The Full Cyber Security Journey: CE Basic to Pen Testing

Most businesses start with Cyber Essentials because someone told them they need it. A government contract requires it, a client asks for it, or an insurance renewal comes back more expensive without it. The starting point is almost always external pressure rather than internal initiative, and that is perfectly normal. How you start matters less than what you do next.
The problem is that most organisations stop after CE Basic. They get the certificate, meet the immediate requirement, and move on. Twelve months later they renew, and the cycle repeats - nothing happens in between. The certificate becomes a compliance exercise rather than a security improvement.
This article maps the full journey from the starting point through to the most thorough security assessment available. Not every organisation needs every stage, but understanding what comes next helps you make informed decisions about where your business should sit on the path.
Stage 1: Cyber Essentials Basic - £320+
What it is
CE Basic is a self-assessment against the five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. You answer a questionnaire about how your controls are configured, a qualified assessor reviews your answers, and if they're satisfied, you get a certificate valid for 12 months.
What it costs
| Organisation Size | CE Basic Price |
|---|---|
| Micro (0-9 employees) | £320 + VAT |
| Small (10-49 employees) | £440 + VAT |
| Medium (50-249 employees) | £500 + VAT |
| Large (250+ employees) | £600 + VAT |
Standard turnaround is 48 hours from submission, with fast track available in 12 hours for an additional premium.
Why it matters
CE Basic is the entry point for UK businesses, satisfying the requirement under Procurement Policy Note (PPN) 014 for government contracts. It qualifies you for the free £25,000 cyber insurance cover through IASME Consortium (IASME). It's the credential that opens doors to public sector work, NHS contracts, defence supply chain opportunities, and increasingly, private sector procurement.
For most businesses, CE Basic is where the compliance requirement sits. If a contract says "Cyber Essentials required," CE Basic meets that requirement (unless CE Plus is specifically stated).
What it doesn't cover
CE Basic is self-assessed, which means nobody tests your systems. You declare that your controls are in place, and the assessor reviews whether your answers are consistent and credible. The assessor doesn't log into your systems, run vulnerability scans, or verify that your patches are actually current.
CE Basic covers only one of the six NIST CSF 2.0 functions: Protect. It doesn't address Govern, Identify, Detect, Respond, or Recover. It's a snapshot of five controls at a single point in time, not an ongoing security programme.
Stage 2: Cyber Essentials Plus - £1,200+
What it is
CE Plus adds hands-on technical verification, with an assessor testing your controls directly on live systems. The assessment includes external vulnerability scans against your internet-facing infrastructure, internal authenticated scans on sampled devices, MFA verification on cloud services, malware protection testing with EICAR test files, and account separation checks. CE Plus proves that your controls are actually in place, not just that you say they are.
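As an added example (not part of the original article and not the assessor's own tooling), a small Python self-check that reproduces the EICAR drop used in the CE Plus malware protection test, so a sampled device can be checked before assessment day; the temp-directory location, file name and five-second wait are assumptions, not CE Plus requirements.

```python
"""CE Plus malware protection self-check (added example, not assessor tooling).
The assessor drops the EICAR test file on a sampled device and expects on-access
scanning to block or quarantine it; this probe does the same beforehand.
Directory and wait time are assumptions, not CE Plus requirements."""
import os
import tempfile
import time

# Assembled from two halves so this source file is not itself flagged by on-access scanners.
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_string() -> str:
    """Return the 68-character EICAR test string."""
    return "".join(_EICAR_PARTS)


def probe_on_access_scanning(directory: str = "", wait_seconds: float = 5.0) -> dict:
    """Write the EICAR file and report whether malware protection dealt with it.
    blocked=True: write refused, file quarantined, or content altered.
    blocked=False: the file survived untouched, a CE Plus failure on that device."""
    path = os.path.join(directory or tempfile.gettempdir(), "eicar_ce_plus_check.com")
    result = {"path": path, "written": False, "blocked": False, "detail": ""}
    try:
        with open(path, "w", encoding="ascii") as fh:
            fh.write(eicar_string())
        result["written"] = True
    except OSError as exc:  # refused at creation: the scanner intercepted the write
        result.update(blocked=True, detail=f"write refused: {exc}")
        return result
    time.sleep(wait_seconds)  # give on-access scanning time to react
    try:
        with open(path, "r", encoding="ascii") as fh:
            intact = fh.read() == eicar_string()
        result["blocked"] = not intact
        result["detail"] = "file altered" if result["blocked"] else "file still present, untouched"
    except OSError as exc:  # file gone or locked: quarantined
        result.update(blocked=True, detail=f"quarantined or blocked: {exc}")
    finally:
        try:
            os.remove(path)  # clean up if the scanner left it behind
        except OSError:
            pass
    return result


if __name__ == "__main__":
    outcome = probe_on_access_scanning()
    print(outcome["path"], "PASS (blocked)" if outcome["blocked"] else "FAIL (not blocked)", outcome["detail"])
```

Run it on each device in the CE Plus sample; a FAIL means on-access scanning is not active on that machine and the assessor's EICAR test would fail there too.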
What it costs
| Organisation Size | CE Plus Price |
|---|---|
| Micro (0-9 employees) | £1,200 + VAT |
| Small (10-49 employees) | £1,350 + VAT |
| Medium (50-249 employees) | £1,700 + VAT |
| Large (250+ employees) | £2,100 + VAT |
The CE Basic + CE Plus bundle is £1,400 + VAT for micro organisations, saving on the combined price of doing both separately.
CE Plus typically takes 3-5 days for the full process.
Why it matters
CE Plus is what clients, insurers, and regulators trust. An independent assessor verified your controls, which is fundamentally different from you declaring they're in place. When a contract specifies "CE Plus required," that's because the buyer wants verified evidence, not self-assessed claims.
Defence supply chain contracts under Defence Condition (DEFCON) 658 require CE Plus for most risk levels. NHS Supply Chain mandates CE Plus for in-scope suppliers. Major banks and financial institutions prefer CE Plus over Basic. Insurers offer better terms for CE Plus because the verification is independent.
CE Plus also serves as a useful reality check. The assessment often uncovers issues that the organisation didn't know about: patches that didn't install correctly, MFA that was enabled but not enforced, admin accounts that should have been deactivated, third-party applications with known vulnerabilities. Discovering these through your own assessment is better than discovering them through a breach.
What it doesn't cover
CE Plus is still a point-in-time assessment. It verifies your controls on the day of testing. It doesn't monitor what happens between assessments. Patching can drift, new vulnerabilities can emerge, employees can disable MFA, and new devices can enter scope without being properly configured.
CE Plus also stays within the same single NIST function (Protect) as CE Basic. The five controls are tested more thoroughly, but governance, detection, response, and recovery are still not assessed.
Stage 3: Cyber 365 - from £2.50/agent/month
What it is
Cyber 365 is Net Sec Group's continuous security programme. It takes the five CE controls and puts them into a year-round monitoring and management framework that covers all six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. Within this programme, CE becomes step one of six rather than the whole strategy.
What it costs
Cyber 365 is modular, so organisations choose the services that match their risk profile:
| Service | Price | What It Covers |
|---|---|---|
| Vulnerability Scanning | From £2.50/agent/month | Continuous scanning, CVE-level reporting, 14-day tracking |
| Managed Patching | £8/device/month | OS + third-party patches, compliance tracking |
| Endpoint Detection and Response (EDR) + Patching | £15/device/month | Endpoint protection + managed patching |
All services include compliance reporting that maps directly to CE control areas, providing evidence for both your annual assessment and insurance documentation.
Why it matters
The gap between annual CE assessments is 12 months. That's 12 months where controls can drift, new vulnerabilities can emerge, and nobody is checking. The Department for Science, Innovation and Technology (DSIT) Cyber Security Breaches Survey 2025 found that 43% of businesses identified a breach or attack in the previous year. Those attacks don't wait for your assessment cycle.
Cyber 365 fills that gap: vulnerability scanning catches patching drift before it becomes a failure, managed patching keeps the 14-day window closed, and EDR monitoring detects threats in real time rather than after the fact.
For businesses in regulated sectors such as financial services, healthcare, legal, and defence, continuous monitoring is not optional. Regulators expect ongoing security management rather than annual snapshots, and Cyber 365 provides both the evidence and the operational capability to demonstrate that commitment.
What it builds towards
Organisations running Cyber 365 have a fundamentally different assessment experience when CE renewal comes around. The scan data is already there, and the patching evidence generates itself. The assessment becomes a verification of what the programme has been doing all year rather than a scramble to get everything in order.
Continuous monitoring also strengthens the insurance conversation. Insurers treat continuous scanning and managed patching as stronger evidence than a single annual assessment, and the claims data supports this: organisations with continuous monitoring experience fewer incidents and faster recovery times.
Stage 4: Penetration Testing - bespoke pricing
What it is
Penetration testing goes beyond vulnerability scanning and compliance assessment. A CREST-registered tester simulates real-world attack scenarios against your infrastructure, applications, or people. The tester thinks and operates like an attacker, looking for ways to compromise your environment that automated tools and compliance assessments don't check.
What it costs
Penetration testing is priced based on scope and complexity. There is no fixed rate card because every engagement is different. Factors that determine pricing include:
- Number of IP addresses in the external attack surface
- Number of applications being tested
- Complexity of the environment (cloud, on-premises, hybrid)
- Type of testing (infrastructure, web application, API, social engineering)
- Duration of the engagement
We allocate testing days based on a scoping conversation, then provide a fixed-price quote before any testing begins. There are no surprise costs or hidden extras.
Why it matters
Vulnerability scanning finds known vulnerabilities in known software. Penetration testing finds weaknesses that scanners cannot see: misconfigurations that create attack paths, chained vulnerabilities where individual findings are low-risk but combined are critical, logic flaws in applications, and human factors that automated tools miss. Even a fully patched, CE-certified environment can still be penetrated, because scanning only tells you what is unpatched while a penetration test reveals what an attacker could actually do.
For organisations that handle sensitive data, operate in regulated sectors, or have significant revenue at risk from a breach, penetration testing is the most thorough assessment available. It's the difference between knowing your locks are fitted and knowing whether someone can still get in.
When you're ready
Penetration testing is most valuable after the earlier stages are in place. Testing an environment that hasn't been through CE and doesn't have continuous scanning will produce a long list of basic findings that could have been caught by cheaper methods. The pen test becomes an expensive vulnerability scan.
The ideal sequence is: fix the basics through CE, maintain them through Cyber 365, then pen test to find what the basics don't cover. That way the penetration test focuses on the harder-to-find issues rather than missing patches and default passwords.
Putting it together
Not every organisation progresses through all four stages, and where you stop depends on your risk profile, your sector, and your contract requirements.
| Business Type | Typical Journey | Why |
|---|---|---|
| Small business, first government contract | CE Basic | Meets PPN 014 requirement |
| NHS supplier, defence supply chain | CE Basic + CE Plus | Contract requirement for verified certification |
| Regulated sector (financial, legal, healthcare) | CE Basic + CE Plus + Cyber 365 | Ongoing compliance evidence needed |
| High-value targets, sensitive data handlers | Full journey through pen testing | Maximum assurance for highest-risk environments |
The journey doesn't have to happen all at once. Many organisations start with CE Basic, add CE Plus when a contract requires it, bring in Cyber 365 when they realise the gap between assessments is a risk, and commission penetration testing when their risk profile demands the deepest level of assessment.
Each stage builds on the one before it: CE Basic establishes the baseline, CE Plus verifies it independently, Cyber 365 maintains it continuously, and penetration testing stress-tests it against real-world attacks. Together, they form a complete security posture rather than an annual compliance exercise.
Ready to start building your security programme? Book CE Basic to establish the baseline, or contact us to discuss which stage makes sense for your organisation.