
The most powerful operational risk assessment service ever created.

Irrespective of an organization's size or cyber security maturity - CDCAT is the definitive means of measuring operational risk to establish effective cyber risk management and drive an organization's cyber transformation.

The tool itself was developed by the Ministry of Defence's (MOD) Defence Science and Technology Laboratory (Dstl) - made commercially available through APMG.

The CDCAT service utilises this tool together with a plethora of frameworks, models, standards and sciences to run a full assessment of an organization's current cyber defences and controls - highlighting any vulnerabilities.

The assessment is crucial in creating an actionable plan to establish world-class cyber risk management - based on comprehensive and contemporary evidence.


The cyber security risk assessment solution for:

Organizations looking to transform their cyber defences

  • Use CDCAT to assess accurately the current condition of your organization's cyber security risk
  • Training is delivered on how to use the software
  • An expert can visit your premises on a consultancy basis

Organizations looking to provide cyber security risk assessments for their clients or supply chain

  • Use CDCAT to perform assessments of your clients' organizations
  • Advanced training sessions are delivered for CDCAT senior practitioners

CDCAT Resellers

  • Include CDCAT in your own portfolio of cyber security solutions

An assured approach to becoming cyber secure

CDCAT provides invaluable intelligence with which to focus on transforming an organization's cyber defences.

A unique approach to vulnerability assessment

  • Gather agile, time-based and comprehensive intelligence with which to effectively progress towards improving all aspects of cyber security

Empowers assured cyber security investments

  • Investment in improving cyber defence can be made in the right places - based on real, comprehensive evidence

Achieve agility

  • Quickly assess the effectiveness of implemented controls thanks to the ability to perform assessments rapidly and repeatedly, anytime
  • Continuously improving the controls checked by CDCAT empowers defenders to work in an agile manner – providing maximum asset protection

Completely scalable

  • Assessments can be performed on any organization - regardless of size, systems, risk or any other context

Keeps organizations ahead of the threat

  • Cyber threats are continuously evolving - CDCAT's intelligence is continuously updated to evolve with them

Facilitates ongoing transformation

  • Assessments can be performed as often as required to ensure continuous improvement to cyber defence

Booking a demo

  • Our team will have a conversation with you to understand your organization's scope and cyber security concerns
  • CDCAT will perform a simulated assessment, tailored to your organization - giving a clear picture of what vulnerability evidence can be produced


Become a reseller

  • If you are interested in bringing this military grade cyber defence technology into your organization's portfolio - please contact us about becoming a reseller
  • A demo and briefing on how to use CDCAT will be included in the reseller process


CDCAT® is a registered trade mark of The Secretary of State for Defence, Dstl

Dstl © Crown Copyright, 2017; Dstl © Crown Database Rights, 2017; This work was sponsored by the MOD ISS NTA





Why was CDCAT Introduced?

Cyber-criminals continuously evolve and adapt their methods of bypassing the traditionally rigid cyber-security controls organizations have in place. For organizations to stay safe they need to be similarly adaptive – this is where CDCAT comes in.

While it is highly advantageous for organizations to implement standards such as ISO/IEC 27001, or employ tools like penetration testing – these only constitute one part of an effective cyber security strategy.

CDCAT is designed so that the full sets of best practice controls are incorporated - including ISO/IEC 27001:2013, the US's NIST Cyber Security Framework, the UK's 10 Steps to Cyber Security and Cyber Essentials. As a result, CDCAT is a truly comprehensive cyber-security assessment tool, enveloping the standard lifecycle of assess, deter, protect, detect and respond – mapped against the ITIL lifecycle of Service Strategy, Service Design, Service Transition and Service Operation.

Who is CDCAT For?

CDCAT is designed for organizations that wish to establish the most comprehensive and effective cyber security strategy possible. Cyber criminals rarely discriminate and every organization is vulnerable – so it is absolutely essential that an organization takes every measure it can to keep its sensitive information and assets secure.

Irrespective of whether your organization wants to confirm the effectiveness of its current cyber security controls, or is genuinely unsure how to go about establishing its cyber defences – CDCAT will act as an essential form of dynamic cyber security intelligence. Considering CDCAT has been developed by Dstl, your organization can be confident that CDCAT is one of the most cutting-edge cyber security options available.

How do I book an assessment?

We offer business licenses for internal self-assessments or we can arrange for an APMG assessor to visit your premises on a consultancy basis.
For further information please contact us:
Telephone: +44(0) 1494 452450 

What Benefits will CDCAT Bring to My Organization?

  • CDCAT is the unique decision support system which allows a company to dynamically and proactively tackle its cyber security needs through business risk appetite analysis.
  • CDCAT is updated on a quarterly basis with information drawn from multiple international sources not readily available to the private/public sector.
  • CDCAT makes it easier for an organisation to manage their own cyber risk strategy and provides simple steps to improve cyber defence capabilities.
  • CDCAT provides cyber professionals with the tools to build effective business cases for vital updates. Worst case scenario modelling outlines the potential cost to an organisation of not implementing the recommended change and suffering a breach. This is measured against the costs of enacting the change. These forecasts are based on the data provided during the assessment.
  • CDCAT supports continuous security improvements for organisations and supply chains - as threats, consequences and risk appetites change. Through integrating multiple evolving reference standards, e.g. ISO 27000-series, it provides a framework for the assessment and integration of new technologies, e.g. cloud, mobile, digital applications, etc. supporting an up-to-date assessment.
  • CDCAT provides organisations with a way to report back to key stakeholders that they are addressing sector based vulnerabilities and proactively targeting cyber defence weak spots.
  • CDCAT calculates the overall business preparedness scores and defines a number of reports to support the analysis and assessment of the business improvements required.
  • Cost savings can be driven through adopting an efficient risk management approach utilising the recommendations made in the CDCAT report.
  • Visible, effective cyber security is an enabler for a thriving business.
  • CDCAT covers all four levels of the Defence Cyber Protection Partnership (DCPP).

How does CDCAT work?

CDCAT is constructed to include the full sets of best practice controls, including ISO/IEC 27001:2013, the US's NIST Cyber Security Framework, the UK's 10 Steps to Cyber Security and Cyber Essentials – all of which are mapped onto a framework. This framework is uniquely constructed as a matrix from the standard cyber life cycle of Assess, Deter, Protect, Detect and Respond, mapped against the ITIL lifecycle of Service Strategy, Service Design, Service Transition and Service Operation.

The overarching requirements of Service Continuous Improvement and Governance are also included. This framework has 145 controls and all are considered when a CDCAT assessment is scoped.

The controls considered come from a wide variety of sources, including unique ones from NATO, and are ranked according to their importance and frequency of use in delivery of security. The threat intelligence involved is regularly and frequently updated to ensure that it truly reflects today's environment and not just the recent past.

From this combination, CDCAT identifies the most important controls that have been proved to be most effective against the current threats and then assesses how effectively they have been implemented.

The tool is used to provide a set of the most effective controls, usually the top 15 – 20, to perform a rapid assessment baseline called CDCAT Classic. This set can be augmented with additional controls to suit a particular organization and threat profile. If the effectiveness of this set of controls is repeatedly checked as threats, vulnerabilities or business contexts change, it can provide a very high level of assurance against attacks. This provides the CDCAT Dynamic Risk Management™ approach at pace.

Assessment Method

First, the scope of the system to be assessed is defined. This could range from a whole organization, to one main information system, down to a single laptop. The risk tolerance for the system is then agreed, i.e. how much business risk is acceptable for the defined system. This determines the controls and the level of maturity required to be effective against the current threats.

An initial self-assessment is carried out by the organization in preparation for the full assessment.

The assessment itself takes between one and two hours. This requires the people who know the workings of the system well to be interviewed by either a trained internal assessor or an externally appointed assessor. It is this speed of assessment that empowers effective decision making on cyber defences and risk tolerance.

If a control is not in place or is not being implemented effectively, this is viewed as a vulnerability and will adversely affect the capability of the organization to withstand attack.


The Output

The report provided by using the CDCAT Classic approach provides details of:

  • the areas where controls are not operating effectively for the risk tolerance required;
  • an estimated range of the serious incident cost risk were the vulnerabilities to be exploited (based either on the organization’s own figures or those from recent surveys);
  • the potential blockers to improvement as well as the optimism bias of the staff involved;
  • a mapping to an additional standard or framework, for example this could be in support of a compliance assessment for ISO/IEC 27001:2013;
  • a high level action plan with cyber security metrics to improve control maturity to the desired target level.

This provides the organization's leadership with the basis for a business decision on action. The assessment is quick and the report and explanations are produced on the spot. This means that it can be repeated frequently, whenever there is a change to the system, the risk tolerance, the threats or any other factor, thereby keeping ahead of cyber events.

