Cyber 365: Why Year-Round Vulnerability Scanning Is the New Cyber Essentials Baseline

The Danzell assessment platform introduced in April 2026 made year-round vulnerability scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform the strict reading was that a scan at renewal could clear the patch-management control. Under Danzell the scheme requires continuous discipline.
This is what year-round scanning actually covers, why scanning without patching is half a service, and how the Cyber 365 programme handles both.
What changed under Danzell
Cyber Essentials has always required that high-severity and critical vulnerabilities (CVSS 7.0 or higher) are patched within 14 days of vendor release. The 14-day window is in the scheme rules. What changed under Danzell is the visibility the assessor has into whether the window was respected across the full 12 months between certificates, rather than just on assessment day.
Under Marlin, the practical reality across hundreds of certifications was that the scan happened in the assessor's hands, not the client's. Patches were applied in the fortnight before the assessment day and then the cadence drifted again. The certificate was issued, the controls held for the assessment, and the patching cadence moved on. The next renewal year repeated the pattern.
Danzell removed that latitude. Year-round scanning and patching is no longer optional. The scheme platform expects continuous evidence, not point-in-time evidence.
This is the right direction. The threat volume that AV-TEST Institute has tracked across the last decade runs into hundreds of thousands of new malware samples per day. The 14-day patching window only protects organisations that are running a continuous discovery process. A scan once a year against a CVE feed that grows daily produces a list with months of accumulated lag (consistent with the 2023 containment evaluation criteria).
What continuous scanning actually covers
Continuous scanning covers the full attack surface a Cyber Essentials Plus assessor will check on assessment day, but runs continuously rather than once.
Operating system patch level on every in-scope device. Workstations, laptops, servers, and the mobile devices your staff use to access company data. The OS layer is what most managed service providers cover through their remote monitoring and management tools, so this layer is usually broadly current on a well-managed estate. The other layers are not.
Application-layer vulnerabilities on the software your staff actually use. Browsers and browser plug-ins, productivity tools, accounting and CRM software, the design tools the marketing team installed. Each application is a separate patching cadence. Each plug-in is a separate one again. The plug-in vendor moving bank-feed data into your accounting package has the same access depth as the accounting package itself, often with a one-page website and no published patch cadence.
Firmware on the perimeter device. The firewall and the network gear sit between your estate and the internet. Firmware patches are released less frequently than OS patches, but the impact when they lag is significantly higher because the device is the perimeter.
Third-party tools the IT team did not procure. SaaS marketing automation, file-sync tools, project management tools, browser extensions for receipts and expense tracking. Most of these arrive through individual employees rather than central procurement, which means they sit outside the asset register the IT team maintains and outside the patch cadence the MSP covers.
Identity-layer drift. Multi-factor authentication enrolment that was complete on assessment day but rolled back on a senior account because it broke an integration. Account-management hygiene where leavers were not removed because the offboarding process was manual. Privileged accounts that accumulated.
All of this drifts between assessment days. Continuous scanning catches the drift while it is still inside the 14-day window for new vulnerabilities and while it is still recoverable for the identity-layer items.
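The 14-day rule from the scheme and the layer-by-layer coverage above are easy to state and easy to lose track of across a year. The following added example (not Cyber 365 or NetSec code, and not the scheme's own tooling) applies the rule to a constructed set of scan findings spread across the layers listed above, reports which ones an assessor would flag, and then models how many breaches the same findings produce when the scan runs annually versus weekly. Host names, layer labels and the CVE ids are placeholders invented for the illustration; the assumption that a finding is patched a fixed number of days after the first scan that sees it is also an assumption of the example.

```python
# Added example (not code from Cyber 365 / NetSec): apply the scheme's 14-day rule
# for CVSS 7.0+ findings to a constructed set of scan results, then compare how
# much of the window an annual scan eats versus a weekly one. Layer names,
# host names and CVE ids are placeholders invented for this illustration.
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14      # scheme rule: high/critical patched within 14 days of vendor release
SEVERITY_THRESHOLD = 7.0    # CVSS 7.0 or higher is in scope for the rule


@dataclass(frozen=True)
class Finding:
    host: str
    layer: str                         # os | application | plugin | firmware | third-party (assumed labels)
    cve: str                           # placeholder id, not a real CVE
    cvss: float
    vendor_release: date               # day the vendor published the fix
    patched_on: Optional[date] = None  # None means still open


def deadline(f: Finding) -> date:
    return f.vendor_release + timedelta(days=PATCH_WINDOW_DAYS)


def status(f: Finding, as_of: date) -> str:
    """Classify one finding against the 14-day window as seen on `as_of`."""
    if f.cvss < SEVERITY_THRESHOLD:
        return "out-of-scope"
    if f.patched_on is not None:
        return "patched-in-window" if f.patched_on <= deadline(f) else "patched-late"
    return "open-in-window" if as_of <= deadline(f) else "overdue"


def breaches(findings, as_of: date):
    """Findings an assessor would flag: still open past the deadline, or fixed after it."""
    return [f for f in findings if status(f, as_of) in ("overdue", "patched-late")]


def breaches_by_layer(findings, as_of: date) -> dict:
    """Count the flagged findings per layer, which shows where the patch cadence is thin."""
    counts: dict = {}
    for f in breaches(findings, as_of):
        counts[f.layer] = counts.get(f.layer, 0) + 1
    return counts


def scan_dates(start: date, end: date, cadence_days: int):
    """Every scan run between start and end at a fixed cadence."""
    d, out = start, []
    while d <= end:
        out.append(d)
        d += timedelta(days=cadence_days)
    return out


def simulate_cadence(findings, start: date, end: date, cadence_days: int, fix_days: int):
    """Model a shop that only learns of a fix when a scan sees it and patches fix_days later
    (assumption). Returns (number of window breaches, worst discovery lag in days)."""
    scans = scan_dates(start, end, cadence_days)
    breach_count, worst_lag = 0, 0
    for f in findings:
        if f.cvss < SEVERITY_THRESHOLD:
            continue
        seen = next((d for d in scans if d >= f.vendor_release), None)
        patched = seen + timedelta(days=fix_days) if seen else None
        if status(replace(f, patched_on=patched), end) in ("overdue", "patched-late"):
            breach_count += 1
        if seen:
            worst_lag = max(worst_lag, (seen - f.vendor_release).days)
    return breach_count, worst_lag


# Constructed scan output as of 1 June 2026; one finding per layer discussed above.
AS_OF = date(2026, 6, 1)
SAMPLE_FINDINGS = [
    Finding("ws-01", "os", "CVE-XXXX-0001", 8.8, date(2026, 5, 10), date(2026, 5, 15)),      # fixed in window
    Finding("ws-02", "plugin", "CVE-XXXX-0002", 7.5, date(2026, 4, 1)),                      # still open, overdue
    Finding("fw-01", "firmware", "CVE-XXXX-0003", 9.8, date(2026, 5, 1), date(2026, 5, 20)), # fixed 5 days late
    Finding("ws-03", "application", "CVE-XXXX-0004", 5.3, date(2026, 3, 1)),                 # below threshold
    Finding("srv-01", "os", "CVE-XXXX-0005", 7.2, date(2026, 5, 25)),                        # open, deadline not reached
]
SIM_START, SIM_END = date(2025, 6, 1), date(2026, 6, 1)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.host:7} {f.layer:12} {f.cve} CVSS {f.cvss}: {status(f, AS_OF)}")
    print("breaches by layer:", breaches_by_layer(SAMPLE_FINDINGS, AS_OF))
    for cadence in (365, 30, 7):
        print(f"scan every {cadence:3} days, patch 7 days after detection ->",
              simulate_cadence(SAMPLE_FINDINGS, SIM_START, SIM_END, cadence, 7))
```

Run as a script it lists each finding's standing against the window, the two breaches (the plug-in and the firmware, neither of which an OS-only RMM patch run would touch), and the cadence comparison: with one scan a year every in-scope finding released more than a week before the scan is already outside the window before anyone knows about it, while a weekly scan keeps discovery lag under seven days and leaves a full week to land the patch.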
Scanning without patching is half a service
A vulnerability scanner that produces a report is half a service. The other half is closing the vulnerabilities the report identifies. Most providers do the first half because it is cheap to deliver: the scanner runs, the report ships, the client is responsible for applying the patches.
The second half is the operational discipline that costs more to deliver. It requires change-management against a real estate, co-ordination with the IT team or MSP, validation that the patch landed, and the documented evidence the assessor will look for next renewal cycle. This is the part Cyber 365 does.
The MSP that is responsible for patching but not for scanning is the most common gap. The MSP applies whatever patches Microsoft pushes through their RMM, so the OS layer is broadly current. The MSP does not scan for application-layer vulnerabilities, browser plug-ins, third-party tools, or firmware on the perimeter device. The client thinks they are covered because the MSP is contracted for patching. The first scan reveals the difference between "patches applied to what we manage" and "patches applied to what an assessor will sample".
The Cyber 365 programme covers both. Continuous scanning runs against the full surface. The patching workflow that closes each finding inside the 14-day window runs alongside it. The output is the same shape on every renewal: a clean assessment with no surprises.
How Cyber 365 fits with the rest
Cyber 365 is the year-round operational service. The assessment engagement is separate. CE+ Assured Programme wraps the two together as a monthly subscription so the certification is handled annually on a rolling basis, with the year-round scanning and patching included. The naming reflects the bundling: Cyber 365 alone is the operational discipline, CE+ Assured is the operational discipline plus the annual certification.
For organisations that already hold a current Cyber Essentials Plus certificate and want the year-round discipline added without changing their assessor relationship, Cyber 365 sits alongside whatever certification arrangement is in place. The scanning and patching work is the same regardless of who runs the assessment.
For organisations on the Hands-Off Cyber Essentials path or going through the 5-day NHS-supplier engagement, Cyber 365 is the natural follow-on after the certificate issues. The first engagement is the firefight to land the certificate. Cyber 365 is the discipline that holds the controls in place between then and the next renewal.
What it costs
Cyber 365 is priced from £8 per device per month. Endpoint detection and response (EDR) is available as a +£12 per device per month bolt-on for the behaviour-based detection layer that complements the patching cadence. The scoping call confirms the per-device count and the EDR decision. The cost calculator gives a back-of-envelope figure before the call.
CE+ Assured Programme bundles Cyber 365 with the annual CE Basic and CE Plus assessments from £167 per month. The bundle is priced lower than the components separately because the certification engagement is wrapped into the rolling subscription rather than booked annually as a one-off.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified organisation and IASME. NetSec does not bundle, broker, or upsell it.
Where to start
Book a 30-minute scoping call. Tell us the size of your device estate, whether you currently hold a Cyber Essentials Plus certificate, and what your IT operation looks like (in-house, MSP, mixed). We come back with a written quote covering Cyber 365 for the operational scope and, if you want it, the CE+ Assured Programme for the bundled certification path.
The certificate is the proof the controls were in place on assessment day. The continuous discipline is what holds them in place between assessment days. Danzell made the second one mandatory. We have been delivering it since before that change because the first was always the floor, not the ceiling.