As of April 27th 2026, there are important changes to Cyber Essentials which all organisations holding, or looking to achieve Cyber Essentials or Cyber Essentials Plus, must be aware of. These changes have come about to reflect what is being seen by IASME and the National Cyber Security Centre across real-world incidents, evolving cyber threats and feedback from assessments.
The current question set is being updated to tighten certain criteria and to help organisations become more robust in their cyber security, benefiting all parties. Updates include the following, as well as other changes:
To support customers with the new Cyber Essentials Plus requirements, Fortis Cyber® are aligning services to deliver ongoing compliance and assessment readiness designed to significantly reduce the risk of failure under the new, more rigorous standards.
We are enhancing our Cyber Essentials Plus capability with a structured readiness workflow in the months leading up to assessment, alongside improved visibility into your organisation’s compliance posture. This ensures you have a clear understanding of your readiness at every stage, enabling proactive remediation and a smoother, more effective certification process. This support is already included for customers who have signed up to the Fortis Cyber® Attack Mitigation Service. https://www.fortiscyber.co.uk/attack-mitigation-service
Get ahead of the new changes to reduce the risk of CE+ assessment failure and increase your cyber resilience. Contact us to review your current compliance position and put the right controls in place to achieve successful certification. For further information on the new requirements please check out the IASME article: https://iasme.co.uk/articles/important-update-changes-to-cyber-essentials-for-april-2026/
Artificial Intelligence (AI) is now being weaponised as threat actors leverage AI at every stage of the attack lifecycle to launch faster, more widespread and more damaging attacks on businesses.
This fundamental shift in the threat landscape means cyber criminals can now automate their reconnaissance of businesses, scaling to the scanning thousands of systems, enumerating software versions, analysing configurations, and pinpointing vulnerabilities in Internet-facing business systems and devices faster than ever before.
Industry threat intelligence reports confirm that external vulnerability exploitation is one of the most prevalent initial access vectors used by attackers to breach the business perimeter.
According to Mandiant’s M-Trends Report 2025, vulnerability exploitation was the leading initial access method, generating 33% of attacks, including those targeting Internet-facing systems such as web servers, APIs, and edge devices such as firewalls and VPN services.
Verizon’s 2025 Data Breach Investigations Report also found exploitation of vulnerabilities to be behind 20% of breaches, with attacks on externally facing Internet edge devices and VPNs increasing dramatically from 3% to 22%.
How Does the Fortis Attack Mitigation Service Work?
To counter AI-driven attacks, reduce the workload on internal security teams, and cut cyber risk, organisations need to adopt a proactive and layered approach to protecting internet-facing infrastructure. This is where the Fortis Cyber® Attack Mitigation Service (AMS) comes in, simplifying vulnerability management, providing comprehensive detection and validation, and delivering assurance against external cyber threats using:
Regular Assessments: scheduled evaluations detecting and identifying risks across internet-facing assets and discovering vulnerabilities before threat actors do.
Simulated Attacks: replicating real-world threat scenarios at scale to reveal how resilient your defences are under realistic attack conditions.
Security Workshops for Zero-Day Resilience: helping organisations understand and mitigate emerging threats and build resilience against zero-day vulnerabilities.
What This Means for Your Business
AI has transformed the balance of power in cyber security, giving criminals the tools to rapidly launch scalable attacks. Organisations need to act pre-emptively to anticipate and counter these threats.
By regularly assessing external attack surfaces, simulating real-world threats, and building resilience through expert-led guidance, organisations can be the first to find the gaps and vulnerabilities, rather than the last to know about them.
Ready to Simplify Security and Reduce Risk?
Our experts will work with you to understand your security requirements and recommend tailored solutions aligned to your business that will reduce risk and lighten your team’s workload. Start the conversation today at enquiries@fortiscyber.co.uk.
It’s a sad state of affairs but Artificial Intelligence (AI) is now being weaponised as threat actors leverage AI at every stage of the attack lifecycle to launch faster, more widespread and more damaging attacks on businesses.
Anthropic’s Threat Intelligence Report August 2025 found:
AI models are now being used to carry out cyber-attacks at scale
AI has lowered the barriers to entry with fewer technical skills required to launch complex attacks
Threat actors are integrating AI from start to finish throughout their operations
One individual can carry out attacks that previously would have taken a whole team
This fundamental shift in the threat landscape means cyber criminals can now automate their reconnaissance of businesses, scaling to the scanning thousands of systems, enumerating software versions, analysing configurations, and pinpointing vulnerabilities in Internet-facing business systems and devices faster than ever before.
Industry threat intelligence reports confirm that external vulnerability exploitation is one of the most prevalent initial access vectors used by attackers to breach the business perimeter.
According to Mandiant’s M-Trends Report 2025, vulnerability exploitation was the leading initial access method, generating 33% of attacks, including those targeting Internet-facing systems such as web servers, APIs, and edge devices such as firewalls and VPN services.
Verizon’s 2025 Data Breach Investigations Report also found exploitation of vulnerabilities to be behind 20% of breaches, with attacks on externally facing Internet edge devices and VPNs increasing dramatically from 3% to 22%.
How Attackers are using AI to Scale their Operations
Automated reconnaissance: AI-powered tools can crawl the Internet, identify exposed services, and determine software versions, significantly reducing the time it takes to map an organisation’s external footprint.
AI-assisted vulnerability prioritisation: instead of manually reviewing scan data, attackers are now using AI models to correlate against open-source intelligence, CVE data, and exploit descriptions to prioritise which businesses to target as the economy of effort to exploit is low.
Adaptive attack automation: AI systems can carry out entire attack sequences with minimal human involvement, automatically scanning, learning, and adapting their next move, which enables continuous and scalable attacks.
The result is that what once took days of manual reconnaissance can now be done in minutes. This has led to a new era of AI-assisted cyber-crime where threat actors can discover, prioritise, and target vulnerable assets within hours of exposure, outpacing traditional methods of defence.
How to Stay Ahead: Attack Mitigation Service - External
To counter AI-driven attacks, reduce the workload on internal security teams, and cut cyber risk organisations need to adopt a proactive and layered approach to protecting Internet-facing infrastructure. That’s where the Fortis Cyber® External Attack Mitigation Service (EAMS) comes in, simplifying vulnerability management, providing comprehensive detection and validation, and delivering assurance against external cyber threats using:
Regular Assessments: scheduled evaluations detecting and identifying risks across internet-facing assets and discovering vulnerabilities before threat actors do.
Simulated Attacks: replicating real-world threat scenarios at scale to reveal how resilient your defences are under realistic attack conditions.
Security Workshops for Zero-Day Resilience: helping organisations understand and mitigate emerging threats and build resilience against zero-day vulnerabilities.
What This Means for Your Business
AI has transformed the balance of power in cyber security, giving criminals the tools to rapidly launch scalable attacks. Organisations need to act pre-emptively to anticipate and counter these threats.
By regularly assessing external attack surfaces, simulating real-world threats, and building resilience through expert-led guidance, organisations can be the first to find the gaps and vulnerabilities, rather than the last to know about them.
Ready to Simplify Security and Reduce Risk?
Our experts will work with you to understand your security requirements and recommend tailored solutions aligned to your business that will reduce risk and lighten your team’s workload.
Start the conversation today at enquiries@fortiscyber.co.uk, our team will prioritise your request and help you secure your systems quickly.
