Bulletproof review: Cyber Essentials in 2026
A factual review of Bulletproof Cyber as a Cyber Essentials certification body: its place in GRC International Group, its consultancy-led model, pricing guidance, and where Fig Group differs.
Bulletproof Cyber is an IASME-licensed Cyber Essentials certification body and part of GRC International Group, the publicly-listed parent of IT Governance. Their model leans consultancy-led, with in-house penetration testing and managed SOC services alongside certification. They are a sensible choice for organisations that want a bundled security posture rather than just a certificate. Fig Group sits at the other end of the spectrum - lowest published UK price, fastest certification, and a software-first delivery model rather than bundled consulting.
Who Bulletproof is
- Part of: GRC International Group Plc (LON:GRC), which also owns IT Governance
- IASME-licensed: yes - verifiable on the IASME directory
- HQ: Stevenage, Hertfordshire
- Scope of services: Cyber Essentials, CE Plus, CREST penetration testing, managed SIEM, vCISO, ISO 27001 support
- Typical customer profile: mid-market organisations buying a suite of services, not just certification
Bulletproof's scale and breadth of services are real - if you need a pentest alongside the certification, a single supplier can be convenient.
Pricing and turnaround
Bulletproof does not publish a headline Cyber Essentials price on their site; expect a quote-based sales conversation. Industry-typical pricing for Micro / Small-tier Cyber Essentials from a mid-market consultancy sits in the £600–£1,200 + VAT range depending on scope and bundled services, with turnaround measured in one to three weeks. For current and exact figures, contact bulletproof.co.uk - published prices change.
Where Bulletproof makes sense
- You need penetration testing and CE/CE Plus bundled. Their CREST-accredited pen test team can run CE Plus vulnerability testing in-house.
- You are also buying managed services. SOC, SIEM, vCISO bundling can justify the higher price point.
- You prefer a publicly-listed supplier. GRC International Group's parent listing is a data point some procurement teams weight.
Where Fig Group positions differently
1. Published price at £299.99 + VAT for the Micro tier. Fig's pricing is on our pricing page and held without a sales conversation.
2. 6-working-hour certification SLA on clean Micro-tier submissions - designed for organisations with a tender deadline this week, not next month.
3. Platform-first delivery. Fig's delivery model is self-serve online with assessor review, not consultancy hours.
4. Verifiable licence. Fig Group's IASME licence: 325cdf33-3812-4082-bf8d-7dce7ac02977 - on the IASME directory.
The certificate is identical
As with every IASME-licensed body, the certificate Bulletproof issues and the one Fig issues are the same IASME-validated certificate. Twelve-month validity, listed on the same directory, accepted by the same buyers and insurers. The commercial model differs; the certification does not.
When to consider switching to Fig
- Your renewal is coming up and you want to separate certification from the consultancy bundle
- You want a fixed, low, published price with no negotiation
- You have a supplier-onboarding or insurance deadline and need certification in hours not weeks
Due-diligence checklist
Before paying any certification body:
1. IASME licence verified on the IASME directory
2. Price in writing with VAT shown
3. Assessor SLA - submission-to-review time
4. Resubmission policy if the first review fails
5. Scope in writing - what staff count, what devices, what geographies
Bottom line
Bulletproof is a credible, IASME-licensed body and a reasonable choice for organisations buying certification as part of a wider security bundle. If you just want the certificate at the lowest verifiable price with the fastest turnaround, Fig Group's £299.99 + VAT Micro tier and 6-hour SLA are a straightforward alternative. Either way, the IASME-arranged £25k cyber liability cover ships with any valid CE certificate where the eligibility criteria are met.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Ready to get certified?
Get Cyber Essentials certified with Fig. Same-day certification available when you purchase before 12:00 midday. IASME-licensed with transparent pricing from £299.99 + VAT.