IronSights
All insights

essential eight

Essential Eight Maturity Level 3: who needs it, and what it demands

ML3 is the Essential Eight's highest maturity level, built to resist adaptive, well-resourced adversaries. Most businesses don't need it. Here is how to tell if you do, and what it demands if so.

By IronSights Editorial, Practitioner team7 July 20262 min read
ByIronSights Editorial7 July 20262 min read

3 is the ceiling of the model: controls calibrated against adversaries who are skilled, well resourced, and adaptive: the kind who study your specific environment and adjust their tradecraft when a control blocks them. It exists because some organisations genuinely face those adversaries. Most do not, and for them ML3 is the wrong goal.

Who ML3 is actually for

  • Organisations in Defence and national security supply chains, where contracts or accreditation frameworks specify it.
  • Operators of systems whose compromise has consequences beyond the business itself: critical infrastructure and the vendors deep inside it.
  • Businesses holding data valuable enough to attract targeted, persistent campaigns rather than opportunistic crime: think sensitive government datasets, not customer email lists.

If none of those describe you, a well-evidenced ML2 with real detection and response behind it will serve you better than a paper ML3, and it will cost meaningfully less.

What changes at ML3

The pattern from ML2 to ML3 is consistency and speed under adversarial pressure. Application control tightens to the strictest rule sets with vendor-recommended block lists. Patching expectations compress further, driven by how quickly targeted attackers weaponise new vulnerabilities. Privileged access moves toward just-in-time administration with strong isolation between administrative and everyday environments. becomes the norm rather than the exception. And logging shifts from 'collected centrally' to 'actively monitored for signs of compromise'. ML3 quietly assumes someone is watching, which for most organisations means a , in-house or managed.

The step from ML2 to ML3 is usually less about buying new technology and more about operational discipline: exceptions that were tolerated at ML2 get engineered out, and processes that ran monthly start running continuously.

The honest cost conversation

ML3 is expensive in the ways that don't show up on a quote: administrator convenience, application flexibility, and the ongoing staffing to keep controls at that standard permanently. An assessment that rates you ML3 today means little if the discipline decays by Christmas. Organisations that need ML3 should budget for it as an operating posture, not a project.

Where to start

The same place as every maturity conversation: an evidence-based rating of where you are now, control by control. If a contract or framework is demanding ML3, an assessment tells you the true distance and sequences the work. If nothing is demanding it, the assessment usually redirects the budget somewhere it protects more. Either outcome is worth knowing before you spend. With the Essential Eight scheduled for retirement in favour of Essentials by 2027, that assessment should also flag how your target maturity maps into the incoming framework. The controls carry forward, and so should your investment.

Keep reading

More from the IronSights team.