Cyber Defence Capability Assessment Tool (CDCAT®)

In today’s threat landscape, assumptions are dangerous. CDCAT® (Cyber Defence Capability Assessment Tool) empowers senior cybersecurity leaders to make data-driven decisions by objectively assessing cyber defence maturity across people, processes, and technology. Developed in collaboration with Ministry of Defence's (MOD) Defence Science and Technology Laboratory DSTL and made commercially available through APMG, CDCAT® aligns with global standards and provides actionable insights to reduce risk, improve resilience, and justify investment. Whether you're defending critical infrastructure or leading enterprise security, CDCAT® gives you the clarity and confidence to stay ahead of evolving threats.  

Know your cyber security strategy. Own your defence. 

Invest in CDCAT® and take control of your cyber defence strategy. Starting at £1,250, the assessment includes pre-consultancy, evaluation, and strategic follow-up — scalable to any organisation size or complexity. 

Organisations using CDCAT® have reported audit preparation time reduced by up to 70%, thanks to its automated control mapping and actionable reporting. 

For every £1 spent on CDCAT®, an organisation could save £18 in audit costs — plus significantly reduce the time to assess and act on cyber risks. 

What are the Estimated Cost Savings with CDCAT?

Traditional cybersecurity audits can cost £10,000 to £50,000+ and take weeks or even months to complete, especially when multiple standards (e.g. ISO 27001, NIST, PCI-DSS) are involved.  

CDCAT® Classic Assessment starts at £1,250, offering a consultant-led, standards-mapped evaluation that drastically reduces both time and cost. You’ll receive a report you can share with your organisation and create an action plan from. 

Organisations using CDCAT® have reported audit preparation time reduced by up to 70%, thanks to its automated control mapping and actionable reporting.  

For enterprises with complex compliance needs, CDCAT® can save tens of thousands of pounds annually by consolidating multiple frameworks into a single, efficient assessment.

What will my Cyber Risk Assessment Report contain? 

Each report is yours to keep and comes with a breakdown of the following areas: 

• Summary: A high-level overview of your company, its weaknesses, and areas for improvement.
• High Level Action Plan: Effectiveness of your current controls according to target and areas of improvement.
• Performance Indicators: Bespoke KPIs tailored to your company to meet your desired goals and timeframes (especially relevant for your technical team).
• Additional Standard: A separate report assessment against an additional security standard.
• Assessment Data: Your data specifically mapped against the selected security controls (especially relevant for your technical team).
• An Action Plan: Providing an overview of your blockers and weaknesses based on the TEPIMOIL mnemonic: Training, Equipment, Personnel, Information, Management, Organisation, Infrastructure and Logistics.