Original research · Red Bridge Cyber

The Australian Enterprise & Government Posture Baseline

The Australian Enterprise & Government Posture Baseline measures the public-facing security posture of the organisations that are supposed to set the standard: ASX-listed enterprises and Australian government bodies at federal, state and local level. Each quarterly edition scans a deterministic sample across the Security, Email and Domain categories of every Red Bridge Cyber scan. These are the well-resourced security teams, enterprise SOCs and government CISOs — the benchmark a small business is implicitly held to every time someone says “enterprise-grade”.

When an article on this site says something like (Red Bridge Cyber Enterprise & Government Posture Baseline, June 2026), this page is what that citation points to.

Current edition — June 2026

The June 2026 edition (the first) scanned a deterministic sample of 75 domains drawn from a validated pool of ASX-listed enterprises and government domains (.gov.au), completing on 12 June 2026. Results are below; how every number is produced is described in the Methodology section.

Executive summary of findings

The June 2026 edition scanned 75 ASX-listed enterprises and Australian government bodies — the organisations implicitly held up as the standard every time someone says "enterprise-grade". The headline is the edition’s most uncomfortable finding: the median enterprise and government website earns an F (26/100) for web security — worse than the education and medium business cohorts.

  • More than half the cohort fails outright. 55% of scored sites land in the security F band; only 7% reach grade A.
  • 45% do not enforce HTTPS — the worst rate of any cohort measured, small businesses included.
  • Email discipline is real here. 97% publish DMARC and 85% enforce it — proof that enforcement at scale is entirely achievable.
  • DNS hardening is no better than anywhere else. DNSSEC 7%, CAA 19%, MTA-STS 11% — well-resourced security teams have not reached the domain layer either.

Full results tables below. 75 domains sampled, with every unscorable domain disclosed with its reason.

Category   Grade   Median    n
Email      B       87/100    75
Domain     E       44/100    75
Security   F       26/100    69

Email

Email posture — can the domain’s mail be trusted, and can the domain be spoofed? Median grade B (87/100). Share of the cohort passing each check:

Check                            % passing
Mail-routed (MX with STARTTLS)   93%
SPF                              88%
DMARC                            84%
DKIM                             79%
MTA-STS                          7%
TLS-RPT                          11%
DNSSEC                           7%
Reverse DNS                      87%

All 75 sampled domains were scoreable for email.

Domain

Domain (DNS) posture — the records that protect the domain name itself. Median grade E (44/100). Share of the cohort with each control in place:

Check                                % with control
SPF record                           99%
DMARC published                      97%
DMARC enforced (quarantine/reject)   85%
DNSSEC                               7%
CAA record                           19%
MTA-STS                              11%
IPv6 at the apex                     20%

All 75 sampled domains were scoreable for domain.
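The Email and Domain tables above both rest on reading public DNS records, and the gap between "DMARC published" and "DMARC enforced" comes down to one tag in one TXT record. The script below is an added example, not Red Bridge Cyber's scanner: it classifies SPF, DMARC (published vs enforced), CAA, MTA-STS and TLS-RPT for a cohort from a record set and reports the share of the cohort with each control. The domain names and records are constructed sample data (no DNS lookups are made), and the record-shape assumptions (TXT at the apex for SPF, at _dmarc., _mta-sts. and _smtp._tls. for the others) follow the public standards for those records.

```python
"""Classify the DNS-side controls in the Email and Domain tables for a cohort.

Added example, not Red Bridge Cyber's scanner. Records are a dict of
DNS name -> list of (type, value) pairs; the sample below is constructed
so the script runs offline with no lookups.
"""
from typing import Dict, List, Tuple

Records = Dict[str, List[Tuple[str, str]]]

# Constructed sample cohort: four hypothetical domains with differing posture.
SAMPLE_RECORDS: Records = {
    "alpha.example": [("TXT", "v=spf1 include:_spf.example -all"),
                      ("CAA", '0 issue "letsencrypt.org"')],
    "_dmarc.alpha.example": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example")],
    "_mta-sts.alpha.example": [("TXT", "v=STSv1; id=20260601")],
    "_smtp._tls.alpha.example": [("TXT", "v=TLSRPTv1; rua=mailto:tlsrpt@alpha.example")],
    "beta.example": [("TXT", "v=spf1 -all")],
    "_dmarc.beta.example": [("TXT", "v=DMARC1; p=none; rua=mailto:reports@beta.example")],
    "gamma.example": [("TXT", "v=spf1 include:mail.example ~all")],
    "_dmarc.gamma.example": [("TXT", "v=DMARC1; p=quarantine; pct=100")],
    "delta.example": [("TXT", "site-verification=abc123")],  # no mail controls at all
}
COHORT = ["alpha.example", "beta.example", "gamma.example", "delta.example"]


def txt_records(records: Records, name: str) -> List[str]:
    """All TXT values published at a DNS name (empty list if the name has none)."""
    return [value for rtype, value in records.get(name, []) if rtype == "TXT"]


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC, MTA-STS, TLS-RPT) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(records: Records, domain: str) -> str:
    """'missing', 'published' (p=none, monitoring only) or 'enforced' (p=quarantine/reject).

    This is the distinction between the 'DMARC published' and 'DMARC enforced'
    rows: a p=none record is visible to the world but blocks no spoofed mail.
    """
    for record in txt_records(records, f"_dmarc.{domain}"):
        tags = parse_tags(record)
        if tags.get("v", "").upper() != "DMARC1":
            continue  # unrelated TXT at _dmarc; keep looking
        policy = tags.get("p", "none").lower()
        return "enforced" if policy in ("quarantine", "reject") else "published"
    return "missing"


def has_spf(records: Records, domain: str) -> bool:
    return any(r.lower().startswith("v=spf1") for r in txt_records(records, domain))


def has_caa(records: Records, domain: str) -> bool:
    return any(rtype == "CAA" for rtype, _ in records.get(domain, []))


def has_mta_sts(records: Records, domain: str) -> bool:
    return any(parse_tags(r).get("v") == "STSv1" for r in txt_records(records, f"_mta-sts.{domain}"))


def has_tls_rpt(records: Records, domain: str) -> bool:
    return any(parse_tags(r).get("v") == "TLSRPTv1" for r in txt_records(records, f"_smtp._tls.{domain}"))


def cohort_summary(records: Records, domains: List[str]) -> Dict[str, int]:
    """Percentage of the cohort with each control, rounded to a whole percent."""
    n = len(domains)
    statuses = [dmarc_status(records, d) for d in domains]

    def pct(count: int) -> int:
        return round(100 * count / n) if n else 0

    return {
        "SPF record": pct(sum(has_spf(records, d) for d in domains)),
        "DMARC published": pct(sum(s != "missing" for s in statuses)),
        "DMARC enforced": pct(sum(s == "enforced" for s in statuses)),
        "CAA record": pct(sum(has_caa(records, d) for d in domains)),
        "MTA-STS": pct(sum(has_mta_sts(records, d) for d in domains)),
        "TLS-RPT": pct(sum(has_tls_rpt(records, d) for d in domains)),
    }


if __name__ == "__main__":
    for control, share in cohort_summary(SAMPLE_RECORDS, COHORT).items():
        print(f"{control:18} {share:3d}%")
```

On the constructed cohort, three of four domains publish DMARC but only two enforce it, which is the same shape as the 97% versus 85% split in the table. A real run would replace SAMPLE_RECORDS with records fetched by a resolver; DNSSEC and DKIM are not included because they cannot be judged from TXT contents alone (DNSSEC needs validation of the chain, DKIM needs a known selector).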

Security

Web security posture — TLS configuration, security headers and the basics of a defensible website. Median grade F (26/100), the weakest category measured. Share of scored sites missing each control:

Check                              % missing
HTTPS enforcement                  45%
HSTS                               59%
Content-Security-Policy            70%
X-Content-Type-Options (nosniff)   55%
Referrer-Policy                    77%
Permissions-Policy                 84%
TLS 1.3                            33%
security.txt                       90%

69 of 75 sampled domains scored (6 redirect-only — see Commentary).
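The Security table is built from two requests per domain (plain HTTP, then HTTPS) plus the redirect-only exclusion rule that took six domains out of scope. The script below is an added example, not Red Bridge Cyber's scanner: it takes captured probe results, applies the exclusion before any control is read (a permanent redirect off-domain), then reports the share of scored sites missing each control. The Probe structure, the domain names and the header sets are constructed sample data; the HTTPS-enforcement test (plain HTTP must redirect to https:// on the same site) and the header names are standard. security.txt is left out because it needs a further fetch of /.well-known/security.txt.

```python
"""Score the web-surface controls in the Security table from captured probe results.

Added example, not Red Bridge Cyber's scanner. A Probe holds what a scanner
would record from one plain-HTTP request and one HTTPS request to the apex;
the sample cohort below is constructed so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Probe:
    domain: str
    http_status: int                 # status of the response to http://<domain>/
    http_location: Optional[str]     # its Location header, if any
    https_headers: Dict[str, str]    # response headers from https://<domain>/, lower-cased keys
    https_status: int = 200
    https_location: Optional[str] = None
    tls_version: str = "TLSv1.3"     # protocol negotiated on the HTTPS request


def same_site(domain: str, location: Optional[str]) -> bool:
    """True when a redirect target stays on the domain itself or its www label."""
    if not location:
        return False
    host = (urlsplit(location).hostname or "").lower()
    return host in (domain, f"www.{domain}")


def exclusion_reason(p: Probe) -> Optional[str]:
    """Objective pre-score exclusion: the apex permanently redirects to a different domain.

    Decided from status codes and Location alone, before any control is read,
    so a domain cannot be dropped because its score looks bad.
    """
    for status, location in ((p.http_status, p.http_location),
                             (p.https_status, p.https_location)):
        if status in (301, 308) and location and not same_site(p.domain, location):
            return f"redirect-only -> {urlsplit(location).hostname}"
    return None


def enforces_https(p: Probe) -> bool:
    """Plain HTTP must redirect to an https:// URL on the same site."""
    return (p.http_status in (301, 302, 307, 308)
            and (p.http_location or "").lower().startswith("https://")
            and same_site(p.domain, p.http_location))


# Control name -> predicate that is True when the control is present.
CONTROLS: Dict[str, Callable[[Probe], bool]] = {
    "HTTPS enforcement": enforces_https,
    "HSTS": lambda p: "strict-transport-security" in p.https_headers,
    "Content-Security-Policy": lambda p: "content-security-policy" in p.https_headers,
    "X-Content-Type-Options (nosniff)":
        lambda p: p.https_headers.get("x-content-type-options", "").lower() == "nosniff",
    "Referrer-Policy": lambda p: "referrer-policy" in p.https_headers,
    "Permissions-Policy": lambda p: "permissions-policy" in p.https_headers,
    "TLS 1.3": lambda p: p.tls_version == "TLSv1.3",
}


def score_cohort(probes: List[Probe]) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Return (% of scored sites missing each control, excluded domains with reasons)."""
    excluded: Dict[str, str] = {}
    scored: List[Probe] = []
    for p in probes:
        reason = exclusion_reason(p)
        if reason:
            excluded[p.domain] = reason
        else:
            scored.append(p)
    missing = {
        name: (round(100 * sum(not present(p) for p in scored) / len(scored)) if scored else 0)
        for name, present in CONTROLS.items()
    }
    return missing, excluded


# A complete header set, reused by the constructed probes below.
FULL = {"strict-transport-security": "max-age=31536000; includeSubDomains",
        "content-security-policy": "default-src 'self'",
        "x-content-type-options": "nosniff",
        "referrer-policy": "strict-origin-when-cross-origin",
        "permissions-policy": "camera=(), microphone=()"}

# Constructed sample cohort (hypothetical domains).
SAMPLE_PROBES = [
    Probe("a.example", 301, "https://a.example/", FULL),
    Probe("b.example", 200, None, {"x-content-type-options": "nosniff"}, tls_version="TLSv1.2"),
    Probe("c.example", 301, "https://www.c.example/",
          {k: FULL[k] for k in ("strict-transport-security", "x-content-type-options", "referrer-policy")}),
    # Rebranded: apex permanently redirects off-domain, so it is disclosed, not scored.
    Probe("d.example", 301, "https://www.newbrand.example/", {}, 301, "https://www.newbrand.example/"),
]

if __name__ == "__main__":
    missing, excluded = score_cohort(SAMPLE_PROBES)
    for control, share in missing.items():
        print(f"{control:34} {share:3d}% missing")
    for domain, reason in excluded.items():
        print(f"excluded {domain}: {reason}")
```

The exclusion step runs first and looks only at status codes and the Location header, which is what makes it an objective criterion rather than a judgement about the score. Note that a redirect to the site's own www label still counts as on-site, so an apex that simply canonicalises to www is scored normally, while a redirect to a different registrable domain is not.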

Commentary

This is the cohort with enterprise SOCs, government CISOs and dedicated security budgets, and its median grade on the public web surface is an F. The contrast inside its own numbers is the story: where a control is owned by a discipline with a mandate — email anti-spoofing, where 85% enforce DMARC — this cohort leads the country. Where a control belongs to whoever runs the website — security headers, HTTPS enforcement — it performs worse than the medium businesses it out-resources a hundredfold. Large organisations secure what their org chart tells them to secure.

For a small business reading this: the benchmark you are being held to is not actually being met by the big end of town. That is not a reason to relax — it is evidence that public-surface security is a discipline problem rather than a budget problem, and discipline is the one input where an owner-operator competes on level terms.

Six of the 75 sampled domains could not be scored for security because their apex permanently redirects to a different domain — common around rebrands, consolidations and machinery-of-government changes — and they are disclosed above rather than hidden. Exclusion is always decided on objective criteria before any score is read. Every measurement uses the public surface only: DNS lookups, a normal page fetch, and public scanning endpoints.

Methodology

Every cohort baseline is produced by the same methodology: quarterly cadence, a deterministic seeded sample drawn from a validated pool, and scan failures excluded before scoring — never on score. Read the full methodology on the research overview.

Previous editions

This baseline refreshes quarterly, and this page always carries the latest edition. As editions are superseded, their headline tables will be archived here so that any older citation can be checked against the edition it was drawn from.