Essential Eight · ASD / ACSC · Maturity Levels 0–3

Patch applications & operating systems for the Essential Eight

Two of the eight strategies — Patch applications and Patch operating systems — require knowing what you run, finding vulnerabilities and patching within set timeframes. IsItPatched delivers that from an SBOM — a software inventory, known and actively-exploited CVEs, the minimum safe version, end-of-life flags (unsupported software must be removed) and exportable evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for Australian organisations

Government & agencies

The Essential Eight is mandated across much of the Commonwealth. Evidence the two patching strategies without new tooling.

Suppliers & SMEs

Working toward a target maturity level? Inventory your software and stay ahead of the vulnerabilities that warrant the fastest patching.

Assessors & IT teams

A clean software inventory, the actively-exploited vulnerabilities to patch first, and end-of-life flags.

Essential Eight → what IsItPatched gives you

Know what you run

Scan a CycloneDX/SPDX SBOM for a per-component inventory of your applications and dependencies.

Patch the urgent ones first

We flag actively-exploited (CISA KEV) and high-severity CVEs — the ones the Essential Eight puts on the tightest patch timeframe.

The version to patch to

The minimum safe version for each component, so patching is unambiguous.

Remove unsupported software

End-of-life tracking flags software that can no longer be patched and must be removed; export a risk register / VEX as evidence.

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your patching-strategy record

Sign in (free, no password) to sync your component stack and generate these from your dashboard.

Straight with you: the Essential Eight also covers application control, macro settings, user application hardening, admin privileges, multi-factor authentication and backups. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the "Patch applications" and "Patch operating systems" strategies specifically. It is not an assessment and not legal advice.

Essential Eight — frequently asked

What is the Essential Eight?

The Essential Eight is the Australian Signals Directorate's (ASD / ACSC) set of eight mitigation strategies, assessed across Maturity Levels 0–3. Two are squarely about software vulnerabilities: "Patch applications" and "Patch operating systems". Both require knowing what you run, scanning for vulnerabilities, and patching within set timeframes (the most exploited, internet-facing vulnerabilities within 48 hours at higher maturity).

How does IsItPatched help with the Essential Eight?

It supports the two patching strategies: scan a CycloneDX/SPDX SBOM to inventory your applications and their components, identify known and actively-exploited (CISA KEV) vulnerabilities, see the minimum safe version to patch to, flag end-of-life software (unsupported software must be removed), and export a register / VEX as evidence toward your target maturity level.

Does IsItPatched make us Essential Eight compliant?

No. The Essential Eight also covers application control, macro settings, user application hardening, admin privileges, multi-factor authentication and backups. IsItPatched helps with the "Patch applications" and "Patch operating systems" strategies specifically. It is informational, built on public data — not an assessment and not legal advice.
