by Cody Dumont
July 28, 2025

The ASD Essential 8: Patch Applications dashboard is designed to support organisations in implementing and monitoring the Essential Eight Strategies for mitigating cybersecurity risks. This comprehensive dashboard provides actionable insights into asset discovery, patch management, compliance, and exploitability to ensure a robust security posture across applications.
The Australian Cyber Security Centre (ACSC) under the Australian Signals Directorate (ASD) provides guidance to address targeted cybersecurity intrusions through its Strategies to Mitigate Cyber Security Incidents. Among these, the Essential Eight describes the minimum set of preventative cybersecurity measures organisations should implement. This guidance, complemented by the Information Security Manual (ISM) controls, forms a robust framework to ensure the confidentiality, integrity, and availability of information technology and operational technology systems. This dashboard aligns with these controls to provide critical insights into the implementation of the Essential Eight.
The ISM designates three categories for application, they are: Online Services, Core, and Others. Per the ISM, online service is any service that is directly accessible over the internet, and Core Applications are defined as commonly targeted applications which include office productivity suites, web browsers and their extensions, email clients, PDF software and security products. The Other category is all other software not previously defined within Core Applications. Tenable security engineering working with partners identified CPE strings common for Online Services and Core Application. The ISM's covered by this dashboard are: ISM-0304, ISM-1690, ISM-1691, ISM-1692, ISM-1693, ISM-1698, ISM-1699, ISM-1700, ISM-1704, ISM-1807, ISM-1876, ISM-1901, and ISM-1905.
The ASD's Blueprint for Secure Cloud Patch Applications provides recommendations with respect to how the applications should be scanned and evaluated. The blueprint discusses scanning strategies, maturity levels, and other aspects of a healthy exposure management program. While the recommendations provided by the blueprint do not provide specific guidance, the samples help illustrate a healthy Exposure Management program. The dashboard brings together information that provides evidence of the material impact to the organisations risk exposure.
To maximize relevance, organisations should leverage Asset Tagging. This feature ensures that the dashboard can be filtered to focus on data critical to implementing the Essential Eight. Tagging assets differentiation for stricter service-level agreements (SLAs). For example, critical business systems may require stricter consideration, while other systems may have a longer patching window. Asset tags, composed of Category:Value pairs (e.g., Applications:Online Services), can be applied manually or automatically using filtering rules such as public IP ranges, open ports (e.g., 80, 443), or cloud metadata. This categorisation simplifies monitoring and prioritisation for Essential Eight compliance, ensuring that organisations address vulnerabilities in their most critical assets. Tagging by application risk level (e.g., High Risk, Low Risk) or system role further enhances visibility. For more details, refer to Tenable's Tagging Documentation.
The Tenable One Platform combines a suite of sensors to facilitate efficient vulnerability scanning, regardless of network complexity. By leveraging Tenable's capabilities, organisations can effectively discover, assess, and understand their attack surface, gaining comprehensive insights into exposure points. This is coupled with Exposure Response features that prioritise remediation efforts based on contextual risk. The dashboard includes critical features to highlight asset discovery, identify unsupported systems, monitor patch management timelines, track compliance rates, and classify exploitable vulnerabilities, ensuring comprehensive coverage of the Essential Eight. By combining Tenable's comprehensive vulnerability scanning, exposure insights, and asset prioritisation with the ASD's Essential Eight Strategies. By using the dashboard in conjunction with ISM controls and asset tagging, organisations can enhance their cybersecurity maturity, address vulnerabilities more effectively, and ensure compliance with Australia's cybersecurity standards.
Widgets
- Application Vulnerability Prioritisation - This widget offers an analysis of application vulnerabilities categorized by severity levels (Low, Medium, High, and Critical) and their exploitability ease. Using the CVSSv3 Attack Complexity metric, vulnerabilities are classified as 'Hard to Exploit' for high complexity and 'Easy to Exploit' for lower complexity. Additionally, vulnerabilities deemed 'Not Exploitable' are highlighted. In addition to the CVSSv3 metrics, the widget also leverages Vulnerability Priority Rating (VPR), thus bringing to the surface the most impactful vulnerabilities detected. This widget helps organisations assess the risk landscape of applications and allocate resources effectively to address vulnerabilities that are easier for attackers to exploit, especially those with critical severity.
- Asset Discovery by Source - This widget helps track new assets in the environment. The columns display a count of assets that are licensed, and the discovery method. The rows indicate the total discovery count, followed by the First Seen date, meaning the date when a scan first found the vulnerability on an asset. The bottom two rows provide a discovery count less than 14 days, and greater than 14 days. Licensed assets are included in the asset count for Tenable Vulnerability Management which means they are being scanned and managed. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1807 (ISM-1807). The ISM applies to Maturity Levels 1 - 3 and requires continuous asset discovery to ensure an up-to-date inventory, which is essential for effective security management, vulnerability assessment, and patch prioritisation.
- ASD Essential 8: Unsupported or Security End of Life Application Findings - This table displays top 200 unsupported applications by plugin name, sorted by count. Displayed is the plugin name, plugin family, severity and the total findings. This widget identifies unsupported applications by the 'unsupported_by_vendor' definition and wildcard 'cpe:/a' CPE field. Unsupported software is any application, or operating system that is no longer maintained by the vendor. Unsupported software will typically no longer receive any updates, and will lack support. Organizations with unsupported software may be exposing themselves to security, operational, and compliance risks. The information in this table assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1905 (ISM-1905), ISM-1704 and ISM-0304. ISM-1905 and ISM-1704 apply to Maturity Levels 1 - 3 and require software products that are no longer supported by vendors for Online Services and Core applications are removed. ISM -0304 focuses on all other applications applied to Maturity Level 3 only.
- ASD Essential 8: Adobe Flash Player / Internet Explorer Presence Indicator - This table provides the count of assets that have been identified to have Adobe Flash Player or Internet Explorer installed. The information in this table assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1704 (ISM-1704). The ISM applies to Maturity Levels 1 - 3 and requires the software products that are no longer supported by vendors are removed. Adobe Flash Player or Internet Explorer are explicitly referenced in the ISM. The widget uses plugin name and CPE filters to identify the findings. The number displayed is the grouped by asset count, which will be different from the finding count displayed after clicking on the cell.
- ASD Essential 8: Scanning Frequency for Online Services - This widget provides a comparison using findings data and asset data. In assets the “Installed Software” property is a list of Common Platform Enumeration (CPE) values that represent applications identified on an asset from a scan and is collected using plugin 45590. In the findings row, the search is using the CPE string for all plugins that are in a non-fixed state. This comparison will help to show differences in analysis, especially if non-credentialed scans are common in the environment. The columns provide a deeper analysis by adding credentialed scans, and timeframe for the last scan. This widget monitors automated vulnerability scanning to ensure that online services are scanned daily, meeting the requirement set out in ISM-1698. Regular daily scans enable prompt detection of vulnerabilities, supporting an organisation’s ability to respond quickly and maintain a robust security posture in line with Essential Eight maturity standards.
- ASD Essential 8: Online Services Findings Ratio by Patch Release - This tracks the timely publication and deployment of security patches for online services based on their criticality and exploitability. The sections of this chart provide a ratio view of the findings within the organisation. The leadership teams are able to use this view to understand the relative work needed to address the different patch categories. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1876 (ISM-1876) and ISM-1690. The ISM applies to Maturity Levels 1 - 3 and requires patches for critical or exploitable online services must be applied within 48 hours of release, while patches for non-critical or non-exploitable services should be deployed within 2 weeks.
- ASD Essential 8: Online Services Findings Count by Patch Release - This tracks the timely publication and deployment of security patches for online services based on their criticality and exploitability. The values in each cell provides a count of findings that have not been mitigated after a patch has been released from the vendor. The first cell provides a count of findings that are present without a vendor released patch or mitigation strategy. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1876 (ISM-1876) and ISM-1690. The ISM applies to Maturity Levels 1 - 3 and requires patches for critical or exploitable online services must be applied within 48 hours of release, while patches for non-critical or non-exploitable services should be deployed within 2 weeks.
- ASD Essential 8: Core Application Findings Count by Patch Release - This tracks the timely publication and deployment of security patches for core applications based on their criticality and exploitability. The first cell provides a count of findings that are present without a vendor released patch or mitigation strategy. The remaining values in each cell provide a count of findings that have not been mitigated after a patch has been released from the vendor. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1691 (ISM-1691), ISM-1692 and ISM-1901. ISM-1691 applies to Maturity Level 1 and 2, and requires that vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks. While Maturity Level 3 is spread access to requirements ISM-1692 and ISM-1901. ISM-1692 requires aforementioned software vulnerabilities to be patched within 48 hours for critical vulnerabilities, and ISM-1901 allows for patching non-critical or exploitable issues should be addressed within two weeks.
- ASD Essential 8: Scanning Frequency for Core Applications - This widget provides a comparison using findings data and asset data. In assets the “Installed Software” property is a list of Common Platform Enumeration (CPE) values that represent applications identified on an asset from a scan and is collected using plugin 45590. In the findings row, the search is using the CPE string for all plugins that are in a non-fixed state. This comparison will help to show differences in analysis, especially if non-credentialed scans are common in the environment. The columns provide a deeper analysis by adding credentialed scans, and timeframe for the last scan. This widget ensures that core applications are scanned for vulnerabilities at least once per week, as required by ISM-1699. Regular scanning enables timely identification and remediation of security weaknesses within critical software components, supporting adherence to the Essential Eight maturity framework and reducing organisational risk.
- ASD Essential 8: Core Application Findings Ratio by Patch Release - This tracks the timely publication and deployment of security patches for core applications based on their criticality and exploitability. The first cell provides a count of findings that are present without a vendor released patch or mitigation strategy. The remaining values in each cell provide a count of findings that have not been mitigated after a patch has been released from the vendor. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1691 (ISM-1691), ISM-1692 and ISM-1901. ISM-1691 applies to Maturity Level 1 and 2, and requires that vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks. While Maturity Level 3 is spread access to requirements ISM-1692 and ISM-1901. ISM-1692 requires aforementioned software vulnerabilities to be patched within 48 hours for critical vulnerabilities, and ISM-1901 allows for patching non-critical or exploitable issues should be addressed within two weeks.
- ASD Essential 8: Other Application Findings Ratio by Patch Release ML2 to ML3 - This tracks the timely publication and deployment of security patches for other applications based on their criticality and exploitability. The sections of this chart provide a ratio view of the findings within the organisation. The leadership teams are able to use this view to understand the relative work needed to address the different patch categories. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1693 (ISM-1693). The ISM applies to Maturity Levels 2 & 3 and requires patches to be deployed within 1 month or 30 days. The filters applied are set using 30 days the patch was released.
- ASD Essential 8: Other Application Findings Count by Patch Release ML2 to ML3 - This tracks the timely publication and deployment of security patches for other applications based on their criticality and exploitability. The first cell provides a count of findings that are present without a vendor released patch or mitigation strategy. The values in the other cell provide a count of findings that have not been mitigated after a patch has been released from the vendor. The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1693 (ISM-1693). The ISM applies to Maturity Levels 2 & 3 and requires patches to be deployed within 1 month or 30 days. The filters applied are set using 30 days the patch was released.
- ASD Essential 8: Scanning Frequency for Other Applications ML2 to ML3 - This widget provides a comparison using findings data and asset data. In assets the “Installed Software” property is a list of Common Platform Enumeration (CPE) values that represent applications identified on an asset from a scan and is collected using plugin 45590. In the findings row, the search is using the CPE string for all plugins that are in a non-fixed state. This comparison will help to show differences in analysis, especially if non-credentialed scans are common in the environment. The columns provide a deeper analysis by adding credentialed scans, and timeframe for the last scan. This widget monitors vulnerability scanning of other applications, ensuring scans occur at least once per fortnight as required by ISM-1700. Applicable to Maturity Levels 2 and 3, this scanning supports timely detection of vulnerabilities beyond core applications, helping organisations strengthen their security posture and comply with Essential Eight maturity standards.
- ASD Essential 8: Online Services Mitigation Summary - This widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1876 (ISM-1876) and ISM-1690. The ISM applies to Maturity Levels 1 - 3 and requires the timely deployment of security patches for online services based on their criticality and exploitability. The ISM defined the Service Level Agreement (SLA) for applying patches for critical or exploitable online services must be applied within 48 hours of release, while patches for non-critical or non-exploitable services should be deployed within 2 weeks. The matrix is broken down into groups of rows, the top two rows are for findings discovered in the last 30 days, and the bottom two rows are findings from 30 to 60 days. This view allows the leadership and auditors the ability to track progress over time. The first 4 columns track the SLA as required by the ISM, the last 3 columns show the unmitigated in the same timeframes and vulnerabilities past the timeframe.
- ASD Essential 8: Core Applications Mitigation Summary - This widget assists organisations in achieving compliance with The information in this widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1691 (ISM-1691), ISM-1692 and ISM-1901. ISM-1691 applies to Maturity Level 1 and 2, and requires that vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks (rows 1, 3, 4 & 6). While Maturity Level 3 is spread access to requirements ISM-1692 and ISM-1901. ISM-1692 requires aforementioned software vulnerabilities to be patched within 48 (rows 2 & 5) hours for critical vulnerabilities, and ISM-1901 allows for patching non-critical or exploitable issues should be addressed within two weeks (rows 3 & 6). The first 3 rows show new vulnerabilities discovered in the last 30 days, while the last 3 rows show vulnerabilities from 30 - 60 days.
ASD Essential 8: Other Applications Mitigation Summary ML2 to ML3 - This widget assists organisations in achieving compliance with Australia Signal Directive (ASD) Information Security Manual 1693 (ISM-1693). The ISM applies to Maturity Levels 2 & 3 and requires patches for all vulnerabilities, regardless of criticality, are patched within one month. Monitoring these timelines helps organisations keep software current and minimise risks from unpatched applications. The matrix is broken down into two rows, the top row is for findings discovered in the last 30 days, and the bottom two row is findings from 30 to 60 days. This view allows the leadership and auditors the ability to track progress over time. The first 4 columns track the SLA as required by the ISM, the last 3 columns show the unmitigated in the same timeframes and vulnerabilities past the timeframe.