Cybersecurity desk

ACSC advisories explained: how to act on them before the window closes

ACSC advisories are one of the most actionable threat intelligence sources available to Australian IT teams, but most organisations treat them as reading material rather than a call to action.

Photo: a security and privacy dashboard showing its status (Zulfugar Karimov, Unsplash)

ACSC advisories land in inboxes regularly, and most Australian IT teams skim them, add a task to a backlog, and move on. That gap between reading and acting is where organisations get hurt. The Australian Signals Directorate's operational cyber arm publishes these alerts because it has observed active exploitation in the wild, not because a vulnerability exists in theory. By the time an advisory is public, attackers already have working exploits in circulation. The window to remediate is measured in hours to days, not weeks.

Understanding what different advisory types mean and how to build a repeatable response process is one of the highest-leverage improvements an Australian IT team can make to its security posture. This guide breaks down what each advisory type signals, how to triage them, and where most organisations fall short.

What the ACSC actually publishes and why it matters

The Australian Cyber Security Centre publishes several categories of guidance, and not all of them carry the same urgency. Understanding the difference is the first step to responding well.

  • Critical advisories: These flag vulnerabilities being actively exploited in Australian networks or against targets comparable to Australian organisations. They require immediate triage, not scheduled review.
  • High-priority alerts: These cover vulnerabilities likely to be exploited in the near term. Remediation should begin within 48 hours of the advisory being issued.
  • General advisories and alerts: These cover emerging threats, threat actor activity, and broader campaign warnings. They inform risk decisions and patch prioritisation but don't always require immediate action.
  • Essential Eight guidance updates: Changes to the maturity model framework, which should be incorporated into quarterly control reviews.

The ACSC also co-publishes joint advisories with the Five Eyes partner agencies, including CISA in the United States, the NCSC in the United Kingdom, and CCCS in Canada. These carry additional weight because they reflect coordinated intelligence from multiple national signals-intelligence agencies observing the same campaigns.

How to triage an advisory the moment it arrives

Speed matters more than process perfection during the first 24 hours. A triage workflow that can be executed immediately, without a meeting, is worth more than an elaborate governance process that requires sign-off. Here is a practical four-step approach.

Step 1: identify affected assets within two hours

Every advisory references specific software, versions, hardware, or configurations. The first question is not "should we patch?" but "do we have this in our environment?" That answer needs to come from an accurate asset register, not from memory. If your asset inventory is incomplete or stale, the advisory has already exposed a gap bigger than the vulnerability itself. Cross-reference the Common Vulnerabilities and Exposures (CVE) identifier from the advisory against your vulnerability management platform immediately.

Step 2: check for active exploitation indicators

Critical and high-priority advisories often include indicators of compromise (IoCs): file hashes, IP ranges, domain names, and command-and-control infrastructure signatures. Feed these into your SIEM or endpoint detection platform before patching begins. If you are already compromised, patching without first containing the intrusion will not stop the breach. Detection comes before remediation.

Step 3: assess compensating controls

Not every vulnerability can be patched immediately. Legacy systems, vendor-managed environments, operational technology, and critical business applications often have change windows that cannot be bypassed. In those cases, document your compensating controls: network segmentation, disabling affected features, increased monitoring, or access restriction. The ACSC advisory will sometimes suggest compensating controls explicitly. When it does, treat that as the minimum acceptable interim posture, not a permanent fix.

Step 4: patch and verify

Apply the vendor patch, validate that it has deployed successfully across all affected assets, and re-run a vulnerability scan to confirm closure. Many organisations skip the verification step and discover weeks later that a patch failed silently on a subset of machines. Log the remediation with timestamps. If you face a regulatory inquiry or a notifiable data breach scenario, that audit trail is essential. Our coverage of patch management challenges in Australia goes deeper on why verification is where teams most often cut corners.
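The four steps above, carried through as one added Python example (constructed for this article, not code from the ACSC, any vendor, or any real triage tool). It takes a placeholder advisory, maps its affected product and fixed version against an asset register (the same CVE-to-inventory mapping the ongoing-programme section below asks for), matches the advisory's indicators against a few log lines before any patch goes out, writes a timestamped triage record that carries the compensating controls, and then verifies closure by re-checking the register after a rollout. The CVE id, product name, hostnames, versions, indicators and log lines are all made up; the IP range and domain use reserved documentation values.

```python
"""Worked example (constructed, not ACSC or vendor code) of the four-step
advisory triage workflow: identify affected assets, check IoCs before
patching, record compensating controls, then verify closure."""
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample advisory. The CVE id is a placeholder, the product is
# fictional, and the indicators use reserved documentation ranges/names.
ADVISORY = {
    "id": "CVE-0000-00000",
    "product": "examplevpn",
    "fixed_version": (9, 2, 1),          # anything below this is affected
    "iocs": {
        "ips": ["203.0.113.0/24"],        # TEST-NET-3 (RFC 5737)
        "domains": ["update-check.example"],
        "hashes": ["d41d8cd98f00b204e9800998ecf8427e"],  # MD5 of empty input
    },
}

# Constructed asset register rows.
ASSETS = [
    {"host": "vpn-syd-01", "product": "examplevpn", "version": "9.1.4"},
    {"host": "vpn-mel-01", "product": "examplevpn", "version": "9.2.1"},
    {"host": "fileshare-01", "product": "othersvc", "version": "2.0"},
    {"host": "vpn-lab-01", "product": "examplevpn", "version": "8.9.0"},
]

# Constructed log lines: "<timestamp> <host> <component>: <message>".
LOGS = [
    "2026-06-22T20:10:01Z vpn-syd-01 auth: session from 203.0.113.77 user=svc_backup",
    "2026-06-22T20:12:44Z vpn-syd-01 dns: query update-check.example",
    "2026-06-22T20:15:09Z vpn-mel-01 auth: session from 198.51.100.9 user=jdoe",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_version(text):
    """'9.1.4' -> (9, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def affected_assets(advisory, assets):
    """Step 1: register rows running the named product below the fixed version."""
    return [a for a in assets
            if a["product"] == advisory["product"]
            and parse_version(a["version"]) < advisory["fixed_version"]]


def ioc_hits(advisory, logs):
    """Step 2: match advisory IoCs against log lines. Returns (host, indicator, line)."""
    nets = [ipaddress.ip_network(n) for n in advisory["iocs"]["ips"]]
    hits = []
    for line in logs:
        host = line.split()[1]
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:      # e.g. 999.1.1.1 matches the regex but is not an IP
                continue
            if any(addr in net for net in nets):
                hits.append((host, token, line))
        for ind in advisory["iocs"]["domains"] + advisory["iocs"]["hashes"]:
            if ind in line:
                hits.append((host, ind, line))
    return hits


def triage(advisory, assets, logs, compensating_controls=None, now=None):
    """Steps 1-3 in one timestamped record. Hosts that are both affected and
    showing IoC hits are flagged for containment before any patch is pushed."""
    now = now or datetime.now(timezone.utc)
    affected = {a["host"] for a in affected_assets(advisory, assets)}
    suspect = {host for host, _, _ in ioc_hits(advisory, logs)}
    contain_first = sorted(affected & suspect)
    return {
        "cve": advisory["id"],
        "triaged_at": now.isoformat(),
        "affected_hosts": sorted(affected),
        "contain_first": contain_first,
        "compensating_controls": compensating_controls or {},
        "next_action": "contain" if contain_first else "patch",
    }


def verify_patch(advisory, assets_after, now=None):
    """Step 4: re-run the affected-asset check against the post-rollout register.
    Closure means zero remaining hosts; anything left is a silently failed patch."""
    now = now or datetime.now(timezone.utc)
    remaining = sorted(a["host"] for a in affected_assets(advisory, assets_after))
    return {"cve": advisory["id"], "verified_at": now.isoformat(),
            "remaining_hosts": remaining, "closed": not remaining}


def patched(assets, hosts, version):
    """Simulate a rollout by bumping the recorded version on the named hosts."""
    return [dict(a, version=version) if a["host"] in hosts else dict(a) for a in assets]


if __name__ == "__main__":
    record = triage(ADVISORY, ASSETS, LOGS,
                    compensating_controls={"vpn-lab-01": "isolated until change window"})
    print(record)
    # Partial rollout: only one of the two affected hosts actually took the patch.
    print(verify_patch(ADVISORY, patched(ASSETS, {"vpn-syd-01"}, "9.2.1")))
```

Two design points worth noting. The triage record's `next_action` flips to "contain" whenever an affected host also shows an indicator hit, which is the "detection before remediation" rule from Step 2 made mechanical. And `verify_patch` reuses the exact same affected-asset check that drove Step 1, run against the post-rollout register, so a host whose patch failed silently shows up in `remaining_hosts` rather than being assumed closed.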

Common failure modes Australian IT teams repeat

After reviewing how organisations across the public and private sector respond to ACSC advisories, several failure patterns repeat consistently.

  • Treating the advisory as a reading task: Advisories are not newsletters. If they hit a shared email alias and no one owns the response, the advisory effectively disappears. Assign a named owner within 30 minutes of receipt.
  • Waiting for the vendor patch before acting: If the advisory is flagging active exploitation, waiting is not a neutral choice. Implement network-level controls, disable the vulnerable service, or isolate affected systems while you wait for the vendor to ship a fix.
  • Incomplete asset visibility: You cannot patch what you do not know you have. Shadow IT, recently acquired subsidiaries, and unmanaged cloud workloads are common blind spots. Every ACSC advisory is also an implicit prompt to ask: "are we confident we know everything in scope?"
  • No post-remediation review: A patching event is also intelligence. If a critical advisory affected ten of your systems, ask why those systems existed in that configuration. Was the patch cycle too slow? Was the software past its supported life? Build that feedback into your next control review cycle.

Integrating ACSC advisories into your ongoing security program

Responding to advisories reactively is necessary but not sufficient. The organisations that handle them best treat advisory response as a standing process, not an emergency drill. That means subscribing to ACSC alerts directly through the cyber.gov.au portal, routing them to a dedicated channel in your incident management platform, and mapping incoming CVEs against your asset inventory in near real-time.

The Essential Eight maturity model provides a useful frame here. Organisations at Maturity Level 2 and above are expected to have automated patch application for internet-facing services within 48 hours of a critical patch being available. If your advisory response process takes longer than that, it is also a signal that your Essential Eight posture needs work. Our practical guide to the Essential Eight maturity model covers how to benchmark and lift that posture in a structured way.

For larger organisations, consider integrating the ACSC's feed into your threat intelligence platform alongside commercial feeds. ACSC advisories reflect threat actor activity specifically targeting Australian and allied-nation organisations, which makes them more contextually relevant than generic global feeds for the majority of Australian enterprise environments.

A note on regulatory obligation

For organisations in critical infrastructure sectors, ACSC advisory response is not optional. The Security of Critical Infrastructure Act 2018 and its subsequent amendments impose positive security obligations on entities in sectors including energy, water, transport, communications, financial services, and health. Failing to respond to an ACSC critical advisory and subsequently suffering a breach creates significant legal exposure, both under SOCI and under the Privacy Act's Notifiable Data Breaches scheme. Your response to each advisory, including timestamps, asset scope, patch verification, and compensating controls, should be documented as though it may be reviewed by the regulator. Because eventually, it might be.

Acting on ACSC advisories well is ultimately about having the basics in place before the advisory arrives: a current asset inventory, a patch management process with defined SLAs, a SIEM that can ingest IoCs quickly, and a named person responsible for each step. The advisory itself is almost never the hard part. The hard part is the infrastructure that makes response automatic rather than improvised.
