For the group CISO carrying a section 30AC obligation.
Audit-ready CIRMP evidence, in one signed pack.
SOCI Sentinel reads the artefacts your existing OT and IT tooling already exports, and writes the section 30AC evidence pack across all four CIRMP hazard domains (cyber, personnel, supply chain, physical and natural). It is not a SIEM. It is not a generic GRC platform. It is an AU-hosted, AU-owned, ISM-aligned compliance evidence agent that sits above the tools you already run.
The board attests every year. The evidence is still assembled by hand.
Section 30AC of the SOCI Act 2018 obliges every responsible entity to maintain a written Critical Infrastructure Risk Management Program (CIRMP) across four hazard domains. The board signs an annual attestation under section 30AG, ninety days after financial year end. Today that artefact is built by a compliance team and a consultancy retainer, in a quarterly scramble across spreadsheets, SharePoint folders and vendor exports. The seam between OT visibility and IT GRC is where audit defensibility falls apart.
11
critical infrastructure incidents per month against Australian assets in 2024-25, with energy, water and transport the most-targeted.
ASD Annual Cyber Threat Report, 2025
15%
of Commonwealth entities reached Essential Eight Maturity Level 2 in 2024, down from 25% the year before. 71% named legacy technology as the blocker.
ASD Commonwealth Cyber Security Posture, 2024
Four roles, one signed evidence pack, every CIRMP cycle.
The agent reads what your tools already export. A named human approves every artefact. The signed pack carries the reasoning trace into the auditor's hands.
Compliance Manager
Exports control evidence from the responsible entity's existing OT and IT toolchain (Dragos, Claroty, ServiceNow IRM, Sentinel, CrowdStrike).
SOCI Sentinel
Ingests, classifies and assembles a four-hazard CIRMP draft against the Rules 2023, with every control reference cited and every artefact hashed.
Group CISO
Reviews every reasoning step, accepts or overrides the agent's mapping, signs the section 30AC pack and the board attestation pack.
Auditor or CISC
Consumes the signed export with a full reasoning trace, runs the offline verification routine, reconstructs every decision end to end.
What it is. What it is not.
The category is compliance evidence, not telemetry. The buyer is the group CISO carrying section 30AC accountability. The line is the artefact a board will sign and CISC will accept.
What it is
- An AI evidence agent
- A CIRMP system of record
- Four-hazard coverage by default (cyber, personnel, supply chain, physical and natural)
- An artefact ingestor for your existing OT and IT exports
- A signed export the auditor and CISC can verify offline
- Human-in-the-loop on every reasoning step
- AU-hosted, AU-owned, ISM-aligned
- Built by 9t5 Pty Ltd in Australia
What it is not
- A SIEM
- An EDR
- A telemetry tap on your OT or IT estate
- A generic GRC platform
- A SOC service
- A consultancy retainer
- A Tier 1 banking play
- A vulnerability scanner
Why us, not the named adjacents.
Telemetry vendors sell the layer below. GRC platforms sell the layer beside. Consultancies sell the labour to assemble both. SOCI Sentinel sells the audit-ready CIRMP artefact above all three.
vs Telemetry vendors
Sentinel, Splunk, CrowdStrike, Dragos, Claroty, Nozomi, Armis
They give you logs, alerts and an asset graph. The board does not sign a SIEM dashboard.
SOCI Sentinel
The audit-ready evidence pack above your telemetry. Reads what those tools already export. Writes what the regulator and the board will accept.
vs GRC platforms
ServiceNow IRM, Archer, OneTrust, MetricStream
They give you a generic register and a workflow shell. No SOCI Act native logic. No four-hazard CIRMP encoding.
SOCI Sentinel
Four-hazard CIRMP encoding by default, mapped to the Rules 2023, ISM, Essential Eight and IEC 62443. The depth a generic GRC vendor cannot fake.
vs Consultancies
CyberCX, Sekuro, Tesserent (now Thales), ParaFlare
They sell a slide deck and consulting hours. $80,000 to $150,000 per CIRMP cycle. The cycle resets every year.
SOCI Sentinel
Continuous, signed, repeatable evidence between cycles. The same agent every quarter. The retainer line item replaced by a signed export.
Built for the people accountable for critical infrastructure compliance.
Group CISOs
the primary buyer carrying section 30AC accountability
- Replace the annual consultancy scramble with a continuously assembled evidence pack you can sign every quarter, not every September.
- See every control reference, every artefact and every reasoning step on a single screen, ready for board attestation.
- Carry the four-hazard obligation across both OT and IT estates without two different vendors trying to own it.
- Sleep through audit week. The signed export is the audit-ready answer.
Compliance Managers
the daily user assembling and reviewing
- Upload the exports your team already pulls from Dragos, Claroty, ServiceNow IRM, Sentinel and CrowdStrike. The agent maps them to the Rules 2023.
- Walk each hazard panel, accept or annotate the agent's mapping, attach extra evidence when needed.
- Drive every draft to ready-for-sign-off without a 40-tab spreadsheet.
- Keep the cycle moving between board meetings, not just the week before.
Auditors and Boards
the readers of the signed export
- A read-only view of every signed export, with no risk of touching the working record.
- Open any control reference, see the full reasoning trace, see the human approval and any override justification.
- Run the offline verification routine to confirm the signed JSON, the PDF and the audit chain match.
- An artefact a CISC-fluent reviewer can reconstruct end to end without picking up the phone.
Indigenous Data Custodians
and CARE Principles communities of practice
- CARE Principles encoded into the evidence taxonomy. Collective Benefit, Authority to Control, Responsibility, Ethics.
- Critical infrastructure routinely implicates Indigenous data through water assets on country, energy corridors crossing Aboriginal lands and supply chains touching Indigenous-owned enterprises.
- Any artefact touching Indigenous data holdings is routed to the right custodian before assessment, with the custodial decision captured in the reasoning trace.
- 9t5 is engaging an Indigenous data governance advisor as a paid Phase 1 engagement so the encoding is real, not decorative.
Policy and investment case.
The regulatory stack is widening. The CIRMP cycle is the forcing function. The buyer's pain is real, recurring and budgeted. Every product claim attaches to a named obligation, a named artefact or a named jobs commitment. The economic story and the product story are the same story.
SOCI Act 2018 plus ERP Act 2024
Section 30AC and the CIRMP Rules 2023 set the obligation. Part 2B sets the incident reporting clock. The ERP Act 2024 added Schedule 1 for data centres, expanded all-hazards direction powers, and gave the regulator a written direction power against a deficient program. The March 2026 CIRMP enhancements consultation tightens the cyber and information security hazard further.
Cyber Security Strategy 2023-2030, Horizon 2
Horizon 2 (2026 to 2028) is the operational scaling phase. Essential Eight Maturity Level 2 as the all-industry baseline and ML3 for systems of national significance. Sovereign cyber capability framed as economic resilience, not Defence acquisition.
Cyber Security Act 2024
Mandatory ransomware payment reporting from 30 May 2025 stacks on top of SOCI Part 2B (12 hours for critical, 72 for significant) and APRA CPS 234. The obligation surface is widening, not narrowing. The agent's reporting modules cover both clocks.
Australian jobs and economic security
An AU-built and AU-owned product. 40 to 45 AU engineering and specialist jobs sustained over the IGP five-year forecast. One regional Australian engineering hire committed for Phase 1. 60 to 70 percent of contract spend with AU SMEs. Every artefact owned by 9t5 Pty Ltd. Aligns to Future Made in Australia.
Built on a published evidence base, not a hunch.
Six numbers that frame the obligation, the gap and the build. Each one is publicly sourced and dated.
11 / 22 / 4
SOCI sectors, named asset classes and CIRMP hazard domains, all attested by the board annually under section 30AG.
CISC CIRMP Guidance, 2024
11 / month
critical infrastructure incidents against Australian assets in 2024-25, with energy, water and transport the most-targeted sectors.
ASD Annual Cyber Threat Report, 2025
15%
of Commonwealth entities reached Essential Eight Maturity Level 2 in 2024, down from 25%. 71% blame legacy technology. Critical infrastructure operators are held to a higher bar.
ASD Commonwealth Cyber Security Posture, 2024
$40k to $150k
per CIRMP cycle for a Tier 2 or Tier 3 responsible entity using an external consultant for the four-hazard evidence pack.
KPMG Australia, 2024 plus industry interviews
40-45 jobs
AU engineering and specialist jobs sustained over the IGP five-year forecast. One regional Australian engineering hire committed for Phase 1.
9t5 build plan, 2026
CARE
Principles encoded into the evidence taxonomy. The only published global standard for Indigenous Data Governance, anchored by GIDA and AIATSIS. Critical infrastructure routinely implicates Indigenous data through water, energy and supply chain.
GIDA, 2019; AIATSIS, 2020
See what an audit-ready CIRMP evidence pack looks like.
Forty-five minutes with the team to walk through the four hazard panels, the reasoning trace and the signed export. Bring the artefacts your tools already produce. We will show you the pack the board will sign.
Or email us at salam@9t5.com.au or liaqat@9t5.com.au.