ESPM and Cyber Essentials: How Endpoint Posture Management Supports Certification
Published: 05/22/2026
Written by: Nadine Rozell
Cyber Essentials is one of the most practical cybersecurity certifications available to UK businesses and MSPs. It's not theoretical. It's a checklist of controls that block the most common attack vectors, and it's backed by the UK government precisely because it works.
No single product gets you certified. Cyber Essentials certification comes from implementing a complete security program, not plugging in one solution and ticking the box.
That said, Endpoint Security Posture Management (ESPM) is one of the strongest foundations you can build on. It gives you continuous, automated visibility into the security state of every managed endpoint—and that visibility maps directly onto several of the five Cyber Essentials control areas. Not all of them. But several, and in ways that give you hard evidence to answer your assessors' questions.
This article walks through each of the five control themes, where ESPM can genuinely help, and where you still need other tools, policies, and processes to fill the gaps.
What Cyber Essentials actually requires
Cyber Essentials focuses on five technical control themes, set out in the NCSC's Requirements for IT Infrastructure:
Firewalls
Secure configuration
User access control
Malware protection
Patch management (security update management)
The certification exists to help organizations defend against the most common, opportunistic cyber attacks—the ones that exploit basic gaps like unpatched software, misconfigured devices, and weak access controls. It's not designed to stop nation-state adversaries. It's designed to close the doors that most attackers try first.
For MSPs and growing organizations managing client environments, Cyber Essentials creates a useful accountability structure: you need to be able to show assessors that these controls are in place, enforced, and documented. That's where ESPM earns its keep.
At a glance: how ESPM maps to the five Cyber Essentials controls
CE Control | What ESPM surfaces | What ESPM does not cover |
Firewalls | Host firewall status per endpoint; compliance reports | Network/perimeter firewalls; firewall rule design |
Secure configuration | Baseline adherence; drift alerts; application inventory | Defining baselines; change management records |
User access control | Local admin sprawl; risky endpoint access configs | Directory/IAM controls; MFA enforcement |
Malware protection | AV/EDR install and coverage status; app control policy | Active malware detection and response |
Patch management | Missing patches; unsupported OS/software; vuln posture | Deploying patches; patching procedures |
What ESPM actually does
ESPM is a continuous, automated audit of every managed endpoint. It scans devices, compares their current state against established security best practices, and flags the gaps—missing patches, disabled firewalls, risky configurations, unsupported software, security tool gaps—before attackers find them.
The key word here is continuous. Unlike a one-time audit or a manual checklist, ESPM runs in the background and surfaces drift as it happens. A firewall gets disabled. A patch gets missed. An unapproved application shows up. ESPM sees it and flags it in real time.
That continuous visibility is exactly what compliance programs like Cyber Essentials need to move from "we had these controls in place when we last checked" to "we can prove these controls are in place right now."
Now, let's go control by control.
Control 1 — Firewalls
What Cyber Essentials requires: Organisations must use firewalls to protect devices connected to the internet, and boundary firewalls must be configured to block unapproved inbound connections. For devices in scope, the host firewall must be enabled.
Where ESPM helps: ESPM can surface host firewall status across your managed endpoints—showing you which devices have their local firewall enabled and flagging any that don't. That gives you a real-time view of firewall posture at the device level, and ESPM's dashboards and reports can help you document that the control is being enforced.
Where ESPM doesn't go: Network-level and perimeter firewalls sit outside ESPM's scope. Configuring firewall rules, defining what inbound traffic is allowed, and managing boundary devices are still the responsibility of your network team and the policies you or your customer define. ESPM confirms that host firewalls are on. It doesn't design your network architecture.
Control 2 — Secure configuration
What Cyber Essentials requires: Computers and network devices must be configured to reduce the level of inherent vulnerabilities and only provide the functions that users need. Default and unnecessary accounts, features, and software should be removed or disabled.
Where ESPM helps: This is one of ESPM's strongest areas. ESPM checks OS and application configurations against defined security baselines, flags drift when endpoints stray from those baselines, and gives you evidence that configurations are being monitored and maintained. If a device ends up with an insecure setting—an open RDP port, unsigned application execution allowed, unnecessary services running—ESPM surfaces it.
ESPM also supports application control, which lets you get visibility over what's actually running on endpoints and block unapproved or risky applications. That's directly relevant to the CE requirement to provide only the functions users need.
Where ESPM doesn't go: ESPM gives you the monitoring and evidence layer. Your organisation still needs to define what "secure" looks like for each device type. ESPM can flag drift—but only if someone has established the baseline it's drifting from. You also still own the change management process: documenting approved changes, approving exceptions, and keeping records of who changed what and why. ESPM surfaces the data. Your policies and procedures give it context.
Control 3 — User access control
What Cyber Essentials requires: User accounts must be controlled. Standard users should not have administrative privileges. Access to management interfaces must be limited to authorised accounts. Strong passwords or multi-factor authentication (MFA) must be used.
Where ESPM helps: ESPM can help you spot local admin sprawl—endpoints where user accounts have more administrative access than they should. It gives you visibility into risky endpoint-level access changes and surfaces configuration states that indicate overly permissive setups. That's useful evidence when you need to show assessors that admin access is being managed.
Where ESPM doesn't go: ESPM sees the endpoint. Directory-level and identity-level controls—who has admin rights in Active Directory, whether MFA is enforced for all users, how access policies are managed in Microsoft 365—sit outside ESPM's scope. For that layer, you need IAM tools and identity security solutions. ESPM's endpoint insights complement those controls, but they don't replace them. If you need full identity posture management for Microsoft 365, that's where Huntress Managed ISPM fills the gap.
Control 4 — Malware protection
What Cyber Essentials requires: Organisations must protect against malware using either anti-malware software or application allowlisting. Anti-malware must be active, kept up to date, and configured to scan automatically.
Where ESPM helps: This distinction matters, so let's be clear: ESPM doesn't detect malware. That's what your AV and EDR are for.
What ESPM does do is verify that your chosen malware protection tools are installed, enabled, and up to date across every managed endpoint. It flags the gaps—workstations where the antivirus is disabled, endpoints where the EDR agent has gone offline, devices that are missing coverage entirely. It also supports application control, which is the alternative CE-approved approach to malware protection: controlling what applications are allowed to run in the first place.
ESPM also delivers protection through Application Control, one of its strongest capabilities. Rather than waiting to detect malicious behaviour, Application Control blocks risky applications from running in the first place. That includes legitimate tools commonly abused by attackers—like unauthorised RMM software—which are a favorite foothold in modern intrusions. You define what's allowed, and everything else is denied by default.
Think of ESPM as posture and coverage assurance around your AV and EDR. It doesn't do the detecting. It makes sure the tools that detect are actually running where they should be, and that your application control policies are enforced.
What still sits outside ESPM: Active threat detection, investigation, and response remain the job of your AV, EDR, and the SOC team behind them. Pair ESPM with Huntress Managed EDR and you've got both layers covered: ESPM confirms the tools are in place and configured correctly, and blocks unauthorized apps from running; EDR and the Huntress 24/7 SOC handle whatever gets through.
Control 5 — Patch management (security update management)
What Cyber Essentials requires: Software and operating systems must be kept up to date. High-risk and critical patches must be applied within 14 days. Unsupported software that can no longer receive security updates must be removed or isolated.
Where ESPM helps: Patch visibility is one of ESPM's core use cases. ESPM gives you a continuous view of missing patches, outdated software versions, and unsupported operating systems across your managed endpoints. You can see which devices are behind on critical updates, which are running software that's past end of life, and where remediation is most urgent.
That hard data is exactly what you need to back up your patch management processes with evidence. Instead of relying on manual checks or point-in-time reports, ESPM keeps the picture current. When an assessor asks whether you're applying critical patches within 14 days, you can point to dashboards that show the state of your fleet in real time.
What still sits outside ESPM: ESPM surfaces the patching picture. The patching itself—deploying updates, testing changes, managing rollouts across client environments—still requires your patch management tools and processes. ESPM is the visibility and evidence layer, not the patching engine.
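As an added illustration (not Huntress code or the product's actual checks), here is the kind of evaluation the five controls above describe, as a small Python script: it maps constructed endpoint posture records onto the five CE control themes, flags drift from an assumed configuration baseline and an assumed approved-admin list, and applies the 14-day window to missing critical and high patches. The host names, record fields and baseline values are all assumptions.

```python
from datetime import date
# Constructed posture records for hypothetical hosts (not real devices), in the shape an
# ESPM agent might report per managed endpoint. Baselines below are assumed, not the NCSC's.
BASELINE_CONFIG = {"rdp_enabled": False, "smb1_enabled": False}
APPROVED_LOCAL_ADMINS = {"Administrator"}
CE_PATCH_WINDOW_DAYS = 14  # Cyber Essentials: critical/high patches applied within 14 days
TODAY = date(2026, 5, 22)  # assessment date used for the patch-age check (article's date)

SNAPSHOT = {
    "WS-01": {"firewall_on": True, "av_enabled": True, "edr_online": True, "os_supported": True,
              "local_admins": ["Administrator"], "config": {"rdp_enabled": False, "smb1_enabled": False},
              "missing_patches": []},
    "WS-02": {"firewall_on": False, "av_enabled": True, "edr_online": False, "os_supported": True,
              "local_admins": ["Administrator", "jsmith"], "config": {"rdp_enabled": True, "smb1_enabled": False},
              "missing_patches": [{"severity": "critical", "released": date(2026, 5, 1)}]},
    "SRV-03": {"firewall_on": True, "av_enabled": False, "edr_online": True, "os_supported": False,
               "local_admins": ["Administrator"], "config": {"rdp_enabled": False, "smb1_enabled": False},
               "missing_patches": [{"severity": "critical", "released": date(2026, 5, 15)},
                                   {"severity": "low", "released": date(2026, 3, 1)}]},
}

def evaluate(state, today):
    """Map one endpoint's posture onto the five CE control themes; returns (control, finding) pairs."""
    findings = []
    if not state["firewall_on"]:
        findings.append(("firewalls", "host firewall disabled"))
    for key, expected in BASELINE_CONFIG.items():  # secure configuration: drift from baseline
        if state["config"].get(key) != expected:
            findings.append(("secure configuration", f"{key} drifted from baseline"))
    extra = sorted(set(state["local_admins"]) - APPROVED_LOCAL_ADMINS)  # local admin sprawl
    if extra:
        findings.append(("user access control", "unapproved local admins: " + ", ".join(extra)))
    if not state["av_enabled"]:
        findings.append(("malware protection", "anti-malware disabled"))
    if not state["edr_online"]:
        findings.append(("malware protection", "EDR agent offline"))
    if not state["os_supported"]:
        findings.append(("patch management", "unsupported operating system"))
    for p in state["missing_patches"]:  # only critical/high patches are held to the 14-day window
        age = (today - p["released"]).days
        if p["severity"] in ("critical", "high") and age > CE_PATCH_WINDOW_DAYS:
            findings.append(("patch management", f"{p['severity']} patch missing for {age} days"))
    return findings

def fleet_report(snapshot, today):
    """Per-host findings plus the sorted list of CE controls with at least one failing endpoint."""
    report = {host: evaluate(state, today) for host, state in snapshot.items()}
    failing = sorted({control for findings in report.values() for control, _ in findings})
    return report, failing
```

Running `fleet_report(SNAPSHOT, TODAY)` shows WS-01 clean, WS-02 failing on four control themes, and SRV-03 failing only on malware protection and patch management; the patch on SRV-03 is seven days old, so it is inside the window and not reported.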
At a glance: what ESPM gives you versus what you still need to own
Area | ESPM provides | You still need to provide |
Evidence | Real-time dashboards; exportable reports; drift history; time-stamped alerts | Written policies; change logs; risk assessments |
Firewalls | Host firewall status reports | Network architecture docs; firewall rule sets |
Configuration | Baseline adherence reports; app inventory | Defined baselines; approved exception records |
Access control | Local admin and endpoint access posture | IAM controls; MFA enforcement; provisioning records |
Malware protection | AV/EDR coverage and status reports; app control state | Active detection and response capability (EDR/AV) |
Patch management | Missing patch data; unsupported OS inventory | Patch deployment process; 14-day compliance records |
Compliance scope | Continuous technical control monitoring | Assessment scoping; assessor engagement; policy ownership |
Practical checklist: ESPM and Cyber Essentials for MSPs and scaling organizations
Here's a straightforward guide to what ESPM can produce as evidence, and where you still need to bring your own documentation.
For each of the five control areas, ESPM can help you show:
Firewalls: Real-time dashboard showing host firewall status across all managed endpoints; reports showing which endpoints are compliant and flagging any that aren't
Secure configuration: Configuration baseline adherence reports; application inventory showing what's installed and running; drift alerts with timestamps showing when configurations changed
User access control: Visibility into local admin account status and risky endpoint-level access configurations; reports on endpoint posture state
Malware protection: Coverage reports showing AV/EDR installation and status across endpoints; application control policy state and enforcement reports
Patch management: Missing patch reports by severity and age; unsupported OS and software inventory; vulnerability posture dashboards (where Defender for Endpoint integration is in place)
What ESPM can't produce for you—and where your documentation has to fill the gap:
Written security policies for each of the five control areas
Firewall rule documentation and network architecture diagrams
Formal security configuration baselines that define what "secure" looks like for each device type
Change management records: who approved what, when, and why
Access control policies: how admin accounts are provisioned and reviewed
Evidence that MFA is enforced (requires identity/directory tooling)
Patch management procedures: your process for deploying, testing, and tracking updates
Records showing patches were applied within the required 14-day window (the evidence of action, not just the posture state)
In sum, ESPM gives you real-time visibility and the automated reporting to demonstrate that controls are in place. The policies, procedures, and change records that prove why and how those controls are managed are still yours to own.
The bottom line
Cyber Essentials certification isn't something you buy with a single product. It's something you earn by building a real security program and being able to prove it.
ESPM earns its place in that program because it does the job that manual processes can't: continuous, automated verification that your endpoint security controls are actually in place across every managed device—not just when an auditor asks, but every day. Real-time dashboards and verifiable reports replace the scramble of pulling together evidence at assessment time.
For MSPs managing dozens or hundreds of client environments, that's not a minor convenience. It's the difference between being able to demonstrate compliance at scale and hoping nothing's drifted since the last time someone checked.
Pair it with the right policies, the right patching tools, and identity-level controls for the access management requirements, and ESPM becomes a strong foundation for Cyber Essentials—and a platform you can reuse for other frameworks like ISO 27001 and cyber insurance requirements as your clients' needs grow.
Want to see how Huntress Managed ESPM works in practice? Get a demo or explore the Managed ESPM product page.
Frequently asked questions
ESPM can replace manual spot-checks with continuous, automated monitoring across every managed endpoint. It generates real-time dashboards and verifiable reports that map directly to Cyber Essentials control themes—showing firewall status, patch currency, AV/EDR coverage, configuration drift, and local admin exposure—so you can demonstrate compliance to assessors in minutes rather than days.
ESPM provides direct evidence across four of the five controls: firewalls (host firewall status), secure configuration (baseline adherence and drift), malware protection (AV/EDR coverage and application control), and patch management (missing patch visibility). For user access control, ESPM can surface local admin sprawl at the endpoint level, but directory-level and identity-level controls—including MFA enforcement—require separate IAM or identity security tooling.
MSPs can use ESPM's multi-tenant dashboards to see the compliance posture of each client environment from a single view, identifying which endpoints are drifting from security baselines, missing critical patches, or running without AV/EDR coverage. This makes it practical to manage Cyber Essentials evidence gathering at scale—generating per-client reports for assessors without manually auditing each environment. Policies and procedures still need to be defined and maintained per client, but the technical evidence layer is automated.
Yes. Cyber Essentials Plus involves independent technical testing of the same five controls, which means the evidence requirements are stricter. ESPM's continuous monitoring and verifiable, time-stamped reporting are particularly useful here—they give you a defensible, up-to-date record of control enforcement rather than a point-in-time snapshot. The automated evidence trail ESPM generates supports the more rigorous independent assessment that Cyber Essentials Plus demands.
ESPM can produce reports and dashboards covering host firewall status by endpoint, configuration baseline adherence and drift history, application inventory and control policy state, AV/EDR installation and coverage status, and missing patch reports by severity and age. For vulnerability data, ESPM surfaces this through integration with Microsoft Defender for Endpoint. These outputs give assessors clear, verifiable proof that controls are being enforced continuously—not just at assessment time.