Productized Essential Eight uplift · Australian organisations
Essential Eight uplift, packaged. Fixed scope, fixed price, defensible evidence.
Most buyers cannot get a straight answer on what Essential Eight uplift costs or how long it takes. We publish three fixed-price packages with the deliverables on the page, a defined timeline, and an attestation guarantee that holds us, not you, to the result.
- ISO 27001:2022 certified delivery
- ACSC Essential Eight aligned
- AUKUS / ITAR Australian Authorized User
- NSW Health SOA panel
Scoping calls run 30 minutes. We will not pitch you. We will ask which package fits and where you are coming from. Most calls end with a yes or a polite decline.
Three packages. Pick the one that fits.
Each package is a fixed-scope, fixed-price engagement with a defined timeline and a signed evidence pack at the end. No bespoke discovery calls to learn what it costs.
Small
Up to 50 endpoints, single site
AU$18,000
Fixed price. 50% on kick-off, 50% on evidence-pack handover.
Fits: Allied health practices, single-clinic radiology, small legal or accounting firms, NFPs preparing for cyber insurance renewal.
Timeline: 6 weeks
What you get
- Baseline maturity assessment against all eight ACSC mitigation strategies
- Identity hardening: MFA coverage, conditional access, named admin accounts on Entra ID
- Application control deployment on Windows endpoints (NinjaOne)
- Patch baseline: operating systems and Microsoft 365 applications
- Backup scope review with one tested restore (Veeam, Datto, or M365-native)
- Microsoft Office macro hardening + user application hardening defaults
- Audit-ready evidence pack: policy summaries, control screenshots, dated test logs
- Two-hour handover briefing for your internal accountable executive
Out of scope
- Server or appliance replacement
- Custom application allow-listing beyond NinjaOne templates
- On-site work (delivery is remote; on-site billed separately at agreed day rate)
Secure card payment via Stripe. 50% (AU$9,000) is the kick-off invoice; the remaining 50% bills on evidence-pack handover. Your engagement agreement and ABN tax invoice arrive within one business day.
Most common fit
Mid
50 to 250 endpoints, one to five sites
AU$45,000
Fixed price. 40% on kick-off, 40% on remediation completion, 20% on evidence-pack handover.
Fits: Multi-site GP groups, mid-sized imaging practices, regional councils, professional-services firms with sensitive client data, ASX300-adjacent compliance pressure.
Timeline: 10 weeks
What you get
- Everything in the Small package, scaled to your endpoint and site count
- Maturity uplift to a target level you nominate (typically ML1 to ML2 across all eight)
- Conditional access policy build matched to your business application footprint
- Privileged access management baseline (Entra ID PIM or Keeper Security PAM)
- Patch baseline extended to driver and firmware where the platform supports it
- Backup scope review with one tested full restore + one tested partial restore
- Multi-site network segmentation review (Fortinet, Cisco, or Palo Alto firewall config audit)
- User awareness baseline: Huntress Security Awareness Training or equivalent enrolment
- Audit-ready evidence pack with traceability matrix mapping each control to ASD ISM and ACSC E8 Maturity Model references
- One QBR-style review meeting at month three to validate run-state
Out of scope
- Bespoke application allow-listing engineering beyond standard image
- On-site work outside the Sydney metro (billable at agreed day rate plus travel)
- Replacement hardware (workstations, firewalls, switches) where the existing fleet is end-of-life
Enterprise
250+ endpoints or multi-tenant / multi-jurisdiction
AU$95,000
Fixed scope, indicative price. Final price confirmed in writing within five business days of scoping call.
Fits: Hospital and Local Health District corporate IT, ASX-listed organisations, government department contractors, multi-jurisdiction radiology and pathology groups, regulated-industry organisations with existing SIEM and SOC investment.
Timeline: 14 to 18 weeks
What you get
- Everything in the Mid package, scaled across your business units, jurisdictions, and identity boundaries
- Maturity uplift to your target level across nominated mitigation strategies, sequenced against business risk and change-window constraints
- Identity federation review: cross-tenant access, third-party SaaS application inventory, B2B guest hygiene
- Application control engineering: WDAC or AppLocker policy build with allow-listing for line-of-business applications
- Privileged access management deployment with session recording and just-in-time elevation
- Patch governance design including emergency patching SLAs and change-management integration
- Backup architecture review including offsite immutability, retention, and tested recovery against board-stated RPO and RTO
- SIEM tuning for E8 telemetry (Microsoft Sentinel, Splunk, Adlumin, or Falcon LogScale) with named playbooks
- Audit-ready evidence pack with traceability to ASD ISM, ISO 27001:2022 Annex A control IDs, and Essential Eight Maturity Model levels
- Two named senior consultants throughout the engagement: a delivery lead and a quality reviewer who signs the evidence pack
- Quarterly tune-up engagements (six months post-handover) at no additional fee
Out of scope
- Production workload migration or new-platform deployment (scoped separately as a project)
- Penetration testing or red-team engagement (recommended provider list supplied)
- 24/7 SOC operations (covered under Trucell managed security service line, scoped separately)
All prices in Australian dollars, exclusive of GST. Multi-year managed-services contracts may include the uplift package at a discounted rate; discuss in the scoping call.
The Trucell attestation guarantee
If your nominated assessor finds a gap in our delivered scope within six months, we close it. No additional engineering fee.
Every package ships with a written evidence pack and a documented estate boundary at handover. If your nominated assessor flags a control gap inside that delivered scope during their attestation review in the first six months, Trucell remediates the gap at no additional engineering fee. We accept any IRAP-endorsed practitioner, any ISO 27001:2022 lead auditor, your cyber-insurance underwriter’s nominated reviewer, or another qualified third party agreed in writing during the scoping call.
What’s covered: every control we deployed against the estate documented at handover. What is not: net-new endpoints, new sites, new business applications, or third-party platforms introduced after handover. Net-new controls outside the Essential Eight framework (penetration testing, 24x7 SOC operations, red-team exercises) are scoped separately if you need them.
If we do not believe your maturity target is achievable within your budget, timeline, or platform stack, we will tell you in the scoping call and decline the engagement rather than ship a result that fails review. The guarantee exists because we mean it, not because it reads well.
The engagement agreement is the controlling document for the guarantee terms. Standard Trucell terms apply; see /terms-and-agreements/.
How an engagement runs
Same shape across all three tiers. Timeline scales with engagement size; the phases do not change.
- Week 1: Discovery and baseline
  Discovery workshop with your accountable executive and IT lead. We document your current estate (endpoints, identity source, network perimeter, backup posture, application list), run the ACSC Essential Eight Maturity Model assessment, and produce a written baseline report. You sign off on scope before we touch production.
- Weeks 2 to 6: Remediation and controls deployment
  Controls deployed in priority sequence aligned to risk and to the platforms you already run. Identity hardening first (highest leverage), then application control, patching, backup verification, macro and user-application hardening. Daily change records, weekly status update to your executive sponsor, no surprises.
- Weeks 7 to 10: Evidence pack and handover
  We assemble the evidence pack: policy summaries, control screenshots dated against your tenant, restore test logs, traceability matrix mapping each control to ACSC ML levels and (where in scope) ISO 27001:2022 Annex A IDs. Two-hour handover briefing for your accountable executive. Pack ships in PDF and editable format so your auditor can annotate it.
- Month 6: Attestation review tune-up
  Six months after handover, your nominated assessor reviews the evidence pack. If they flag gaps inside our delivered scope, we remediate at no additional fee. If everything passes, we hand the run-state to your in-house IT or to a Trucell managed service if you have engaged one.
Why this is defensible when your auditor opens it
Three things sit behind every Trucell Essential Eight engagement: the framework expertise, the operating evidence, and the governance posture. Buyers checking us against alternatives consistently land on these.
ACSC framework expertise in production
Trucell delivers Essential Eight controls on the same operating stack we run for clients day-to-day (NinjaOne, Microsoft 365, Entra ID, Fortinet, Veeam, Datto, NetApp). The framework expertise is not a slide deck written by a consultant who does not touch production. It is the same engineers who triage your tickets.
ISO 27001:2022 certified delivery (Trucell Pty Ltd certificate 500-27285-IS)
Our own information security management system is audited annually by Citation Certification (JAS-ANZ accredited). The control discipline we apply to your Essential Eight uplift is the same discipline we apply to our own operations. An auditor asking for our governance evidence gets a current copy on request.
Government and panel credentials
NSW Health SOA HSSP_HC22_AME885 panel approved, AUKUS / US ITAR Australian Authorized User status, NVIDIA Partner Network member. The credentials Australian regulated organisations use to filter shortlists are in our cabinet, not in a marketing slide.
Fixed price, fixed scope, signed evidence
Most Essential Eight engagements are quoted bespoke and re-scoped twice during delivery. Buyers find this offer because they were burned by an open-scope engagement that drifted past budget. Our scope is on this page; our price is on this page; our evidence ships as a dated PDF you can hand to your reviewer without translation.
Ready to scope a tier?
Thirty-minute scoping call. We confirm which tier fits your endpoint count, your timeline, and your auditor's framework expectations. You walk away with a fixed-price proposal in five business days.
Questions buyers ask before they book
What if we have started Essential Eight already? Do we get a discount?
No discount, but a credit. If your baseline assessment shows you have already met a control at the maturity level we would deliver, that work is removed from the scope and the engagement runs shorter. You pay the same fixed package price; you receive the same evidence pack; the engagement just lands faster. We are explicit about this in the scoping call.
What if our auditor finds a gap?
If the gap is inside the scope we documented at handover, Trucell remediates at no additional fee, within a six-month window from handover. If the gap is outside that scope (a net-new endpoint, a new SaaS application, an application allow-listing rule the customer changed post-handover), we remediate at standard hourly rates with the work scoped in writing first.
We are mid-tender. Can you turn around a proposal in a week?
Yes. Book the scoping call and share the tender requirements; more often than not, they fit one of the three standard tiers. We will return a fixed-price proposal aligned to the tier within five business days. If the tender requires custom controls we do not include in the standard package, we will scope and price them as line items rather than re-invent the engagement.
Do you operate the controls afterwards, or do we?
Either model. The package as defined hands the run-state to your in-house IT or your existing MSP. If you want Trucell to operate the controls afterwards, we add a Strategic Managed Service engagement (separate contract, separate scope, separate price). Many clients choose the managed path because the same engineers who delivered the uplift are easier to escalate to than a third party that inherits a control set it did not design.
Why publish a price? Most MSPs do not.
Two reasons. First, buyers respect it: hiding price behind a "let us scope" call costs both parties hours of time when the answer is going to land in one of three tiers anyway. Second, our cost-to-deliver at each tier is well-understood; we have run enough of these engagements that the variability lives in scope (which we publish) rather than in delivery (which we have systematised). If your scenario does not fit one of the published tiers, the scoping call surfaces that quickly.
Can we pay in stages tied to milestones?
Yes, and the package billing structure already reflects this. The Small tier bills 50% on kick-off and 50% on evidence-pack handover. The Mid tier bills 40% / 40% / 20% across kick-off, remediation completion, and handover. The Enterprise tier bills against the milestones defined in the scoping document. Net 30 unless your procurement framework dictates otherwise.
What if we want a level of maturity above what is in the package?
The Mid tier already lifts most environments to ML2 across all eight strategies. ML3 across all eight is rare in practice and is scoped as a separate Enterprise-only engagement with an extended timeline and pricing reflecting the engineering load. We will tell you in the scoping call whether ML3 is realistic for your platform footprint and your risk tolerance.
Book the scoping call
Three packages, on the page. If your environment fits one, you can book delivery without another round of bespoke quoting. If your scenario is unusual, the scoping call surfaces that in 15 minutes.
Trucell Pty Ltd · ABN 93 113 471 873 · ISO 27001:2022 certified (Trucell Pty Ltd, certificate 500-27285-IS, Citation Certification, JAS-ANZ accredited)