On 24 June 2026, the Director-General of Security, Mike Burgess, delivered his seventh Annual Threat Assessment from ASIO headquarters in Canberra.¹ The picture he set out is of a security environment among the most complex and volatile Australia has faced in recent years, in which terrorism, espionage, foreign interference, cyber sabotage and politically motivated violence increasingly overlap rather than sit in separate boxes. For Australian organisations, the practical message is that the threat picture that shaped a security plan two or three years ago is no longer the one they operate in.
This article summarises what the 2026 Annual Threat Assessment said, what it means for business, and what a proportionate response looks like. It is written for risk, facility and security managers, and for boards, who need to translate a national assessment into decisions about their own people, sites and operations.
Key Takeaways
- The Director-General of Security, Mike Burgess, delivered ASIO’s 2026 Annual Threat Assessment on 24 June 2026. He characterised the security environment as among the most complex and volatile in recent years, with threats increasingly converging rather than sitting in separate categories.
- Threats are converging. ASIO’s counter-terrorism and counter-espionage work increasingly cue one another, and a single incident can be criminal, terrorist and foreign-interference-related at once.
- Terrorism has changed. The dominant risk is now the self-radicalised lone actor, often young and previously unknown, moving to violence with little warning. The National Terrorism Threat Level remains at PROBABLE.
- ASIO confirmed that a nation-state actor had compromised an Australian critical infrastructure provider and was positioning for possible sabotage, and that foreign services are actively cultivating insiders, including clearance holders, to reach defence and AUKUS material.
- The response is a whole-of-community one. Businesses, critical infrastructure operators and the wider community are expected to help identify suspicious activity and build resilience. For most organisations that starts with a current, all-hazards security risk assessment.
What did the 2026 Annual Threat Assessment say?
The through-line of the assessment was convergence. Burgess argued that the traditional demarcation between countering terrorism and countering foreign intelligence threats has become less useful, because the same incident can belong to several categories at once. A firebombing of a place of worship, in his framing, can simultaneously be arson, foreign interference, the promotion of communal violence and politically motivated violence.¹ ² The consequence for a security service, and for anyone managing risk, is that threats can no longer be treated as a queue to be worked one at a time.
He also described a permissive environment for violence, in which cross-ideological extremism, social fragility and an information environment built for outrage combine to normalise politically motivated violence.² The National Terrorism Threat Level remains at PROBABLE, and Burgess was explicit that this should not be read as a sign that risk is easing.³ ASPI’s commentary noted that he went further, questioning whether the current threat-level scale still captures the environment accurately, given that the next level up applies only when a specific attack is known.²
How has the terrorism threat changed?
The assessment was delivered roughly six months after the December 2025 Bondi attack, in which 15 people were killed at a Hanukkah gathering, an event now the subject of a Royal Commission that constrains what can be said about it.⁴ Burgess used that context to describe how terrorism in Australia has shifted away from the era dominated by organised groups such as Islamic State and al-Qaeda.³
The contemporary pattern is the self-radicalised individual. Recent investigations increasingly involve young people, lone actors and individuals not previously known to authorities, who adopt blended or personalised ideologies and can move from grievance to violence with little or no warning.³ Antisemitism, Burgess noted, now runs as a common thread across otherwise opposed extremist ideologies. For organisations that manage public-facing sites, places of worship, crowded places or events, the implication is a shift in emphasis from planning against a known, organised threat towards readiness for a low-warning attack by a single person using an easily obtained weapon.
That is squarely the domain of protective and physical security planning: access control, hostile-vehicle and weapon-attack mitigation, crowd and event management, staff awareness, and tested response procedures, scaled to the actual risk of the site rather than to headlines.
Espionage, foreign interference and the insider threat
Beyond terrorism, the assessment described sustained activity by multiple foreign intelligence services. Australia’s defence capabilities and the AUKUS partnership remain priority targets, including for countries Australia regards as friendly.¹ Burgess gave the example of a foreign officer who approached an Australian security clearance holder online while posing as a consultant, paid for seemingly benign reports, and then sought inside information once the target appeared compromised.¹
He also described foreign governments intimidating critics and diaspora communities in Australia, including sustained campaigns to coerce individuals to return overseas, and raised the real prospect of an Australian being killed by a foreign government on Australian soil.¹ ² A significant feature of the 2026 assessment was its focus on Iran, with individuals linked to Iran’s intelligence apparatus and the Islamic Revolutionary Guard Corps allegedly connected to antisemitic attacks and politically motivated violence, and a warning that such activity could escalate beyond intimidation and property damage.³
For business, the operational point is the insider. Cultivation of employees, contractors and clearance holders, whether for espionage or foreign interference, is a personnel security and governance problem before it is a technical one. It is managed through vetting proportionate to role, clear reporting paths, awareness training, and access that is matched to genuine need and reviewed as roles change.
The warning to critical infrastructure
The most concrete disclosure in the assessment concerned critical infrastructure. ASIO found that nation-state hackers had compromised the network of an Australian critical infrastructure provider and were preparing for sabotage. Burgess was careful to distinguish this from opportunistic crime: the actors were not planting destructive code so much as mapping the network and maintaining access so they could disrupt it at a time of their choosing.¹ ⁵ In that case the attackers had acquired the credentials of active users, including members of the IT team defending the network.¹
He identified energy and communications, and infrastructure supporting the military, as top targets, and said the scale of the activity, led by one state in particular, was difficult to overstate.¹ For operators, the practical lesson is that resilience now has to assume a capable adversary may already be inside, which shifts the emphasis towards detecting long-term intrusions, limiting lateral movement, and being able to keep or restore essential services under disruption.⁵
This is the same problem the Enhanced CIRMP Rules now oblige designated operators to address, through network segregation, a defined operational-resilience threshold, personnel vetting and supplier risk management. The threat assessment and the regulation point in the same direction. Organisations working through their obligations under the Security of Critical Infrastructure Act can treat the assessment as the operational rationale behind the compliance requirement.
What should Australian organisations do now?
Burgess was clear that national security is not solely the responsibility of intelligence and law enforcement. Businesses, government organisations, critical infrastructure operators and the wider community all have a role in identifying suspicious activity and building resilience, and by addressing known vulnerabilities and managing known risks, the country becomes a harder target.¹ ³ That is a call for proportionate action, not alarm.
A measured response for most organisations looks like this:
- Revisit the security risk assessment. If it predates the current threat picture, it is the first thing to update, on an all-hazards basis that considers terrorism, foreign interference, insider and supply chain risk together rather than separately.
- Review protective and physical security at public-facing and high-consequence sites, with attention to low-warning, lone-actor scenarios and to places of worship, crowded places and events where relevant.
- Strengthen personnel security and insider-threat management, including role-based vetting, reporting paths and access reviews.
- Assess supply chain and foreign-interference exposure, including ownership, offshore access and dependency on single suppliers.
- Test business continuity and recovery, on the assumption that a critical service may be disrupted, so the organisation can keep operating and recover quickly.
- Make reporting routine. Staff should know to call the police in an emergency, and to report suspicious activity to the National Security Hotline on 1800 123 400.⁶
A useful question for a board is simply whether the organisation’s current security posture was designed for the threat environment it actually operates in today, and if not, what the plan is to close the gap.
How Agilient Can Assist
Agilient is an independent security, risk and resilience consultancy. Its work is translating exactly this kind of national picture into a proportionate, risk-based posture for a specific organisation, without overreacting and without leaving obvious gaps.
For organisations responding to the 2026 Annual Threat Assessment, Agilient provides the independent security risk assessment that should anchor any response, and designs the protective and physical security measures that follow from it, including for crowded places, events and places of worship. The same team advises on personnel security and insider-threat programs, on supply chain and foreign-interference risk, and, for critical infrastructure operators, on the governance and physical security elements of a Critical Infrastructure Risk Management Program. Where the priority is continuity, Agilient’s business continuity and resilience work helps organisations keep essential services running and recover after disruption.
On the technical cyber elements the assessment raised, Agilient works alongside an organisation’s cyber and IT teams within the wider security and governance framework rather than performing the technical assessment itself. The team supports government, critical infrastructure, defence, healthcare and other regulated and public-facing sectors across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Frequently asked questions
What is the ASIO Annual Threat Assessment?
The Annual Threat Assessment is a public address delivered each year by the Director-General of Security, who heads the Australian Security Intelligence Organisation (ASIO). It sets out ASIO’s assessment of the security threats facing Australia, including terrorism, espionage and foreign interference. The 2026 assessment was delivered by Mike Burgess on 24 June 2026 and was his seventh.
Who delivers it, ASIO’s Director-General or the Inspector-General?
It is delivered by the Director-General of Security, Mike Burgess, who leads ASIO. The Inspector-General of Intelligence and Security is a separate oversight body that reviews the legality and propriety of intelligence agencies, and does not deliver the threat assessment.
What were the main points of the 2026 assessment?
That the security environment is more complex and that threats are converging; that terrorism is now dominated by self-radicalised lone actors moving to violence with little warning; that foreign intelligence services are actively targeting defence and AUKUS material and cultivating insiders; that a nation-state actor had compromised an Australian critical infrastructure network and was positioning for possible sabotage; and that responding is a whole-of-community responsibility.
What does the assessment mean for businesses?
It means the threat picture that shaped many existing security plans has changed. Organisations are encouraged to revisit their security risk assessment on an all-hazards basis, review protective and physical security for low-warning scenarios, strengthen personnel and insider-threat management, assess supply chain and foreign-interference exposure, and test business continuity and recovery.
Is the National Terrorism Threat Level still PROBABLE?
Yes. The National Terrorism Threat Level remained at PROBABLE at the time of the 2026 assessment. The Director-General stressed that this should not be read as a sign that risk is diminishing, and questioned whether the current scale fully captures the environment.
How should an organisation start responding?
The practical starting point for most organisations is a current, independent security risk assessment that considers the range of threats together, followed by proportionate protective security, personnel security and business continuity measures. Suspicious activity should be reported to the National Security Hotline on 1800 123 400, and immediate threats to the police.
References
- Australian Security Intelligence Organisation, Director-General’s Annual Threat Assessment 2026 (Mike Burgess, 24 June 2026), asio.gov.au
- Australian Strategic Policy Institute, The Strategist, “Many, varied audiences for ASIO’s Annual Threat Assessment” (Chris Taylor), aspistrategist.org.au
- Australian Security Magazine, “ASIO warns of more complex security environment in 2026 threat assessment”, australiansecuritymagazine.com.au
- The Japan Times, “Australia’s spy chief warns of rising terror and cyber threats”, japantimes.co.jp
- iTWire, “ASIO warns cyber adversaries are already inside Australia’s critical infrastructure”, itwire.com
- Australian Government, National Security Hotline, nationalsecurity.gov.au
