself — without the cost of either failing you.

Big-4 consultant Internal spreadsheet CyberAssure
CostHigh, per engagementLow, but hiddenA fraction of consultant cost
Model-accurate (all 8 strategies, ML1–ML3 controls)
Repeatable, same method every quarter~
Strategy-level ML breakdown & visuals~
Independent reviewer & evidence audit trail
Data stays on your device
Board-ready reports in hours, not weeks~
Expertise stays in-house

Pricing

Licensed per organisation, per year. No per-seat fees and no usage metering — and because it runs on your own device, there are no hosting or data-residency surprises. Get in touch and we'll size a quote to your organisation.

Book a demo Contact for pricing

Common questions

How is our overall maturity level calculated?

Each of the eight strategies is scored individually against the ACSC's Maturity Level 1, 2 and 3 controls. Because the Essential Eight is meant to be implemented as a package, your overall level is the lowest level achieved across all eight strategies — one weak strategy caps the result. The tool shows your level per strategy and the single strategy holding the whole assessment back, so you know exactly where to invest first.

Will this hold up if a regulator or auditor challenges it after an incident?

Yes — that's what it's built for. Every control pairs a self-assessment with an independent reviewer conclusion and an evidence-confidence rating, and a full audit log records who assessed what, when and why. The result is the structured, evidence-backed trail an auditor or assessor expects — plus the year-over-year history that shows a credible trajectory of improvement, which is exactly what a regulator examines post-incident. It doesn't replace a formal independent assurance engagement; it produces the evidence that makes one fast and defensible.

If we enable AI, what data is sent — and to whom?

AI is off by default. When you switch it on, requests go directly from your browser to Anthropic using your own API key — never through CyberAssure's servers, and nothing is stored by us. A sensitive-data warning is shown before any evidence is submitted for AI review, and AI can be disabled site-wide in Settings for regulated or air-gapped environments.

Can we run it in an air-gapped or OT environment?

Yes. It's a self-contained file that opens in any modern browser — no SaaS, no account, no install. With AI disabled it makes no outbound connections at all, so it runs fully offline inside a segregated or OT network — suitable for government and data-sovereign contexts.

What happens to our assessments and evidence if we stop — or if CyberAssure disappears?

You own everything outright. Assessments and evidence live in your own files and export to Word, Excel and JSON. There's no cloud database to be locked out of and no vendor hosting your data — your assessment history and evidence are yours, portable, and outlive any subscription.

See the full enterprise FAQ →

See where you stand against Maturity Level 2

Book a 20-minute demo and we'll show you the assessment, the reports, and how it fits your organisation.

Book a demo
Explore every strategy, maturity level and AI capability Expand ▾

What the Essential Eight Asks You to Do — and How the Tool Handles It

The ACSC's Essential Eight is a prioritised set of eight mitigation strategies, each assessed against a four-level maturity model (Maturity Level 0 through Maturity Level 3). The strategies are designed to be implemented as a package: your overall maturity level is the lowest level achieved across all eight strategies, so a single under-implemented control caps the whole result. The tool assesses each strategy against the ACSC's published controls for ML1, ML2 and ML3, then computes your overall level and surfaces the strategy that's holding it back.

Each control integrates the ACSC's guidance and evidence expectations directly, so the question is never “did we score this correctly?” but rather “what does the evidence support?”.

The Eight Mitigation Strategies

All eight strategies, structured across the three Essential Eight objectives, assessed in full across Maturity Levels 1–3:

Prevent Malware Delivery & Execution

  • Application Control
  • Patch Applications
  • Configure MS Office Macro Settings
  • User Application Hardening

Limit the Extent of Incidents

  • Restrict Administrative Privileges
  • Patch Operating Systems
  • Multi-Factor Authentication

Recover Data & System Availability

  • Regular Backups

The Four Maturity Levels

The Essential Eight Maturity Model defines four levels, based on mitigating increasing levels of adversary tradecraft and targeting:

  • Maturity Level 0 — Weaknesses in the organisation's overall cyber security posture; the strategy is not implemented to the ML1 baseline.
  • Maturity Level 1 — Mitigates adversaries using widely available, opportunistic techniques against any viable target.
  • Maturity Level 2 — Mitigates adversaries operating with a modest step-up in capability, willing to invest more time and effort to bypass controls.
  • Maturity Level 3 — Mitigates adaptive adversaries willing to invest significant time and effort, and less reliant on public tooling.

The tool lets you set a target level (commonly ML2), auto-filters the controls in scope, and reports both per-strategy attainment and the overall level — which is only as high as your weakest strategy.

Evidence Workflow & Reviewer Overrides

Each control presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the control.

An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed Maturity Level where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. When AI is enabled, AI-suggested Maturity Levels (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.

Period Tracking, Baselines & Year-over-Year Comparison

Single-point assessments are necessary but insufficient. The tool treats assessment as a continuous activity, with first-class support for the time dimension:

  • Maturity Snapshot & Baseline — Save a point-in-time baseline; capture manual overrides where appropriate; replace, clear or revert baselines as the programme evolves.
  • Period Closure — Formally close an assessment period and archive it, freezing the state for audit and historical comparison.
  • Year-over-Year Comparison — Improvements, regressions, evidence added or removed, reviewer-decision changes and maturity-level movement — all surfaced as a structured change report between any two periods.
  • Multi-Period Trend Comparison — Load three or more historical periods to visualise your maturity trajectory by strategy across time.

This is the evidence trail that demonstrates credible intent — quarter by quarter, not just at year end.

Audit Log, Collaboration & Resilient Storage

Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer.

Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. File locking prevents conflicting edits; identity stamping records who changed what; live change polling surfaces edits in seconds; and the sync conflict detector flags “conflicted-copy” files so you can resolve them rather than discovering them at audit time. A 30-day soft delete with one-click restore prevents accidental data loss.

Evidence storage is resilient by design — content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.

Who It's For

  • CISOs and security managers assessing or reporting on Essential Eight maturity
  • GRC teams conducting internal compliance reviews against ACSC guidance
  • Commonwealth and state government agencies and their contractors with Essential Eight obligations
  • Organisations using the Essential Eight as a baseline under the SOCI Act or APRA CPS 234
  • Internal audit teams validating cyber security control effectiveness
  • Security advisors conducting structured gap assessments for clients
AI woven through every stage

AI assistance that earns its place.

Optional AI capabilities — entirely opt-in via your own Anthropic API key — accelerate every phase of Essential Eight work, from understanding a control to drafting the board narrative inside the Word report itself. The tool works fully without them; with them, the effort that used to consume weeks of consultant time becomes a quarterly cadence your own team operates.

Phase 1

During the assessment

Phase 2

During review

Phase 3

Before & in the deliverables

Phase 4

Across periods

Phase 1

AI Advisor Chat

Connected Claude assistant that explains any Essential Eight strategy, control or maturity-level criterion in plain English — with conversational follow-up. Your target level, scores and notes are passed as context, so answers are tied to your actual posture, not generic boilerplate.

Phase 1

Draft With AI

Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the control answer. The slow, low-energy step that usually gets skipped now takes seconds.

Phase 1

Context-Aware Suggested Prompts

One-tap prompt chips built into the AI Advisor — “Biggest gaps?”, “Uplift plan”, “Evidence to gather”, “Board summary” — each pre-wired to your actual assessment data and target level. The fastest way to get useful AI output without crafting prompts.

Phase 2

AI Evidence Review with ML Suggestion

Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the control requirements — with a suggested Maturity Level and a low/medium/high confidence rating. The reviewer keeps the final call; AI does the first pass.

Phase 2

AI Deep Review

A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific maturity-level criteria. For the controls where “looks about right” isn't good enough.

Phase 2

AI Remediation Drafting

For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts your Maturity Level. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.

Phase 3

Pre-Export Quality Review

Diagnostic AI scan over the entire assessment before export — surfaces empty notes on Strong answers, missing evidence on key controls, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.

Phase 3 · In the Word report

AI Executive Summary

The Word report opens with an AI-generated executive summary written from your actual assessment data — overall maturity level, the strategy capping it, headline gaps, and recommended priorities. The board narrative, pre-drafted.

Phase 3 · In the Word report

AI Strategy Narratives

Board-ready prose inside the Word report — for each of the eight strategies, an AI-written narrative explaining what the strategy covers, your posture, where the gaps sit, and what to do next. Audit-committee language, generated from your data.

Phase 4

AI Period Comparison Narrative

When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The “are we on track for ML2?” question, answered in prose.

Phase 4

AI Uplift Plan

AI drafts a sequenced uplift plan to move from your current level toward your target — grouped by strategy and ordered by the controls that unlock the most maturity for the least effort. The leverage points that turn findings into a funded programme.

Bring your own API key · Pay only for what you use

All AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. Typical usage is a few dollars per full assessment cycle. AI can be disabled site-wide via Settings for regulated environments, and a sensitive-data warning is shown before evidence is submitted for AI review.

Often Used Alongside

Organisations frequently combine the Essential Eight assessment with complementary frameworks to address broader governance and compliance requirements.

Financial Services

APRA CPS 234 Assessment

Information security assessment for APRA-regulated entities, with the Essential Eight as a control baseline.

Learn more
Information Security

ISO 27001 Maturity Assessment

Assess your ISMS against ISO/IEC 27001 — broader governance coverage to complement Essential Eight technical controls.

Learn more