CompanyGraph
NCC Group plc
NCC · United Kingdom
Runs government-approved security testing and legally binding software custody for UK public-sector and critical-infrastructure clients.
NCC Group holds two things that UK government clients cannot easily replace: a roster of CHECK-certified penetration testers, and custody of software source code held under three-party legal escrow agreements. CHECK certification is a UK government-controlled accreditation required for any security assessment that feeds into clearance renewals or regulatory compliance, and earning it takes years of vetted practical experience that cannot be bought or fast-tracked, so the number of government engagements NCC can run at once is capped by how many certified testers it already has on its books. On the escrow side, every source-code repository it holds is locked in place by a legal agreement between the software vendor, the vendor's licensees, and NCC as custodian — moving to a cheaper provider would require all three parties to renegotiate simultaneously, which almost never happens, turning each escrow contract into a recurring revenue line that competitors cannot undercut with a lower price. Both sides of the business rest on the same foundation: their value depends entirely on CHECK accreditation remaining the scheme the UK government uses, because if Whitehall rewrites or replaces that framework, the decades of clearance history and procurement relationships that keep clients locked in would count for nothing overnight.
How does this company make money?
The company charges annual fees to store source code under escrow agreements. It bills for penetration testing projects priced according to how complex the target system is and what level of security clearance the work requires. It earns recurring monthly fees from clients who subscribe to ongoing threat monitoring. And it charges retainer fees to clients who want the company on call for emergency response when a security breach happens.
What makes this company hard to replace?
Software escrow agreements are three-party legal contracts between a software vendor, its licensees, and the company as custodian — moving to a different escrow agent means all three parties must renegotiate simultaneously, which rarely happens in practice. On the testing side, clients who switch to a provider without equivalent CHECK certifications and clearances would lose continuity in their security clearance renewals. Vulnerability assessment reports also build up over time into regulatory audit trails, and switching providers — and changing methodologies — breaks that record.
What limits this company?
The company can only run as many government security engagements as it has CHECK-certified, security-cleared testers. Clearing a new tester takes years of practical experience and background investigation — there is no way to speed that up by spending more money. Until a new hire clears that bar, they cannot work on classified-scope contracts.
What does this company depend on?
The company cannot operate without CREST and the CHECK certification bodies, which accredit its penetration testers. It needs secure physical facilities with legal attestation to store escrowed source code. It relies on cyber insurance policies covering errors and omissions in security assessments. It must stay compliant with UK and EU data protection rules when handling client source code and vulnerability data. And it depends on relationships with law enforcement for incident response coordination.
Who depends on this company?
Financial services firms would fall out of regulatory compliance for operational resilience if the company's penetration testing stopped. Government agencies would fail security clearance renewals without CHECK-certified assessments. Software licensees would lose access to escrowed source code they need to keep running if their vendor collapsed. Critical national infrastructure operators would breach sector-specific cyber security regulations without its testing services.
How does this company scale?
Standard penetration testing tools and methodologies can be reused cheaply across many engagements, so adding more work of the same type costs little once the processes are in place. But every new government engagement still needs a CHECK-certified, security-cleared tester, and producing one takes years of vetting that cannot be shortened — so that pipeline stays narrow no matter how fast the business grows.
What external forces can significantly affect this company?
UK government regulations already require CHECK-certified testing for public-sector contracts, which creates a steady floor of demand but also means the government can reshape that demand by changing the rules. The EU NIS2 Directive now requires critical infrastructure operators to assess third-party security risks, pulling more clients toward formal testing. The cyber insurance market is tightening, with insurers increasingly demanding verified security assessments before issuing or renewing policies.
Where is this company structurally vulnerable?
If the UK government rewrites the CHECK accreditation rules, replaces the scheme entirely, or shifts public-sector security procurement to a new framework, the company's years of clearance history and its preferential standing with government buyers would count for nothing overnight. The government controls the rules of the scheme and can redefine them unilaterally at any time.