
We are now Cyber Essentials Plus certified.

LEVERAGE CYBER has been awarded Cyber Essentials Plus: an independently audited baseline of security controls, and one more piece of assurance for the people who trust us with their security work.

Chris Burton · 5 min read

LEVERAGE CYBER has been awarded Cyber Essentials Plus.

For a firm whose day job is breaking into other people’s systems, this matters. We hold ourselves to the standard we expect of the organisations we test. It would be a poor look to find weak patching and shared admin accounts on an engagement, then run our own shop the same way. We do not.

What Cyber Essentials is

Cyber Essentials is a UK government-backed scheme, run by IASME on behalf of the National Cyber Security Centre. It exists to address the unglamorous truth that most breaches are not the work of sophisticated nation-state actors. They are the result of the basics being left undone: an unpatched server, a misconfigured firewall, a local admin account everyone shares, an old laptop with no malware protection.

The scheme certifies that an organisation has the five core technical controls in place:

  1. Firewalls at the boundary and on devices, so only the traffic you intend can reach your systems.
  2. Secure configuration of systems and software, with default passwords and unnecessary services removed.
  3. Security update management, so known vulnerabilities are patched within defined timeframes.
  4. User access control, with least privilege, no casual admin rights, and proper account hygiene.
  5. Malware protection across endpoints, kept current and actually enforced.

None of this is exotic. That is the point. Get these five right and you close the door on the overwhelming majority of opportunistic attacks.

Where “Plus” raises the bar

There are two levels to the scheme, and the difference between them is the whole story.

The base Cyber Essentials certification is a verified self-assessment. You answer the question set honestly, a certified assessor reviews your answers, and you are certified. It is useful, but it rests on trust: you said the controls are in place, and nobody has watched them work.

Cyber Essentials Plus removes that trust assumption. An independent, certified assessor checks the controls hands-on. They do not take our word for anything. They look.

What the Plus audit actually verified

The Plus assessment is a technical test, not a questionnaire. Against a representative sample of our devices, the assessor:

  • ran authenticated vulnerability scans, logging in with ordinary user credentials, to find missing patches and weak configuration that an unauthenticated, external scan would miss,
  • confirmed patching and secure configuration held up in practice, not just on paper,
  • tested malware protection by attempting to deliver malicious files and web content to our endpoints,
  • verified account and access controls behaved exactly as documented, including how we handle privileged access,
  • checked multi-factor authentication on the accounts that matter.

In other words, someone outside the business spent a day trying to find the gaps, using the same starting points an attacker or a careless mistake would. They found nothing that failed the standard.

Why this matters to our clients

Cyber Essentials Plus does not make us special. It is a baseline, by design, and we would be suspicious of anyone who oversold it. But a baseline that has been independently verified is worth considerably more than one that has merely been asserted.

For the organisations we work with, it means three concrete things:

  • The supplier handling your security findings, your credentials, and access to your network meets a recognised national minimum standard for its own security.
  • That standard has been tested by an accredited third party, not self-declared in a marketing line.
  • The certificate is valid for twelve months and must be re-assessed to be renewed, so it reflects how we operate now, not how we operated on one good day in the past.

There is a practical angle too. Cyber Essentials is increasingly a procurement requirement, mandatory for many UK public-sector contracts and a growing expectation in private-sector supply chains. Working with a supplier who already holds it removes one box you have to chase, and signals that security is treated as a standing discipline rather than a one-off exercise.

What it is, and what it is not

We want to be precise, because precision is the job.

Cyber Essentials Plus is an assurance scheme that verifies a defined set of foundational controls. It is not a penetration test, it is not a guarantee against compromise, and it is not a substitute for ongoing security work. No certification is. It tells you the basics are demonstrably in place, which is exactly what it claims to do and no more.

Practising what we test

The reason we put ourselves through it is the same reason we recommend it to clients. Foundational controls, verified by someone independent, renewed on a cycle, are the cheapest and most effective security spend most organisations will ever make. We are not going to advise that from a position we have not occupied ourselves.

Written by

Chris Burton

Founder · Principal Consultant

Accomplished cybersecurity leader with over 25 years of experience. OSCP-certified penetration tester, Cyber Scheme Team Leader, and founder of LEVERAGE CYBER. Former Head of Professional Services and CHECK Team Leader (Infrastructure). Published in Which? Magazine and quoted by the BBC on mobile banking security. Passionate about offensive security, team leadership, and making cybersecurity practical for businesses.