Why We Are Building cirmp AI

9T5 is building cirmp AI: an AU-hosted compliance engine that drafts the section 30AC CIRMP pack across all four hazard domains.
Every year a Group CISO inside an Australian critical infrastructure entity signs the same attestation. Every year the evidence behind it is built by hand. Spreadsheets, SharePoint folders, vendor exports, a consultancy on retainer. The same scramble, cycle after cycle, to produce a four-hazard pack the board attests to and the regulator can review. The regime is sound. The execution is broken. That is the problem we kept seeing. That is the problem we decided to fix.
This lands at 9T5 because we have spent years on security-heavy work in regulated environments. We delivered a CISA-aligned and OWASP-aligned audit for Infomo across Australia, Singapore and India, with a board-level risk register and remediation roadmap as the output. We have been building the Germonizer secure cloud platform in Singapore since early 2025, with encrypted workflows, tokenised access and audit trails for a defence-adjacent life sciences deployment. From inside those engagements we saw the same pattern that hits every responsible entity under SOCI. The evidence exists. Pulling it together is the part that costs six figures and a quarter of the CISO's year. It sits inside the broader Australian cyber landscape we have written about before.
cirmp AI is what we built in response. It is an AU-hosted, AU-owned compliance engine that drafts the s.30AC CIRMP pack across all four hazard domains: cyber and information security, personnel, supply chain, physical and natural. It sits above the OT and IT tooling a regulated entity already runs (Sentinel, CrowdStrike, Dragos, Claroty, ServiceNow, Workday) and reads the artefacts those tools already export. It does not detect. It does not replace a SIEM or a GRC platform. It encodes the CIRMP Rules 2023, the four CISC principles and the s.30AG attestation structure as native logic, and assembles the evidence pack against them.
Every year you sign the attestation. Every year the evidence is built by hand. cirmp AI writes the same pack every quarter. Every claim is cited back to the source. Drafted by cirmp AI, reviewed by your CISO, signed by the board. Out comes a single signed PDF, a hash-chained reasoning trail and an audit-defensible export the regulator can verify offline.
It is built for one buyer. The Group CISO named under section 30AC of the SOCI Act 2018 inside a Tier 1 or Tier 2 responsible entity. They carry the program personally. They sign the page CISC reads. If you want the regulatory primer in plain language, the regime explained from a learner's seat is the read.
What is live today is real. Two scenarios run end to end at cirmpai.au: a Defence-aligned responsible entity and a Tier 2 data centre operator. Walk the dashboard, the four hazard pages, the all-risks register, the controls and evidence map, the incidents clock and the audit log. Export the branded ten-section CIRMP PDF. Verify the hash chain. The whole flow takes about fifteen minutes. If you want to see it, the demo is invite-only. Email us and we will send the username and password. If you want to walk it together, book a 20-minute walkthrough.
Consultancy retainers for the annual CIRMP cycle sit comfortably in the six-figure range for a Tier 2 or Tier 3 responsible entity. That is the layer cirmp AI takes off the table. Strategic advisory keeps its seat. Detection keeps its seat. The evidence-assembly hours, where the spend concentrates and the CISO loses time they do not have, are what cirmp AI owns.
We built it ourselves because that is what 9T5 does. We saw the same scramble cycle after cycle from inside engagements. We have shipped secure platforms in regulated environments. We had the regulatory reading in-house. So we turned it into a product instead of writing another report about the problem. cirmp AI is live. Australian-built, Australian-hosted, regulator-aligned. The build patterns behind it are documented in how to ship AI into high-trust environments. If you carry a CIRMP, we would rather you saw it than read about it.
