Cyber Check - Cyber Essentials Compliance, Simplified

A desktop application that automates Cyber Essentials Plus device auditing. Built from our own certification experience because manually checking 50 security settings across every machine is nobody's idea of a good time.


When we went through Cyber Essentials Plus certification at Add Jam we quickly discovered that the most tedious part was verifying our compliance across every machine in the organisation. Checking firewall settings, encryption status, password policies, software versions, sharing services — all of it, on every device, documented with evidence. Manually it just took too long so we automated it for ourselves.

What started as a Bash script

The first version was a command-line script written in pure Bash. Zero dependencies. It runs on any modern Mac without installing anything and checks 50 security settings across all five Cyber Essentials control areas.

It produces a colour-coded terminal report showing pass, fail and warning status for each check. Optionally it generates a timestamped JSON evidence file that maps directly to the CE+ controls. That JSON file is exactly what an assessor wants to see during an audit.

The script was genuinely useful. We used it during our own certification and it turned a day of manual checking into a few minutes of automated scanning. But it had limitations. Not everyone is comfortable running commands in a terminal. The output was functional but not exactly something you'd hand to a non-technical director. And we wanted features that don't make sense in a CLI: audit history, trend tracking, scheduled scans and proper PDF reports.

Building the desktop app

After writing about our certification process on our blog, we had several clients and peers asking if they could use the script, so we decided to take the idea forward as a desktop app. We wanted something that anyone in an organisation could run regardless of their technical background. Open the app, click a button, see your compliance status.

Also important was making it run not just on macOS but also on Windows. Our solution had to be cross-platform.

The audit engine

Under the hood the app still runs platform-specific scripts. On macOS it executes a Bash audit. On Windows it runs a PowerShell script. The Electron main process spawns these as child processes, captures the JSON output and hands it to the React frontend for display.

This approach keeps the audit logic separate from the UI. We can update checks independently, add new ones as the CE+ standard evolves and maintain platform-specific code without touching the frontend.

What it checks

The 50 automated checks cover all five Cyber Essentials controls:

Firewalls — Application Firewall enabled, stealth mode active, sharing services disabled (SSH, Screen Sharing, SMB, AirDrop, Bluetooth sharing, Remote Management and more).

Secure Configuration — System Integrity Protection, Gatekeeper, FileVault encryption, automatic login disabled, screen lock timeout, macOS version still receiving security updates.

User Access Control — Whether the current user has unnecessary admin privileges, guest accounts disabled, password policy enforcement, account lockout policies.

Malware Protection — XProtect definition freshness, third-party antivirus detection, Gatekeeper status, System Integrity Protection.

Security Update Management — Automatic update settings enabled, pending updates, browser versions (Safari, Chrome, Firefox), full software inventory with version tracking.

Each check returns one of five states: pass, fail, warn (needs manual review), skip (requires elevated privileges) or info (version numbers and inventories).
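The spawn-and-capture step from "The audit engine", combined with the five result states, as an added example (not Cyber Check's own code): the main process runs the script without a shell, bounds its runtime and output, and rejects any result outside the five states. The script names `audit.sh` and `audit.ps1`, the JSON shape and the limits are assumptions.

```javascript
const { execFile } = require('node:child_process');
const path = require('node:path');

// The five result states the page lists.
const STATES = new Set(['pass', 'fail', 'warn', 'skip', 'info']);

// Assumed output shape: {"checks":[{"id":"...","status":"...","detail":"..."}]}
function parseAuditOutput(stdout) {
  let doc;
  try { doc = JSON.parse(stdout); } catch { throw new Error('audit output is not valid JSON'); }
  if (!doc || !Array.isArray(doc.checks)) throw new Error('audit output has no checks array');
  const seen = new Set();
  return doc.checks.map((c) => {
    if (!c || typeof c.id !== 'string' || !STATES.has(c.status)) {
      throw new Error(`malformed check entry: ${JSON.stringify(c)}`);
    }
    if (seen.has(c.id)) throw new Error(`duplicate check id: ${c.id}`);
    seen.add(c.id);
    // Copy only known fields so nothing unexpected reaches the renderer.
    return { id: c.id, status: c.status, detail: String(c.detail ?? '') };
  });
}

// Absolute interpreter paths and an argument array: no shell, no PATH lookup.
// audit.sh and audit.ps1 are hypothetical script names.
function auditCommand(platform, scriptDir) {
  if (platform === 'darwin') {
    return { file: '/bin/bash', args: [path.posix.join(scriptDir, 'audit.sh')] };
  }
  if (platform === 'win32') {
    const root = process.env.SystemRoot || 'C:\\Windows';
    const ps = path.win32.join(root, 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe');
    const script = path.win32.join(scriptDir, 'audit.ps1');
    return { file: ps, args: ['-NoProfile', '-NonInteractive', '-File', script] };
  }
  throw new Error(`unsupported platform: ${platform}`);
}

// Run the script with a time limit and an output cap, then validate the result.
function runAudit(platform, scriptDir) {
  const { file, args } = auditCommand(platform, scriptDir);
  const opts = { timeout: 120000, maxBuffer: 4 * 1024 * 1024, windowsHide: true };
  return new Promise((resolve, reject) => {
    execFile(file, args, opts, (err, stdout) => {
      if (err) return reject(err);
      try { resolve(parseAuditOutput(stdout)); } catch (e) { reject(e); }
    });
  });
}
```

This assumes the script exits 0 whenever the scan completes, even with failing checks; a script that reports failures through its exit code would need `err.code` handled separately.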

Beyond the scan

The app does more than just run checks. We built features around the full compliance workflow:

Audit history stores up to 100 previous scans so you can track compliance over time. The app highlights what changed between scans so you can spot configuration drift before your next assessment.

Remediation guidance helps you fix failing checks. Each failed check includes instructions and a button that opens the relevant system settings directly.

Evidence export generates professional PDF reports, raw JSON data and a complete evidence pack (ZIP) containing everything an assessor needs: the PDF report, raw JSON, asset inventory CSV and scan metadata.

Asset inventory lets you register mobile phones and tablets in scope for your certification. These get included in your evidence exports.

Scheduled scans run automated checks daily or weekly in the background. If something falls out of compliance you get a desktop notification.

Security quiz with 30 questions covering the CE+ controls. Useful for onboarding new team members or verifying that staff understand the security requirements.
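The change highlighting described under audit history, as an added example rather than the app's own code: two stored scans are compared by check id, and regressions and checks that have disappeared are separated from harmless changes. The check ids, the `{ id, status }` record shape and the ranking of states are assumptions.

```javascript
// Higher rank means more attention needed. Ranking "skip" with "warn" is a
// choice made for this example: a check that can no longer run is lost visibility.
const RANK = new Map([['pass', 0], ['warn', 1], ['skip', 1], ['fail', 2]]);

function classify(from, to) {
  // "info" entries (versions, inventories) have no better/worse direction.
  if (!RANK.has(from) || !RANK.has(to)) return 'changed';
  if (RANK.get(to) > RANK.get(from)) return 'regressed';
  if (RANK.get(to) < RANK.get(from)) return 'improved';
  return 'changed';
}

// previous / current: arrays of { id, status } taken from two stored scans.
function diffScans(previous, current) {
  const before = new Map(previous.map((c) => [c.id, c.status]));
  const changes = [];
  for (const { id, status } of current) {
    const old = before.get(id);
    before.delete(id);
    if (old === undefined) {
      changes.push({ id, from: null, to: status, kind: 'added' });
    } else if (old !== status) {
      changes.push({ id, from: old, to: status, kind: classify(old, status) });
    }
  }
  // A check that ran last time but is missing now is reported, not dropped.
  for (const [id, old] of before) {
    changes.push({ id, from: old, to: null, kind: 'removed' });
  }
  return changes;
}

// Regressions and vanished checks are the changes worth a notification.
function needsAttention(changes) {
  return changes.filter((c) => c.kind === 'regressed' || c.kind === 'removed');
}

// Constructed sample scans; the check ids are made up for this example.
const lastWeek = [
  { id: 'firewall.enabled', status: 'pass' }, { id: 'filevault.enabled', status: 'pass' },
  { id: 'sharing.ssh', status: 'fail' }, { id: 'os.version', status: 'info' },
  { id: 'guest.disabled', status: 'pass' },
];
const today = [
  { id: 'firewall.enabled', status: 'pass' }, { id: 'filevault.enabled', status: 'fail' },
  { id: 'sharing.ssh', status: 'pass' }, { id: 'os.version', status: 'info' },
  { id: 'updates.auto', status: 'warn' },
];
console.log(needsAttention(diffScans(lastWeek, today)));
```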

Technical architecture

The app follows a strict three-process Electron architecture with full context isolation:

Main process handles all system interactions: IPC handlers for running audits, file I/O for persisting history and settings, child process management for executing audit scripts, system tray integration and the background scheduler. Sensitive data like license keys is encrypted using Electron's safeStorage which hooks into the OS keychain.

Preload bridge exposes a typed API surface to the renderer via contextBridge. The renderer has no direct access to Node.js APIs. Every interaction flows through defined IPC channels.

Renderer is a React 19 application styled with Tailwind CSS using a semantic colour palette (pass, warn, fail, skip, info, accent). State management is plain React hooks. Ten views handle the full user journey from license activation through to results export.
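A sketch of the preload bridge and its main-process counterpart described above, added here as an example and not taken from Cyber Check: the renderer gets functions bound to fixed channels, and each handler checks the calling frame and its arguments before doing any work. The channel names, the `cyberCheck` API name and the `services` object are hypothetical; `ipcRenderer` and `ipcMain` are passed in so the logic also runs outside Electron.

```javascript
// Hypothetical channel names and API; the page does not list Cyber Check's own.
const CHANNELS = Object.freeze({ runAudit: 'audit:run', exportEvidence: 'evidence:export' });
const EXPORT_FORMATS = new Set(['pdf', 'json', 'zip']); // export types the page names

// Preload side. In a real preload script this object is what gets passed to
// contextBridge.exposeInMainWorld('cyberCheck', buildBridge(ipcRenderer)).
// The renderer receives functions bound to fixed channels, never ipcRenderer itself.
function buildBridge(ipcRenderer) {
  return Object.freeze({
    runAudit: () => ipcRenderer.invoke(CHANNELS.runAudit),
    exportEvidence: (format) => ipcRenderer.invoke(CHANNELS.exportEvidence, format),
  });
}

// True only when the calling frame is the app's own page (scheme, host and path).
function isAppFrame(frameUrl, appUrl) {
  try {
    const a = new URL(frameUrl);
    const b = new URL(appUrl);
    return a.protocol === b.protocol && a.host === b.host && a.pathname === b.pathname;
  } catch {
    return false;
  }
}

// Main side. Every handler checks who is calling and what was passed
// before touching the system.
function registerHandlers(ipcMain, services, appUrl) {
  const handle = (channel, fn) => ipcMain.handle(channel, (event, ...args) => {
    if (!isAppFrame(event.senderFrame?.url, appUrl)) {
      throw new Error(`${channel}: rejected call from untrusted frame`);
    }
    return fn(...args);
  });
  handle(CHANNELS.runAudit, () => services.runAudit());
  handle(CHANNELS.exportEvidence, (format) => {
    if (!EXPORT_FORMATS.has(format)) throw new Error('unsupported export format');
    return services.exportEvidence(format);
  });
}
```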

We built it with electron-vite for the development pipeline and electron-builder for packaging. macOS builds produce DMG and ZIP distributions. Windows builds produce an NSIS installer.

Privacy was a core design decision. All audit data stays on the device. No cloud sync, no telemetry, no data sent back to us. We never see any information about your machine's security posture. For a tool that scans your security settings that felt non-negotiable.

Why we think this matters

The Cyber Essentials scheme is only getting more relevant. From April 2026 the updated standard (v3.3) makes cloud services non-excludable from scope and MFA mandatory for all cloud services. The UK government requires CE certification for suppliers handling sensitive data. The NHS is increasingly requiring it. Private sector clients are asking for it too.

But the tooling around compliance hasn't kept pace. Most organisations going through CE+ are still manually checking devices, taking screenshots and assembling evidence by hand. That's slow, inconsistent and easy to get wrong.

We built Cyber Check because we went through that process ourselves and thought it could be better. A machine can check 50 security settings in seconds and produce consistent, timestamped evidence every time. That's the kind of thing computers are good at.

For a deeper look at the technical decisions behind Cyber Check, read our post on building the audit tool with Electron and React. And for the full story of our certification experience, see what we learned doing Cyber Essentials Plus.

If you're going through Cyber Essentials certification or thinking about it, check out getcybercheck.com or get in touch. Whether you're interested in the tool itself or need help with your broader security posture, we're happy to chat. You can also book a free 30-minute consultation with the team.

Automated checks: 50
Platforms: macOS + Windows
Stack: Electron + React

We built the CLI version because checking every laptop manually during our CE+ certification was tedious and error-prone. The Electron app came later when we realised other companies going through the same process would benefit from something more polished than a terminal script.

Michael Hayes, Co-founder of Add Jam
