CyConex
Built for UK NCSC CAF programmes

NCSC CAF assessments in minutes, not days.

Evaluate and assimilate assurance information faster — with real-time feedback, instant evidence discovery, and detailed reports from one secure workspace.

CyConex uses Agentic Assurance to cut manual triage from days to minutes: intelligent agents map evidence, highlight coverage gaps, and draft structured outputs while your assessors retain expert judgement and sign-off.

Sign up free
CyConex assessment workspace with NCSC CAF control selection

Introducing CyConex and Agentic Assurance

A quick overview of how Agentic Assurance supports evidence-led NCSC CAF assessments.

Watch the full introduction

Why CyConex

Assurance work in minutes, not days

CyConex combines Agentic Assurance with NCSC CAF structure so teams spend less time hunting information and more time on expert judgement.

Days of evaluation and assimilation → minutes

Evaluate and assimilate in minutes

Reduce the time needed to review policies, procedures, and audit material from days to minutes. Agents surface what matters so assessors can move straight to informed conclusions.

Real-time feedback on where to focus

Live posture insight and gap highlighting help users quickly zero in on specific objectives, principles, or contributing outcomes that need attention — instead of working through everything manually.

Detailed reports in moments

Generate structured Excel and Word assessment exports, CAF heatmaps, and reviewer-ready outputs in moments — ready for GovAssure reviewers, regulators, and governance boards.

Instant guidance on coverage gaps

Get immediate advice on how to improve weak or missing coverage. AI-assisted review highlights gaps and suggests where additional evidence or remediation activity may be needed.

Find supporting evidence instantly

Semantic search and intelligent matching connect controls to the right documents and chunks across SharePoint, Microsoft 365, and uploaded libraries — no more manual trawling.

Save time, effort, and cost

Shorter assurance cycles, less repetitive triage, and clearer reporting add up to significant operational savings across self-assessments, independent review, and ongoing GRC programmes.

The result: significant savings in time, effort, and cost — without sacrificing the defensibility regulators and boards expect.

Platform

Explore the platform

Browse the workspace for evidence libraries, CAF assessments, dashboards, and exportable reports.

Ingest Word, PDF, Excel, and text files — or connect SharePoint — to build the evidence base your CAF assessment requires.

CyConex evidence library with document ingest and relevance settings

Screenshots show the early access product and may change as features are refined.

Get started

Try CyConex free or request a demo

Sign up in minutes for free early access, or tell us about your NCSC CAF assurance programme and we'll walk you through the platform.

Request a demo

By submitting this form, you agree that CyConex may process your personal data (name, organisation, email address, and message) to respond to your enquiry, as described in our Privacy Policy.

NCSC Cyber Assessment Framework

Purpose-built for UK CAF assurance programmes

The NCSC CAF is the UK's outcomes-based framework for assessing how well organisations manage cyber risk to essential functions. Used by nearly all UK cyber regulators, adopted across public sector via GovAssure, and aligned to NIS Regulations for operators of essential services, it demands evidence-led judgement — not checkbox compliance. CyConex is designed around that reality.

CAF assessments are structured around four security objectives and fourteen principles, broken down into contributing outcomes assessed via IGPs:

A

Managing security risk

Governance, risk management, asset management, and supply chain — the foundations for proportionate cyber security across essential functions.

B

Protecting against cyber attack

Policies, identity and access, data security, system hardening, resilient networks, and staff awareness that defend critical services.

C

Detecting cyber security events

Security monitoring and threat hunting capabilities that give organisations visibility before incidents escalate.

D

Minimising incident impact

Response, recovery planning, and lessons learned — ensuring resilience when defences are tested.

How CyConex supports CAF assessments

From scoping essential functions to exporting reviewer-ready outputs — without losing the expert judgement the NCSC expects.

Work at contributing outcome and IGP level

Structure assessments around CAF's 41 contributing outcomes and Indicators of Good Practice — recording achieved, partially achieved, or not achieved judgements with linked evidence, not generic control checklists.

Align to regulator CAF profiles

Assess against the target profile your competent authority or GovAssure programme requires, whether that means sector-specific interpretations or government baseline profiles for critical systems.

Support self-assessment and independent review

Give internal teams and external assessors a shared evidence base, traceable IGP references, and exportable reports that support the dialogue CAF assessments are designed to encourage.

Communicate posture with CAF heatmaps

Publish objective and principle-level heatmaps so boards, SROs, and oversight bodies see where essential functions are resilient — and where improvement activity is needed.

CyConex supports CAF-aligned assessment workflows. It is not affiliated with or endorsed by the NCSC. Organisations subject to regulation should confirm requirements with their competent authority or cyber oversight body.

Platform workflow

Evidence, assessment, and reporting

Turn days of manual evidence review into minutes. CyConex helps teams evaluate and assimilate assurance information faster, with real-time feedback, instant evidence discovery, and detailed reports — so you focus effort where coverage gaps matter most.

What is Agentic Assurance?

Evidence

Connect evidence where it already lives

CAF assessments depend on policies, procedures, audit reports, and operational evidence drawn from across the organisation. Ingest documents directly or connect Microsoft 365 and SharePoint sources to keep your evidence library aligned with the systems and essential functions in scope.

  • Upload policy, procedure, and audit files for CAF review
  • Connect SharePoint and Microsoft 365 evidence libraries
  • Keep evidence scoped to the right organisation and assessment programme
CyConex evidence library with document and SharePoint ingestion
CAF assessment

Map evidence to contributing outcomes and IGPs

The NCSC expects assessors to exercise expert judgement — IGPs inform conclusions, they do not replace them. CyConex surfaces relevant evidence for each contributing outcome, helping teams record achieved, partially achieved, or not achieved judgements with traceable references.

  • Structured NCSC CAF catalogue with principles and IGPs
  • Semantic search across policy, procedure, and audit evidence
  • Human reviewers retain final say on every IGP assessment
CyConex control detail showing NCSC CAF IGP obligations with evidence rationale
Transparency

Follow the evidence from source to assessment

Every control assessment shows how evidence was considered, filtered, and cited. Review the documents sent to the AI reviewer, see which chunks supported the outcome, and understand the confidence behind each judgement.

  • Evidence review trail with considered, selected, and used counts
  • Documents and chunks explicitly cited in the assessment
  • Clear rationale for achieved, partially achieved, or not achieved outcomes
CyConex control detail evidence tab with AI review trail and documents sent for assessment
Assurance history

Track how control outcomes evolve

Every reassessment is recorded on a control timeline — showing score changes, newly assessed evidence, and the rationale when an outcome stays the same. Assurance leads can see what changed and why, cycle over cycle.

  • Chronological assessment history per contributing outcome
  • Score and status changes linked to new evidence uploads
  • Clear explanations when outcomes are unchanged
CyConex control detail timeline showing assessment history and compliance score changes
Assurance outputs

Turn CAF assessments into board-ready reporting

Generate Excel and Word assessment exports, track assessment history across review cycles, and publish CAF heatmaps at objective and principle level for GovAssure reviewers, competent authorities, and governance stakeholders.

  • Principle-level CAF heatmaps and compliance scorecards
  • Exportable reports for self-assessment and independent review
  • Also supports NIST 800-53 and NIST CSF 2.0 catalogues
CyConex assessment output configuration for Excel and Word exports
Workflow

How CAF assessment works in CyConex

A straightforward workflow from evidence connection to CAF reporting — designed around the outcomes-based approach the NCSC expects.

1

Connect evidence

Upload policy, procedure, and audit files, or connect Microsoft 365 and SharePoint evidence libraries to your project workspace.

2

Scope your CAF assessment

Define essential functions, select your target CAF profile, and import the NCSC CAF catalogue — principles, contributing outcomes, and IGPs — or other framework control sets.

3

Match evidence and assess IGPs

Use semantic matching and AI-assisted review to link evidence to contributing outcomes, supporting achieved, partially achieved, or not achieved judgements.

4

Review and export for assurance

Human reviewers validate conclusions, then export audit-ready Excel and Word reports and CAF heatmap dashboards for oversight bodies and governance stakeholders.

Audience

Built for UK assurance teams

CyConex supports the stakeholders involved in NCSC CAF programmes — from operators of essential services to public sector assurance reviewers.

For NIS and CNI operators

Prepare CAF assessments aligned to your competent authority's target profile — demonstrating how essential services manage cyber risk under UK NIS Regulations.

For public sector GovAssure programmes

Support self-assessment workflows for critical government systems — gathering evidence, structuring IGP responses, and preparing outputs for independent review.

For internal assurance and GRC teams

Replace spreadsheet-driven CAF programmes with a repeatable, evidence-led process that preserves expert judgement and clear audit trails.

For boards and senior responsible owners

See CAF posture at objective and principle level through heatmaps and scorecards — making resilience gaps visible before regulators or reviewers do.

Frameworks

Supported frameworks

NCSC CAF is CyConex's primary framework — with NIST 800-53, NIST CSF 2.0, and custom control catalogues also supported for multi-framework assurance programmes.

NCSC CAF

Supported

The UK NCSC's outcomes-based Cyber Assessment Framework — four objectives, fourteen principles, 41 contributing outcomes, and IGPs. Used for GovAssure, NIS Regulations, and CNI sector oversight. CyConex's primary framework support.

NIST 800-53

Supported

Comprehensive security and privacy controls for federal and enterprise use.

NIST CSF 2.0

Supported

Structured cybersecurity framework outcomes for maturity assessment and reporting.

Custom control frameworks

Supported

Define and assess against your organisation's own control libraries and catalogues.

Framework coverage and control mappings in early access may expand or change over time.

Trust & security

Designed for sensitive assurance work

CyConex is built around secure tenant and project boundaries. Evidence, assessments, users, and review history are scoped to the right organisation and project, with support for hosted identity, MFA-aware access patterns, audit logging, and encrypted evidence storage options.

AI usage is auditable, helping teams adopt automation while preserving accountability.

Read our security & trust page →

Frequently asked questions

What is CyConex?

CyConex is an AI-assisted cyber assurance platform built for UK NCSC CAF assessments. It ingests evidence, surfaces it against contributing outcomes and IGPs, and helps qualified assessors reach evidence-led judgements faster — turning days of assurance work into minutes.

Does CyConex replace human assessors?

No. AI agents accelerate evidence gathering and review, but accountability stays with qualified assessors. Reviewers validate scope, review IGP judgements, and approve every output that goes into a formal report, so conclusions remain defensible.

Which frameworks does CyConex support?

NCSC CAF is the primary framework — four objectives, fourteen principles, 41 contributing outcomes, and IGPs. CyConex also supports NIST 800-53 and NIST CSF 2.0, with structured catalogues and reusable assessment context.

Does CyConex support NCSC CAF IGPs?

Yes. CyConex works with the full CAF catalogue, including Indicators of Good Practice. It surfaces relevant evidence for each contributing outcome and helps teams record achieved, partially achieved, or not achieved judgements with traceable references — IGPs inform conclusions, they do not replace expert judgement.

Can CyConex ingest SharePoint evidence?

Yes. You can connect Microsoft 365 and SharePoint sources to keep your evidence library aligned with the systems in scope, or upload documents directly. Evidence stays scoped to the right organisation and assessment programme.

Where is CyConex hosted?

CyConex is hosted in UK Azure regions. Customer evidence, assessment outputs, and platform metadata are stored and processed within the United Kingdom, supporting organisations with UK data residency requirements.

Can CyConex export Word and Excel reports?

Yes. CyConex generates structured Excel and Word assessment exports, along with CAF heatmaps at objective and principle level — ready for GovAssure reviewers, competent authorities, and governance stakeholders.