Cyber Essentials and Attack Surface Scanning: What You Need to Know

Cyber Essentials certification requires evidence of controlled internet-facing exposure. This guide explains how attack surface scanning supports your Cyber Essentials preparation and annual renewal.

17 April 2026 · 7 min read · #Cyber Essentials #NCSC #UK compliance

What Cyber Essentials requires

The UK government's Cyber Essentials scheme defines five technical controls that provide a baseline of cyber hygiene: firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management.

The scheme does not directly mandate attack surface scanning — but several of its requirements become much easier to evidence and maintain when you have a clear picture of what is publicly exposed from your domain.

Boundary firewalls and internet gateways

Cyber Essentials requires that your internet-facing services are limited to only what is needed. Attack surface scanning tells you exactly what is visible from the internet: open ports (via passive methods), discovered subdomains, misconfigured CNAME records pointing to decommissioned services, and any services inadvertently exposed during infrastructure changes.

If your scan reveals a subdomain still resolving to an old cloud service, that is an internet-facing service you did not know about — a direct Cyber Essentials concern.

Secure configuration

Secure configuration requires that systems use secure settings by default. HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy) and TLS configuration are measurable, testable evidence of secure web server configuration. An SSL Labs A+ grade demonstrates that TLS is configured to reject old protocols and weak cipher suites.

Cyber Essentials Plus

Cyber Essentials Plus includes an external vulnerability scan as part of the assessment. Organisations that run regular passive scans know their external posture before the assessor does, which dramatically reduces the risk of failing on findings that could have been fixed in advance.

Annual renewal preparation

Cyber Essentials certification must be renewed annually. DNS configurations, cloud services, subdomains, and email providers all change between renewals. Running a passive scan before each renewal submission lets you catch new issues — a forgotten staging subdomain, a DMARC policy that has been weakened, a newly expired certificate — before they appear in the assessment.
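Two of the pre-renewal checks described above (the security headers named under secure configuration, and a DMARC policy that has been weakened) can be scripted against captured data. The following is an added example written for this article, not VP Shield's own code: it takes an already-captured set of response headers and a DMARC TXT record (both constructed here) and returns the findings to fix before submission.

```python
# Header names the page lists as evidence of secure web-server configuration.
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options", "referrer-policy")

def missing_security_headers(headers):
    """Required headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags

def dmarc_weakness(record):
    """Reason the record would not block spoofed mail, or None if it enforces.
    Weak: not a DMARC record, p=none (monitor only), or pct below 100."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "not a DMARC record"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return f"policy p={policy} does not enforce"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return f"only pct={pct} of mail is enforced"
    return None

def renewal_findings(headers, dmarc_record):
    """Findings from both checks, as the list to fix before a renewal submission."""
    findings = [f"missing header: {h}" for h in missing_security_headers(headers)]
    reason = dmarc_weakness(dmarc_record)
    if reason:
        findings.append(f"weak DMARC: {reason}")
    return findings

# Constructed sample input, not real scan output: HSTS and Referrer-Policy are
# set but CSP and X-Frame-Options are missing, and DMARC was weakened to p=none.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

Call `renewal_findings(SAMPLE_HEADERS, SAMPLE_DMARC)` to get the three findings for the sample; in practice the headers come from a response to your site and the record from the `_dmarc` TXT lookup on your domain.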

What VP Shield checks in relation to Cyber Essentials

  • TLS/SSL grade — maps to secure configuration requirement
  • HTTP security headers — maps to secure configuration and boundary controls
  • DNS hygiene — maps to boundary control visibility
  • Subdomain takeover — maps to boundary control and unknown internet exposure
  • Email authentication — maps to secure configuration and user protection

Cyber Essentials is a floor, not a ceiling

Cyber Essentials certification demonstrates basic hygiene. It is a contractual requirement for UK government supply chain work and increasingly expected by enterprise clients in financial services, healthcare, and defence. But it does not cover every aspect of your domain's security posture — email spoofing exposure, for example, is not a Cyber Essentials control but is a serious business risk.

Use attack surface scanning as part of a continuous posture management programme, not just for annual certification cycles.

Check your domain security now

VP Shield runs a free passive scan on any domain — DNS, TLS, email authentication, security headers, subdomain takeover risk. No login, no install, two minutes.