Cyber Essentials
On 20 May 2026, BT Business launched a suite of artificial intelligence (AI) security tools for small and medium-sized enterprises (SMEs), built on CrowdStrike technology and wrapped in a free hub of self-assessments and advice. I have certified UK organisations against Cyber Essentials since 2017, and the question the launch raises is not whether the tools are any good. It is whether buying them moves you any closer to the standard.
By Jonathan Krause | Founder, Forensic Control | 2 June 2026
BT now sells managed, AI-driven defence to the same small firms that have spent years being told they cannot afford it. If you run the technology for a firm of thirty to five hundred people, the practical question is whether that subscription brings you any closer to Cyber Essentials certification before your next renewal. The short answer is that it helps with one corner of the picture and leaves the rest exactly where it was.
There is an understandable instinct, when a supplier you already trust offers to take a worry off your plate, to treat the worry as handled. BT protects more business networks than anyone else in the country, the tools are powered by a serious endpoint vendor, and the cost of entry is low or free. None of that is the same as holding a certificate.
Certification is a government-backed scheme that assesses your organisation against five basic technical controls, awarded after a self-assessment is reviewed and, at the higher tier, after hands-on testing. A managed product defends your devices. The certificate proves, to a buyer or an insurer, that your whole estate meets a defined minimum. In the assessments I run, the gap between we have good security software and we meet the standard is one of the most common things I see, and only one of those two claims appears on a tender response. You can read more about how that buying decision works on our Cyber Essentials certification page.
Cyber Essentials covers five control areas: firewalls and routers, secure configuration, security update management, user access control, and malware protection. An AI endpoint product of the kind BT is selling sits mostly in the last of those. It can detect and respond to malicious activity on a laptop, and the good ones do it well.
What it moves forward is malware protection, and that is worth having. What it does not address is secure configuration or user access control, and both of those take real time to set up and then to keep maintained. A relatively cheap, automated product cannot do that work for you. It will not decide who holds administrator rights, strip the default password off the router in your back office, or tell you whether last month’s security updates reached every device.
Cyber Essentials Plus, the higher tier, adds hands-on technical verification (external vulnerability scanning and testing of a sample of your devices) on top of the self-assessment that the base certification relies on. A tool that watches one control area does not carry you through verification of the other four.
The figures in BT’s launch announcement are worth repeating because they are not marketing gloss. Its network data shows malicious scanning up 300 per cent year on year, with connected devices probed an average of four thousand times a day, and it says it now blocks four million attacks a day across its networks. Around 1.8 million UK businesses, roughly one in three SMEs, still have no basic protection in place. The demand is real and the gap is real.
What the launch changes is the supply of cheap, capable defensive tooling and the volume of advice aimed at smaller firms. What it does not change is the standard. The five controls are the same this week as they were last week, and a buyer asking for evidence of certification still wants the certificate, not a subscription. In the assessments I run, the firms that arrive believing a product has handled compliance for them tend to fail on the controls the product never touched. I made a related point about the buyer side of this when the UK Cyber Resilience Pledge was announced at CYBERUK, in our piece on what the Pledge changed for suppliers; the BT launch pushes in the same direction from the supply side rather than the buyer side.
You can test your real position in under an hour, without booking a meeting first. Take the five Cyber Essentials controls and, for each, name the person responsible and the systems it applies to. Open Microsoft 365, Google Workspace and any other service you log into with work credentials, and confirm multi-factor authentication (MFA) is enabled for every user and not only for administrators.
Then check whether your security update management is owned by anyone at all: who applied last month’s updates, and to which devices, because that is the control a defensive product will not own for you. If you have run BT’s free Cyber Health Check, read its score as a prompt rather than a pass, and note which of the five control areas it leaves untouched. None of those steps needs a supplier, and together they tell you whether a certificate is within reach or months away.
If you are weighing up BT’s tools, weigh them as what they are: a reasonable layer of defence, and a sensible place to start for a firm with nothing in place. Just do not file the receipt under certified. If you want to know how wide the gap really is between your current setup and a Cyber Essentials pass, that is the specific thing an assessor is for.
No. BT’s artificial intelligence (AI) security tools, powered by CrowdStrike, defend your devices and monitor for threats, but Cyber Essentials is a separate, government-backed certification awarded after your organisation is assessed against five technical controls. A defensive product can help with one of those controls (malware protection) but does not deliver the certificate, which a buyer or insurer may specifically ask to see.
Cyber Essentials certifies an organisation against five control areas: firewalls and routers, secure configuration, security update management, user access control, and malware protection. Certification is by self-assessment, reviewed by an accredited body. Cyber Essentials Plus adds hands-on verification, including external vulnerability scanning and testing of a sample of devices, on top of that self-assessment.
It covers part of one control, malware protection, and a good endpoint detection and response (EDR) product does that well. The other four controls, including secure configuration and user access control, are assessed separately, so antivirus or EDR alone will not pass you. In practice most failures sit in the controls a security product does not touch.
Base Cyber Essentials fees depend on organisation size, and most providers price assessment and support on top of the scheme fee. As a guide, certification through Forensic Control starts from £450 per year, with Cyber Essentials Plus priced higher because it includes hands-on testing. Confirm what each quoted price includes before you commit.
A managed security provider can improve your defences and help you prepare, but certification is issued by an accredited certification body after assessment. Some providers are themselves accredited or partner with a body, so check whether yours can actually certify you or only supply tooling, because the two are often confused.
Safeguard your business with our expert cyber security solutions. Whether you require digital forensics, penetration testing or proactive security assessments, our team is ready to assist. Contact us today to discuss your security needs and take the first step towards a more secure future.
