NCSC For Startups: meet our members

And we're still recruiting, so get in touch if you want to be next!



ESPROFILER wants to help organisations maximise the value their security investments bring. It enables customers to understand what security products they own, what they’ve deployed and the threats those products should protect against.




Organisations are swimming in choices of security products. But it can be challenging to see beyond the marketing rhetoric and understand exactly what they do and what security challenge they’re solving.




ESPROFILER helps translate the promises made about products into measurable security outcomes.

Its methodology contains four key elements: Map, Correlate, Investigate and Report.

Using industry recognised threat frameworks as a foundation, ESPROFILER describes products based on the threats they address.

The platform introduces a new standardised model for capturing highly detailed descriptions of a product’s features and functions. It then compares these against frameworks as part of its Map element. This enables customers to assess products with a single lens.

ESPROFILER enables customers to analyse their organisation’s full technology stack, highlighting where the capability gaps are, which products are failing, what you’re currently spending and even how a new vendor’s product could slot into your existing infrastructure. It quantifies what security products do.

Working closely with a FTSE20 early adopter, ESPROFILER is currently delivering a mechanism that captures a full picture of a product’s capability to help the organisation make more informed decisions during the renewal or request for product phases. This early adopter is using ESPROFILER’s platform to understand the capability of over 300 vendors around the world.




ESPROFILER is interested in working out how to tackle misconfiguration and capability overlap – challenges many big organisations face. It wants to get to the point where it can look at an incident report, examine the steps that led to the incident, apply a natural language processing layer and work out which security frameworks would be relevant, what products could have stopped it from happening or where the security gaps are.

It’s looking for support from academics, researchers and the NCSC with incorporating natural language processing that would enable it to achieve this.



“We want to integrate threat intelligence, incident reports and attack simulation telemetry into our platform as part of our Correlate functionality. NCSC’s technical expertise and guidance in this area would be of significant interest.”

– Louis Holt, co-founder, ESPROFILER


ESPROFILER believes it would benefit from support with the following:

• Expanding the team
• Solidifying its vision and growth roadmap
• Legal issues. It’s building tools that enable large organisations to request information about a product’s capability from vendors using its standards and wants to capture this information centrally. It needs to create the right legal frameworks to be able to do this.
• Marketing
• Professional commercial advisory, cyber methodology support and technical design advice
• Financial analytics support that can help the startup understand how to maximise security return on investment
• Getting investment-ready and connecting with investors, which will help ESPROFILER achieve its aggressive growth ambitions


Lupovis is an AI-based deception solution that manipulates adversaries who have penetrated your network by engaging them through a sequence of decoys and luring them through the network using adaptive narrative and manipulation techniques.




Lupovis believes that security operations centre analysts spend too much time on false positives. This leads to alert fatigue, which makes it easier for attackers to move through the network or for insider threats to go undetected.



Using AI, Lupovis enables threats to be detected and deterred early on.

It then entices attackers away from an organisation’s most sensitive data and intellectual property using manipulation, gamification and deception, while providing security analysts with the techniques, tactics and procedures used by the attacker.

The Glasgow-based startup was founded by Dr Xavier Bellekens and Professor Ivan Andonovic: academic members of the Department of Electronic and Electrical Engineering at the University of Strathclyde. Together, they have 20 years of experience in cyber security and machine learning.




Lupovis has been collecting techniques, tactics and procedures from its decoys placed in its client’s infrastructure. It wants to supercharge its training with the information and telemetry that the NCSC can provide.

Lupovis, continuously improves its strategies to lure adversaries and it believes NCSC For Startups can help boost its progress.


“Until now, defenders had to be right 100% of the time. But by deploying decoys and creating uncertainty, adversaries must now be right 100% of the time. Lupovis is not only turning the table on attackers but we’re also collecting data about our adversaries’ modus operandi and providing high alert fidelity to security teams.”

– Xavier Bellekens, CEO, Lupovis




Traced believes that businesses can be protected against cyber attacks and data breaches without invading the privacy of employees.

Its Traced Control solution combines AI-powered protection and absolute employee privacy to manage cyber risk on mobile and enable organisations to take a Zero Trust approach to mobile security.




Organisations need to secure workforces that are using a huge range of devices, including both personal and company-provided mobile devices.

These employees are the target of attacks like mobile phishing, where fraudsters try to trick them into sharing personal information. Phishing is increasingly taking place on mobile – via SMS for example – and outside of emails. On top of this, many employees are practicing sub-par cyber hygiene and tend to be even more lax on mobile.

But Traced believes that as well as protecting themselves against threats, organisations also need to protect people’s privacy.




Traced has built an AI engine based on deep learning that’s entirely dedicated to mobile threats on mobile devices. The AI can differentiate between malicious apps and benign apps.

The startup also uses deep learning and natural language processing to differentiate between a phishing URL and a benign one. It can pick up on linguistic and character-based patterns that social engineers use to dupe people in phishing attacks.

These detection methods come together to in a comprehensive mobile threat defense solution to help companies use mobile devices safely.

To combat attacks on multiple fronts, Traced supports an organisation’s Zero Trust approach to security to validate that a mobile device complies with security policies.

If a malicious app has been installed or the employee hasn’t enabled phishing protection, Traced will be able to tell. It can then block the device’s access to the company’s cloud apps to protect the network.

Traced describes itself as a trust broker for organisations.




Traced’s deep learning engines are trained on open source intelligence as well as from its privacy-first consumer app, which has been downloaded on 180,000 devices.

To make its machine learning even more effective, Traced wants to harness phishing telemetry and other data held by the NCSC.

And even though its current threat focus areas are malware, phishing, device vulnerabilities and compromised WiFi networks, the startup is keen to explore ways of  tackling the malvertising challenge with guidance from the NCSC and Plexal.


“Malvertising is an emerging threat that does and will affect mobile security, so it will be interesting to explore whether this is a threat we can tackle by applying the technology we’re already developing.”

– Benedict Jones, co-founder and director, Traced


Traced wants to provide the best protection against mobile phishing and believes NCSC For Startups will help it synergise its threat intelligence sources to improve national security.

Traced is keen to work with technical experts at the NCSC to feed into government frameworks like Cyber Essentials to enable more organisations to effectively protect themselves against cyber threats on mobile. It wants to engage with fellow NCSC For Startups members and alumni, as well as connect with large tech companies such as Microsoft and AWS.



RankedRight supercharges the efforts of cybersecurity teams across the world with fast and effective vulnerability prioritisation that puts the user in control.



Organisations deal with a large volume of threats but manually ranking threats or vulnerabilities and deciding which ones to address first can cause delays.



RankedRight automatically ranks vulnerabilities based on the rules set by its user, factoring in what’s critical to the business and delegating it to the most appropriate person to resolve.

This means teams spend less time on vulnerability administration and more time on keeping their companies safe.

The platform:

  • ingests data from the user’s scanners
  • layers on the most up to date vulnerability intelligence
  • ranks live vulnerabilities based on the prioritisation rules the user has set
  • assigns vulnerabilities to the teams responsible

There are no secret algorithms. The user is always in control and the platform is priced to help all businesses – even those without big cybersecurity budgets – to have more control over their vulnerability management efforts.




RankedRight has gathered feedback from its demonstrations but it wants more feedback from the NCSC. This will inform its product development roadmap and go-to-market strategy.

The startup is also keen to develop its vulnerability intelligence knowledge base and uncover trends and intelligence from the NCSC.


“There’s so much we could do with the product. So far we’ve been prioritising our roadmap based on customer feedback but we’d hugely benefit from input from the NCSC on what features to prioritise in the future or even where else we could be looking to gather even better threat intelligence.”

– Thomas MacKenzie, CEO, RankedRight


The company initially thought selling to the public sector would be too complicated and lengthy a process. But it’s close to signing a European government entity as a client with relative ease, so the startup is interested in accessing support that could help it become a supplier to the public sector in the UK.


Enclave helps organisations take a Zero Trust approach by using overlaying networks that make private systems invisible to the public internet until defined trust standards have been met.

It’s on a mission to make security more convenient for organisations.




There are millions of private systems that are exposed to the public internet for anyone, anywhere to connect to. And they are under frequent attack by malicious attackers.

This challenge has become even more widespread as more organisations move to the cloud and more devices and critical national infrastructure connects to the internet.

By design, VPN servers allow anyone to connect to the gateways in private networks. This means that whether a user is authenticated or not, they could exploit vulnerabilities and access files – including authentication credentials or the privileges needed to run secondary exploits aimed at accessing a root shell.


“The default architecture of the internet is connect then authenticate, which is not a robust approach to security”

– David Notley, CEO, Enclave




Enclave is a deeptech solution that’s making it easier for organisations to manage their virtual private networks (VPN) over the public internet. It’s raised over £1m in investment and its users include banks, managed services providers and a ride-hiring company.

The startup’s patented Zero Trust Network Access only allows connections to be made once the request has been authenticated.

Enclave is still a VPN that enables end-to-end, encrypted connectivity. But rather than taking a connect, then authenticate approach, it requires authentication first. This makes private networks effectively invisible to the public.

It creates an overlay network so organisations can establish secure, private Zero Trust connections without making changes to their underlying network infrastructure. This means organisations can avoid spending time on the complex and error-prone configuration of multiple aspects of their network infrastructure.

The startup has received £500,000 in investment, has been awarded £175,000 in Innovate UK SMART grants and has recently submitted additional patent applications.




As Enclave builds its user base and refines its product features, functionality and benefits, it wants to collaborate with the government to achieve a compelling product-market fit. It would benefit from guidance on validating its approach and identifying early adopter use cases.

As more organisations recognise the need to adopt a Zero Trust approach to network security, cyber startups outside of the UK are rising to the challenge. Enclave wants to work with the UK government to become a globally significant Zero Trust solution that can be used by UK-based companies.


PORGiESOFT wants to be the Grammarly of cyber fraud detection. Its SenseText product uses AI to calculate a fraud risk score, providing a second opinion on suspicious emails.



After seeing how cyber fraud and ransomware was becoming a growing problem for business during the pandemic, this edtech startup used its underlying machine learning and natural language processing technology to develop a cyber fraud detection assistant for employees.




PORGiESOFT is on a mission to make everyday cyber fraud detection tasks easier by building SenseText: a machine learning product capable of adapting and carrying out routine tasks quickly.

SenseText is powered by the company’s natural language processing technology and is designed to run hundreds of automated checks on suspicious emails and text messages that have bypassed a company’s firewalls. It provides employees with a second opinion in the form of a fraud risk rating on a scale on 0-250 so they can carry out transactions with more confidence.

Using natural language processing, the AI is being trained to better understand the content of an email. Machine learning algorithms combined with customer data helps the AI to learn more about and adapt to the tactics used by fraudsters to dupe people online.

To pivot into cyber from edtech, PORGiESOFT started by feeding its machine publicly available cyber fraud data and created an initial set of rules based on training data that the team gathered. The machine compared and learned from emails by analysing words and synonyms and only shortlisting words that it predicts might show some intent of fraud. It picks up on commonalities like certain calls to action such as “click here” or “urgent”.

The company has used a federated and therefore decentralised approach to its machine learning, which it believes will offer organisations a more tailored solution that minimises false positives that a purely global approach might produce.

Based in Cambridge and founded in 2018, its AI products are used in the edtech sector in developing countries. Having been bootstrapped, it is now seeking external investment.

“We thought, what if instead of education-related data, we fed the machine data about cyber fraud?”
– George Brown, founder, PORGiESOFT




PORGiESOFT wants to develop and enhance its technology before bringing on its first cybersecurity customers.

It’s looking for technical guidance, good sources of relevant data and insights that will help the startup train its AI to detect threats more effectively.

It would benefit from guidance on:

• the most reliable sources of threat intelligence and publicly available cyber fraud data
• how to use the technology on text messages
• the biggest challenges businesses face when it comes to preventing online fraud
• best practice when it comes to securing cybersecurity source code and best practices beyond obfuscation

It also wants to gather more financial data on the value of individual fraudulent transactions. This will give the machine a new set of datapoints, enable it to spot new patterns and help it determine whether an email could be fraudulent.


Rebellion Defence is a British-American software company building AI products exclusively for the defence sector and national security purposes.

Its SECURE solution helps organisations look ahead, focus their resources and proactively defend their systems and networks.



The defence sector and critical national infrastructure is vulnerable to threats, including state-sponsored threats such as ransomware and malware.

Rebellion Defence believes that relying on compliance checklists and sporadic Red Team tests (where a group plays the role of a bad actor to learn about vulnerabilities) isn’t good enough to counter sophisticated attacks.

The startup believes that human intelligence needs to be augmented and supported by automation and AI.




Rebellion Defence’s SECURE product uses machine learning, predictive analysis, sensor data and AI-powered tools to scan networks continually for vulnerabilities and to identify what could happen in real life if a security gap were exploited.

Although it is possible for human teams to exploit a network as an adversary would for security purposes, organisations often find themselves paying for this repeatedly – and it still doesn’t happen regularly enough.


“We practise transparency by default. We believe that a global ecosystem of digital defence companies will be critical to national security.”

– Oliver Lewis, co-founder, Rebellion Defence


SECURE enables organisations to gain insights into their security posture and understand what’s happening throughout the network in near real time. Its analysis helps users prioritise remediation and make more informed decisions.

The technology has been developed using known hacker toolkits and adversarial-type attacks to test networks and track vulnerabilities. It’s interoperable, so it can connect with existing hardware and software.

The software is designed to be capable of maturing as adversaries do. Recognising the need for agility, Rebellion Defence draws on machine learning to find new ways of simulating compromising networks, systems and software at scale in ways humans would overlook.

Launched in 2019, the startup has raised over $73m in investment from a Seed round followed by a Series A round. The founding team includes Chris Lynch, who established Defence Digital Services within the US Department of Defense (DoD), Nicole Camarillo, who served as the chief strategist for US Army Cyber Command, and Oliver Lewis, who served as the deputy director of Government Digital Service. Rebellion Defence’s board of directors includes Eric Schmidt, former CEO of Google.



Rebellion Defence believes that software superiority will provide nation states with a national security advantage. But while SECURE has gained early traction in the US market, the startup is finding it challenging to connect with the UK’s defence sector.

As SECURE is at an early stage of the product development cycle, Rebellion Defence would benefit from guidance from the UK government on adapting it to suit British defence networks. It also wants to understand the accreditation that it would need to deploy its software in a national security scenario.

The startup believes in open collaboration and is keen to learn about how SECURE could complement existing products being used in the UK’s defence sector. It also wants to play a supportive role in the UK’s cyber innovation ecosystem by sharing its knowledge with the NCSC and cyber startups that want to scale.


Using automation, Meterian secures open source software by building a scalable and sustainable line of defence for apps. It wants to empower time-pressured developers to become the first line of defence for security.



Leaps in technology are enabled by developers tapping into open source software and they tend to rely heavily on external components rather than coding everything from scratch.

But this can also introduce vulnerabilities into the software that underpins the critical functionality of applications that businesses and customers rely on. These components often shapeshift rapidly as developers adapt and incorporate them, which introduces risks that could be exploited.




Meterian’s AI-powered invisible security platform secures software applications that depend on open source software.

After CEO Vivian Dufour’s data was leaked in breaches involving Yahoo, Equifax, and EasyJet, she joined forces with chief technology officer Bruno Bossola to help businesses secure the software at the heart of applications.

The startup is on a mission to make cybersecurity more affordable and accessible, and to make the lives of developers easier.

Meterian’s software is interoperable, agnostic to the source version control system and compatible with any critical infrastructure system.

The platform is designed to work invisibly in the background. Users can set it up in less than five minutes and integrate it into their infrastructure and workflows within an hour.

The software, which has been developed using an extensive database of information about vulnerabilities, is then able to continually scan for threats. It can automatically address threats and provide actionable insights to show developers where the vulnerabilities in their code could lie or which threats they should prioritise.

The company is:

• backed by investors from Amadeus Capital, CyLon, and SFC Capital

• a 2019 Digital Catapult Platinum Nominee

• one of techUK’s Cyber Innovation Den 2019 finalists




Meterian’s technology is used by IT professionals in the insurance, financial services and retail sectors. It now wants to enable any software developer, regardless of their preferred programming tools, to benefit from automated security that helps them comply with legislation and protect the end user. Ultimately, it wants to empower developers to become a proactive line of defence against cyber attacks.

To do this, Meterian is designing its solution to be even more accessible for developers and removing any friction. The startup wants to tap into the NCSC’s vulnerability management expertise to:

• iterate and further develop its technology

• experiment in a safe environment

It wants to embed best practice and industry standards into its solution at an early stage of the product development lifecycle and receive feedback.


“We’re keen to experiment in a safe environment, try things and allow for the possibility of failure in a way that’s not possible in the public space”

Bruno Bossola, chief technology officer, Meterian


Exalens equips SME manufacturers with advanced cybersecurity that tends to be reserved for large enterprises.

It does this through its threat detection and response solution and cyber-physical AI – both of which don’t require an in-house security expert.



Physical infrastructure and hardware is increasingly being connected to the internet – and this is introducing virtual vulnerabilities.

Exalens believes that traditional security controls and vulnerability management tools aren’t enough to protect manufacturing companies from attacks that could cause safety issues or affect a long supply chain.

At the same time, SME manufacturers struggle to afford the tools and expertise that would enable them to detect and respond to threats. Existing tools tend to be expensive and aren’t tailored to the environment an SME is operating in.

On top of this, Exalens believes that security often takes a backseat in manufacturing because it’s seen as something that creates delays.

“The SME market is hugely under-served but, because of digital transformation, they are also starting to face the problems enterprise IT have been dealing with such as phishing and ransomware”

– Dr Ryan Heartfield, head of cybersecurity research and innovation, Exalens


Exalens’ Digital Companion acts as a virtual in-house security analyst that’s able to sense, track and respond to cyber-physical threats automatically and integrate into an SME’s unique environment.

It can automatically spot infected endpoints, secure them and let operational engineers know about the threat before it becomes a safety incident.

Since most SMEs won’t have their own security analyst, Exalens has codified and automated the workflows an analyst would use. Its aim is to make this level of protection as easy for SME manufacturers to use as most consumer-facing antivirus solutions.

The startup doesn’t believe there can be a silver bullet in cyber and isn’t boxed in to a static, rigid architecture. Instead, its threat fabric automatically and dynamically stitches together different threat detection and response workflows. It uses a combination of algorithms, heuristics and machine learning techniques based on the type of behaviour a system is exhibiting.

For example, if machine learning is required to help define an aspect of threat behaviour, it will be used. But if a rule is sufficient to capture the right information, it might not be.

Founded by a team of cybersecurity researchers in 2015, the startup has fuelled its growth with over EUR 4m in European grant funding.




Exalens is keen to tailor and iterate its minimum viable product based on insights from the NCSC into cybersecurity breaches in industrial control systems.

The startup wants to connect with stakeholders in the industry to validate its technology. It would also benefit from the NCSC reviewing its technology and
advising on:

• how it can achieve a close product-market fit
• whether a feature is scalable
• what aspects of threat detection it should prioritise


“We don’t want to launch an amorphous technology beast onto the market, we want to test each feature, get feedback and tailor as we go along”

– Dr Ryan Heartfield, head of cybersecurity research and innovation, Exalens


If you’d like to learn more and apply for NCSC, get in touch. We're bringing on new members throughout 2021.