The buyer wants CE without a wider consultancy bundle
Fig is cleaner when Cyber Essentials is the job and the buyer does not need to bundle penetration testing, managed services, or a larger consultancy engagement.
Fig vs Bulletproof. Focused, below-IASME-price IASME-licensed alternative with 6-hour turnaround.
Bulletproof is a well-known UK cybersecurity consultancy that also delivers Cyber Essentials certification. Fig Group is the CE-focused alternative with a 6-hour turnaround, published pricing from £299.99 + VAT, and three free re-submissions. Both are IASME-licensed.
Decision table
Capability-by-capability comparison between Fig Group and Bulletproof
| Capability | Fig Group | Bulletproof |
|---|---|---|
| UK-resident data and support | UK-based | |
| IASME-licensed Cyber Essentials certification included | ||
| 6-hour Cyber Essentials turnaround guarantee | No published 6-hour SLA | |
| Multi-tenant MSP architecture | No checked public claim | |
| Governance-first control plane (policy drives evidence, not reverse) | No checked public claim | |
| Integrated vulnerability management and EPSS/KEV prioritisation | No checked public claim | |
| Embedded cyber insurance distribution | No checked public claim | |
| Frameworks supported | 65+ incl. Cyber Essentials, ISO 27001, NIS2, SOC 2, DORA, CS&R, DCC | Consultancy-led |
| Published Cyber Essentials pricing | From £299.99 + VAT | Check supplier quote |
Buyer-fit analysis
Where Fig is the cleaner fit, and where Bulletproof may be.
This page was last reviewed on 27 April 2026. We separate certificate delivery, platform fit, MSP workflow, and procurement risk so the comparison is useful rather than just a vendor scorecard.
Where Fig is the cleaner fit
The MSP wants a repeatable certification engine
Fig is built for repeated client delivery, with workflow, pricing clarity, and evidence retention designed around MSP scale.
Price and turnaround need to be clear before procurement
Fig is suited to buyers who want to know the certificate path, price, and re-submission position before arranging a scoping call.
Where Bulletproof may be the cleaner fit
The buyer wants penetration testing and CE together
Bulletproof may be a better fit where CE is part of a broader testing or cyber consultancy package.
The environment needs specialist consultancy before assessment
If the organisation expects extensive advisory work before it can answer the questionnaire, a consultancy-led route can be the safer first step.
Claims to verify before buying
- 01Ask whether the quote is certificate-only or bundled with consultancy/testing services.
- 02Confirm re-submission costs and assessor response times.
- 03Check whether the provider supports MSP resale or only direct customer delivery.
How to read this
The useful question is not which vendor is universally better.
It is which route fits the buyer's certification, data residency, MSP, and assurance requirements. Fig is strongest where Cyber Essentials certification, IASME-licensed assessment, UK support, published pricing, and MSP delivery are part of the requirement. Bulletproof may still be the better choice where its existing product focus, contract position, or implementation model is already aligned to the buyer.
Step 01
Confirm what is being purchased
A formal certificate, a compliance automation platform, a consultancy engagement, or a mixture. Cyber Essentials and Cyber Essentials Plus must be delivered through an IASME-licensed certification body; generic compliance automation alone does not issue the official certificate.
Step 02
Match supplier to job
If the job is to pass Cyber Essentials quickly, the decisive evidence is IASME licence status, assessor responsiveness, price, re-submission policy, and certificate turnaround. If the job is broader governance automation, the decisive evidence is control ownership, policy workflow, evidence retention, and renewal support.
Buyer checklist
Six questions to ask both suppliers
- 01Are you IASME-licensed? If yes, ask for the licence ID. If no, the supplier cannot issue the official Cyber Essentials certificate.
- 02Is pricing published? Gated, per-certification, subscription, or consultancy-led - confirm before procurement.
- 03Are re-submissions, readiness support, and urgent turnaround included, or charged separately?
- 04For MSPs: confirm tenant isolation, white-labelling, client reporting, and the margin model.
- 05For audit: how is evidence retained, exported, and mapped to framework controls?
- 06For renewal: does the provider support next year's certificate, or only the first submission?
Official sources
Independently verify what either supplier claims
Best fit · Fig Group
Choose Fig when the requirement maps here
- Organisations that want a CE-specialist certification body rather than a broad consultancy.
- Tender-deadline urgency.
- MSPs needing volume certification pricing.
Best fit · Bulletproof
Choose Bulletproof when the requirement maps here
- Organisations buying a bundle of pen-testing + CE from the same consultancy.
- Complex enterprise engagements needing consultancy depth.
Next step
Compare on the axis that matters to you.
Cyber Essentials certification, IASME licence, 6-hour turnaround, MSP multi-tenant - Fig publishes the capability set. See pricing or talk to an assessor.