How Acubed IT met the National Cyber Security Centre (NCSC) Cyber Resilience Testing expectations through Principles Based Assurance
“For us, it’s been a game changer. It’s made the product stronger and gives customers the assurance they need as we take it to market in the UK and internationally.”
At a glance
The customer: Acubed IT is a UK sovereign secure digital engineering company specializing in high-assurance cloud and cross-domain solutions for government, defense and critical national infrastructure. Its CDHA (Cross Domain Hybrid Application) platform, now XD‑CORE, enables secure, policy-driven workflows between systems operating at different classification levels.
The challenge: Acubed IT needed a clearer way to demonstrate its product’s security to customers and procurement teams, ensuring its controls could be consistently explained and evidenced in line with evolving assurance expectations.
The solution: Using a NCSC approved Cyber Resilience Test Facility (CRTF), Acubed IT engaged NCC Group to undertake a Principles-Based Assurance (PBA) assessment that provided an independent, risk-based view of how the product performs in practice against industry standards.
The benefits: The assessment strengthened the product and its market positioning, enabling Acubed IT to take it to market in the UK and internationally, supporting customer adoption and procurement decisions.
Situation
Independent assessment of a cross-domain product
For organizations operating in high-assurance environments, being secure is only part of the job. You also have to show it in a way others can assess and trust. In cross-domain environments, where systems operate at different classification levels, that ability to demonstrate security is critical to adoption.
“Cross-domain work isn’t just a technical challenge; it’s a cultural one. This level of assurance helps overcome that resistance and gives people the confidence to adopt it. This has been a game changer for us.”
Challenge
Turning strong engineering into clear, credible assurance
Acubed IT develops technology that allows data to move securely between systems operating at different classification levels.
The company had built a technically strong product. The challenge was not the technology itself, but demonstrating its security clearly and credibly to customers and procurement teams.
Much of the detail sat within the technical team and was not documented in a way that aligned with how customers assess risk.
Cross-domain systems are complex, and while the controls were in place, they were not easy to explain or evidence in a consistent, structured way.
The Principle-Based Assurance methodology provided an opportunity to validate this approach.
To address this, Acubed IT engaged NCC Group, drawing on its expertise in independent assurance and its experience delivering assessments under a Cyber Resilience Test Facility.
Solution
An independent, risk-based assessment approach
NCC Group approached the engagement as a structured, principles-based assessment, focused on how the product performs in practice.
The team carried out a Principles-Based Assurance assessment. NCC Group is one of a small number of organizations recognized as a Cyber Resilience Test Facility (CRTF), enabling it to deliver this level of independent assurance.
The work took place over several months and focused on evidence rather than process and application.
NCC Group examined how the product had been designed, how risks were managed and how these could be evidenced against defined assurance principles.
It was not a pass or fail exercise, but a risk-based view of how the product performs in practice.
The process was collaborative, but also required challenge on both sides.
Vaishali Pant, Principal QA and Project Operation Manager, Acubed IT, said:
“They didn’t just check boxes. They asked the kind of questions that make you stop and think about how you’ve built something and how you explain it. Introducing more structured documentation created some initial resistance internally, but that shifted as the value became clearer.”
Amit Gupta added:
“There was some pushback at the start, which is natural. But going through it properly has made us better prepared for how the market is going and has improved our product.”
NCC Group worked closely with the Acubed IT team to understand the product in depth and apply its expertise in assessing and evidencing assurance.
Vaishali Pant said:
“The process was clear, organized and collaborative. They took the time to understand the architecture properly and asked the right questions.”
Benefits
Stronger product, clearer positioning, greater confidence in international markets
The outcome went beyond documentation. It changed how the product is understood, discussed and taken to market.
The PBA assessment introduced a more structured approach to assurance, requiring it to be clearly articulated and evidenced.
Amit Gupta said:
“Working across domains is complex, and historically a lot of that understanding sits with engineers. This process pushed us to step back and explain it properly, not just how it works, but why it can be trusted.”
The result is a more consistent and credible way of presenting the product, aligned with how customers assess risk and assurance. Its documentation aligns with how buyers evaluate risk, and the independent assessment gives it a clear, credible position in conversations with government and procurement teams across the UK and international markets.
“For us, it’s been a game changer and has made the product stronger,” said Amit Gupta.
The process also shifted how assurance is approached.
“Cross-domain work isn’t just a technical challenge, it’s a cultural one. Having this level of assurance helps give people the confidence to adopt it,” said Amit Gupta.
A more structured, risk-based approach to product security is becoming increasingly important as regulatory and procurement expectations continue to evolve.
Carrying out the assessment under the UK Cyber Authority’s Cyber Resilience Test Facility scheme puts Acubed IT in a strong position as those expectations become more embedded.
“This is becoming the standard. Getting ahead of it means we’re ready for where procurement and regulation are heading,” said Amit Gupta.
The independent assessment from NCC Group strengthened the product and positioned Acubed IT to take it to market with assurance in the UK and internationally.
‘As a market leader, NCC Group is focused on promoting NCSC's Core Technical Assurance Principles against evolving threat landscapes, ensuring clients and technologies have the appropriate risk appetite and resilience to cyberattacks.’ Shabrez Raja, NCC Group
Contributors
Amit Gupta
CEO and Founder, Acubed IT
Vaishali Pant
Principal QA and Project Operation Manager, Acubed IT
Shabrez Raja
Principal Security Consultant, NCC Group
Our experts are here to help you.
Don't hesitate to contact us to discuss your specific product assurance requirements and explore how our services can keep you ready and resilient.