Faced with evolving threats and escalating risks, understanding and managing your organisation’s cyber security resilience has become essential to protecting your business. (CDCAT®) is the definitive means of measuring operational risk and managing and maintaining an effective cyber risk management strategy to drive your organisation's cyber resilience transformation. For organisations that hold accreditations against a number of security standards, the different annual audits can cost tens of thousands. CDCAT® enables resilience and gap analysis assessments to be completed against multiple standards simultaneously, saving time and effort.

Its underpinning methodology was developed by the Defence Science and Technology Laboratory (Dstl), for the Ministry of Defence (MOD). Dstl is a government organisation dedicated to ensuring that innovative science and technology contributes to the defence and security of the UK.

Who is CDCAT cyber resilience and gap analysis assessment for?

Any organisation that wants to confirm the effectiveness of its current cyber security controls, or is unsure how to go about establishing its cyber security resilience.

Do you understand the risks?

According to the UK Government’s Department for Culture, Media and Sport (DCMS) Cyber Security Breaches Survey 2019

  • Cyber security is increasingly a priority issue for organisations. 78% of businesses (vs. 74% in 2018) and 75% of charities (vs. 53% in 2018) now rate it as a high priority.
  • Only 58% of businesses and 53% of charities have taken action towards 5 or more of the Government’s 10 Steps to Cyber Security.

CDCAT® is a registered trade mark of The Secretary of State for Defence, Dstl. All rights reserved.

Read more


Many recognised best practices are built into the tool, for example:

  • UK’s 10 Steps to Cyber Security
  • ISO/IEC 27001
  • NIST Cyber Security Framework
  • Cyber Essentials
  • Defence Cyber Protection Partnership (DCPP)

The wide selection of standards in the tool allows you to select those most applicable to your organisation, tailoring the assessment to suit your needs in a unique CDCAT® strategy fused from one or more standard and threat requirement to meet and the audit need, for example to meet the needs of the UK NCSC Cyber Assurance Framework(CAF) or the EU Network and Information Systems (NIS) Directive and as needed for Competent Authority (CA) audits.

Read more


What benefits will CDCAT bring to my organisation?

  • Cutting-edge technology and gap analysis Assessments of your organisation’s cyber security resilience capability are carried out using CDCAT® – a unique calibrated measurement approach developed by the MOD and the Defence Science and Technology Laboratory (Dstl).
  • Agility Perform rapid assessments of your organisation’s systems and controls to take fast remedial action.
  • Tailored expertise Receive tailored advice on your organisation’s resilience and cyber security spending.
  • Complete scalability Develop an assured strategy regardless of your organisation’s standards audit needs, size, systems or market.
  • Keep ahead of the threats Cyber threats are continuously evolving – CDCAT®’s mitigations are continuously updated to evolve with the threat.
  • Assured cyber security investment Ensure your cyber security spend is based on real and comprehensive evidence.
  • Continuous enhancements Monitor the progress of your cyber resilience and make repeated assessments to ensure optimal transformation of your organisation’s cyber security.
  • Evidence-based reporting Supports compliance programmes and generates evidence to support the General Data Protection Regulation (GDPR) due diligence.

Assessment method:

CDCAT® assessments are conducted by a QA Cyber Consultants who are trained CDCAT assessors.

Read more


To undergo a CDCAT assessment, the scope of the system to be assessed is defined. This could range from a whole organisation, to one main information system, down to a single laptop. The risk tolerance for the system is then agreed - how much business risk is acceptable for that system? This determines the controls and the level of control systems outcome maturity required to be effective against the current threats. If a control is not in place or is not being implemented effectively, this is viewed as a vulnerability and will adversely affect the capability of the organisation to withstand attack. Attackers will always target the weakest link in the security chain. The easily repeatable resilience assessment can take as little as two hours depending on the scope, and produces a report immediately with full explanations. Frequent quick to achieve repetitions enable organisations to be responsive to cyber-criminals’ continuously evolving methods and check any enhancements needed made to their resilience operations.

Typically, a CDCAT resilience assessment engagement is over three days:

  • Day 1 Initial client scoping
  • Day 2 CDCAT Assessment with customer team
  • Day 3 Delivery of CDCAT Assessment report and customer debrief
Read more

Frequently asked questions

How can I create an account on myQA.com?

There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.

If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".

If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.

Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.

How do QA’s virtual classroom courses work?

Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.

We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.

Learn more about our Virtual Classrooms.

How do QA’s online courses work?

QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.

All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.

Learn more about QA’s online courses.

When will I receive my joining instructions?

Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms. Read more FAQs.

When will I receive my certificate?

Certificates of Achievement are issued at the end the course, either as a hard copy or via email. Read more here.

Contact Us

Please contact us for more information