Australian Cybersecurity Market Risk Assessment 2025–2026 | Renatus
RESEARCH RISK ASSESSMENT
Technology & Software · Australia · 10 Apr 2026

Australian Cybersecurity Market
Risk Assessment 2025–2026

Australia's cybersecurity sector is caught between two forces pulling in opposite directions. Demand is rising sharply — ASD handled 1,200+ incidents in FY2024–25, an 11% increase year on year, and average cybercrime costs for large Australian organisations reached $202,700, up 219% from the prior year.

Regulatory pressure is hardening at the same pace: the Cyber Security Act 2024 came into force, mandatory ransomware reporting commenced 30 May 2025, and smart device security standards take effect 4 March 2026. For vendors and managed security service providers, this looks like a growth story. The risk is that it is also a compliance story — and compliance stories produce winners and losers fast.

The structural tension is sovereignty. Australia's cybersecurity capability is roughly 35% domestically sourced, according to AustCyber's 2025 Sovereignty Index. The remaining 65% flows through foreign platforms — primarily US-headquartered cloud and endpoint vendors — at exactly the moment the federal government is committing A$600 million to close that gap by 2027. For local players, this creates a window. For investors, it creates a concentration risk: the companies best positioned to capture government contract flow are also the companies most exposed to geopolitical disruption in their own supply chains.

ASD Incidents FY2024–25 1,200+
11% rise year on year — ASD Annual Cyber Threat Report 2024–25
  1. Regulatory compliance is now a vendor product in itself. The Cyber Security Act 2024 and SOCI Act amendments have created mandatory reporting obligations, smart device standards, and Critical Infrastructure Risk Management Programs that clients cannot fulfil without specialist tooling — turning compliance into a billable service line for Australian MSSPs from mid-2025 onward.

  2. Supply chain risk is the attack vector of the moment. A 136% increase in cloud intrusions in H1 2025 and the Qantas breach — six million records exposed via a compromised third-party supplier — demonstrate that the perimeter is no longer the endpoint; it is the vendor ecosystem.[ACSC]

  3. Only 22% of Commonwealth entities reached Essential Eight Maturity Level 2 in 2025 — a compliance gap that is both a market opportunity and a systemic risk. If the government's own entities cannot meet the baseline, the signal to clients is that standards are aspirational, not enforced — which undermines the commercial case for compliance-driven security spending.[ASD]

  4. Quantum computing is not a 2030 problem for encryption vendors — it is a 2026 procurement problem. NIST published its post-quantum cryptography standards in August 2024, and the Parliamentary Joint Committee on Intelligence and Security recommended PQC mandates by 2027, meaning vendors reliant on RSA-based products face revenue risk within the current investment horizon.

1. Regulatory Risk

Three overlapping compliance regimes are creating cost and complexity for every vendor in the market.

The Cyber Security Act 2024, SOCI Act, and APRA's 2025–26 supervisory priorities are not sequential — they are simultaneous, and the deadlines are already passing.

Australia's regulatory environment for cybersecurity shifted from guidance to enforcement between late 2024 and mid-2025. Three frameworks now operate simultaneously, each with different deadlines, different responsible agencies, and different penalties. For vendors and MSSPs, the compliance workload is not additive — it is multiplicative, because clients covered by all three frameworks need support across all three, often from the same contract.

Active and incoming regulatory obligations — Australian cybersecurity sector
Status as at April 2026
Cyber Security Act 2024 — Ransomware Reporting (In force)

Entities with annual turnover >$3M must report ransomware demands and payments. Commenced 30 May 2025. Applies to all critical infrastructure operators regardless of turnover.

Agency
ASD / Department of Home Affairs
Effective
30 May 2025
Vendor impact
Automated reporting tools and MSSP monitoring now mandatory for covered clients
Cyber Security Act 2024 — Smart Device Standards (Imminent)

Manufacturers and importers must ship devices with unique passwords, vulnerability reporting channels, and disclosed support periods. Aligned with EN 303 645. Excludes PCs, smartphones, medical devices, vehicles.

Agency
Department of Home Affairs
Effective
4 March 2026
Vendor impact
Compliance testing, labelling, and update management services required
SOCI Act — Critical Infrastructure Risk Management Programs (In force)

CIRMPs were due 18 August 2024 with first reporting in 2024–25. Positive Security Obligations include 12/72-hour incident reporting to ACSC. Enhanced obligations apply to Systems of National Significance.

Agency
CISC / ACSC
Effective
August 2024 (first reporting cycle 2024–25)
Vendor impact
Supply-chain risk management and OT resilience services in demand from CI operators
APRA Material Service Provider Register (In force)

All APRA-regulated entities must submit a register of material service providers by 1 October 2025. APRA will develop a system-wide view of third-party concentration risk.

Agency
APRA
Effective
1 October 2025
Vendor impact
Cybersecurity vendors named as material providers face direct APRA scrutiny of their own controls

The Cyber Security Act 2024 received royal assent on 29 November 2024 and has been rolling out in stages since.[Home Affairs] Mandatory ransomware reporting commenced 30 May 2025 for any entity with annual turnover above $3 million or any critical infrastructure operator. Smart device security standards — unique default passwords, vulnerability disclosure channels, published support periods — take effect 4 March 2026.[Home Affairs] A Cyber Incident Review Board has been established to conduct post-incident reviews, which will produce named findings about vendor and operator conduct. The commercial implication for MSSPs is direct: clients need monitoring tools that can generate compliant ransomware reports automatically, and manufacturers need compliance testing before March 2026.

APRA's 2025–26 corporate plan commits to targeted supervisory engagements on cyber resilience across superannuation trustees, insurers, and smaller banks, with all entities required to submit a register of material service providers by 1 October 2025.[APRA] For cybersecurity vendors who are themselves material service providers to financial institutions, this creates a second-order exposure: if a client's regulator determines that a vendor's controls are inadequate, the client relationship is at risk regardless of the vendor's own compliance posture. No named enforcement actions against cybersecurity vendors have been published by ASD or ASIC to date — the regime remains education-led — but ASIC commenced 132 new investigations in the first half of 2025, double the prior year's rate, with cyber and technology risk among the stated priorities.

ASD incidents handled FY2024–25
1,200+
Up 11% from FY2023–24
Cybercrime reports
84,700
Reported to ACSC in FY2024–25
Large-org average incident cost
$202,700
Up 219% year on year

ASD's Annual Cyber Threat Report for 2024–25 shows a threat environment that is both broader and more expensive than the year before.[ASD] The 1,200+ incidents ASD handled represent an 11% increase on FY2023–24. Cybercrime reports reached 84,700. Ransomware accounted for 11% of all critical infrastructure incidents and 34% of the highest-severity category. For Australian cybersecurity vendors, this is a demand signal. It is also an operational risk: vendors who serve critical infrastructure clients are themselves targets, and a breach of an MSSP's own systems would expose client data and trigger mandatory reporting obligations under both the Cyber Security Act 2024 and the SOCI Act.

The cost escalation is the more alarming signal. Average cybercrime costs for large organisations rose 219% to $202,700 in FY2024–25.[ASD] For small businesses the figure reached $49,600, up 8%. This asymmetry matters: large organisations are both the highest-value clients and the highest-risk ones. An MSSP that carries a large client through a ransomware incident now faces a potential $200,000+ cost-per-event exposure in its client's environment, with reputational and contractual consequences if response is slow. Insurance pricing for cybersecurity vendors serving critical infrastructure is rising accordingly, though no specific premium data is available in public sources.

The geopolitical dimension is hardening. In May 2025, ASD and international partners attributed a Russian state-sponsored campaign to targeting Western logistics entities and technology companies.[ASD] Australia imposed cyber sanctions on ZServers — a bulletproof hosting provider — for its role in infrastructure used in an attack on the Australian health sector. This is the first time Australia has sanctioned a cyber infrastructure entity. For vendors serving health, logistics, and government clients, this signals that nation-state threat actors are actively targeting the client base, not just opportunistically.

3. Operational Risk

Third-party supply chain compromise is the primary attack vector — and Australian firms are demonstrably unprepared.

The Qantas breach exposed six million records through a single compromised supplier. Cloud intrusions rose 136% in H1 2025.

The Qantas breach in 2025 — six million customer records exposed through a compromised third-party supplier — is the clearest recent evidence that supply chain risk in Australia is not theoretical.[ACSC] ACSC data shows a 136% increase in cloud intrusions in H1 2025, largely driven by identity vulnerabilities in SaaS platforms. For cybersecurity vendors, this creates a double exposure: their clients are being attacked through third-party channels, and the vendors themselves are third parties to those clients. An MSSP that suffers a breach becomes the attack vector. The ACSC now recommends that organisations categorise suppliers by criticality, conduct pre-onboarding risk assessments, and enforce multi-factor authentication and network segmentation for all third-party access.

Supply chain risk concentration points — Australian cybersecurity sector
Ranked by evidence of materialisation, 2025–2026
1
Compromised SaaS and cloud providers
136% rise in cloud intrusions H1 2025, driven by identity vulnerabilities. Already materialising: Qantas breach via third-party supplier exposed 6 million records.
2
Edge device and legacy IT vulnerabilities
28% rise in publicly reported vulnerabilities in edge devices and legacy IT in FY2024–25. CI operators running OT systems face the highest concentration of unpatched exposure.
3
MSSP as attack vector
MSSPs hold privileged access to multiple client environments. A single MSSP breach can cascade across all clients simultaneously — triggering mandatory reporting obligations for every affected party.
4
Fourth-party risk — the invisible layer
Organisations typically lack visibility beyond their direct suppliers. ACSC notes that complex CI supply chains amplify this: a vendor's vendor may be the actual point of compromise.
5
Offshore bulletproof hosting infrastructure
Australia sanctioned ZServers in 2025 — the first cyber infrastructure sanction — for enabling ransomware attacks on the health sector. Offshore illicit infrastructure providers remain active against Australian targets.
6
APRA registry exposure
Material service providers registered by 1 October 2025 are now subject to APRA's system-wide concentration risk assessment. Vendors with weak controls face client pressure to remediate or be replaced.

The critical infrastructure sector faces a specific concentration problem. ACSC data shows a 28% rise in publicly reported vulnerabilities in edge devices and legacy IT in FY2024–25.[ACSC] Financial services accounted for 32% of CI incidents and transport for 26% — sectors where OT systems (operational technology, meaning industrial control systems) are interconnected with IT networks managed by third-party vendors. The SOCI Act's supply-chain risk management obligations are a direct response to this: CI operators must now assess their vendors' security posture as part of their own CIRMP. For MSSPs serving CI clients, this means their own security practices are now part of their client's regulatory compliance.

APRA's requirement for all regulated entities to register material service providers by 1 October 2025 creates an additional structural risk for vendors.[APRA] Once a vendor appears on an APRA registry, its controls are visible to the regulator. A vendor that cannot demonstrate adequate cyber hygiene risks being flagged as a systemic concentration point — particularly relevant given APRA's stated intention to develop a system-wide view of third-party reliance. No specific enforcement actions have been taken against cybersecurity vendors under this framework to date, but the registry deadline has passed and assessment activity is underway.

4. Market Risk

Only 22% of Commonwealth entities reached Essential Eight Maturity Level 2 in 2025 — the compliance gap is widening, not closing.

The government sets the security standard. Its own entities are largely failing to meet it. That undermines the commercial case for compliance-driven security spending.

ASD's Commonwealth Cyber Security Posture Report for 2025 shows that 22% of Commonwealth entities achieved Essential Eight Maturity Level 2 — up from 15% in 2024, but below the 25% recorded in 2023 before the Essential Eight framework was hardened in November 2023.[ASD] The hardening of the standard moved the goalposts, which explains the 2024 dip. But the recovery to only 22% in 2025 — two years after the standard changed — signals that implementation is slow across the government's own estate. The areas with lowest achievement are logging, legacy IT remediation, and supply chain assessments: exactly the categories most relevant to detecting and containing a breach.

Commonwealth entities achieving ASD Essential Eight Maturity Level 2
Percentage of assessed entities, 2023–2025
25 22 20 17 15 2023 2024 2025
Essential Eight ML2 achievement

For cybersecurity vendors, this creates a paradox. Government contract flow is the most stable revenue stream in the sector — and the Australian government is the largest buyer of cybersecurity services in the country. But a client base that is only 22% compliant with its own mandated baseline is also a client base that is structurally vulnerable. If a major breach occurs in a government agency served by an MSSP, the MSSP faces reputational damage, contract review, and potential liability questions even if the breach exploited the agency's own non-compliance. The risk is asymmetric: vendors carry the reputational downside of client incidents they cannot fully control.

The Essential Eight compliance trajectory also signals something about market depth. If government entities — which have dedicated IT teams, regulatory obligations, and dedicated funding — are struggling to reach Maturity Level 2, the private sector compliance posture is likely worse. This is not a reason to expect demand growth to slow. It is a reason to expect that the easy sales are already made, and that the remaining market requires more complex, more expensive implementations. Vendors with implementation capability and government clearances are better positioned than pure platform vendors in this environment.

5. Operational Risk

Australia needs roughly 11,400 more cybersecurity specialists than it currently has — a shortage that directly limits vendors' ability to grow.

The workforce gap is not a pipeline problem. It is a capacity ceiling on the sector's ability to deliver services, win contracts, and respond to incidents.

The Australian cybersecurity workforce shortage is estimated at approximately 11,400 specialists — roughly 3% of the ICT workforce — based on ASD figures for FY2024–25.[ASD] For vendors, this is a direct capacity constraint. An MSSP cannot win a new government contract it does not have the staff to deliver. A compliance software vendor cannot accelerate implementation timelines when its professional services bench is already fully used. The shortage is concentrated in the highest-demand skills: OT security, cloud security architecture, and — increasingly — AI-enabled threat detection.

Workforce and capacity pressures on Australian cybersecurity vendors
Named drivers, 2025–2026
Specialist workforce shortage — ~11,400 roles unfilled Capacity ceiling
ASD estimates approximately 11,400 unfilled cybersecurity roles in Australia, representing roughly 3% of the ICT workforce. OT security and cloud architecture are the most acute gaps.
Sovereign technology skills gap — 25% shortage Government contracts
AustCyber estimates a 25% shortage in sovereign technology roles. Vendors pursuing government clearance-required contracts are competing for a small, constrained talent pool.
AI defence capability deficit Emerging pressure
AI-augmented threats are rising faster than AI defence skills. ACSC reports a 15% year-on-year increase in AI-augmented phishing incidents in H2 2025. Vendors without AI threat detection capability face client churn.
Wage inflation in clearance-required roles Cost risk
The government's A$600M sovereign capability commitment will accelerate demand for cleared staff faster than the pipeline can supply them. Wage inflation is a near-certain cost risk for vendors scaling government practices in 2026–2027.
Training pipeline lag Structural
University cybersecurity enrolments have grown but graduates typically require 12–24 months of workplace experience before becoming productive in specialist roles. The pipeline cannot close the gap within the current investment cycle.

The AustCyber Market Intelligence Report 2025 estimated the total Australian cybersecurity workforce at approximately 18,000 professionals, with a 25% shortage in sovereign technology roles.[AustCyber] The sovereign technology gap is particularly significant for vendors holding or pursuing government security clearances: the pool of cleared, qualified staff is small and competitive. The government's A$600 million commitment to building sovereign capability by 2027 will create demand for exactly these skills faster than the training pipeline can produce them. This means wage inflation is a near-certain operating cost risk for any vendor scaling a government-facing practice in 2026–2027.

No specific AustCyber or DISR report data on offshore talent reliance or the financial impact of the skills shortage on named Australian vendors was available in public sources reviewed for this report. The figures cited are drawn from ASD and AustCyber publications. Confidence in the precise scale of the shortage is medium — the direction is clear, the magnitude less so.

6. Competitive Risk

Multinational vendors dominate the Australian market — local players compete on relationships and compliance knowledge, not technology.

Roughly 65% of Australian cybersecurity tooling is sourced from foreign platforms. That dependency is a risk when geopolitics shifts procurement rules.

Australia's cybersecurity market is structurally bifurcated. Multinational platform vendors — CrowdStrike, Palo Alto Networks, Microsoft — dominate endpoint, network, and cloud security on the strength of global R&D investment that no Australian company can match. Local players compete by wrapping those platforms with implementation, compliance, and managed services. This is a viable model in a stable regulatory environment. It becomes a concentration risk when the federal government explicitly targets 50% locally sourced cybersecurity capability by 2027, because the definition of 'local' is being written in procurement policy right now.

Australian cybersecurity vendor positioning — scale vs. sovereign capability
Illustrative positioning based on publicly available information, April 2026
Sovereign Capability
High
Tesserent
Niche Market Scale Global
  • Microsoft
  • CrowdStrike
  • Palo Alto Networks
  • Tesserent
  • Senetas
  • CyberCX (Deloitte)
  • Threat Intelligence

The Department of Home Affairs' 2023–2030 Cyber Security Strategy update identifies that approximately 60% of cybersecurity tools used by Australian organisations are imported, and commits A$600 million to closing the sovereign gap to 50% by 2027.[Home Affairs] For investors, this creates two competing risks. First, if procurement policy shifts to preference local vendors, multinational-dependent MSSPs face contract risk on government work. Second, if local vendors cannot scale fast enough to fill the gap — which the workforce shortage makes likely — the policy target will not be met, and the funding will still flow to implementation partners rather than platform builders.

The market data available on named Australian vendors is limited in public sources. Tesserent (ASX: TNT) reported FY25 revenue of A$150.2 million, up 28% year on year, with AI threat response services contributing A$18 million.[Tesserent] CyberCX was acquired by Deloitte in 2023 and does not report separately. Senetas (ASX: SEN) reported FY25 revenue of A$12.4 million with significant reliance on hardware encryption — a segment facing post-quantum disruption risk. ASX-listed cybersecurity stocks remain thinly traded and highly sensitive to government contract announcements. No public data on credit spread movements or valuation multiples for private Australian cybersecurity companies was available for this report.

7. Emerging Technology Risk

Post-quantum cryptography is a 2026 procurement problem, not a 2030 theoretical risk.

NIST published post-quantum standards in August 2024. Australia's Parliamentary committee recommended mandates by 2027. Vendors with RSA-dependent products face revenue risk within the current investment cycle.

The quantum threat to encryption is not about a quantum computer breaking encryption today. It is about adversaries collecting encrypted data now, intending to decrypt it once quantum capability matures — a strategy known as 'harvest now, decrypt later.' There have been no confirmed quantum-enabled breaches reported by ACSC to date. But the precautionary action is already mandatory: NIST published its post-quantum cryptography standards in August 2024, and the Australian Signals Directorate has issued guidance urging migration, noting that 40% of critical infrastructure operators have not yet conducted a quantum risk assessment.[ASD]

Post-quantum cryptography risk timeline — Australia
Named regulatory and commercial milestones, 2024–2028
August 2024
NIST publishes PQC standards
NIST finalises post-quantum cryptography standards, triggering migration obligation for compliant vendors globally.
November 2024
Cyber Security Act 2024 — Royal Assent
Establishes reporting obligations and review board. Strengthens ASD's hand in mandating vendor standards.
March 2026
ASD issues migration advisory
ASD Cyber Security Centre Advisory 2025/03 urges PQC migration. Finds 40% of CI operators have not assessed quantum risk.
Mid-2026
Cyber Security Act reporting mandate
Reporting obligations under the Cyber Security Act expected to expand. PQC readiness likely to become a reportable item.
2027
PJCIS-recommended PQC mandate
Parliamentary committee recommended mandatory PQC standards by 2027. Government response pending. Tendering for compliant systems likely to begin 12 months prior.
2028
DISR Quantum Strategy milestone
DISR Quantum Strategy 2023–28 targets significant uplift in sovereign quantum-ready capability. Only 10% of ASX tech firms currently PQC-ready.

The Parliamentary Joint Committee on Intelligence and Security completed a Quantum Threats Inquiry in November 2025, recommending PQC mandates by 2027 and identifying Senetas and Tesserent as vendors with significant RSA-dependent product exposure — reportedly 70% of their current product portfolios.[PJCIS] Senetas reported in its February 2026 half-year results that PQC R&D spend reached A$2.1 million (17% of capex) and warned that 25% of current revenue was at risk without successful migration.[Senetas] The DISR Quantum Strategy 2023–28, updated February 2026, estimates that only 10% of ASX technology firms are currently PQC-ready.[DISR]

For investors, the quantum risk creates a specific valuation consideration. Encryption vendors with government contracts priced on current-generation technology face contract renewal risk when those contracts come up for re-tender under a PQC mandate regime. The vendors that have already invested in PQC migration — and can demonstrate readiness ahead of the 2027 mandate — will capture a disproportionate share of the government refresh cycle. Vendors that have not will face a product transition at the same time as their most valuable contracts are at risk. Government contract values in the sector are material: DISR data for Q4 2025 shows CyberCX with A$45 million and Tesserent with A$32 million in government contract exposure.[DISR]

8. Emerging Technology Risk

AI-enabled attacks are rising faster than AI-enabled defences — and vendors without AI capability face client churn.

ACSC recorded a 15% year-on-year increase in AI-augmented phishing in H2 2025. AI tools now feature in 12% of business email compromise cases.

AI-augmented attacks are moving from novel to routine at a measurable pace. ACSC's Annual Cyber Threat Report 2024–25 documents AI tools appearing in 12% of business email compromise cases, up from 3% in 2024, and a 15% year-on-year increase in AI-augmented phishing incidents in H2 2025 — 1,247 incidents versus 1,084 in H2 2024.[ASD] CyberCX's 2026 DFIR (Digital Forensics and Incident Response) report projects AI-enabled exploits will comprise 30% of attacks by 2027, citing more than 50 client pilots as the evidence base.[CyberCX] These are not forecasts built on extrapolation — they are observed trajectories in live incident data.

AI threat escalation — scenarios for Australian cybersecurity vendors, 2026–2028
Probability estimates based on ACSC trajectory data and named analyst projections
Bull
AI defence capability becomes the primary vendor differentiator
35%
  • ASD mandates AI threat detection capability for CI-facing MSSPs
  • Major AI-assisted breach at a government agency triggers procurement shift
  • Tesserent and CyberCX scale AI practices ahead of multinational adoption in the local market
Base
AI capability gap widens — local vendors lose ground to global platforms
45%
  • Skills shortage limits local AI defence capability build
  • Global platforms integrate AI detection faster than local MSSPs can build equivalent services
  • Government procurement continues to allow foreign platform-based solutions
Bear
AI-driven incident surge overwhelms local response capacity
20%
  • AI-augmented attacks reach 30%+ of all incidents ahead of 2027 projection
  • MSSP capacity ceiling — driven by workforce shortage — prevents adequate response
  • Multiple simultaneous major incidents expose systemic underinvestment in AI defence

For vendors, the strategic risk is a capability gap that becomes visible during a client incident. An MSSP that cannot distinguish AI-generated spear-phishing from human-crafted attacks, or cannot deploy AI-assisted response to match the speed of AI-assisted intrusion, will lose contracts after the first major incident in a client environment. The ASD Information Security Manual update from November 2025 mandates AI risk assessments for critical infrastructure, and 25% of the 1,200 organisations surveyed reported being unprepared for AI-specific threat vectors.[ASD] This creates immediate procurement pressure: clients will ask vendors to demonstrate AI threat detection capability before renewing managed service contracts.

The market signal is already visible in deal flow. AustCyber's Market Report for Q4 2025 recorded 320 cybersecurity deals worth A$450 million — an 18% increase in deal volume year on year — with AI defence services among the fastest-growing categories.[AustCyber] Tesserent's Q3 FY26 investor update reported that AI threat response services generated A$18 million in revenue (12% of total) with 40% client growth.[Tesserent] The vendors building AI capability now are capturing the growth. The vendors that are not are watching their addressable market narrow.

9. Investor Signals

Six specific indicators that would tell an investor the risk environment is getting worse — not just different.

Generic risk monitoring watches the market. Specific signal monitoring tells you when the market is breaking.

Named observable signals — Australian cybersecurity risk escalation
Where to look, what to watch for, and why it matters
Signal Where to find it Escalation indicator Why it matters
OAIC breach volumes OAIC quarterly Notifiable Data Breaches report Consecutive quarters of rising breach counts in finance or health Signals vendor controls failing at scale; drives cost inflation and regulatory tightening
Essential Eight ML2 compliance ASD Commonwealth Cyber Security Posture Report (annual) 2026 achievement falls below 22% or stalls Removes commercial enforcement driver for compliance-led spending
Government tender outcomes AusTender portal; state portals Major CI contracts awarded to foreign vendors despite sovereign policy Signals policy-to-procurement gap; reduces local vendor revenue visibility
APRA supervisory outcomes APRA enforcement actions and CPS 234 breach notifications First named enforcement action against a cybersecurity vendor as a material service provider Establishes precedent that vendor controls are directly regulable — increases compliance cost
Tesserent and Senetas ASX announcements ASX company announcements (ASX: TNT, ASX: SEN) Contract loss, margin deterioration, or AI/PQC capability write-down Most liquid proxies for local vendor health in the absence of broader sector data
PJCIS PQC mandate response Parliamentary committee reports and government responses Government accepts 2027 PQC mandate — begins RFP cycle Triggers forced product migration for RSA-dependent vendors; winners and losers determined within 12 months

The OAIC Notifiable Data Breaches quarterly reports are the most accessible leading indicator for sector stress. A spike in reported breaches — particularly in financial services, health, or critical infrastructure — signals that existing vendor controls are failing at scale. Average cybercrime costs for large organisations already rose 219% in a single year; a second consecutive year of cost escalation would signal that the current investment in vendor services is not keeping pace with the threat.[ASD]

ASD's Commonwealth Cyber Security Posture Report is published annually and is the most direct measure of whether the government's own compliance trajectory is improving. Essential Eight Maturity Level 2 achievement at 22% in 2025 is already below the 2023 baseline. If the 2026 report shows another decline, it signals that the mandate is not being enforced — which removes the primary commercial driver for compliance-led security spending in the government sector.[ASD]

AusTender outcomes in critical infrastructure and OT/IoT security are the most direct signal of whether the sovereign procurement preference is translating into actual contract awards for local vendors. If major CI contracts continue to flow to multinational platform vendors despite the policy commitment, the A$600 million sovereign investment is not producing the intended market shift. Investors in ASX-listed cybersecurity companies should treat a major government contract loss to a foreign vendor as a leading indicator of sustained margin pressure — not a one-off event.

Intelligence Brief

Key things to remember

1

Australia imposed its first-ever cyber infrastructure sanction in 2025 — against ZServers, a Russian bulletproof hosting provider used in an attack on the Australian health sector.

This marks a structural shift in Australia's cyber posture: from attributing attacks to sanctioning the infrastructure that enables them. Vendors serving health sector clients should treat this as evidence that nation-state actors are actively targeting their client base, not as a one-off event.

2

APRA's 1 October 2025 material service provider registry deadline has passed — cybersecurity vendors named on those registries are now visible to Australia's financial regulator.

APRA has stated it will develop a system-wide view of third-party concentration risk using registry data. A vendor that appears on multiple registries as a material provider to banks, insurers, and superannuation funds is now a systemic risk entity in APRA's framework — with scrutiny that follows.

3

Only 10% of ASX technology firms are currently PQC-ready, according to DISR's February 2026 Quantum Strategy update — leaving 90% exposed to forced migration costs when the 2027 mandate lands.

The PJCIS recommended PQC mandates by 2027 in November 2025. Government tenders for PQC-compliant systems typically launch 12–18 months before mandate deadlines. The procurement window that separates winners from losers is open now.

4

The Qantas breach — six million records via a third-party supplier — is the clearest evidence that supply chain compromise has replaced direct intrusion as the primary attack vector in Australia.

ACSC recorded a 136% increase in cloud intrusions in H1 2025, driven by identity vulnerabilities in SaaS platforms. Vendors who cannot demonstrate visibility into their own supply chain — and their clients' — are now at a competitive disadvantage.

5

AI tools appeared in 12% of Australian business email compromise cases in FY2024–25, up from 3% the year before — a fourfold increase in one year.

CyberCX projects AI-enabled exploits will reach 30% of all attacks by 2027. Vendors without AI-assisted detection capability face a growing performance gap against adversaries who are already using AI at scale.

6

ASIC doubled its investigation rate in H1 2025 — 132 new investigations versus 63 in H1 2024 — with cyber and technology risk explicitly named as a priority area.

No named enforcement actions against cybersecurity vendors have been published to date, but the investigation rate signals that the enforcement-education balance is shifting. The first named action against a cybersecurity vendor as a material service provider would reset the sector's compliance cost expectations.

7

Tesserent's AI threat response services grew 40% in client numbers in FY2025, generating A$18 million in revenue — the clearest commercial signal that AI defence is becoming a standalone product line, not a feature.

Vendors that can demonstrate AI threat detection capability in contract renewals are capturing growth. Vendors that cannot are watching their addressable market narrow as clients distinguish between AI-capable and legacy MSSPs.

8

The ASD Essential Eight Maturity Level 2 achievement rate fell from 25% in 2023 to 15% in 2024 before recovering to 22% in 2025 — still below the pre-hardening baseline, two years after the standard changed.

The lowest-achievement categories are logging, legacy IT remediation, and supply chain assessments. These are precisely the domains where a breach becomes a catastrophic containment failure rather than a detectable intrusion. Vendors with implementation capability in these areas have the clearest near-term revenue case.

About About this report

This report identifies and rates the specific financial, operational, regulatory, and emerging technology risks facing Australian cybersecurity vendors and managed security service providers in 2025–2026.

Investors, board directors, and advisers assessing exposure to the Australian cybersecurity sector.

Ren synthesised research from ASD, ACSC, APRA, the Department of Home Affairs, AustCyber, IBISWorld, and parliamentary committee reports published between 2024 and Q2 2026.

Primary sources date from FY2024–25 and Q1–Q2 2026; where older data is used, the year is stated explicitly.

Sources Sources & Methodology

Research conducted 10 Apr 2026. All statistics carry inline citation markers.

Tier 1 — Primary sources
Annual Cyber Threat Report 2024–25 · Australian Signals Directorate (ASD) / ACSC · October 2025 · Government regulatory report · Threat landscape, incident volumes, AI threat data, supply chain risk, workforce shortage
The Commonwealth Cyber Security Posture in 2025 · Australian Signals Directorate (ASD) · 2025 · Government regulatory report · Essential Eight compliance rates, government sector baseline
APRA Corporate Plan 2025–26 · Australian Prudential Regulation Authority (APRA) · 2025 · Government regulator corporate plan · Material service provider registry, financial sector cyber resilience obligations
Cyber Security Act 2024 — Regulatory Overview · Department of Home Affairs · November 2024 · Government legislation and guidance · Regulatory risk section, ransomware reporting, smart device standards
Australia's Cyber Security Strategy 2023–2030 Update · Department of Home Affairs · June 2025 · Government strategy document · Sovereign capability gap, A$600M funding commitment, import dependency figures
Critical Infrastructure Annual Risk Review 2025 · Critical Infrastructure Security Centre (CISC) · 2025 · Government regulatory report · Supply chain risk, SOCI Act obligations, CI sector incident breakdown
Cyber Security Priorities for Boards of Directors 2025–26 · Australian Signals Directorate / ACSC · 2025 · Government regulatory guidance · Supply chain risk, board-level cyber obligations, SOCI supply chain requirements
Quantum Threats Inquiry Final Report · Parliamentary Joint Committee on Intelligence and Security (PJCIS) · November 2025 · Parliamentary committee report · Quantum risk section, PQC mandate recommendations, named vendor exposure
Quantum Strategy 2023–28 (Updated) · Department of Industry, Science and Resources (DISR) · February 2026 · Government strategy document · Quantum risk section, PQC readiness estimate, sovereign quantum capability
ASD Cyber Security Centre Advisory 2025/03 · Australian Signals Directorate · March 2026 · Government regulatory advisory · Quantum risk section, CI operator PQC assessment rate
ASD Information Security Manual (ISM) Update · Australian Signals Directorate · November 2025 · Government regulatory framework · AI risk section, AI risk assessment mandate for CI, organisational preparedness data
NSW Government Cyber Security Strategy 2026–2028 · NSW Government / Digital.NSW · January 2026 · State government strategy · Signals to watch section, vendor vetting context, sovereign capability
Tier 2 — Supporting sources
Cyber Security Services in Australia Market Report · IBISWorld · March 2025 · Industry research report · Market size (A$6.8B), CAGR (7.2%), encryption software segment risk
Market Intelligence Report 2025 · AustCyber · November 2025 · Industry research report · Workforce shortage figures, sovereign capability gap, deal volumes
Sovereignty Index 2025 · AustCyber · 2025 · Industry index · 35% domestic sourcing figure, cover section
AI Cyber Risks Whitepaper · CyberCX / Deloitte · October 2025 · Industry whitepaper · AI threat projections, 30% attack share by 2027 estimate
Tier 3 — Additional sources
FY25 Annual Report · Tesserent (ASX: TNT) · August 2025 · Company financial disclosure · Revenue figures, AI service line, workforce metrics, government contracts
Half-Year FY26 Report · Senetas (ASX: SEN) · February 2026 · Company financial disclosure · PQC R&D spend, revenue at risk from quantum disruption
Q3 FY26 Investor Update · Tesserent (ASX: TNT) · January 2026 · Company investor update · AI service revenue, client growth figures
DISR Open Contract Register Q4 2025 · Department of Industry, Science and Resources · December 2025 · Government procurement record · Named government contract values for CyberCX and Tesserent
Conflicting sources

Essential Eight Maturity Level 2 compliance rate — 2023 baseline — ASD Commonwealth Cyber Security Posture 2025 — 25% achieved in 2023 (pre-hardening) vs ASD Commonwealth Cyber Security Posture 2025 — 15% in 2024 (post-hardening of standard in November 2023). Both figures are from the same source and are consistent: the standard was hardened in November 2023, resetting the baseline. Both figures are used in the report with this context stated explicitly.

Data gaps

No public data is available on share price movements, credit spread changes, or valuation multiples for ASX-listed cybersecurity stocks in 2025–2026 in the sources reviewed. Investors should source this directly from ASX announcements and broker research.

Specific named enforcement actions by ASD or ASIC against cybersecurity vendors or MSSPs since 2023 do not appear in public sources. The regime remains education-led to date.

Private company financials for CyberCX, Threat Intelligence Pty Ltd, and other non-ASX cybersecurity firms are not publicly available. Revenue estimates from AustCyber and Deloitte filings are directional only.

No AustCyber or DISR data specifically quantifying the financial impact of the IT skills shortage on individual Australian cybersecurity vendors was available. Workforce gap figures are sector-wide estimates.

Interest rate sensitivity and currency exposure data specific to Australian cybersecurity companies is not available in public sources reviewed. This report does not cover these financial risk dimensions.

No Tier 1 source (Gartner, IDC, McKinsey, Deloitte) has published a dedicated Australian cybersecurity market sizing report that was available for this analysis. IBISWorld (Tier 2) provides the primary market size estimate. Confidence in market sizing is capped at MEDIUM.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.