The Danzell Question Set Guide: What Changed in the April 2026 Cyber Essentials Update

The Danzell assessment platform replaced Marlin in April 2026 as the operational platform for the Cyber Essentials scheme. The platform change is administratively significant, but the substantive change is what Danzell now expects of the firm being assessed: year-round vulnerability scanning and patching, not the renewal-week sprint that Marlin's strict reading allowed.
This article walks through the practical changes, what it means for firms holding current Cyber Essentials Plus, and how the operational discipline of Cyber 365 satisfies the new requirements.
What Marlin actually allowed
Under the previous Marlin platform, the scheme required:
- High-severity (CVSS 7.0+) and critical vulnerabilities patched within 14 days of vendor release
- An assessor-led vulnerability scan on assessment day for CE Plus
- Confirmation via the questionnaire that the patching cadence held
The strict reading: as long as the assessor's scan on assessment day showed the high-severity vulnerabilities were patched within 14 days of vendor release, the patch-management control was satisfied. The scheme did not explicitly require the firm to demonstrate that the cadence held across the whole 12 months between certificates.
The practical reality across hundreds of certifications was that many firms left scanning to the assessor, applied patches in the fortnight before assessment day, and then let the cadence drift again. The certificate was issued, the controls held on assessment day, the patching cadence slipped over the following months, and the next year repeated the pattern.
This was always the wrong reading of the scheme intent, but it was a defensible reading of the strict requirements text.
What Danzell now requires
Danzell removed the latitude. The platform expects continuous evidence that the patching cadence held across the year, not point-in-time evidence at renewal. The exact phrasing of the requirements has shifted to make the year-round expectation explicit.
In practice this means:
- The firm needs to evidence that high-severity vulnerabilities were patched within the 14-day window throughout the 12-month certificate validity period, not just the weeks before assessment.
- Continuous vulnerability scanning is now expected as the operational mechanism, with point-in-time scans treated as supplementary rather than primary.
- The CE Plus assessor's role shifts slightly: the assessor still samples on assessment day, but increasingly looks for continuous-evidence artefacts (scan logs, patching logs, ticketing system records) alongside the day-of sample.
The change is not punitive. It is the scheme catching up to operational reality. Most firms holding CE Plus already had something close to year-round patching on the OS layer; the change makes year-round patching explicit across the whole IT estate.
What this means for current CE Plus holders
Existing certificates remain valid until their normal 12-month expiry. Firms whose certificates were issued under Marlin do not need to re-issue or re-certify before normal renewal.
The next renewal will be assessed under Danzell. Firms should plan for the renewal to require evidence of year-round scanning and patching across the certificate period, not just the weeks before assessment.
Three patterns of firm response have emerged:
The first pattern is firms that already ran year-round scanning and patching as standard operational discipline (often via an MSP or in-house IT team with that as a documented service). For these firms, Danzell is administratively new but operationally a non-event. The renewal proceeds as before.
The second pattern is firms that ran the renewal-week sprint and now need to formalise year-round operational discipline before the next renewal. These firms typically engage with NetSec or another provider for a year-round vulnerability scanning + managed patching service that produces the evidence Danzell expects.
The third pattern is firms that have not yet thought about the change and will encounter it as a surprise at the next renewal. The honest framing is to start the year-round discipline now, regardless of when the renewal lands, so the evidence has time to accumulate.
What year-round scanning actually looks like
Year-round scanning under Danzell expects:
- Continuous vulnerability scanning against the in-scope IT estate (workstations, laptops, servers, mobile devices used to access company data, internet-facing services, cloud workloads in scope)
- Identification of high-severity (CVSS 7.0+) and critical vulnerabilities as they are published in the CVE feeds
- Patching workflow that closes the identified vulnerabilities within 14 days of the vendor release date
- Logging of the scan results, the patching actions, and the closure of each finding
- Periodic review of the cadence and the patching workflow to ensure the 14-day window is reliably met
The mechanism is not prescriptive. The scheme does not name a specific scanner or a specific patching tool. The firm chooses the operational shape that fits its estate and produces the evidence the assessor expects.
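Because the scheme names no tool, the shape of the evidence matters more than the product. The Python below is an added illustration (not code from the scheme, from Danzell or from the Cyber 365 programme) that takes a constructed set of scan findings and reports each in-scope finding against the 14-day window month by month, the year-round view described above. The CVSS threshold, the field names, the identifiers and the dates are all assumptions.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = 14         # the scheme's patching window, counted from vendor release
CVSS_THRESHOLD = 7.0  # high (7.0+) and critical findings are in scope of the rule

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # constructed identifier, not a real CVE number
    cvss: float
    vendor_release: date  # day the vendor published the fix
    patched: date | None  # None while the finding is still open

def sla_status(f: Finding, as_of: date) -> str:
    """Classify one finding as met, breached, open (inside window) or overdue."""
    deadline = f.vendor_release + timedelta(days=SLA_DAYS)
    if f.patched is not None:
        return "met" if f.patched <= deadline else "breached"
    return "open" if as_of <= deadline else "overdue"

def cadence_report(findings: list[Finding], as_of: date) -> dict[str, Counter]:
    """Tally in-scope findings by vendor-release month: the year-round view an
    assessor wants, rather than one assessment-day snapshot. Below-threshold
    findings are dropped because the 14-day rule does not apply to them."""
    report: dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        if f.cvss >= CVSS_THRESHOLD:
            report[f.vendor_release.strftime("%Y-%m")][sla_status(f, as_of)] += 1
    return dict(report)

def window_exceptions(findings: list[Finding], as_of: date) -> list[Finding]:
    """In-scope findings an assessor will ask about: breached or overdue."""
    return [f for f in findings if f.cvss >= CVSS_THRESHOLD
            and sla_status(f, as_of) in ("breached", "overdue")]

# Constructed sample log covering three months of a certificate year.
SAMPLE = [
    Finding("ws-01", "VULN-A", 9.8, date(2026, 5, 5), date(2026, 5, 12)),   # met
    Finding("ws-02", "VULN-A", 9.8, date(2026, 5, 5), date(2026, 5, 25)),   # breached
    Finding("srv-01", "VULN-B", 7.5, date(2026, 6, 10), date(2026, 6, 24)),  # day 14, met
    Finding("srv-02", "VULN-C", 5.3, date(2026, 6, 10), None),               # out of scope
    Finding("lt-03", "VULN-D", 8.1, date(2026, 7, 1), None),                 # overdue
]
AS_OF = date(2026, 7, 20)  # constructed review date
```

Running `cadence_report(SAMPLE, AS_OF)` over a real scan export, with the review repeated each month, produces the per-month tally and the exception list that the periodic review in the list above is meant to examine.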
For most UK SMEs, the practical mechanism is a managed service that runs the scanning and patching alongside the firm's existing MSP arrangements. The firm's IT provider continues to handle desktop support and Microsoft 365 administration; the year-round scanning and patching service runs alongside, providing the evidence the Danzell-platform assessor expects.
How Cyber 365 satisfies the Danzell requirements
The Cyber 365 programme was built for this requirement before it became explicit in the scheme. Continuous vulnerability scanning runs against the same surface the CE Plus assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The cadence is documented in the scan and patching logs, with the evidence the assessor needs produced as a byproduct of the operational discipline.
The programme covers (as outlined in the revised continuity guidance notes):
- Continuous vulnerability scanning across the in-scope IT estate
- Managed patching with the 14-day window enforced
- Logging and reporting that documents the cadence over time
- Co-ordination with the firm's existing MSP or in-house IT team to avoid double-patching or workflow conflicts
- Renewal-time package preparation so the next CE Plus assessment proceeds smoothly
For firms holding current CE Plus and facing the first Danzell-platform renewal, the Cyber 365 programme bridges the gap from renewal-week-sprint to year-round-discipline.
Where to start
Book a 30-minute scoping call. We need the firm's device count, the current CE Plus certificate status, the current scanning and patching arrangement, and the renewal date. We come back with a written quote covering the Cyber 365 programme and, where it makes sense, the bundled CE+ Assured Programme that wraps the certificate and the year-round discipline into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.
Danzell did not change the destination. It changed how the destination is evidenced. Firms that already ran year-round operational discipline see Danzell as administrative. Firms that ran the renewal-week sprint see Danzell as a structural change. The cleanest response for either group is the same: continuous scanning and patching as the operational baseline, with the certificate as the externally-verified evidence the discipline held.