Australia Cybersecurity Market Size, Share and Forecast Trends - Growth Analysis and Outlook Report (2026-2035)

How is the Australia cybersecurity market structured, and where is it heading?

Quick Answer

The Australia cybersecurity market covers security products, software, managed services, consulting, and technology solutions that protect digital infrastructure for individuals, businesses, critical infrastructure, and government. Sector revenue reached AUD 6.13 billion in 2024 at 9.66 per cent year-on-year growth (Australian Cyber Network's State of the Industry 2024), supporting 137,000 jobs and contributing AUD 9.99 billion in gross value added. Growth is driven by an intensifying threat environment, a landmark legislative reform wave, and a structural workforce shortage channelling spend toward managed services. Total government cyber investment reaches ~AUD 10.49 billion, comprising Project REDSPICE (AUD 9.9 billion) and the 2023-2030 Cyber Security Strategy (AUD 586.9 million). The cybersecurity market is projected to reach AUD 17.38 billion by 2035 at a 10.0 per cent CAGR.

Market Overview

The Australia cybersecurity market sits at the intersection of escalating threats, an aggressive regulatory response, and a workforce shortage the supply side can't close quickly. ASD's Annual Cyber Threat Report 2024-2025, released October 2025, counted 84,700 cybercrime reports to the ACSC in FY 2024-2025: one every six minutes. ASD responded formally to over 1,200 incidents, up 11 per cent year-on-year. Average business cybercrime costs hit AUD 80,850, a 50 per cent rise. Large businesses saw reported losses jump 219 per cent. For critical infrastructure operators, denial-of-service attacks surged 280 per cent, making up nearly a third of all CI incidents.

The regulatory landscape changed more in twelve months than it had in the previous decade. The Cyber Security Act 2024, passed 29 November 2024 with ransomware reporting obligations live from 30 May 2025, is Australia's first standalone whole-of-economy cyber law. It runs alongside the SOCI Act (from April 2024, covering 11 sectors with compulsory cyber-risk management) and the Privacy and Other Legislation Amendment Act 2024, which introduced civil penalties for serious invasions of privacy up to AUD 50 million (effective 10 June 2025). A meaningful portion of the Australia cybersecurity market is now legally mandated, not discretionary.

The workforce shortage is severe enough that organisations can't simply hire their way out. ACS Digital Pulse 2025 estimates 54,000 more cybersecurity professionals will be needed by 2030, with demand growing 14 per cent annually while supply grows at 6 per cent. ABS counts 70,900 ICT Security Specialists currently employed, growing 6.6 per cent above the national average, but that rate won't close a 54,000-person gap. Senior architect salaries in Sydney hit AUD 180,000 in 2025, up 22 per cent from 2023. When you can't hire the people, you buy the services: that's the structural driver behind the cybersecurity market's managed services tailwind.

Key Market Trends and Insights

• Threat costs are escalating sharply: Average business cybercrime reports cost AUD 80,850 (+50 per cent). Small businesses averaged AUD 56,600 (+14 per cent); large businesses saw a 219 per cent jump. The Australian Government estimated average ransomware costs at AUD 9.27 million per incident in 2023.
• Security spending is shifting from discretionary to legally required: The Cyber Security Act 2024 mandatory ransomware reporting, SOCI Act compulsory cyber-risk programmes across 11 sectors, APRA CPS 230 (1 July 2025), and the Privacy Act amendments have, together, created the most comprehensive cyber compliance stack the cybersecurity market has ever faced.
• The workforce gap is reshaping how security gets delivered: ACS Digital Pulse 2025 puts the 2030 gap at 54,000 professionals. The Cyber Security Skills Partnership is targeting 5,000 new practitioners by 2027. When you can't hire, you buy managed services.
• State-sponsored threats are escalating: ASD's 2024-2025 report explicitly identifies APT40 (China) as exploiting public-facing vulnerabilities and APT28 (Russia) as targeting logistics and technology firms. ASD notified entities more than 1,700 times of potentially malicious activity in FY 2024-2025, an 83 per cent increase. Healthcare ransomware doubled, with attackers succeeding in 95 per cent of health sector incidents.
• AI and post-quantum are reshaping the threat timeline: AI is enabling threat actors to scale phishing, impersonation, and data analysis at volumes not previously achievable. Deepfakes, AI spearphishing, and fraudulent identity documentation are current threats. ASD is actively recommending organisations begin migrating to quantum-safe cryptography before 2030.

Australia Cybersecurity Market Size and Forecast

Key Takeaways: Australia Cybersecurity Market

The State of the Industry 2024 Report Provides the First Credible National Benchmark

The Australian Cyber Network's State of the Industry 2024 report, released in April 2025, is a genuinely significant document: not because the findings are surprising, but because this is the first time anyone has properly measured the sector at a national level. Drawing on 30-plus datasets, it put cyber sector revenue at AUD 6.13 billion in 2024, gross value added at AUD 9.99 billion, jobs supported at 137,000, and start-up investment at AUD 348 million (triple the prior year). The sector has 302 cyber companies, 97 per cent Australian-owned. Before this report, figures were being estimated from proxies. Now there's a baseline.

The 2024 Legislative Package Is the Most Consequential Regulatory Event in the Market's History

The Cyber Security Legislative Package passed in November 2024 marked a genuine inflection point. Three bills passed in the final sitting week: the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the SOCI Enhanced Response and Prevention Act 2024. Collectively, they ended the era when Australia's approach to national cyber resilience was predominantly voluntary. A financial services firm with CI assets and customer health data could now be simultaneously subject to APRA CPS 230, CPS 234, the SOCI Act, the Cyber Security Act, and the Privacy Act. Advisors and vendors serving those firms have a full decade of work ahead.

Healthcare and Critical Infrastructure Face an Escalating Threat

Healthcare has become the sector that ASD's threat reports use as a warning sign. Ransomware incidents against healthcare doubled year-on-year. Malicious actors succeeded in 95 per cent of all health and social assistance incidents ASD formally responded to (compared to 52 per cent across all sectors). The MediSecure incident of July 2024, where ~6.5 TB of data was exfiltrated from an e-prescription service database, made the stakes concrete. Across critical infrastructure more broadly, 13 per cent of all ASD-responded incidents in FY 2024-2025 involved CI assets, and denial-of-service attacks against CI surged 280 per cent.

Key Insight

Australian businesses paid an estimated AUD 9.27 million on average per ransomware attack in 2023, cited by the Cyber Security Minister in the Explanatory Memorandum for the Cyber Security Bill 2024. With 138 ransomware incidents responded to by ASD in FY 2024-2025 alone, and the Australian Institute of Criminology finding only 20 per cent of ransomware victims report attacks, the true economic damage of cybercrime in the Australia cybersecurity market is substantially higher than self-reported figures suggest. The mandatory ransomware reporting regime (30 May 2025) is expected to dramatically increase data visibility over the forecast period.

Key Trends and Recent Developments in the Australia Cybersecurity Market

Four things defined the cybersecurity market in FY 2024-2025: the legislative package was the most consequential regulatory event the market has seen; the threat report was the worst on record by financial cost; the sector's first real benchmark gave industry numbers to plan against; and breach incidents (particularly MediSecure) made cyber risk viscerally real for boards in a way advisory reports often don't.

ASD Annual Cyber Threat Report 2024-2025 Published, October 2025

The ASD's Annual Cyber Threat Report 2024-2025, released 14 October 2025, documented the most financially damaging year of cybercrime on record for Australian businesses. Volume figures held roughly steady at 84,700 cybercrime reports, but formal incident response activity grew. ASD responded to 1,200-plus incidents (+11 per cent). Proactive notifications exceeded 1,700 (+83 per cent). The Cyber Security Partnership Program reached 133,000 partners. Attacks aren't getting more frequent: they're getting more targeted and more expensive. ASD is now actively recommending organisations begin post-quantum cryptography migration as a multi-year programme starting immediately, ahead of the 2030 window.

Cyber Security Legislative Package 2024 Enacted, November 2024

Three bills passed the final sitting week of November 2024: deliberately, because the policy intent was whole-of-economy. The Cyber Security Act 2024 is the cybersecurity market's first standalone cyber security law. It commenced 29 November 2024, with ransomware reporting obligations from 30 May 2025. Reporting entities (businesses with annual turnover above AUD 3 million, plus all CI operators) must report ransomware payments to the Department of Home Affairs within 72 hours. The Act also creates mandatory standards for smart devices (from 29 November 2025), a Cyber Incident Review Board, and a Limited Use obligation protecting reporting entities from having disclosed information used against them. Non-compliance carries civil penalties up to AUD 19,800 per offence.

Australia Cybersecurity Market Segmentation

Market Breakup by Service Type

• Managed Security Services (MSSP / MDR): The fastest-growing cybersecurity market segment, driven by the workforce shortage. Organisations unable to hire in-house SOC capability buy it as a service. MDR is particularly popular among mid-market and regulated firms needing 24x7 coverage.
• Endpoint and Identity Security: EDR, IAM, and MFA. Identity fraud is the top reported cybercrime category for individuals at 30 per cent of all ASD-reported cybercrime in FY 2024-2025. Business email compromise generated ~AUD 84 million in self-reported losses in FY 2023-2024.
• Cloud Security: Multi-cloud penetration among firms with 500+ employees reached 68 per cent in 2025. APRA guidance and Privacy Act amendments require regulated entities to monitor cloud configurations continuously and maintain encryption key control within Australian data centres.
• Consulting, Advisory, and Compliance Services: The Essential Eight maturity requirements, combined with the expanding regulatory stack (Cyber Security Act, SOCI Act, Privacy Act, APRA CPS 230), have created a compliance advisory market that didn't exist at this scale three years ago.

Market Breakup by End-User Sector

• Government (Federal and State): The single largest end-user by budget. Project REDSPICE alone represents AUD 9.9 billion in ASD capability investment. Federal agencies will need 10,000 additional cybersecurity specialists by 2028.
• Financial Services and Banking: Probably the most heavily regulated sector globally for cyber. Simultaneously subject to APRA CPS 234, CPS 230, SOCI Act, Cyber Security Act, and Privacy Act. Identified by ASD as one of the top three sectors for CI incidents.
• Healthcare and Life Sciences: The worst threat environment of any sector in FY 2024-2025. Ransomware doubled; 95 per cent attacker success rate. MediSecure breach demonstrated the cascading harm. Highest-urgency investment sector.
• Critical Infrastructure (Energy, Water, Transport, Telecommunications): The SOCI Act's compulsory cyber-risk programmes cover 11 sectors. OT/IT convergence creates complex challenges: 62 per cent of factories reportedly hadn't patched controller firmware during 2024.
• Small and Medium Enterprises: 98 per cent of Australian businesses and the most underserved segment. Average SME spends less than AUD 10,000 annually despite average cybercrime losses of AUD 56,600 per incident.

Competitive Landscape and Key Players in the Australia Cybersecurity Market

The Australia cybersecurity market has an interesting structural split: global technology vendors dominate enterprise software and hardware categories by revenue share, while 97 per cent of Australia's 302 cyber companies are Australian-owned. AUD 2.4 billion of total Australian cyber spending goes to companies with no core team here, and a further AUD 2.9 billion to local subsidiaries of foreign vendors. The domestic industry is real, but it's competing in a market where underlying platforms mostly originate elsewhere.

Palo Alto Networks

Consistently among the top-revenue cybersecurity vendors in the Australia cybersecurity market, supplying Cortex XDR, cloud security posture management tools, and next-generation firewalls across enterprise and government. Its Unit 42 threat intelligence team has been actively analysing APT40 and APT28 activity.

CrowdStrike

A leading cloud-native EDR provider, with significant federal and state government contract coverage. Its Falcon platform is widely deployed across CI operators and financial institutions. The threat intelligence capability, tracking state-sponsored groups, adds differentiation beyond pure technology.

Microsoft

Security posture runs through the Microsoft Security suite: Defender, Sentinel SIEM, and Azure security services. Both a major cybersecurity vendor and a significant recipient of government cloud security work. Holds substantial market share across federal agencies through Azure for Government.

AUCloud

An Australian-owned sovereign cloud and cybersecurity provider with certification to host government data at PROTECTED classification: a genuinely differentiated credential. Expanded meaningfully in 2024, acquiring PCG Cyber for AUD 15 million plus two other IT service providers, building toward a vertically integrated sovereign offering.

Macquarie Government (Macquarie Data Centres)

Australia's largest certified government data centre and managed security services provider, with 42 per cent of federal agencies as clients and 200+ NV1 security-cleared engineers. The cleared workforce is hard to replicate quickly: that structural advantage is likely to matter more, not less, as data sovereignty requirements tighten.

Big Four Consulting (Deloitte, PwC, KPMG, EY, Accenture)

Collectively hold significant share of the Australia cybersecurity market's advisory, governance, risk, and compliance segment. The Essential Eight mandate, SOCI Act compliance, and APRA CPS 230 are all driving consulting revenue. Multi-regulation advisory is one of the most active service lines in Australian professional services right now.

Other significant participants include Splunk (SIEM), Fortinet (network security), Tenable (vulnerability management), Sophos (SME managed security), Rapid7, Okta (identity), and Vectra AI. On the domestic side: Tesserent (acquired by Thales in 2023), Sekuro, CyberCX, and Triskele Labs. CyberCX in particular has grown through acquisition into one of the larger domestic advisory and managed services businesses.