November 2025
This article is the fifth in Matrium Technologies’ Essential Eight Blog Series, where we unpack each of the Australian Cyber Security Centre’s (ACSC) eight key mitigation strategies. Our aim is to help business leaders understand what each control means, why it matters, and how to implement it in practical, achievable steps.
In this instalment, we explore Application Control - a powerful way to prevent malicious or unauthorised software from ever running in your environment.
Application Control (sometimes called “allowlisting”) is about managing what software can run on your systems - not just trusting that every program is safe.
Instead of trying to detect bad software after it runs, Application Control flips the approach: it only allows approved applications to execute. Anything else - unknown, unnecessary, or malicious - is automatically blocked.
For business leaders, this means ensuring your organisation’s systems only run trusted, verified tools that serve a legitimate purpose. It’s a proactive defence that stops attacks before they start.
Stops ransomware and malware execution – Even if an attacker gets a foothold, their malicious code won’t run if it’s not on the approved list.
Reduces human error – Staff can’t accidentally install risky or unauthorised software.
Improves compliance and control – You know exactly what’s running across your network, reducing audit and governance risk.
Prevents “shadow IT” – Blocks the use of unapproved tools that bypass security or introduce vulnerabilities.
In essence, Application Control prevents the unknown from becoming the uncontrollable.
While it sounds complex, implementing Application Control can be approached in stages:
Create an inventory of applications – Know every program running in your environment.
Develop an allowlist – Identify which applications are essential and trusted for business operations.
Block unapproved software – Use built-in tools such as Microsoft AppLocker or Windows Defender Application Control (WDAC).
Start small, then expand – Begin with specific departments or servers before applying controls organisation-wide.
Monitor and adjust – Continuously review logs to ensure legitimate applications aren’t unintentionally blocked.
Educate users – Communicate why certain applications are restricted to build understanding and reduce frustration.
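The staged steps above, sketched for one pilot Windows host using the built-in AppLocker cmdlets. This is an added example, not Matrium's or the ACSC's own tooling; the scan paths, rule name prefix and output file name are assumptions chosen for illustration.

```powershell
# Added example: AppLocker audit-only pilot on a single host (run in an elevated session).
# Assumed values: $scanPaths, the 'Pilot' rule prefix and the export file name.

# Step 1 - Inventory: collect publisher, hash and path details for installed software.
$scanPaths = 'C:\Program Files', 'C:\Program Files (x86)'
$inventory = foreach ($path in $scanPaths) {
    Get-AppLockerFileInformation -Directory $path -Recurse -FileType Exe, Script `
        -ErrorAction SilentlyContinue
}

# Step 2 - Allowlist: build rules from the inventory. Publisher rules survive
# vendor updates; hash rules are the fallback for unsigned files.
$policy = $inventory |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Pilot' -Optimize

# Steps 3 and 4 - Start small: set every rule collection to audit-only so that
# nothing is blocked yet, then merge the rules into this host's local policy.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
Set-AppLockerPolicy -PolicyObject $policy -Merge

# AppLocker only evaluates rules while the Application Identity service is running.
Start-Service -Name AppIDSvc

# Keep a copy of the resulting local policy for change review.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath '.\applocker-pilot-policy.xml'

# Step 5 - Monitor and adjust: after the pilot has run for a while, list the files
# that enforcement WOULD have blocked (audit event 8003 in the
# 'Microsoft-Windows-AppLocker/EXE and DLL' log), most frequent first.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
    Sort-Object -Property Counter -Descending |
    Format-List

# Anything legitimate in that list needs a rule before the collections are
# switched from 'AuditOnly' to 'Enabled'. Software outside $scanPaths, including
# Windows itself, will appear here until rules are added to cover it.
```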
The Essential Eight Maturity Model defines clear stages for Application Control maturity:
Maturity Level 1 (Basic Protection): Application control is implemented on servers and critical systems to prevent the execution of known malicious software.
Maturity Level 2 (Improved Protection): Application allowlisting is enforced for both servers and workstations, allowing only trusted executables, scripts, and installers to run.
Maturity Level 3 (Strongest Protection): Application control is dynamically managed using centrally administered tools. All unapproved or unsigned software is blocked by default, and trusted publisher policies are applied across the environment.
This progression takes organisations from basic blocking to a mature, automated allowlist framework - reducing exposure to one of the most common attack vectors.
Modern attacks often rely on tricking users into running malicious software. Application Control removes that opportunity. By allowing only verified, approved programs to execute, businesses can shut down entire classes of threats before they begin.
It’s a proactive, high-value control that doesn’t just protect systems - it enforces operational discipline and visibility across your technology environment.
This is the fifth article in Matrium’s Essential Eight Blog Series. Next, we’ll examine Restricting Microsoft Office Macros - a simple but vital safeguard against email-borne malware and phishing attacks.
Matrium Technologies helps organisations implement and maintain Essential Eight controls, including Application Control, to strengthen cybersecurity posture and achieve compliance with ACSC standards.