— What we offer
Three pillars: designed, assured, demonstrated. Three tiers of proof. Multi-cloud coverage. Fix work scoped to what we find. Prices from £50 per month.
— Three pillars
Three things we'll do for you. We help you set your security up properly. We keep an eye on it. And when you need to prove it's working, we give you reports your insurer, your auditor or a customer can actually use. And for some, you might just want to know that you are doing your best to protect the business that you love.
We start with how things are set up: your cloud, your accounts, your devices. Get those right and most security problems never happen. We check whichever clouds you use against the Foundry Cyber Benchmark, our own list of practical controls.
We check your setup regularly, not once a year. When something slips, Forge (our AI assistant) writes a plain-English explanation: what changed, why it matters for your business, what your options are. You always know where you stand.
Audit-ready evidence, on demand.
When you need to prove your security is working, we produce the reports your audience actually asks for. Cyber Essentials and NIST CSF on Silver. ISO 27001, NIST SP 800-53 and NCSC CAF on Gold. Use them with your insurer, your auditor, or when a customer sends over a security questionnaire.
— What each tier delivers
Bronze answers operations. Silver answers Cyber Essentials, insurers and customer asks. Gold answers ISO auditors and enterprise customer security questionnaires. Pick the depth of proof your audience expects. The rest of the work runs the same underneath.
FCB only, evaluated by us.
“Foundations”: the standards an SME actually asks about.
Bronze, plus:
“Audit-grade”: heavyweight cross-walks for regulated / B2B customers.
Silver, plus:
— Service tiers
Prices start from £50 per month.
Each tier renders evidence at the depth its audience expects: operations, insurer, auditor, enterprise customer security team. Fix work is scoped separately, based on what we find inside your cloud setup.
Continuous benchmark. FCB-only reports.
For teams who want the security baseline running properly without needing external standards rendered. Same continuous benchmark we run for everyone, reported against the Foundry Cyber Benchmark itself.
Answers operations.
Foundations: the standards an SME actually asks about.
For growing businesses fielding Cyber Essentials questions, customer asks, or first-tier compliance requirements. Same scan as Bronze, plus reports rendered against the standards your customers and insurers actually ask for.
Answers Cyber Essentials, insurers, customer asks.
Audit-grade: regulated industries and B2B customers.
For regulated sectors, public-sector suppliers, and businesses fielding enterprise security questionnaires. Heavyweight cross-walks, named engineer, monthly briefings.
Answers ISO auditors and enterprise security questionnaires.
— At a glance
| Bronze | Silver | Gold | |
|---|---|---|---|
| Scope | Single cloud (M365, Workspace, AWS or GCP) | Multi-cloud | Full cloud estate |
| Standards covered | Foundry Cyber benchmark | + Cyber Essentials, NCSC CSP, NIST CSF | + Cyber Essentials Plus, ISO 27001 family, NCSC CAF, NIST 800-53 |
| Assessment cadence | Monthly | Weekly | Weekly + on-demand |
| Drift detected within | A week | A day | Hours |
| Executive report | Quarterly | Monthly | Monthly + on-demand |
| Business review | Annual | Quarterly | Monthly briefing |
| Remediation queue | Standard | Priority | Dedicated engineer |
| Evidence retention | 12 months | 36 months | 60 months |
Not sure which tier fits?
Contact us— Coverage matrix
Every standard above maps to one of three states: live evidence from a scanner, a cross-walk mapping from FC Benchmark data, or a known gap we're explicit about. We tell you exactly which is which, up front.
| Standard | Tier | Status | Notes |
|---|---|---|---|
| FC Benchmark | Bronze | Live | Native: this is the evidence. |
| Cyber Essentials | Silver | Live | All five CE controls covered: boundary firewalls, secure config, user access, malware, patching. |
| NCSC Cloud Security Principles | Silver | Live | 14 principles, almost entirely Azure / M365 / identity surface. |
| NIST CSF | Silver | Mapped | No new collection: reports rendered from FCB control evidence. |
| Cyber Essentials Plus | Gold | Evidence pack only | Same controls as CE. We render the assessor's evidence pack. IASME body issues the mark. |
| ISO/IEC 27001 Annex A (technical) | Gold | Live | Technical subset (~30–40 of 93 controls). Org/process controls out of scope. |
| ISO/IEC 27002 | Gold | Live | Implementation guidance: same evidence, different render. |
| ISO/IEC 27017 | Gold | Live | Cloud extension of 27002. Same scan data, additional mapping. |
| ISO/IEC 27018 | Gold | Mapped | Cloud-PII privacy controls. Encryption / DLP partial today; full coverage needs Purview hookup. |
| NCSC Cyber Assessment Framework | Gold | Mapped | 4 objectives mapped. Operational-resilience (Objective B) gap: beyond what scanners can see. |
| NIST SP 800-53 | Gold | Mapped | ~10–15% of 1000+ controls have direct cloud / endpoint evidence; rest are organisational. |
— Remediation
Remediation is offered as a separate engagement, not bundled into your tier. When you commission it, our engineers go in and fix what failed benchmark, with Forge (our AI assistant) doing the heavy lifting on analysis and proposed changes. The work is scoped per engagement, based on what your scan actually finds and how big your setup is. A 12-person firm with three drift findings is priced very differently to a 200-person firm with twenty. You don't pay a Gold-tier price for a Bronze-sized fix, and we don't underprice for a customer who needs more.
No DIY "fix this" buttons in the portal. Findings flip to resolved when our engineers, with Forge's help, close them. You see what was wrong, what we did, and why it mattered.
Remediation cost reflects findings, complexity, and tenant size, not your tier. Quoted up front for each engagement, either project-based or as a monthly retainer.
The standard of remediation doesn’t change with your tier. Every customer gets the same engineers, the same care, and the same quality of close-out. No "good enough for the smaller account" work.
A note on cloud coverage: fix work today is delivered on Microsoft 365, Azure and Google Workspace. AWS and GCP are assess-only for now. Remediation in those clouds is on the way.
Onboarding new customers now
Tell us a bit about your business and what you're worried about. We'll come back with a plain-English view of where you stand and what we'd suggest doing first. Real people, real answers.
