When implemented and maintained correctly, the Essential Eight can mitigate the majority of common cyber attacks.
Organisations must demonstrate that controls are not just configured: they must be proven to work, across every device, and at every maturity level. For most organisations, meeting that standard through manual auditing is slow, expensive, and structurally unreliable. Introspectus Assessor was built to change that.
Traditional Essential Eight assessments follow a familiar and frustrating pattern. A specialist assessor is engaged, access is coordinated across business units, a sample of devices is reviewed, policy documents and screenshots are collected as evidence, and a report is produced weeks later. By the time the report lands, the environment has already changed.
Three fundamental problems make manual auditing inadequate for Essential Eight compliance.
The first is coverage. Manual assessors review a fraction of an organisation’s devices, typically a small sample chosen for convenience. Gaps hiding in the untested majority go undetected until they become incidents or surface during a formal audit.
The second is evidence quality. The ACSC Assessment Process Guide defines four levels of evidence quality, from weakest to strongest: policy documents, reported observations, direct observation, and live testing. Manual assessments rely heavily on the weakest forms: screenshots, self-reported configurations, and settings viewed on a handful of machines. The ACSC’s own guidance makes clear that the highest-quality evidence comes from actually testing whether a control works.
The third is timeliness. A manual audit is a snapshot. Environments change daily. Patches fail silently. Configurations drift. Exceptions accumulate. An assessment that was accurate on the day it was conducted can become misleading within weeks.
Introspectus Assessor deploys a lightweight agent to every Windows endpoint across the organisation.
The agent runs on a configurable schedule (by default every twelve hours) and uploads results to the Introspectus Portal for real-time analysis and reporting. Every control is tested against the November 2023 Essential Eight Maturity Model rules, and every failure is surfaced with specific, actionable remediation guidance.
Introspectus applies four distinct assessment methods, each matched to the nature of the control being assessed.
A lightweight agent is deployed to every endpoint across the organisation
Test results are continually uploaded to the Introspectus portal
Every control is tested against the Essential Eight Maturity Model
Every failure is surfaced with specific remediation guidance
For Application Control, Introspectus uses a patented live execution technique. The agent carries embedded binary files and compiles them into test executables, dynamic link libraries, HTML applications and other controlled file types at the time of testing.
These are then executed in the user context, in the locations that Application Control is required to govern: user profiles and temporary folders used by operating systems, web browsers and email clients.
If Application Control is in place and effective, the files are blocked and the test passes. If the controls are misconfigured, incomplete or absent, the files execute and the test fails. There is no interpretation, no reliance on policy declarations, and no assumption that what is configured is what is enforced. This is precisely the testing approach the ACSC defines as its highest evidence quality standard.
For Restrict Microsoft Office Macros and User Application Hardening, Introspectus uses definition-driven comparison. The agent downloads authoritative definition files, specifying how every required setting must be configured across Active Directory, Microsoft Intune, and Group Policy, and compares them against what is actually present on the device.
For Restrict Microsoft Office Macros, every required macro control is checked: whether macros are disabled for users without a demonstrated business requirement, whether macros in files originating from the internet are blocked, whether antivirus scanning is enabled, and whether users are prevented from changing these settings.
For User Application Hardening, hardening definitions covering web browsers, Microsoft Office, PDF software and email clients are compared against actual device configuration. Every required setting is checked across the full scope of applications the ACSC requires to be hardened.
For Restrict Administrative Privileges, definition comparison is applied to validate privilege management configuration, with additional structured assessment of how privileged and unprivileged environments are separated and governed. This hybrid approach reflects the nature of the control: some requirements are verifiable through configuration inspection, while others require broader assessment of governance and access decisions.
In all cases, if every required setting is present and correctly configured the test passes. If any setting is missing or incorrect the test fails, and the specific gap is identified and reported.
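The pass/fail rule above, sketched for the macro checks as an added example (not Introspectus code or its definition format). The setting names, the `locked` flag and the sample devices are hypothetical and constructed for illustration.

```python
# Constructed definition: hypothetical setting names, not real Group Policy,
# Intune or Introspectus definition keys.
DEFINITION = {
    "macros_disabled_without_business_need": True,
    "block_macros_from_internet": True,
    "macro_antivirus_scanning": True,
}

def compare(definition, device):
    """Return (passed, gaps).

    `device` maps setting name -> {"value": ..., "locked": bool}, where
    "locked" means the value is enforced by policy and users cannot change it.
    """
    gaps = []
    for name, required in definition.items():
        actual = device.get(name)
        if actual is None:
            gaps.append((name, "missing"))
        elif actual["value"] != required:
            gaps.append((name, f"expected {required!r}, found {actual['value']!r}"))
        elif not actual.get("locked", False):
            gaps.append((name, "correct but user-changeable"))
    # The test passes only when no required setting has a gap.
    return (not gaps, gaps)

# Constructed sample devices.
COMPLIANT = {name: {"value": True, "locked": True} for name in DEFINITION}
DRIFTED = {
    "macros_disabled_without_business_need": {"value": True, "locked": False},
    "block_macros_from_internet": {"value": False, "locked": True},
    # "macro_antivirus_scanning" is absent on this device.
}

if __name__ == "__main__":
    for label, device in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        passed, gaps = compare(DEFINITION, device)
        print(label, "PASS" if passed else "FAIL", gaps)
```

A setting that holds the right value but can still be changed by the user is reported as a gap, which mirrors the requirement that users are prevented from changing macro settings.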
For Patch Applications and Patch Operating Systems, Introspectus uses automated intelligence gathering to assess patch currency continuously.
For Patch Applications, Introspectus audits every device for the application name, vendor and installed version. This data is consolidated into a master application inventory. For each application identified, Aletheia, Introspectus’s AI analysis agent, locates the top authoritative sources of patch and release information, retrieves that content into a central repository, and extracts the intelligence that matters: the latest available version, whether a release addresses a security vulnerability, and all information relevant to the Essential Eight Patch Applications requirements. This intelligence is mapped directly to the applicable ISM controls.
For Patch Operating Systems, Introspectus downloads the daily Microsoft patch list, filters it by severity, prioritising critical and actively exploited vulnerabilities, and distributes the filtered list to every agent across the environment. Each agent compares the list against what is actually installed on its device. Critically, Introspectus tracks when patches were applied, not just whether they are present. This timing data is central to Essential Eight compliance, where the difference between a patch applied on day one and a patch applied on day thirty determines maturity level outcomes.
For Multi-factor Authentication and Regular Backups, Introspectus provides structured assessment of configuration and intent, validating that the right decisions have been made and implemented, and producing clear, audit-ready evidence of organisational due diligence across these controls.
Introspectus Assessor is built on two technical components that extend its reach across complex enterprise environments and into the external systems where compliance evidence increasingly lives.
In many enterprise environments, particularly in government and defence contexts, endpoints operate on networks with restricted or no direct internet access. The Introspectus Proxy is designed specifically for these environments.
Rather than requiring each agent to communicate directly with external services, the proxy acts as a central intermediary within the network boundary. Agents communicate with the proxy, which manages all external connectivity on their behalf: retrieving daily Microsoft patch lists, downloading application intelligence from vendor sources, collecting definition files for macro and hardening assessments, and uploading results to the Introspectus Portal. From the perspective of the network, only a single controlled point of egress is required.
This architecture means organisations with strict outbound traffic controls, air-gapped segments, or complex perimeter configurations can deploy Introspectus Assessor at full capability without compromising their network security posture. Every agent across the environment participates in continuous assessment regardless of its individual network access constraints.
Currently in development, the Introspectus third-party connector framework extends the platform’s assessment capability to controls that depend on evidence held in external systems rather than on the endpoint itself.
The initial release of third-party connectors will target three Essential Eight strategies that are particularly difficult to assess through agent-based endpoint inspection alone: Multi-factor Authentication, Restrict Administrative Privileges, and Regular Backups. For each of these strategies, the authoritative source of truth typically lives in identity platforms, privileged access management systems, or backup infrastructure, not on individual devices.
By connecting directly to these external sources, Introspectus will be able to retrieve structured evidence of configuration and effectiveness, validate it against Essential Eight requirements, and incorporate it into the same continuous compliance posture reported across all other controls. The result is a single, unified view of Essential Eight compliance covering both endpoint-level and infrastructure-level evidence, without requiring manual evidence collection from multiple platforms.
The third-party connector framework is designed to be extensible, with additional source integrations planned beyond the initial release.
The diagram below shows how these two components fit within the broader Introspectus architecture.
Essential Eight compliance is not simply an IT obligation. It is a governance responsibility that sits with executives and boards.
The Australian Signals Directorate is explicit that organisations must be able to demonstrate effective implementation, not just assert it, and that where government directives, regulatory requirements or contractual arrangements require independent assessment, the quality and defensibility of evidence directly affects outcomes.
Introspectus Assessor shifts the compliance burden from periodic, expensive engagement to a continuous, automated capability. When an assessment is required, the evidence is already there. When a gap appears, it is identified immediately rather than at the next audit cycle. When a board asks whether the organisation’s security controls are working, the answer is available in real time, not in a report written six months ago.
Each agent compares the current patch list against what is actually installed on its device. Any gap between what has been released and what is deployed is immediately surfaced. Critically, Introspectus pays particular attention to the timing of patch deployment: not just whether a patch is present, but when it was applied.
This temporal dimension is central to Essential Eight compliance, where the difference between a patch applied on day two versus day thirty can mean the difference between maturity levels, and between an environment that was protected and one that was exposed.
This combination of daily patch intelligence, severity-based filtering, agent-level validation, and deployment timing analysis gives organisations a real-time, evidence-based view of their operating system patch posture mapped directly to the ISM controls applicable to the Essential Eight patch operating systems strategy.
The visibility gap here is particularly consequential. A patch may be approved and scheduled, yet never successfully applied due to a failed deployment, a device that was offline during the maintenance window, a reboot that was deferred, or a system that exists outside managed channels entirely.
Organisations that rely solely on deployment tooling to confirm patch status are measuring intent, not reality. The ACSC is explicit on this point: organisations need to confirm patches have been applied successfully, not merely that they were dispatched.
Within the Essential Eight framework, patching operating systems is a core and non-negotiable control. The ACSC sets clear expectations: patches for internet-facing infrastructure must be applied within 48 hours when identified as critical or where working exploits exist, and within two weeks for standard releases.
Patches for workstations, servers, and network devices must be applied within one month, with tighter timeframes applying in high-threat environments. Critically, the ACSC also mandates that vulnerability scanning occurs at least daily for internet-facing systems and at least fortnightly for workstations and non-internet-facing infrastructure, not to replace patching, but to confirm it has actually occurred.
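The timing comparison described above, as an added example (not Introspectus code): each released patch is checked against the device's recorded install time using the timeframes stated in this section. The patch identifiers, dates and the 30-day reading of "one month" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows as stated in the text above; "one month" is taken as 30 days (assumption).
URGENT, STANDARD, INTERNAL = timedelta(hours=48), timedelta(days=14), timedelta(days=30)

@dataclass(frozen=True)
class Patch:
    patch_id: str        # constructed identifier, not a real Microsoft KB number
    released: datetime
    critical: bool
    exploited: bool      # a working exploit exists

def deadline(patch: Patch, internet_facing: bool) -> datetime:
    """Latest acceptable install time for this patch on this class of device."""
    if not internet_facing:
        return patch.released + INTERNAL
    if patch.critical or patch.exploited:
        return patch.released + URGENT
    return patch.released + STANDARD

def assess(patches, installed, internet_facing, now):
    """Classify each released patch; `installed` maps patch_id -> install time."""
    findings = {}
    for p in patches:
        due, applied = deadline(p, internet_facing), installed.get(p.patch_id)
        if applied is None:
            findings[p.patch_id] = "missing-overdue" if now > due else "missing-in-window"
        else:
            findings[p.patch_id] = "applied-in-time" if applied <= due else "applied-late"
    return findings

# Constructed sample data: four releases and what one device reports as installed.
NOW = datetime(2024, 3, 20)
PATCHES = [
    Patch("PATCH-A", datetime(2024, 3, 1), critical=True, exploited=False),
    Patch("PATCH-B", datetime(2024, 3, 1), critical=False, exploited=False),
    Patch("PATCH-C", datetime(2024, 3, 12), critical=False, exploited=True),
    Patch("PATCH-D", datetime(2024, 3, 10), critical=False, exploited=False),
]
INSTALLED = {
    "PATCH-A": datetime(2024, 3, 2, 9, 0),
    "PATCH-B": datetime(2024, 3, 18),
}

if __name__ == "__main__":
    for facing in (True, False):
        print("internet-facing" if facing else "internal",
              assess(PATCHES, INSTALLED, facing, NOW))
```

PATCH-B is present on the device in both runs, yet it is only in time on the internal device: a presence-only check would report it as compliant on the internet-facing one as well.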
From this inventory, Introspectus performs targeted web intelligence gathering. For each application identified, the platform locates the top five authoritative sources of patch and release information (vendor security advisories, release notes, and vulnerability databases) and retrieves that content into a central repository.
Aletheia, Introspectus’s AI analysis agent, then reads and analyses this content to extract the intelligence that matters for application patching: the latest available version, whether a release addresses a security vulnerability, the severity of that vulnerability, and all information relevant to the Essential Eight application patching requirements. This structured intelligence is mapped directly to the applicable ISM controls, producing defensible, audit-ready evidence of an organisation’s application patch compliance posture.
A critical and frequently overlooked problem is the visibility gap. Organisations may believe their applications are current when, in reality, patches have silently failed, devices have missed deployment windows, or software has been installed outside of managed channels entirely.
Without continuous inspection at the endpoint level, these gaps go undetected until an audit or, worse, a breach.
Within the Essential Eight standard, patching applications is a dedicated and non-negotiable control. The ACSC specifies clear timeframes: critical vulnerabilities in internet-facing services must be addressed within 48 hours, commonly used applications such as office productivity suites, web browsers, email clients and PDF software must be patched within two weeks of release, and all other applications within one month.
For organisations in high-threat environments, the bar is higher still. Meeting these requirements consistently across hundreds of distinct applications deployed across thousands of endpoints is not achievable through manual effort alone.