Pass Cyber Essentials Plus First Time
Under Danzell, there are no second chances. A failed scan triggers double sampling, and most organisations aren't ready.
Our CE+ Pre-Assessment and Cyber 365 services ensure your estate is assessment-ready before the real test begins.
What Changed Under Danzell v3.3
The IASME Danzell update raises the bar significantly for CE+ assessments. These changes take effect 27 April 2026.
Double Sampling
If the first scan finds failures, a second random sample is triggered. Both must pass within one 30-day window. There is no third sample.
14-Day Auto-Fail
Any CVSS 7.0+ vulnerability unpatched beyond 14 days is an automatic failure. No assessor discretion. No exceptions.
Zero Non-Compliances
The standard expects zero non-compliances. The bar is higher than ever. Every device, every application, every patch matters.
The Scanner Problem
Most “scanners” used by IT providers are NOT sufficient for CE+. The NCSC CE+ Test Specification requires scanners that meet the PCI ASV Program Guide benchmark.
Not Sufficient for CE+
- Microsoft Defender / Windows Security vulnerability features
- Sophos built-in scanner
- RMM scanners (ConnectWise, Datto, NinjaOne basic scanning)
- Any antivirus product's built-in "vulnerability scan"
- Tools that don't produce CVE-level output with CVSS scores
These tools check for a limited set of issues and don't produce CVE-level output with CVSS scores, which the standard requires.
Scanners That Do NOT Meet the Standard
- Microsoft Defender / Windows Security vulnerability features
- Sophos built-in scanner
- RMM scanners (ConnectWise, Datto, NinjaOne basic scanning)
- Any antivirus product's built-in "vulnerability scan"
You need a Cyber Essentials authorised vulnerability scanner approved by NCSC.
The standard requires:
- • Credentialed vulnerability scans with CVE numbers
- • CVSS v3 scores for every finding
- • Every application on every device checked, not just the OS
If your IT provider tells you their built-in scanner covers Cyber Essentials, ask them to show you CVE-level output with CVSS scores.If they can't, you need a different scanner.
Two Paths to a First-Time Pass
Whether you want a one-off check or year-round protection, we have you covered.
CE+ Pre-Assessment
We scan your in-scope estate with the same tools and methodology used in the real assessment. No surprises on the day.
- Full credentialed vulnerability scan of in-scope devices
- Detailed remediation report: every CVE, CVSS score, 14-day status
- Remediation guidance (or we help via CE Concierge)
- When the real assessment comes, no surprises
Fixed per-tier pricing from £450 (Micro) to POA (Large). See the full pricing table on the pre-assessment page.
Cyber 365
Continuous vulnerability scanning and automated patching. When CE+ assessment comes, it's a formality.
- Fortnightly vulnerability scanning with enterprise-grade tools
- Automated OS and third-party patching
- Real-time dashboard showing patching status across estate
- Assessment evidence generated automatically every scan cycle
Pre-Assessment vs Cyber 365
| Pre-Assessment | Cyber 365 | |
|---|---|---|
| Type | One-off | Ongoing |
| Scanning | Point-in-time | Continuous (fortnightly) |
| Patching | You handle | Automated |
| Between assessments | No coverage | Year-round monitoring |
| Assessment evidence | Snapshot report | Auto-generated dashboard |
| Best for | Budget-conscious, want to check readiness | Year-round compliance |
| Investment | One-off fee | From £8/device/month |
Ready to Prepare?
Don't leave your CE+ assessment to chance. Get in touch to discuss which preparation path is right for your organisation.
Or email us at [email protected]