Australian Cybersecurity Market
Risk Assessment 2025–2026
Australia's cybersecurity sector is caught between two forces pulling in opposite directions. Demand is rising sharply — ASD handled 1,200+ incidents in FY2024–25, an 11% increase year on year, and average cybercrime costs for large Australian organisations reached $202,700, up 219% from the prior year.
Regulatory pressure is hardening at the same pace: the Cyber Security Act 2024 came into force, mandatory ransomware reporting commenced 30 May 2025, and smart device security standards take effect 4 March 2026. For vendors and managed security service providers, this looks like a growth story. The risk is that it is also a compliance story — and compliance stories produce winners and losers fast.
The structural tension is sovereignty. Australia's cybersecurity capability is roughly 35% domestically sourced, according to AustCyber's 2025 Sovereignty Index. The remaining 65% flows through foreign platforms — primarily US-headquartered cloud and endpoint vendors — at exactly the moment the federal government is committing A$600 million to close that gap by 2027. For local players, this creates a window. For investors, it creates a concentration risk: the companies best positioned to capture government contract flow are also the companies most exposed to geopolitical disruption in their own supply chains.
Three overlapping compliance regimes are creating cost and complexity for every vendor in the market.
The Cyber Security Act 2024, SOCI Act, and APRA's 2025–26 supervisory priorities are not sequential — they are simultaneous, and the deadlines are already passing.
Australia's regulatory environment for cybersecurity shifted from guidance to enforcement between late 2024 and mid-2025. Three frameworks now operate simultaneously, each with different deadlines, different responsible agencies, and different penalties. For vendors and MSSPs, the compliance workload is not additive — it is multiplicative, because clients covered by all three frameworks need support across all three, often from the same contract.
Entities with annual turnover >$3M must report ransomware demands and payments. Commenced 30 May 2025. Applies to all critical infrastructure operators regardless of turnover.
Manufacturers and importers must ship devices with unique passwords, vulnerability reporting channels, and disclosed support periods. Aligned with EN 303 645. Excludes PCs, smartphones, medical devices, vehicles.
CIRMPs were due 18 August 2024 with first reporting in 2024–25. Positive Security Obligations include 12/72-hour incident reporting to ACSC. Enhanced obligations apply to Systems of National Significance.
All APRA-regulated entities must submit a register of material service providers by 1 October 2025. APRA will develop a system-wide view of third-party concentration risk.
The Cyber Security Act 2024 received royal assent on 29 November 2024 and has been rolling out in stages since.[Home Affairs] Mandatory ransomware reporting commenced 30 May 2025 for any entity with annual turnover above $3 million or any critical infrastructure operator. Smart device security standards — unique default passwords, vulnerability disclosure channels, published support periods — take effect 4 March 2026.[Home Affairs] A Cyber Incident Review Board has been established to conduct post-incident reviews, which will produce named findings about vendor and operator conduct. The commercial implication for MSSPs is direct: clients need monitoring tools that can generate compliant ransomware reports automatically, and manufacturers need compliance testing before March 2026.
APRA's 2025–26 corporate plan commits to targeted supervisory engagements on cyber resilience across superannuation trustees, insurers, and smaller banks, with all entities required to submit a register of material service providers by 1 October 2025.[APRA] For cybersecurity vendors who are themselves material service providers to financial institutions, this creates a second-order exposure: if a client's regulator determines that a vendor's controls are inadequate, the client relationship is at risk regardless of the vendor's own compliance posture. No named enforcement actions against cybersecurity vendors have been published by ASD or ASIC to date — the regime remains education-led — but ASIC commenced 132 new investigations in the first half of 2025, double the prior year's rate, with cyber and technology risk among the stated priorities.
ASD's Annual Cyber Threat Report for 2024–25 shows a threat environment that is both broader and more expensive than the year before.[ASD] The 1,200+ incidents ASD handled represent an 11% increase on FY2023–24. Cybercrime reports reached 84,700. Ransomware accounted for 11% of all critical infrastructure incidents and 34% of the highest-severity category. For Australian cybersecurity vendors, this is a demand signal. It is also an operational risk: vendors who serve critical infrastructure clients are themselves targets, and a breach of an MSSP's own systems would expose client data and trigger mandatory reporting obligations under both the Cyber Security Act 2024 and the SOCI Act.
The cost escalation is the more alarming signal. Average cybercrime costs for large organisations rose 219% to $202,700 in FY2024–25.[ASD] For small businesses the figure reached $49,600, up 8%. This asymmetry matters: large organisations are both the highest-value clients and the highest-risk ones. An MSSP that carries a large client through a ransomware incident now faces a potential $200,000+ cost-per-event exposure in its client's environment, with reputational and contractual consequences if response is slow. Insurance pricing for cybersecurity vendors serving critical infrastructure is rising accordingly, though no specific premium data is available in public sources.
The geopolitical dimension is hardening. In May 2025, ASD and international partners attributed a Russian state-sponsored campaign to targeting Western logistics entities and technology companies.[ASD] Australia imposed cyber sanctions on ZServers — a bulletproof hosting provider — for its role in infrastructure used in an attack on the Australian health sector. This is the first time Australia has sanctioned a cyber infrastructure entity. For vendors serving health, logistics, and government clients, this signals that nation-state threat actors are actively targeting the client base, not just opportunistically.
Third-party supply chain compromise is the primary attack vector — and Australian firms are demonstrably unprepared.
The Qantas breach exposed six million records through a single compromised supplier. Cloud intrusions rose 136% in H1 2025.
The Qantas breach in 2025 — six million customer records exposed through a compromised third-party supplier — is the clearest recent evidence that supply chain risk in Australia is not theoretical.[ACSC] ACSC data shows a 136% increase in cloud intrusions in H1 2025, largely driven by identity vulnerabilities in SaaS platforms. For cybersecurity vendors, this creates a double exposure: their clients are being attacked through third-party channels, and the vendors themselves are third parties to those clients. An MSSP that suffers a breach becomes the attack vector. The ACSC now recommends that organisations categorise suppliers by criticality, conduct pre-onboarding risk assessments, and enforce multi-factor authentication and network segmentation for all third-party access.
The critical infrastructure sector faces a specific concentration problem. ACSC data shows a 28% rise in publicly reported vulnerabilities in edge devices and legacy IT in FY2024–25.[ACSC] Financial services accounted for 32% of CI incidents and transport for 26% — sectors where OT systems (operational technology, meaning industrial control systems) are interconnected with IT networks managed by third-party vendors. The SOCI Act's supply-chain risk management obligations are a direct response to this: CI operators must now assess their vendors' security posture as part of their own CIRMP. For MSSPs serving CI clients, this means their own security practices are now part of their client's regulatory compliance.
APRA's requirement for all regulated entities to register material service providers by 1 October 2025 creates an additional structural risk for vendors.[APRA] Once a vendor appears on an APRA registry, its controls are visible to the regulator. A vendor that cannot demonstrate adequate cyber hygiene risks being flagged as a systemic concentration point — particularly relevant given APRA's stated intention to develop a system-wide view of third-party reliance. No specific enforcement actions have been taken against cybersecurity vendors under this framework to date, but the registry deadline has passed and assessment activity is underway.
Only 22% of Commonwealth entities reached Essential Eight Maturity Level 2 in 2025 — the compliance gap is widening, not closing.
The government sets the security standard. Its own entities are largely failing to meet it. That undermines the commercial case for compliance-driven security spending.
ASD's Commonwealth Cyber Security Posture Report for 2025 shows that 22% of Commonwealth entities achieved Essential Eight Maturity Level 2 — up from 15% in 2024, but below the 25% recorded in 2023 before the Essential Eight framework was hardened in November 2023.[ASD] The hardening of the standard moved the goalposts, which explains the 2024 dip. But the recovery to only 22% in 2025 — two years after the standard changed — signals that implementation is slow across the government's own estate. The areas with lowest achievement are logging, legacy IT remediation, and supply chain assessments: exactly the categories most relevant to detecting and containing a breach.
For cybersecurity vendors, this creates a paradox. Government contract flow is the most stable revenue stream in the sector — and the Australian government is the largest buyer of cybersecurity services in the country. But a client base that is only 22% compliant with its own mandated baseline is also a client base that is structurally vulnerable. If a major breach occurs in a government agency served by an MSSP, the MSSP faces reputational damage, contract review, and potential liability questions even if the breach exploited the agency's own non-compliance. The risk is asymmetric: vendors carry the reputational downside of client incidents they cannot fully control.
The Essential Eight compliance trajectory also signals something about market depth. If government entities — which have dedicated IT teams, regulatory obligations, and dedicated funding — are struggling to reach Maturity Level 2, the private sector compliance posture is likely worse. This is not a reason to expect demand growth to slow. It is a reason to expect that the easy sales are already made, and that the remaining market requires more complex, more expensive implementations. Vendors with implementation capability and government clearances are better positioned than pure platform vendors in this environment.
Australia needs roughly 11,400 more cybersecurity specialists than it currently has — a shortage that directly limits vendors' ability to grow.
The workforce gap is not a pipeline problem. It is a capacity ceiling on the sector's ability to deliver services, win contracts, and respond to incidents.
The Australian cybersecurity workforce shortage is estimated at approximately 11,400 specialists — roughly 3% of the ICT workforce — based on ASD figures for FY2024–25.[ASD] For vendors, this is a direct capacity constraint. An MSSP cannot win a new government contract it does not have the staff to deliver. A compliance software vendor cannot accelerate implementation timelines when its professional services bench is already fully used. The shortage is concentrated in the highest-demand skills: OT security, cloud security architecture, and — increasingly — AI-enabled threat detection.
The AustCyber Market Intelligence Report 2025 estimated the total Australian cybersecurity workforce at approximately 18,000 professionals, with a 25% shortage in sovereign technology roles.[AustCyber] The sovereign technology gap is particularly significant for vendors holding or pursuing government security clearances: the pool of cleared, qualified staff is small and competitive. The government's A$600 million commitment to building sovereign capability by 2027 will create demand for exactly these skills faster than the training pipeline can produce them. This means wage inflation is a near-certain operating cost risk for any vendor scaling a government-facing practice in 2026–2027.
No specific AustCyber or DISR report data on offshore talent reliance or the financial impact of the skills shortage on named Australian vendors was available in public sources reviewed for this report. The figures cited are drawn from ASD and AustCyber publications. Confidence in the precise scale of the shortage is medium — the direction is clear, the magnitude less so.
Multinational vendors dominate the Australian market — local players compete on relationships and compliance knowledge, not technology.
Roughly 65% of Australian cybersecurity tooling is sourced from foreign platforms. That dependency is a risk when geopolitics shifts procurement rules.
Australia's cybersecurity market is structurally bifurcated. Multinational platform vendors — CrowdStrike, Palo Alto Networks, Microsoft — dominate endpoint, network, and cloud security on the strength of global R&D investment that no Australian company can match. Local players compete by wrapping those platforms with implementation, compliance, and managed services. This is a viable model in a stable regulatory environment. It becomes a concentration risk when the federal government explicitly targets 50% locally sourced cybersecurity capability by 2027, because the definition of 'local' is being written in procurement policy right now.
- Microsoft
- CrowdStrike
- Palo Alto Networks
- Tesserent
- Senetas
- CyberCX (Deloitte)
- Threat Intelligence
The Department of Home Affairs' 2023–2030 Cyber Security Strategy update identifies that approximately 60% of cybersecurity tools used by Australian organisations are imported, and commits A$600 million to closing the sovereign gap to 50% by 2027.[Home Affairs] For investors, this creates two competing risks. First, if procurement policy shifts to preference local vendors, multinational-dependent MSSPs face contract risk on government work. Second, if local vendors cannot scale fast enough to fill the gap — which the workforce shortage makes likely — the policy target will not be met, and the funding will still flow to implementation partners rather than platform builders.
The market data available on named Australian vendors is limited in public sources. Tesserent (ASX: TNT) reported FY25 revenue of A$150.2 million, up 28% year on year, with AI threat response services contributing A$18 million.[Tesserent] CyberCX was acquired by Deloitte in 2023 and does not report separately. Senetas (ASX: SEN) reported FY25 revenue of A$12.4 million with significant reliance on hardware encryption — a segment facing post-quantum disruption risk. ASX-listed cybersecurity stocks remain thinly traded and highly sensitive to government contract announcements. No public data on credit spread movements or valuation multiples for private Australian cybersecurity companies was available for this report.
Post-quantum cryptography is a 2026 procurement problem, not a 2030 theoretical risk.
NIST published post-quantum standards in August 2024. Australia's Parliamentary committee recommended mandates by 2027. Vendors with RSA-dependent products face revenue risk within the current investment cycle.
The quantum threat to encryption is not about a quantum computer breaking encryption today. It is about adversaries collecting encrypted data now, intending to decrypt it once quantum capability matures — a strategy known as 'harvest now, decrypt later.' There have been no confirmed quantum-enabled breaches reported by ACSC to date. But the precautionary action is already mandatory: NIST published its post-quantum cryptography standards in August 2024, and the Australian Signals Directorate has issued guidance urging migration, noting that 40% of critical infrastructure operators have not yet conducted a quantum risk assessment.[ASD]
The Parliamentary Joint Committee on Intelligence and Security completed a Quantum Threats Inquiry in November 2025, recommending PQC mandates by 2027 and identifying Senetas and Tesserent as vendors with significant RSA-dependent product exposure — reportedly 70% of their current product portfolios.[PJCIS] Senetas reported in its February 2026 half-year results that PQC R&D spend reached A$2.1 million (17% of capex) and warned that 25% of current revenue was at risk without successful migration.[Senetas] The DISR Quantum Strategy 2023–28, updated February 2026, estimates that only 10% of ASX technology firms are currently PQC-ready.[DISR]
For investors, the quantum risk creates a specific valuation consideration. Encryption vendors with government contracts priced on current-generation technology face contract renewal risk when those contracts come up for re-tender under a PQC mandate regime. The vendors that have already invested in PQC migration — and can demonstrate readiness ahead of the 2027 mandate — will capture a disproportionate share of the government refresh cycle. Vendors that have not will face a product transition at the same time as their most valuable contracts are at risk. Government contract values in the sector are material: DISR data for Q4 2025 shows CyberCX with A$45 million and Tesserent with A$32 million in government contract exposure.[DISR]
AI-enabled attacks are rising faster than AI-enabled defences — and vendors without AI capability face client churn.
ACSC recorded a 15% year-on-year increase in AI-augmented phishing in H2 2025. AI tools now feature in 12% of business email compromise cases.
AI-augmented attacks are moving from novel to routine at a measurable pace. ACSC's Annual Cyber Threat Report 2024–25 documents AI tools appearing in 12% of business email compromise cases, up from 3% in 2024, and a 15% year-on-year increase in AI-augmented phishing incidents in H2 2025 — 1,247 incidents versus 1,084 in H2 2024.[ASD] CyberCX's 2026 DFIR (Digital Forensics and Incident Response) report projects AI-enabled exploits will comprise 30% of attacks by 2027, citing more than 50 client pilots as the evidence base.[CyberCX] These are not forecasts built on extrapolation — they are observed trajectories in live incident data.
- ASD mandates AI threat detection capability for CI-facing MSSPs
- Major AI-assisted breach at a government agency triggers procurement shift
- Tesserent and CyberCX scale AI practices ahead of multinational adoption in the local market
- Skills shortage limits local AI defence capability build
- Global platforms integrate AI detection faster than local MSSPs can build equivalent services
- Government procurement continues to allow foreign platform-based solutions
- AI-augmented attacks reach 30%+ of all incidents ahead of 2027 projection
- MSSP capacity ceiling — driven by workforce shortage — prevents adequate response
- Multiple simultaneous major incidents expose systemic underinvestment in AI defence
For vendors, the strategic risk is a capability gap that becomes visible during a client incident. An MSSP that cannot distinguish AI-generated spear-phishing from human-crafted attacks, or cannot deploy AI-assisted response to match the speed of AI-assisted intrusion, will lose contracts after the first major incident in a client environment. The ASD Information Security Manual update from November 2025 mandates AI risk assessments for critical infrastructure, and 25% of the 1,200 organisations surveyed reported being unprepared for AI-specific threat vectors.[ASD] This creates immediate procurement pressure: clients will ask vendors to demonstrate AI threat detection capability before renewing managed service contracts.
The market signal is already visible in deal flow. AustCyber's Market Report for Q4 2025 recorded 320 cybersecurity deals worth A$450 million — an 18% increase in deal volume year on year — with AI defence services among the fastest-growing categories.[AustCyber] Tesserent's Q3 FY26 investor update reported that AI threat response services generated A$18 million in revenue (12% of total) with 40% client growth.[Tesserent] The vendors building AI capability now are capturing the growth. The vendors that are not are watching their addressable market narrow.
Six specific indicators that would tell an investor the risk environment is getting worse — not just different.
Generic risk monitoring watches the market. Specific signal monitoring tells you when the market is breaking.
| Signal | Where to find it | Escalation indicator | Why it matters |
|---|---|---|---|
| OAIC breach volumes | OAIC quarterly Notifiable Data Breaches report | Consecutive quarters of rising breach counts in finance or health | Signals vendor controls failing at scale; drives cost inflation and regulatory tightening |
| Essential Eight ML2 compliance | ASD Commonwealth Cyber Security Posture Report (annual) | 2026 achievement falls below 22% or stalls | Removes commercial enforcement driver for compliance-led spending |
| Government tender outcomes | AusTender portal; state portals | Major CI contracts awarded to foreign vendors despite sovereign policy | Signals policy-to-procurement gap; reduces local vendor revenue visibility |
| APRA supervisory outcomes | APRA enforcement actions and CPS 234 breach notifications | First named enforcement action against a cybersecurity vendor as a material service provider | Establishes precedent that vendor controls are directly regulable — increases compliance cost |
| Tesserent and Senetas ASX announcements | ASX company announcements (ASX: TNT, ASX: SEN) | Contract loss, margin deterioration, or AI/PQC capability write-down | Most liquid proxies for local vendor health in the absence of broader sector data |
| PJCIS PQC mandate response | Parliamentary committee reports and government responses | Government accepts 2027 PQC mandate — begins RFP cycle | Triggers forced product migration for RSA-dependent vendors; winners and losers determined within 12 months |
The OAIC Notifiable Data Breaches quarterly reports are the most accessible leading indicator for sector stress. A spike in reported breaches — particularly in financial services, health, or critical infrastructure — signals that existing vendor controls are failing at scale. Average cybercrime costs for large organisations already rose 219% in a single year; a second consecutive year of cost escalation would signal that the current investment in vendor services is not keeping pace with the threat.[ASD]
ASD's Commonwealth Cyber Security Posture Report is published annually and is the most direct measure of whether the government's own compliance trajectory is improving. Essential Eight Maturity Level 2 achievement at 22% in 2025 is already below the 2023 baseline. If the 2026 report shows another decline, it signals that the mandate is not being enforced — which removes the primary commercial driver for compliance-led security spending in the government sector.[ASD]
AusTender outcomes in critical infrastructure and OT/IoT security are the most direct signal of whether the sovereign procurement preference is translating into actual contract awards for local vendors. If major CI contracts continue to flow to multinational platform vendors despite the policy commitment, the A$600 million sovereign investment is not producing the intended market shift. Investors in ASX-listed cybersecurity companies should treat a major government contract loss to a foreign vendor as a leading indicator of sustained margin pressure — not a one-off event.
Key things to remember
About About this report
This report identifies and rates the specific financial, operational, regulatory, and emerging technology risks facing Australian cybersecurity vendors and managed security service providers in 2025–2026.
Investors, board directors, and advisers assessing exposure to the Australian cybersecurity sector.
Ren synthesised research from ASD, ACSC, APRA, the Department of Home Affairs, AustCyber, IBISWorld, and parliamentary committee reports published between 2024 and Q2 2026.
Primary sources date from FY2024–25 and Q1–Q2 2026; where older data is used, the year is stated explicitly.
Sources Sources & Methodology
Research conducted 10 Apr 2026. All statistics carry inline citation markers.
Essential Eight Maturity Level 2 compliance rate — 2023 baseline — ASD Commonwealth Cyber Security Posture 2025 — 25% achieved in 2023 (pre-hardening) vs ASD Commonwealth Cyber Security Posture 2025 — 15% in 2024 (post-hardening of standard in November 2023). Both figures are from the same source and are consistent: the standard was hardened in November 2023, resetting the baseline. Both figures are used in the report with this context stated explicitly.
No public data is available on share price movements, credit spread changes, or valuation multiples for ASX-listed cybersecurity stocks in 2025–2026 in the sources reviewed. Investors should source this directly from ASX announcements and broker research.
Specific named enforcement actions by ASD or ASIC against cybersecurity vendors or MSSPs since 2023 do not appear in public sources. The regime remains education-led to date.
Private company financials for CyberCX, Threat Intelligence Pty Ltd, and other non-ASX cybersecurity firms are not publicly available. Revenue estimates from AustCyber and Deloitte filings are directional only.
No AustCyber or DISR data specifically quantifying the financial impact of the IT skills shortage on individual Australian cybersecurity vendors was available. Workforce gap figures are sector-wide estimates.
Interest rate sensitivity and currency exposure data specific to Australian cybersecurity companies is not available in public sources reviewed. This report does not cover these financial risk dimensions.
No Tier 1 source (Gartner, IDC, McKinsey, Deloitte) has published a dedicated Australian cybersecurity market sizing report that was available for this analysis. IBISWorld (Tier 2) provides the primary market size estimate. Confidence in market sizing is capped at MEDIUM.
This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.