Essential Eight Cybersecurity & DISP Services for Defence SMEs

What We Do Differently

• We sell outcomes, not tools: measurable Essential Eight (essential 8) cyber security outcomes at Maturity Level 2 — not aspirational targets.
• We make security visible: Dashboards, controls, and evidence are always on and always accessible.
• We design for sustainability: Drift is detected, reviewed, and corrected over time.
• We design for Defence reality: Evidence and governance are first-class requirements, not afterthoughts.
• Sovereign by design: All Calexi-operated service data, including security telemetry and evidence, is stored and processed within Australia under Calexi’s operational control.
• We control cost by design: Enterprise licences are used only where they add measurable value.
• Designed for Defence SMEs and small businesses: practical cybersecurity uplift that supports DISP Membership and audit-ready evidence without enterprise complexity.

Essential Eight ML2 (essential 8) becomes your steady state for sustainable cybersecurity and DISP Membership readiness.

What’s Included

• Identity & access hardening: MFA enforcement and privileged access boundaries
• Endpoint baselines and enforcement: Standardised device baselines + drift detection + patching approach
• Centralised logging & monitoring (ML2-aligned): Log sources, retention, monitoring approach (business hours, best-effort)
• Continuous configuration uplift: Controls are implemented, monitored, and improved; drift is detected and reviewed
• Auditor-ready evidence pack: Produced from live systems/configurations and reflects current service state
• DISP-aligned documentation support: Evidence pack and templates to support DISP discussions (this service does not provide “certification”)

This service supports organisations participating in, or preparing for, DISP Membership and Essential Eight (essential 8) cyber security maturity outcomes aligned to the ASD and ACSC framework. → Learn more about DISP requirements

DISP Essential Eight Evidence Pack (sample contents)

Your assessors want proof. This service generates it continuously.

Typical pack contents include:

• Recovery readiness: Backup architecture, isolation and recovery tenant design, restore testing evidence (where applicable).
• Governance & accountability: Responsibility statements, vCISO summary, policy set, and risk treatment approach.
• Identity & access: MFA enforcement, privileged access separation, credential management, and access lifecycle controls.
• Endpoint & server security: Baseline configuration summaries, drift detection, patching approach, and endpoint protection evidence.
• Logging & monitoring: Log sources, retention settings, SIEM scope, and alert handling approach.

All evidence is aligned to Essential Eight Maturity Level 2 and reflects the current operational state of the service.

What This Is Not

• Not a 24/7 Security Operations Centre (SOC)
• Not incident response on demand (incident response execution is a separate engagement)
• Not bespoke, per-client “snowflake” builds

Assurance boundaries

We assure that:

• Essential Eight controls within scope are implemented, monitored, and continuously improved
• Configuration drift is detected and reviewed
• Logging is centrally available and aligned to Essential Eight Maturity Level 2 expectations
• Recovery capability is maintained where applicable
• Evidence is available to support DISP discussions

We do not assure:

• Client governance decisions or risk acceptance
• The absence of security incidents
• Guaranteed detection or response timeframes
• Audit outcomes outside the defined service scope

This service is designed to deliver Essential Eight ML2 outcomes — not to replace a SOC or in-house risk ownership.

Client SaaS platforms (such as Microsoft 365) remain under the client’s tenancy and control; Calexi configures, monitors, and extracts evidence from these platforms in line with Essential Eight requirements.

Predictable, SME-Appropriate Pricing

Pricing is per-user, per-month.
No ingestion fees. No surprise uplift costs.
Designed to scale from 1 to 20 staff cleanly.

Most Essential Eight Defence SMEs operate in the Assured (ML2) tier.

One-off onboarding costs may apply for assured and advanced tiers.

Eligibility

Who this is for

• Australian-owned Defence industry and regulated SMEs and small businesses, or organisations operating under Australian legal jurisdiction
• Organisations seeking Essential Eight (essential 8) cyber security outcomes and DISP Membership readiness without building enterprise security capability in-house
• Organisations willing to operate under a shared responsibility model, where:
  • You retain ownership of ICT risk and compliance decisions
  • Calexi implements, operates, and evidences the controls

Eligibility basics

To be eligible for this service, organisations must:

• Participate in onboarding and governance discussions required to establish scope, responsibilities, and evidence expectations
• Adopt a standardised Calexi service architecture and control baseline
• Accept continuous evidence generation aligned to Essential Eight Maturity Level 2
• Retain ownership of ICT risk, DISP submissions, and assessor engagement

Platform integrity and client protection

This service is delivered on a shared, Defence-aligned platform. To protect all clients:

• Bespoke or out-of-pattern builds are not supported
• Design exceptions are limited, risk-assessed, and formally approved
• Clients whose environments introduce unacceptable risk to the platform or other customers may be deemed ineligible or required to remediate before continuing

This service is intentionally selective to ensure platform integrity and Defence obligations are maintained.

Proven Capability in the Field

We’ve helped Defence SMEs stabilise corporate ICT, uplift Essential Eight maturity, and generate evidence that supports assessor discussions — within real-world budgets and timeframes.