Evaluation of cloud security tools for the NCSC
The UK’s National Cyber Security Centre (NCSC) is the national technical authority for cyber security. It supports both government and industry in making the UK the safest place to live and work online.
Understanding risk
NCSC engaged CGI to assess whether emerging Cloud Native Application Protection Platforms (CNAPP) and Cloud Security Posture Management (CSPM) tools can effectively secure complex, multi-cloud environments for government and business. The findings form part of ‘Initiate’, the NCSC’s extensive research portfolio. ‘Initiate’ contributes to the advice and guidance to protect the UK’s most sensitive information and capabilities.
An evolving environment
With enterprise-scale cloud environments spanning major hyperscalers, the evaluation needed to see if tools can effectively secure complex, multi-cloud environments:
- Simulate realistic operational (“happy-path”) and threat / misconfiguration (“sad-path”) scenarios, to assess detection, coverage and false positive behaviour.
- Be cloud-agnostic, yet flexible enough to accommodate provider-specific architecture, service models and security paradigms.
- Deploy and tear down complex, large-scale environments rapidly and repeatedly, supported by automation, to enable consistent, reproducible testing.
- Provide an evidence base for vendor and product evaluation, benchmarking and future procurement guidance.
Approach
We designed and executed a four-phase cloud security research programme, combining analytical depth with hands-on technical validation. Drawing on our multi-cloud security engineering expertise. We established a secure and automated research platform to test and compare vendor capabilities. Our approach was guided by three principles:
- Repeatability and consistency: standardised and reproducible testing across multiple cloud platforms.
- Scenario-driven testing: real-world operational and threat scenarios to validate tool behaviour and detection coverage.
- Qualitative and quantitative analysis: a blend of metrics, contextual insights, and comparative scoring.
The findings included:
- Market assessment: a landscape review of CNAPP and CSPM solutions, vendor maturity, and market direction.
- Functional assessment: evaluation of vendor capabilities and architectures.
- Real-world testing: hands-on regression testing across cloud platforms using bespoke frameworks.
- Reporting and live demonstrations.
“The NCSC worked with CGI to develop our understanding of the CSPM and CNAPP ecosystems. Their
use of representative cloud environments, workloads, and service configurations, helped us collect crucial
“real-world” data about each tool’s performance, behaviour, and characteristics in a range of situations. Initially,
these data and results were used to help us to build our internal position, which we’re hoping to release as public-facing advice in the near future.”
Actionable intelligence enabling the NCSC to:
- Shape future guidance: evidence-backed insights to refine national cloud security standards.
- Enhance evaluation capability: apply a repeatable test framework for future cloud security research and procurement.
- Improve decision-making: access comparative analysis and vendor maturity insights to guide tool selection.
- Drive market influence: identify capability gaps and steer industry focus towards higher-assurance solutions.
- Support operational readiness: validate detection coverage and response under real-world attack conditions, strengthening national cyber resilience.
Our collaboration provided NCSC with a robust evidence base on the maturity, effectiveness, and limitations of leading CNAPP and CSPM tools. This enables NCSC to empower organisations to make informed,
data-driven decisions about cloud security strategy and national guidance.
Through this engagement, CGI enabled NCSC to confidently navigate a fast-evolving cloud security landscape. As well as delivering actionable intelligence, the programme also established a repeatable model for future research, setting a new benchmark for evidence-based cloud security evaluation in the public sector.
