Government Modernization · Australia
Essential 8.
PSPF. AUKUS Pillar 2.
Australia’s ASD Essential 8 ML2 baseline + ISM + PSPF requirements form the strongest published Five-Eyes cyber framework stack. We deliver readiness from the US side via BuyICT Marketplace and AUKUS Pillar 2 sub-prime relationships. IRAP assessor day rates are the highest published cyber consulting rate in any Five-Eyes market (AUD 3,000-4,500 ≈ USD 1,980-2,970) — we partner the assessment itself and price the readiness work at US-senior parity.
AUD 220-280K (~$145-185K) for Essential 8 ML2 + PSPF readiness · priced near US senior rates, not undercut · IRAP-readiness paired with Australian assessor partner
What we run for Australian government partners
Six components. All ASD-aligned.
ASD Essential 8 ML2 Implementation
Australian Signals Directorate Essential 8 maturity model — patching, application control, MFA, admin privilege restriction, MS Office macro restriction, application hardening, daily backups, user app hardening. ML2 is the Australian government baseline.
ISM Compliance
Information Security Manual — Australian government's cybersecurity manual. Control selection by classification (OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET). Information classification + handling guidance.
PSPF Readiness
Protective Security Policy Framework — non-corporate Commonwealth entities + suppliers. INFOSEC, PERSEC, PHYSEC, GOVSEC requirements. Annual self-attestation alignment.
IRAP-Readiness Coordination
We do not certify as IRAP assessors (residency-gated). We DO prepare environments for IRAP assessment, partner with Australian assessor firms, run the readiness work end-to-end. The pre-assessment work is where the real cost saves.
BuyICT Marketplace + AUKUS Pillar 2
BuyICT panel listing for direct supply, AUKUS Pillar 2 sub-prime opportunities under US prime contractors. Australian DTA + Defence Industry Security Program coordination.
Privacy Act + Notifiable Data Breaches
Australian Privacy Principles, NDB scheme 30-day notification clock, Office of the Australian Information Commissioner coordination on cyber incidents touching personal information.
Who you’ll work with
Quinnlan Varcoe
CEO and Founder · OSCP · GIAC × 10 · 17 credentials across the practice
US-side delivery via BuyICT + AUKUS Pillar 2. Honest about IRAP residency-gating — we partner the assessment, not pretend to it.
Every partnership begins with me. Not a sales rep, not an account executive, not a junior. The first call, the diagnostic, the strategy work — that’s mine.
Australian government supplier?
Schedule a callTrusted by partners across the practice
Reviews
From the senior people
who’ve worked alongside Quinn.
The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.
“The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.”
Aaron Birnbaum
Managing Partner
“Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.”
Caroline Lombard
Threat Specialist
“I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.”
Justin Cox
Senior AWS Security Analyst
“One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.”
Soufiane Jihadi
Senior Incident Response Consultant
Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request