Here’s a look at what’s been happening at Periculo this month. Alongside supporting clients across defence, digital health, and other regulated industries with certifications and penetration testing, we’ve also launched our Security Assurance Programme, designed to simplify and consolidate ongoing compliance.
We’re also pleased to welcome our new Managing Director, John Matthews, as we continue to build out the next phase of the business.
This month's newsletter covers some of that work in practice, along with a few insights from the field...
For organisations working within MoD supply chains or seeking prime contractor confidence, Defence Cyber Certification is becoming the baseline of trust.
Day1 People achieved DCC Level 0 this month with Periculo's support. The engagement covered the technical and procedural requirements needed to establish a clear security baseline, giving Day1 People a foundation from which they can progress through the scheme with confidence.
Their team described the process as "professional, knowledgeable and thorough."
Penetration testing this month spanned financial services, healthcare, and pharmaceutical environments. Findings were translated into remediation plans ordered by business impact rather than technical severity alone. That distinction matters: a list of vulnerabilities without prioritisation is a document, not a plan of action.
On the compliance side, the work has been varied and in several cases specialist. We conducted DSPT audits for NHS IT suppliers ahead of the June deadline, supported a client through ENS certification as they prepare to operate in Spain, and led a C5 assessment for a client with cloud operations in the Netherlands.
Each framework carries its own technical and evidential requirements, and the ability to work across all three within the same month reflects the breadth of the team's expertise.
ISO 27001 recertification was completed successfully for one of our clients this month, and managed security monitoring continued across a number of environments, with daily log reviews and alert triage providing continuity of oversight for teams without a dedicated internal security function.
Supply chain assurance featured significantly as well. As clients face harder questions from their own customers about third-party risk, the demand for structured supplier due diligence has grown sharply. It is an area we expect to keep expanding.
For NHS suppliers, these assurance activities are not optional. Cyber Essentials, Cyber Essentials Plus, penetration testing, and ongoing vulnerability management are expected as standard across the supply chain. The question is not whether to do them, but how.
Most organisations manage these obligations across multiple vendors: one for certification, another for testing, a third for monitoring. The result is a fragmented picture of security posture, no single team with enough context to join the dots, and a growing stack of invoices with unpredictable timing.
Our Security Assurance Programme consolidates all of it under one team. The practical benefits are straightforward: no vendor sprawl, predictable costs, and a single point of contact who understands your environment.
But the deeper value compounds over time. The longer we operate across your assurance activities, the clearer our understanding of your risk profile becomes. That understanding is what allows us to move from reactive to proactive: identifying where exposure is growing before it becomes a problem, rather than after.
For NHS suppliers managing the current compliance calendar, that kind of continuity is not a nice-to-have. It is what good supply chain security actually looks like.
If you would like to understand how the programme works in practice, we are happy to walk you through it.
John Matthews joins Periculo as Managing Director. His appointment reflects the direction we are taking the business: deeper capability, more complex client engagements, and a growing footprint across digital health and defence.
John brings a career spent at the intersection of technical security and commercial delivery. He steps in at a point where demands on organisations in both sectors are accelerating, and his appointment reflects our commitment to building a leadership team that can meet that.
In February 2026, I joined Periculo as their Managing Director — and I have to say, what this team has already built is hugely impressive.
Over the last 18 years, I have been leading businesses in MD roles across the Tech sector, spanning the UK, USA, mainland Europe, and India. I've seen a lot of businesses. High-growth SMEs, large corporates, and scale-ups at every stage. You quickly develop a sense for the ones that have something real. Periculo has it.
From Cyber Essentials and ISO 27001 through to CREST-accredited penetration testing and supplier assurance, the foundations here are exceptional.
This isn't a business that's been built on noise. It's been built on expertise, trust, and delivery.
Nowhere is that more evident than in Digital Health. Periculo is one of the UK's leading DSPT auditing partners — helping more healthcare and health-tech organisations meet their NHS Data Security and Protection Toolkit obligations than anyone else in the market. We don't just help organisations tick the box; we help them build security practices that genuinely protect patients. As scrutiny in this space intensifies, our position as market leader puts us in a uniquely powerful place.
In the UK defence space, the traction is equally exciting. As DCC and DefStan 05-138 become the baseline for operating in the defence supply chain, Periculo is already positioned as a credible, knowledgeable partner for organisations navigating that journey.
My career has been defined by building strong management structures and driving growth through business development. I couldn't be more energised about bringing that experience to bear here — and taking Periculo to the next level.
The best is genuinely ahead of us.
We are glad to have him on board.
In March 2026, two of the world's largest medical device manufacturers were breached within days of each other. Stryker suffered a destructive attack attributed to a hacktivist group with links to Iran's Ministry of Intelligence and Security, disrupting global ordering and shipping operations for over a week.
Intuitive Surgical, the company behind the da Vinci robotic surgical system, was compromised via a single phishing email that handed attackers access to internal business applications and exposed customer and employee data.
Neither attack required sophisticated techniques. What made the difference at Intuitive Surgical was network segmentation. Their internal business environment was isolated from clinical systems, and patient data remained protected as a result. That is the kind of architectural decision most organisations defer. For NHS suppliers, it is no longer optional.
There are three things worth acting on if you operate in this space.
First, audit where your business systems and clinical or NHS-connected infrastructure meet. If a compromised email account could reach patient data or systems connected to the NHS, that is a segmentation problem, and it needs fixing.
Second, ensure multifactor authentication is in place across every externally facing system. Not SMS codes, which can be intercepted, but authentication apps or hardware tokens.
Third, check where your suppliers sit in relation to your own environment. Stryker's breach disrupted NHS trust operations not because NHS trusts were attacked, but because they were downstream of a supplier who was.
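The three checks above can be expressed as a repeatable review over an asset inventory. The script below is an added example written for this newsletter, not Periculo's own tooling or anything from the incidents described; the zones, allowed flows, externally facing systems and suppliers are constructed sample data. It answers the three questions directly: which clinical or NHS-connected zones a compromised mailbox could reach (a breadth-first search over the allowed network flows), which externally facing systems still rely on no MFA or SMS codes, and which suppliers have a network path into sensitive zones.

```python
"""Added example (not Periculo's tooling): an assurance check mirroring the three
actions above, run over a constructed asset inventory.

1. Segmentation: can a compromised business mailbox reach clinical or NHS-connected zones?
2. MFA: which externally facing systems still rely on no MFA or SMS codes?
3. Suppliers: which third parties have network paths into sensitive zones?
"""
from collections import deque

# Constructed sample inventory; zone names, flows, systems and suppliers are illustrative.
ZONES = {
    "corp-email":    {"sensitive": False},
    "corp-lan":      {"sensitive": False},
    "clinical":      {"sensitive": True},
    "nhs-connected": {"sensitive": True},   # segment with connectivity to NHS systems
    "supplier-vpn":  {"sensitive": False},
}

# Allowed flows between zones as (source, destination). Anything not listed is denied.
ALLOWED_FLOWS = [
    ("corp-email", "corp-lan"),
    ("corp-lan", "clinical"),        # the gap: business LAN can reach clinical systems
    ("clinical", "nhs-connected"),
    ("supplier-vpn", "corp-lan"),
]

EXTERNAL_SYSTEMS = [
    {"name": "webmail",      "mfa": "sms"},
    {"name": "vpn",          "mfa": "totp"},
    {"name": "remote-desktop", "mfa": "none"},
    {"name": "admin-portal", "mfa": "fido2"},
]

SUPPLIERS = [
    {"name": "logistics-vendor", "entry_zone": "supplier-vpn"},
    {"name": "payroll-saas",     "entry_zone": None},   # no network path into the estate
]

# Authenticator apps and hardware tokens count as acceptable; SMS and "none" do not.
STRONG_MFA = {"totp", "fido2", "hardware-token"}


def reachable_zones(start, flows=ALLOWED_FLOWS):
    """Breadth-first search over allowed flows; returns every zone reachable from start."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def segmentation_findings(start="corp-email", zones=ZONES, flows=ALLOWED_FLOWS):
    """Sensitive zones a compromised mailbox could reach; each one is a segmentation finding."""
    return sorted(z for z in reachable_zones(start, flows) if zones[z]["sensitive"])


def weak_mfa_findings(systems=EXTERNAL_SYSTEMS):
    """Externally facing systems without app-based or hardware-token MFA."""
    return sorted(s["name"] for s in systems if s["mfa"] not in STRONG_MFA)


def supplier_exposure(suppliers=SUPPLIERS, zones=ZONES, flows=ALLOWED_FLOWS):
    """Map each supplier with a network entry point to the sensitive zones it can reach."""
    exposure = {}
    for supplier in suppliers:
        entry = supplier["entry_zone"]
        if entry is None:
            continue
        hits = sorted(z for z in reachable_zones(entry, flows) if zones[z]["sensitive"])
        if hits:
            exposure[supplier["name"]] = hits
    return exposure


if __name__ == "__main__":
    print("Segmentation findings:", segmentation_findings())
    print("Weak MFA on external systems:", weak_mfa_findings())
    print("Supplier exposure:", supplier_exposure())
```

In the sample data the single rule allowing corp-lan to reach clinical is what turns a mailbox compromise into clinical and NHS-connected exposure, and the same rule gives the logistics supplier that path too; removing it clears both findings, which is the kind of before-and-after evidence an auditor will ask to see.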
The DSPT Version 8 deadline is 30 June 2026. If you are a Category 2 IT supplier and have not started your independent audit process, the time available is shorter than it looks. We can help you work through what is required before the deadline becomes a problem.
With the introduction of our Security Assurance Programme and the expansion of our leadership team, we’re continuing to invest in how we support clients over the long term.
If any of the areas covered are relevant to your organisation, whether that’s certification, testing, or ongoing assurance, we’re always happy to have a conversation about how we can help. Please contact us.