Original research · Red Bridge Cyber

The Australian Medium Business Posture Baseline

The Australian Medium Business Posture Baseline measures the public-facing security posture of substantial Australian businesses above the SMB tier — large private and family-owned companies, partnerships, mutuals, co-operatives and large not-for-profits on .com.au and .au domains, none of them ASX-listed. Each quarterly edition scans a deterministic sample across the Security, Email and Domain categories of every Red Bridge Cyber scan. In the comparison story this is the middle rung — businesses big enough to have IT budgets and often a managed-services provider, but without a listed company’s security team. It is the first test of whether posture actually improves with size.

When an article on this site says something like (Red Bridge Cyber Medium Business Posture Baseline, June 2026), this page is what that citation points to.

Current edition — June 2026

The June 2026 edition (the first) scanned a deterministic sample of 75 domains drawn from a validated pool of Australian medium businesses (.com.au/.au, non-ASX), completing on 12 June 2026. Results are below; how every number is produced is described in the methodology section.

Executive summary of findings

The June 2026 edition scanned 75 substantial Australian businesses above the SMB tier — none ASX-listed. The first test of whether posture improves with size returns a qualified yes: the median medium business website earns an E (43/100) for web security against the small business F, a B for email posture, and the same E for DNS hardening.

  • The visible basics improve with size. Only 6% of scored sites fail to enforce HTTPS — the kind of control a managed-services provider switches on by default.
  • The deliberate controls still don’t. 71% publish no Content-Security-Policy, 81% no Permissions-Policy, and 99% no security.txt — one in four scored sites still lands in the security F band.
  • The DMARC gap narrows but persists. 93% publish a DMARC record; 68% enforce it — a quarter of the cohort has done the easy half and stopped.
  • DNS hardening stays near-absent. DNSSEC 5%, CAA 12%, MTA-STS 1% — bigger IT budgets have not reached the domain layer.

Full results tables below. 75 domains sampled, with every unscorable domain disclosed with its reason.

Email      B   median 81/100 · n=75
Domain     E   median 44/100 · n=75
Security   E   median 43/100 · n=72

Email

Email posture — can the domain’s mail be trusted, and can the domain be spoofed? Median grade B (81/100). Share of the cohort passing each check:

Check                              % passing
Mail-routed (MX with STARTTLS)     97%
SPF                                91%
DMARC                              68%
DKIM                               85%
MTA-STS                            0%
TLS-RPT                            1%
DNSSEC                             5%
Reverse DNS                        97%

All 75 sampled domains were scoreable for email.

Domain

Domain (DNS) posture — the records that protect the domain name itself. Median grade E (44/100). Share of the cohort with each control in place:

Check                                  % with control
SPF record                             97%
DMARC published                        93%
DMARC enforced (quarantine/reject)     68%
DNSSEC                                 5%
CAA record                             12%
MTA-STS                                1%
IPv6 at the apex                       19%

All 75 sampled domains were scoreable for domain.

Security

Web security posture — TLS configuration, security headers and the basics of a defensible website. Median grade E (43/100), the weakest category measured. Share of scored sites missing each control:

Check                                % missing
HTTPS enforcement                    6%
HSTS                                 39%
Content-Security-Policy              71%
X-Content-Type-Options (nosniff)     40%
Referrer-Policy                      65%
Permissions-Policy                   81%
TLS 1.3                              10%
security.txt                         99%

72 of 75 sampled domains scored (3 redirect-only — see Commentary).

Commentary

This cohort exists to answer one question for small business owners: does posture get better when a business gets bigger and hires help? The June 2026 answer is — partly. The controls a provider enables by default (HTTPS enforcement, TLS 1.3, reverse DNS) are close to universal here, and the cohort’s median security score roughly doubles the small business figure. But the controls that require someone to decide — security headers, DMARC enforcement, DNS hardening — look strikingly similar to the SMB picture. Size buys defaults, not decisions.

The email story is the clearest illustration. Medium businesses publish DMARC almost universally (93%), yet a quarter of the cohort never moves the policy past monitoring. The enforcement step costs nothing but a decision and a short observation window — which is why we read this as a discipline gap rather than a resourcing one.
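The "published" versus "enforced" distinction used in the Domain table and in the paragraph above comes down to how the record at _dmarc.<domain> is read. The classifier below is an added example, not Red Bridge Cyber's scanner; it takes TXT records already looked up by the caller (no DNS is done), uses constructed placeholder domains, and shows the cases a scanner has to get right: p=none counted as monitoring, pct= sampling, and the RFC 7489 rule that zero or more than one DMARC record means no usable policy.

```python
ENFORCING = {"quarantine", "reject"}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; tag names lowercased, values stripped."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def classify_dmarc(txt_records):
    """
    Classify the TXT records found at _dmarc.<domain> (caller supplies them).
    Returns a dict with:
      status: 'unpublished' | 'monitoring' | 'enforced'
      policy: the p= value, or None when no usable record exists
      pct:    the pct= sampling percentage (100 when the tag is absent)
    RFC 7489 s6.6.3: zero or more than one record starting 'v=DMARC1' means
    policy discovery fails, so both cases are counted as unpublished here.
    """
    candidates = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        return {"status": "unpublished", "policy": None, "pct": None}
    tags = parse_tags(candidates[0])
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING | {"none"}:            # p= is mandatory
        return {"status": "unpublished", "policy": None, "pct": None}
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    status = "enforced" if policy in ENFORCING else "monitoring"
    return {"status": status, "policy": policy, "pct": pct}

def cohort_shares(cohort):
    """cohort: {domain: [TXT records]} -> (% published, % enforced), rounded."""
    statuses = [classify_dmarc(recs)["status"] for recs in cohort.values()]
    n = len(statuses)
    published = sum(s != "unpublished" for s in statuses)
    enforced = statuses.count("enforced")
    return round(100 * published / n), round(100 * enforced / n)

# Constructed sample cohort (placeholder domains, not baseline scan data).
SAMPLE_COHORT = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],  # monitoring only
    "c.example": [],                                                 # no record at all
    "d.example": ["v=DMARC1; p=quarantine; pct=50"],                 # partial enforcement
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],         # two records: invalid
    "f.example": ["v=spf1 -all"],                                    # SPF misplaced at _dmarc
}

if __name__ == "__main__":
    for domain, recs in SAMPLE_COHORT.items():
        print(domain, classify_dmarc(recs))
    print("published %d%%, enforced %d%%" % cohort_shares(SAMPLE_COHORT))
```

Domain d.example illustrates why a scanner should report pct= alongside the policy: it counts as enforced by the quarantine/reject rule, yet half its failing mail is still delivered.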

Three of the 75 sampled domains could not be scored for security because their apex permanently redirects to a different domain — typical of brand consolidation and migrations — and they are disclosed above rather than hidden. Exclusion is always decided on objective criteria before any score is read. Everything in this edition is measured from the public surface only: DNS lookups, a normal page fetch, and public scanning endpoints — nothing a regular visitor couldn’t see.

Methodology

Every cohort baseline is produced by the same methodology: quarterly cadence, a deterministic seeded sample drawn from a validated pool, and scan failures excluded before scoring — never on score. Read the full methodology on the research overview.

Previous editions

This baseline refreshes quarterly, and this page always carries the latest edition. As editions are superseded, their headline tables will be archived here so that any older citation can be checked against the edition it was drawn from.