Emerging threats

We support organisations striving to build a trustworthy, safe online environment where users can engage authentically in their communities.
Commercial organisationsWe support commercial organisations operating in a digital world, seeking to protect their reputation and prevent business disruption caused by cyber attacks and compliance breaches.
International programmes and developmentWe support international government organisations and NGOs working to provide infrastructure or improve the capabilities, security and resilience of their nation.
UK government and public sectorWe support UK government organisations responsible for safeguarding critical infrastructure, preserving public trust, and maintaining national security.


The Ministry of Defence (MoD) recently requested that all industry partners must achieve at least DCC Level 0 by the end of 2026.
To support the application process, the Defence Cyber Certification (DCC) Applicant Guidance has been updated as of May 2026. If you’re considering or working towards DCC certification, or preparing for assessment, you should now refer to this latest version of this document .
The updates bring clarity to several areas including scoring, the Level 2/3 hybrid approach and what happens if your Assessment Submission Record is incomplete.
Here’s a summary of what’s changed and what it means for your application, whether you’re considering DCC or currently in the certification process.
The updated guidance provides clarity that applicants can seek external support from a third party throughout the process. They do not need to be an official DCC certification body; however, choosing a provider who understands the controls, scoping requirements and what assessors are looking for is highly recommended and will put you in a stronger position to pass the audit successfully.
A good provider can support you by:
The updated guidance now includes further information on the ‘Conflict of Interest’ statement, including an example of how it should be completed. Where conflict exists, it must be declared and signed by both parties where a conflict exists. Failure to disclose a conflict could result in the entire assessment being failed.
The concern is straightforward: If the organisation helping you prepare for DCC is also the one certifying you, their ability to act as an impartial assessor is compromised. The guidance provides an example statement that can be used, but the responsibility to identify and declare any conflict sits with both the applicant and the Certification Body.
It’s worth noting that a Certification Body that has previously assessed you for Cyber Essentials or Cyber Essentials Plus is not automatically conflicted as those are separate schemes and that prior relationship is considered acceptable.
The practical takeaway here is: If you’re using external support to get assessment-ready, make sure the boundary between preparation and certification is clearly defined and documented from the outset.
The updated guidance includes a dedicated section on what the applicant is responsible for throughout the certification process.
These responsibilities are:
The guidance also states that its solely the applicant's responsibility to ensure the DCC scope is both adequate and accurate. Before determining what falls within or outside of scope, applicants must consult the DCC Scoping Guide. The scope documentation itself must be clear and detailed, covering what is included and excluded, and should include business organisation diagrams, network diagrams and lists of systems. It must also explicitly indicate which systems fall within the scope of your Cyber Essentials or Cyber Essentials Plus certification.
This documentation exists to give assessors and moderators a clear and unambiguous picture of what is being assessed. An unclear or poorly structured scope can add unnecessary delays to the process if the assessor needs to seek clarity before they can proceed.
There is also more detail around hashing and why it matters, but no support on how to do it. There are multiple free methods to achieve this, but it must be using SHA-256.
Windows, Linux and Mac have in-built solutions which can support with one file at a time; such as ‘certutil’, ‘sha256sum’ and ‘shasum’. They can be used to create SHA-256, but due to the volume of evidence, you may have to be creative to hash on mass. Always read the manuals for the tools before using.
Evidence must be retained for 3.5 years from the point of certification and the MoD or IASME may request documentation for moderation at any point within that window. You must also be able to evidence that no data has been altered since submission.
A significant change in your scope outside of normal operational changes may require a full renewal of the certification. If your organisation is planning any changes that could affect what falls within your DCC scope, you should consult with your Certification Body.
Finally, the guidance acknowledges important element: Def Stan 05-138i4, the underlying controls standard that DCC is built on, was finalised in May 2024 and will inevitably become dated as technology evolves. If a question in the assessment appears to reference old technologies or seems unclear in the context of your current environment, it can’t be marked as not applicable or ignored. The DCC guidance will be updated over time to reflect changes, which is why it is essential to always work from the latest version of the standard.
We work with defence suppliers across the supply chain on DCC readiness—from scoping and gap analysis through to audit-ready submission. If you want to understand where your organisation stands today or need support closing security gaps before your assessment, let’s talk.

SummaryOur client is a leading organisation in the space sector dedicated to space sustainability. The space industry faces a distinct threat environment where nation state threat actors actively target organisations within the sector, That made testing the resilience of their physical security a top priority in order to identify gaps and strengthen controls.

A new Five Eyes advisory published this week confirms what we're seeing in client environments: the time available to respond to a known vulnerability is shrinking fast.

Sector-specific security training helps organisations move beyond abstract awareness and develop a concrete, practical understanding of the risks they actually face.