Monthly Newsletter

May Newsletter 2026

Written by Craig Pepper | May 29, 2026 10:29:59 AM

May has not been a quiet month. The Periculo team has been pushing personal limits at one of the UK's most demanding endurance events whilst keeping the wheels turning for clients across DSPT, Cyber Essentials, penetration testing, and AI assurance. When we say we go the extra mile, this month we mean it literally. Here is what we have been up to...

Team Spotlight: The Red On Back Yard Ultra

The Red On Back Yard Ultra is a unique test of endurance held at Cheltenham Racecourse, following a format in which runners must complete a 6.706 km loop every hour, on the hour, until only one competitor remains standing. There is no set finish line, no fixed end time, and no finish medal for simply completing a lap. You run until you cannot, and then someone else takes the title.

Members of the Periculo team and friends

Members of the Periculo team took on the challenge on 15th May 2026 at Cheltenham Racecourse, battling fatigue, sleep deprivation, and whatever the British weather chose to deliver across what can become a multi-day event. It is, in short, exactly the kind of challenge this team enjoys.

Every member of the team ran their furthest distance to date. From half-marathon and marathon distances through to 50km, 70km, and 80km, the bar has been raised across the board. The targets for next year are already being set, with 100km and the 24-hour mark already being mentioned.

Well done to everyone. We are proud of everyone who took part. It reflects the kind of commitment and culture we are actively building at Periculo.

Fancy Running With Us? 

We have secured additional places for the 2027 event and will be making these available. Keep your eyes peeled for updates, but if you are already interested, get in touch directly with Craig at craig.pepper@periculo.co.uk.

DSPT Deadline: One Month to Go

The NHS Data Security and Protection Toolkit Version 8 submission deadline is 30 June 2026. For Category 2 IT suppliers (organisations providing software, systems, or services that connect to or process NHS data), an independent external audit is a mandatory requirement, not a recommendation.

One month sounds like enough time. It is not.

The audit process requires scoping, evidence gathering, gap identification, remediation, and formal reporting. Organisations arriving in June will find the available window is considerably shorter than the calendar suggests. Audit slots are already filling.

If your organisation has not yet instructed an accredited auditor, the time to act is now, not next week.

Periculo is one of the UK's most active DSPT auditing partners. Get in touch to discuss your requirements and confirm availability before the deadline becomes a problem.

In the Field

May has been a busy delivery month across the team.

DSPT audits have continued at pace, with the team processing a significant volume of Category 2 NHS IT supplier audits ahead of the June deadline. Demand for audit slots has remained consistently high throughout the month, reflecting both growing regulatory awareness and the genuine urgency of the approaching submission date.

Cyber Essentials and Cyber Essentials Plus assessments have continued across a range of organisations, with certifications completed for clients in the health technology and defence supply chain sectors. With NHS and MOD procurement increasingly requiring Cyber Essentials as a baseline condition of contract, demand for both the standard and the more rigorous Plus tier has remained strong. For organisations yet to achieve certification, the window to complete assessments comfortably before year-end compliance reviews is beginning to narrow.

Penetration testing engagements have continued across a range of environments, spanning healthcare, financial services, and technology sectors. Managed service clients have benefited from scheduled assessments and ongoing vulnerability monitoring, with findings structured around business impact rather than technical severity alone, giving teams a remediation plan they can act on rather than a list of vulnerabilities with no clear order of priority.

AI Assurance work has continued to progress. Periculo's AI Assurance Assessment programme, launched in April for a health technology client, is advancing through subsequent phases, with the scope covering multiple repositories assessed against the Periculo AI Assurance Framework, which maps to the EU AI Act Annex III, ISO 42001, NIST AI RMF, and NHS DTAC requirements.

Managed service delivery has continued uninterrupted across all client accounts. Work this month has spanned AI policy development, staff information security training, security controls verification, and supplier due diligence activity. Daily log reviews, alert triage, and ongoing ISO 27001 maintenance have continued without interruption.

Cory at CREST Leaders Day

Cory attended the CREST Leaders Day this month, representing Periculo amongst senior figures from across the UK cybersecurity industry. Alongside the broader programme, Cory held conversations with counterparts about the growing role of artificial intelligence in security operations, both as a tool for defenders and as an emerging attack surface in its own right.

It is an area Periculo is investing in seriously. The conversations at CREST reinforced that the wider industry is moving in the same direction, and that organisations without a clear position on AI governance are already falling behind.

AI Assurance Workshop — Spaces Available This Quarter

If your organisation deploys AI in a clinical or NHS-connected context, there is a question you need to be able to answer: can you demonstrate that your AI is safe, secure, and compliant?

Harrison Mussell, CEO and Founder of Periculo, is offering a focused, no-charge AI Assurance Workshop for a limited number of organisations this quarter. The session takes place at your office, on your timeline, and maps your AI estate against the EU AI Act, ISO 42001, and the standards your customers, regulators, and board now expect.

Every application is pre-screened on a short fifteen-minute scoping call first, so Harrison walks in already knowing your environment and what you want to get out of the day.

Spaces are strictly limited. The August EU AI Act obligations deadline is closer than it appears, and demand for workshop slots will only increase as it approaches.

Apply for a workshop slot

Security Tip of the Month

AI Tools in the Workplace: Know What You Are Sharing

Most employees using AI tools day-to-day are doing so without any guidance on what is safe to share. Pasting customer records, internal policies, or system configurations into a third-party AI tool means that data leaves your environment and, depending on the provider, may be stored, processed, or used in ways you have not agreed to.

Three quick actions worth taking now:

  • Establish an AI acceptable use policy if you do not have one
  • Audit which AI tools your staff are actually using, not just the ones you have sanctioned
  • Check whether those tools appear on your data processing register

Need help mapping your AI usage against your compliance obligations? Apply for the AI Assurance Workshop here.

Jargon Buster

CREST

CREST is a not-for-profit accreditation body for the technical security industry in the UK and internationally. It sets professional standards for penetration testing, threat intelligence, incident response, and security operations. A CREST-accredited penetration test means the work has been conducted by a tested and certified practitioner, following a defined methodology, with quality assurance built in. For NHS and defence clients, CREST accreditation is increasingly specified as a contractual requirement rather than simply a mark of quality.

Contact Us

If any of the areas covered are relevant to your organisation, whether that is the DSPT deadline, Cyber Essentials, AI assurance, penetration testing, or ongoing managed compliance, we are always happy to have a conversation. Please contact us.