If you've spent any time around Australian cyber security, you've heard the phrase Essential Eight thrown around as though it were a product you could buy, switch on, and tick off. It isn't. The Essential Eight is a set of eight mitigation strategies published by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) — a prioritised baseline designed to make it materially harder for an attacker to compromise your systems. There is no single application that "implements" it. What you actually build is a stack: a handful of tools, layered deliberately, each one carrying one or more of the eight controls.
This post walks through that stack — what each layer does, which tools are worth shortlisting, and the specific combination I'd recommend for most mid-sized Australian organisations trying to reach a defensible maturity level without buying eight separate point products.
A quick refresher on the eight
Before the tools, the controls. The Essential Eight are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Each is assessed against a maturity scale from Level 0 (not implemented) to Level 3 (fully aligned with the model, hardened against more capable adversaries). Most organisations should be targeting Maturity Level 1 as a floor and Level 2 as a realistic operational goal.
The important thing to understand is that these controls are implementation-agnostic. The ACSC tells you what outcome to achieve, not which vendor to write a cheque to. That's why two organisations can both be "Essential Eight compliant" with completely different toolsets.
The stack, layer by layer
The core platform
In the overwhelming majority of Australian environments, the backbone is the Microsoft ecosystem — and for good reason. A single, well-licensed Microsoft stack touches seven of the eight strategies, which means you can get a long way before you buy anything specialised.
The pieces that matter here are Microsoft Intune for endpoint configuration, patch deployment, macro policy and application hardening; Microsoft Entra ID (formerly Azure AD) for multi-factor authentication and, through Privileged Identity Management, for restricting administrative privileges; Microsoft Defender for Endpoint for attack-surface-reduction rules and exploit protection; and Group Policy or Configuration Manager (SCCM) for organisations that still run on-premises or hybrid. Native to Windows, you also get AppLocker and Windows Defender Application Control (WDAC) for the application-control strategy.
If you take nothing else from this post: before evaluating third-party tools, work out how much of the Essential Eight your existing Microsoft licensing already covers. It's usually more than people expect — and getting your Microsoft 365 tenant configured and secured properly is the highest-leverage first move.
Application control — the layer most people bolt on
Application control is consistently the hardest of the eight to reach maturity on, and native AppLocker/WDAC, while capable, is painful to manage at scale. This is the one control where a dedicated product almost always pays for itself.
The standout in the Australian market is Airlock Digital — an Australian vendor that built its product specifically around the Essential Eight, which is exactly why it shows up so often in local government and enterprise deployments. ThreatLocker is a strong, increasingly popular alternative with a broader ringfencing feature set, and VMware Carbon Black App Control remains a solid enterprise option. Whichever you choose, the goal is the same: a managed allowlist of approved executables, scripts and installers, maintained without drowning your team in exception requests.
Patch and vulnerability management
Strategies two and six — patch applications and patch operating systems — are two sides of the same operational coin. If you're already running Intune or SCCM, you may not need anything else for deployment. Where organisations want deeper automation or heterogeneous coverage (Mac, Linux, third-party apps), tools like Automox, Ivanti, ManageEngine Patch Manager Plus and Tanium fill the gap.
Just as important is proving your patch currency, which is where a vulnerability scanner earns its place. Tenable (Nessus) and Qualys are the two most common choices, and their reports double as evidence when an auditor asks how quickly you're closing known vulnerabilities.
Privileged access
Entra ID's Privileged Identity Management covers a meaningful slice of the "restrict administrative privileges" control, and for many organisations it's enough. Where you need full privileged access management — credential vaulting, session recording, just-in-time elevation across a complex estate — the established players are CyberArk, Delinea (formerly Thycotic) and BeyondTrust.
Identity and MFA
If you're on Microsoft 365, Entra ID's built-in multi-factor authentication is the natural home for this control. Organisations with a broader identity footprint, or those who want a single MFA layer across cloud and legacy apps, commonly reach for Okta or Cisco Duo. The control's maturity increasingly hinges on phishing-resistant MFA, so whichever platform you pick, plan for FIDO2 or certificate-based methods rather than SMS.
Backups
The eighth strategy is regular backups — and the model cares as much about tested restoration and protection from tampering as it does about the backup itself. Veeam is the most widely deployed backup platform in Australia, with Acronis, Rubrik and Cohesity all strong alternatives. The non-negotiable feature across all of them is immutable or offline copies, so that ransomware can't encrypt your backups along with everything else.
Governance, assessment and reporting
This layer sits on top of everything and doesn't enforce a single control — but it's what turns "we think we're compliant" into evidence you can show a board or an auditor. Tools like Huntress, 6clicks, Cynch and broader GRC platforms such as ServiceNow GRC or Vanta measure your maturity level, track drift over time, and generate the reporting that compliance conversations actually run on.
What I'd recommend
For a typical mid-sized Australian organisation already invested in Microsoft 365, here's the stack I'd put forward as a starting point:
Microsoft Intune + Entra ID (P2) + Defender for Endpoint as the core, covering patching, MFA, privileged access, macro settings and application hardening.
Airlock Digital for application control — the one place where native tooling genuinely struggles at scale.
Veeam for backups, configured with immutable copies and a tested restore schedule.
Tenable for vulnerability scanning, to prove patch currency for both applications and operating systems.
A GRC or assessment tool (6clicks or Vanta) to measure maturity and produce audit-ready reporting.
That combination realistically gets an organisation to Maturity Level 1 across all eight, and Level 2 on most, without assembling eight disconnected point products. It leans on licensing you very likely already own, and adds specialised tooling only where the native Microsoft capability falls short.
If budget is tight, the leanest viable path is Microsoft-native everything plus Veeam, accepting that application control at Level 1 will take real effort with AppLocker/WDAC alone. If you're vendor-neutral by principle, you can swap any layer here for a best-of-breed equivalent — the architecture holds either way.
The point worth remembering
The Essential Eight isn't a shopping list, and no vendor can sell you compliance in a box, whatever their marketing says. What you're building is a layered stack where each tool carries one or more of the eight controls, backed by the processes — patching cadence, restore testing, access reviews — that keep those controls at their target maturity over time. Pick the platform that covers the most ground, add specialised tooling only where it's genuinely needed, and put a governance layer on top so you can prove it. Do that, and the Essential Eight stops being a compliance headache and becomes what it was designed to be: a genuinely harder target for the people trying to get in.
How IT Support Perth can help
Choosing the tools is the easy part — wiring them together into a coherent stack, tuning application control so it doesn't bury your team in exceptions, and keeping every layer at its target maturity over time is where the real work lives. That's exactly what we do for Perth businesses as their managed IT and cyber security provider: we start from the Microsoft licensing you already own, add specialised tooling only where it's justified, and put the processes and reporting around it so your maturity holds up to a client, tender or insurer's questions.
If you'd like a clear picture of where your organisation sits against the Essential Eight today — and a practical, staged plan to lift it — book a chat with the Computer Mechanics team. For the plain-English version of the framework itself, start with our Essential Eight explained guide. We've been keeping Perth businesses secure since 1997.
This article is general information, not security or compliance advice. Your specific maturity requirements, licensing and environment should drive final tool selection — and the ACSC's official guidance at cyber.gov.au is always the authoritative source.


