Last year, this blog asked whether 14 days was fast enough. The answer then was: barely. Today, the answer is no.

The arrival of Anthropic’s Claude Mythos Preview, and the broader wave of AI tools now capable of finding and chaining vulnerabilities at machine speed, has fundamentally shifted the threat calculation. If your patching process is built around a 14-day window, you’re already behind.

What Mythos Actually Does

This isn’t another vulnerability scanner. Mythos operates differently:

• Finds what humans miss: it interacts with software dynamically, running functions, testing edge cases, and learning from each result, uncovering deeply buried weaknesses traditional methods often miss.
• Scale that’s hard to overstate: it identified 271 zero-day vulnerabilities in Mozilla Firefox, representing the most significant single batch of security fixes in the browser’s history.
• Speed that redefines the problem: AI is compressing vulnerability discovery timelines from months or years into hours.
• It doesn’t just find, it acts: Mythos can launch debuggers, interact directly with systems, form hypotheses, test them, launch containers, and execute code autonomously. It does not just suggest, it acts.

Mythos is currently restricted to trusted partners under Project Glasswing and is positioned primarily as a defensive tool. But the capability exists. And what defenders have, adversaries will seek to replicate.

The Wider AI Threat Picture

Mythos is the headline, but it’s not alone. Frontier models are accelerating attack lifecycles and enabling attackers to identify and exploit vulnerabilities at scale, speed, and through novel methods that previously were the domain of advanced nation-state entities.

Expect the same pattern to repeat over the next several month/years: incremental progress, then a jump. Models will get more capable and cheaper with each cycle, and each jump will put more pressure on security teams still operating at human speed.

The old model, someone finds a vuln, writes it up, a PoC appears days later, exploitation follows, assumed human speed throughout. That assumption is gone.

So Where Does Cyber Essentials Stand?

Cyber Essentials still matters. In fact, it matters more. But the 14-day patching requirement needs to be understood for what it is: a floor, not a target.

Here’s the reality:

• 14 days was already tight — with nearly 30% of known exploited vulnerabilities being weaponised within 24 hours of disclosure (VulnCheck Q1 2025), the window between “published” and “exploited” has always been shorter than 14 days for the nastiest CVEs.
• AI compresses it further — when tools can autonomously discover, chain, and exploit vulnerabilities in hours, a 14-day patch cycle is a liability, not a policy.
• Critical vulnerabilities should now be treated as 24–72 hour problems, not 14-day ones. The Cyber Essentials 14-day rule is the compliance minimum. Your operational target should be significantly shorter.

What the Cyber Essentials Controls Still Get Right

The five controls remain solid, foundational hygiene, and AI doesn’t make them irrelevant, it makes them more urgent:

• Patching: Treat the 14-day rule as a hard ceiling for everything, and a 24–72 hour target for anything rated critical with a known exploit path.
• Secure Configuration: AI tools are particularly effective at finding misconfigurations, locked-down, minimal attack surfaces reduce the available foothold.
• Firewalls and Gateways: Network edge devices remain a top target. Reduce internet-facing exposure wherever possible.
• Access Control: Lateral movement is something Mythos-class tools are explicitly designed to automate. Least privilege limits the blast radius.
• Malware Protection: Basic, yes, but still relevant when AI-generated payloads start appearing at scale.

The Real Operational Challenge

The real problem is not discovery, it’s prioritisation and action. Security teams struggle because the operational cost of deciding what matters, what is exploitable, what can wait, and what can be fixed safely is enormous.

That hasn’t changed. What’s changed is the volume of findings and the speed at which the threat side moves. Your patching process needs to keep pace, triage faster, act faster, automate where you can.

Bottom Line

14 days is the rule. Hours is the reality.

Cyber Essentials gives the framework. AI has raised the bar on what “good enough” looks like. If you’re still treating patching as a fortnightly admin task, you’re running a risk your certification doesn’t cover.

Patch early. Patch often. And if you’re not sure whether your current process is fit for the AI era, get in touch.

This blog outlines the annual updates to the Requirements for IT Infrastructure document, which serves as the standard for achieving Cyber Essentials certification. It also contains essential new information about changes to the assessment framework.

The National Cyber Security Centre (NCSC) has now added further adjustments to the certification process, marking scheme, and Cyber Essentials Plus assessment methodology. It is important to understand and implement these changes to ensure compliance with the updated requirements. If you’re preparing for certification or recertification, it’s vital to review these updates carefully.

Each year, IASME collaborates closely with the NCSC to review feedback from across the scheme, analyse findings from breach investigations, and evaluate insights gained from audits conducted by the IASME team. These inputs form the foundation of the annual review process, which informs updates to the scheme requirements, assessment question set, methodology, and marking criteria. Our goal is to complete this review and implement updates as early as possible, ensuring organisations have sufficient time to prepare for any changes. In November 2025, we published the NCSC’s updates to the Requirements for Infrastructure document, including the introduction of an ‘auto-fail’ policy for not implementing Multi-Factor Authentication (MFA) where it is available.

Since then, additional factors have been identified through IASME’s ongoing audit processes. While these findings have not necessitated further changes to the Requirements for Infrastructure document, they have prompted NCSC to make updates to the operation of the scheme. The details of these changes are outlined below and will take effect in April 2026.

The changes to the scheme will apply to all assessment accounts created after April 27, 2026. Any organisation with an active assessment account created before this date will have 6 months to attain certification using the previous version of the requirements.

What are the upcoming changes to Cyber Essentials?

The April 2026 updates to the Cyber Essentials scheme aim to address challenges faced by organisations and Assessors, resolve areas of ambiguity, and ensure that the scheme continues to provide robust assurance against cyber threats.

Many of these updates were announced in November 2025. However, newly announced changes are highlighted below with the grey background.

Changes to the marking criteria

One of the most notable updates to the scheme is the implementation of stricter marking criteria for questions that address critical practices, such as enabling multi-factor authentication and implementing timely security updates across the entire scope. Failure to meet the required standards will result in an automatic failure of the assessment. This emphasis brings the Cyber Essentials scheme into alignment with the NCSC’s recommended best practice.

Multi-factor authentication (MFA) will now be a mandatory requirement for all cloud services where it is available. Organisations that fail to implement MFA for cloud services whether it is free, included, or a paid option will automatically fail the assessment. This change underscores the critical role of MFA in protecting systems and highlights the importance of adopting strong authentication measures. Read more here.

Additionally, two new questions related to security update management will be designated as ‘auto-fail’ questions. These questions address the timely installation of high-risk or critical security updates and vulnerability fixes for operating systems, router and firewall firmware, and applications (including associated files and extensions). Specifically:

A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Non-compliance with either of these questions will result in an automatic failure of the assessment, regardless of performance in other areas. This change is intended to address instances where the delay of critical updates, leaves systems vulnerable to exploitation.

Improved scope definition and certification transparency

Defining and reviewing the scope of an assessment has been a persistent challenge, particularly for larger organisations with complex structures. To address this, the following changes will be introduced:

1. Unlimited scope descriptions: Organisations will no longer be limited to a brief scope description on their certificates. Instead, they will be able to provide a detailed scope description, which will be available to view via the digital certificate platform.
2. Out-of-scope areas: Organisations will be required to describe any areas of their infrastructure that are excluded from the scope. This information will not be made public.
3. Legal entity identification: Organisations will need to specify all legal entities included within the scope of the assessment, providing details such as the entity’s name, address, and company number. All legal entities included in scope can be viewed on the digital certificate platform.
4. New certificate types: You will be able to request an individual Cyber Essentials certificate for every legal entity certified as part of a larger scope but it will be clear that the certification is part of the wider scope. There will be a small charge for these additional certificates.

These changes aim to improve transparency, reduce ambiguity, and ensure that the scope of an assessment is clearly defined and accurately represented.

Clarification of ‘point in time’

Cyber Essentials is a ‘point in time’ assessment, but there has been confusion about what this term refers to. To address this, the scheme will explicitly state that the ‘point in time’ is the date the certificate is issued. Organisations will need to ensure that their systems are supported at the date of certification.

Signed declaration and ongoing compliance

The declaration signed by a board member or director as part of the verified self-assessment (VSA) process will be updated to include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period. This change reinforces the importance of ongoing compliance and ensures that organisations remain committed to maintaining robust cyber security measures.

Changes to the Cyber Essentials Plus (CE+) assessment

The Cyber Essentials Plus (CE+) assessment provides a higher level of assurance by including a technical audit of an organisation’s cyber security measures. The April 2026 updates introduce several changes to enhance the CE+ process and align it more closely with the verified self-assessment VSA.

Verification of update management compliance

Recent audits have revealed instances of organisations ‘applying selective updates’ during the Cyber Essentials Plus (CE+) assessment process. Specifically, when updates are identified as necessary during the CE+ audit, a small number of organisations have only applied these updates to the devices included in the sample being tested, rather than implementing them across their entire CE+ scope. As a result, these organisations have passed the CE+ assessment despite failing to address vulnerabilities across their broader environment.

To address this issue, the CE+ assessment process for update management will be revised. If an organisation fails the initial test of a random sample of devices, they will be required to remediate the issues and undergo a retest. During the retest, the Assessor will not only recheck the original sample, but will also test a new random sample of devices to ensure compliance across the wider environment. This change is designed to prevent organisations from selectively updating only the tested devices and to ensure that all required updates are applied consistently across the entire CE+ scope. It is important to note that a second failure will result in a revocation of the verified self-assessment certificate.

Prohibition of adjustments to the verified self-assessment post-CE+ testing

To maintain the integrity of the certification process, organisations will no longer be allowed to adjust their verified self-assessment (VSA) responses based on the results of the CE+ assessment. The scheme’s Terms and Conditions will be updated to explicitly require that the VSA must be completed, finalised, and remain unchanged prior to the commencement of CE+ testing.

Additional updates to the Requirements Document

The Cyber Essentials Requirements for IT Infrastructure v3.3 will include several updates to improve clarity and guidance:

Cloud services definition: A clear definition of cloud services has been added to eliminate ambiguity about what constitutes a cloud service.

Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation or an email address used for business purposes) and will store or process data for your organisation.

If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.

• Improved scoping requirements: The terms ‘untrusted’ and ‘user-initiated’ have been removed as qualifiers for internet connections, simplifying the scoping criteria. Organisations will also need to justify any exclusions from the scope and explain how excluded networks are segregated from in-scope systems.
• Application development: The ‘web applications’ section has been renamed ‘application development’ and now references the UK Government’s Software Security Code of Practice. Publicly available commercial web applications are in scope by default, while bespoke and custom components are out of scope.
• Guidance on Backups: Guidance on Backups: The guidance on backups has been repositioned earlier in the document to emphasise their importance in enabling organisations to recover quickly from cyber incidents.
• User Access Control: The user access control section has been updated to highlight the importance of passwordless authentication methods, such as passkeys, which offer a more secure alternative to traditional passwords.

For more details, refer to the updated Cyber Essentials Requirements for IT Infrastructure v3.3, which will apply to all applications registered after April 27, 2026.

For more on how Cyber Essentails works, please 📧 contact us for more information

The Cyber Essentials scheme is built around five core technical controls designed to protect organisations from the most common cyber threats. Each year, the National Cyber Security Centre and IASME review these requirements to ensure they remain relevant. The next update goes live in April 2026, with six months’ notice for organisations to prepare. Cyber Essentials Requirements for IT Infrastructure v3.3 will apply to all assessment accounts created after 27 April 2026.

Key points

• Stronger focus on passwordless authentication and MFA.
• Minor changes to the requirements document.
• Clearer definitions, especially around cloud services.
• Simplified scoping rules.
• Updated guidance for application development.
• Backup guidance moved earlier for emphasis.

What matters most

The most significant update is to the marking criteria: multi-factor authentication (MFA) becomes mandatory wherever available. If a cloud service offers MFA—free or paid, and it is not enabled, the assessment will automatically fail. This change reflects the increasing importance of MFA in preventing account compromise.

The user access control section has been updated to place greater emphasis on passwordless authentication and multi-factor authentication (MFA). Passkeys in particular offer an easier, faster and more secure way to log in and the NCSC would like to see them become the default authentication recommendation.

Definitions have also been tightened. A clear definition of “cloud service” is now included, and cloud services can no longer be excluded from scope. Scoping language has been simplified so any in-scope device connected to the internet is included, regardless of connection type. Applicants excluding networks will need to justify why and explain how segregation is enforced.

The “web applications” section is now “application development” and aligns with the UK Government Software Security Code of Practice. Backup guidance has been moved to highlight its importance.

The full v3.3 requirements will apply from 27 April 2026, with the new question set released by February 2026.

UPDATED INFORMATION HERE

For more on how Cyber Essentails works, please 📧 contact us for more information

I have just spent the week with Felix who led us through a deep dive into the world of IoT security. It wasn’t just theory – it was hands-on, practical, and exactly the kind of learning that sticks.

We pulled a thing to bits to get to the bits – breaking down each stage from understanding electronics to extracting and analysing firmware. We got to grips with the tools and techniques used to bypass anti-tamper protections, many of which are far less effective than manufacturers would like to believe.

As someone who used to take things apart as a kid just to see how they worked (and usually got told off for it), this course hit the spot. If you’re the same – curious, technical, and always asking how does this actually work? – then you’ll love it.

Highly recommended for anyone serious about hardware hacking, reverse engineering, or just unlocking that next level of cyber knowledge.

Check out the next dates on YGHT Courses page

The latest exploitation trends report from VulnCheck is a wake-up call. Attackers aren’t hanging around — they’re jumping on newly disclosed vulnerabilities almost as soon as they’re published. If your patching process is slow, you’re basically leaving the door wide open.

This is exactly why the NCSC’s Cyber Essentails scheme — especially its 14-day patching rule — is more important than ever.

What the VulnCheck Report Says

• 159 known exploited vulnerabilities (KEVs) reported in Q1 2025.)
• Almost 30% were under attack within 24 hours of being disclosed.
• The usual suspects are being hit hardest:
  • Content Management Systems
  • Network Edge Devices
  • Operating Systems
• Top vendors affected:
  • Microsoft Windows
  • VMware
  • Cyber PowerPanel

The takeaway? Attackers aren’t targeting obscure kit — they’re going after the stuff most of us use every day.

Where Cyber Essentials Fits In

Cyber Essentails isn’t about ticking boxes — it’s about getting the basics right so you’re not the easy target. Here’s how it helps:

• Secure Configuration: Shut down unnecessary services, harden your systems.
• Patching (The Big One):
  • Critical and high-risk updates must be applied within 14 days.
  • That includes OS, firmware, and any third-party apps where there’s a known exploit.
  • With VulnCheck showing exploits popping up within a day, 14 days isn’t just a nice-to-have — it’s the minimum to stay in the game.
• Access Control: Only give people access to what they actually need.
• Malware Protection: Basic defence against malware doing the rounds.
• Firewalls and Gateways: Keep the bad stuff out, especially at the network edge (which, by the way, is one of the top targets right now).

Why You Can’t Ignore the 14-Day Rule

The data’s clear: the gap between “vulnerability published” and “exploit in the wild” is getting smaller all the time. The longer you wait to patch, the higher the risk.

The 14-day rule in Cyber Essentials isn’t about red tape — it’s about giving attackers less time to hit you.

Bottom Line

Don’t make it easy for them. Patch early, patch often. If you’re not patching fast enough, you’re giving attackers the upper hand. Cyber Essentials is designed to reduce that risk. It helps you cover the basics that attackers rely on you getting wrong.

For more on how Cyber Essentails works, please 📧 contact us for more information

It might be over 10 years old but Cyber Essentials is always being reviewed to keep pace with technology and best practice. The next update to Cyber Essentials will be version 3.2 (Willow) will take effect from 28 April 2025. This means all applications started on or after this date will use the new requirements and questions set. For more information please read IASME’s blog on their website.

This version not much has really changed, the core requirements stay the same, it is mostly some tidying of language and definitions. So for most SME’s who are all ready doing Cyber Essentials there is nothing to worry about. Those who sub-set their scope there is now an extra verification test for the plus assessment.

Key Changes

• Under software, the term ‘plugins’ has been changed to ‘extensions’ for improved accuracy.
• References to ‘home working’ has been changed to ‘home and remote working’.
• Passwordless technology is now included in Cyber Essentials and is defined in the same way as multi-factor authentication, “passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity“
• The description that used to be ‘patches and updates’. will be changed to ‘vulnerability fixes’ as an umbrella term for all the different methods.
• When the Cyber Essentials self-assessment scope is not ‘whole organisation’, it must be verified by the Assessor that any sub-sets have been segregated correctly (extra physical test)
• All verification evidence must be retained by the Certification Body for the lifetime of the certificate

NCSC documents are available from below

• https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-2.pdf 
• https://www.ncsc.gov.uk/files/cyber-essentials-plus-test-specification-v3-2.pdf

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information

Winget (Windows Package Manager) is a command-line tool that allows you to install, update, and manage applications on Windows easily. It has been around for a few years now, but many IT admins do not know it exists or how it can be intergrated into day to day admin tasks for FREE.

This guide covers the basics of using Winget to update applications and automate routine tasks.

Installing Winget

Most modern Windows 10 and 11 versions come with Winget preinstalled. To check if Winget is available, run the following command in PowerShell or Command Prompt:

winget --version

If it’s not installed, download it from the Microsoft Store or install it via PowerShell.

For a list of applications that can be installed/updated by Winget check the Winget pkgs Github

Updating Installed Applications

For a list of upgradable apps:

winget upgrade

To update a single application, use:

winget upgrade "App ID"

To update all applications at once:

winget upgrade --all

To force update all apps without prompts:

winget upgrade --all --silent --accept-package-agreements --accept-source-agreements

Installing Applications

To install a new application:

winget install "App Name"

For a silent installation without prompts:

winget install "App Name" --silent --accept-package-agreements

Automating Winget Tasks with Scripts

You can automate Winget tasks using PowerShell scripts. For example, to update all applications daily:

1. Open Notepad and enter the following script:

winget upgrade --all --silent --accept-package-agreements --accept-source-agreements

1. Save it as update-winget.ps1.
2. Open Task Scheduler and create a new task:
   • Set it to run daily.
   • Choose Start a Program and select powershell.exe as the program.
   • Add -ExecutionPolicy Bypass -File "C:\path\to\update-winget.ps1" as arguments.

This ensures applications stay up to date automatically. That script could also be deployed via inTune

Exporting and Importing Installed Apps

To export a list of installed applications (could be used to baseline a build to make rolling out apps easy):

winget export -o apps.json

To reinstall apps from the list:

winget import -i apps.json

Conclusion

Winget simplifies software management on Windows, allowing you to update, install, and automate tasks with ease. By integrating it with scripts and Task Scheduler, you can maintain your applications effortlessly and help achieve Cyber Essentails.

Rebooting. It’s one of those things we all know we should do, but it’s easy to ignore when you’re busy. However, skipping reboots is one of the most common (and risky!) issues flagged in recent Cyber Essentials assessments.

Why Rebooting is a Big Deal

• Updates Need It: Those important security patches? Most won’t work fully until you reboot. No reboot = no protection.
• It Clears Out the Junk: A quick reboot refreshes your system, fixes little bugs, and keeps things running smoothly.
• Cyber Essentials Loves It: Rebooting isn’t just a good habit—it’s essential for meeting the Cyber Essentials standard.

What Happens if You Don’t

Imagine installing a lock on your door but not closing it. That’s what skipping a reboot is like. You’re leaving your system vulnerable, even after you’ve done the hard work of applying updates.

Make Rebooting Easy

• Set It and Forget It: Schedule automatic updates and reboots outside of work hours. Or last thing on a Friday shutdown the computer.
• Talk About It: Let your team know why reboots matter—it’s about staying secure, not being annoying.
• Track It: Use logs/reports to monitor reboots so nothing gets missed.

Rebooting might feel like a small thing, but it’s one of the easiest ways to stay safe and compliant. So next time you see that “Restart” button, don’t snooze it—click it! Your security depends on it.

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information

We were excited to celebrate the 10th anniversary of the world leading Cyber Essentials Scheme with the teams from NCSC and IASME this afternoon at the beautiful Cholmondeley Room at the House of Lords. It was an honour to hear from Feryal Clark MP (Parliamentary Under-Secretary of State for AI and Digital Government), who shared insights into our journey and the impact we’ve had over the past decade. We also heard from Emma Philpot MBE and business CISOs on how Cyber Essentials is being used to help provide supply chain assurance.

Cyber Essentials has significantly impacted the Cyber resilience of businesses that implement it fully. Data from insurance providers show that those companies that do Cyber Essentials reduce cyber risk by at least 92%. More can be read in the DIST Cyber Essentials Impact Evaluation

We’re so grateful for our amazing customers and their unwavering support. Back in 2014, we were among the first Cyber Essentials Assessors, and since then, we’ve seen fantastic progress with our customer base. The majority of our customers are actively embracing Cyber Essentials by implementing controls throughout the year, not just during assessment time. Your support over the last decade has been incredible, here’s to the next 10 years of stronger cyber resilience!

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information

IASME have published here that they are increasing the costs for Cyber Essentials from 2nd April 2024. As you will remember, the last time they raised the price was 2022, and that was for everyone except Micro companies.

This time, all prices will be raised as follows.

IASME has also increased the costs associated with being a certification body and performing plus assessments. This action, along with that of other providers, made it difficult for us to continue with the same pricing. As a result, we will be reviewing prices and making some adjustments to future plus assessment costs.

This will mean an increase in costs for Cyber Essentials/Plus for all customers.

Orders placed and paid for in March will be at the old pricing. Any outstanding quotes will also be reviewed from March.

📧 Contact us for more information