
NCSC Cyber Assessment Framework v4.0 - what's new?
In August 2025, the U.K.’s National Cyber Security Centre (NCSC) released an updated version of its Cyber Assessment Framework, CAF v4.0, to enable organisations to assess their current state and maturity to allow them to become more resilient to ever-growing cyber threats.
But what has changed this time around?
- A2.b – Understanding threat (new)
- A4.b – Secure software development and support (new)
- C1 – Monitoring (expanded)
- C2 – Anomaly detection & threat hunting (expanded)
- D1 – Response and recovery planning (strengthened)
- AI & automation risks (woven across outcomes)
Four pillars of improvement
1. Threat understanding becomes a core outcome
CAF v4.0 shifts the understanding of attacker behaviours and motivations from a background consideration to a ‘Contributing Outcome’ labelled A2.b: ‘Understanding Threat’. Organisations must now integrate real-world threat intelligence into decisions, moving from abstract concepts to actionable insight.
2. Secure software development gets the spotlight
A notable breakthrough is the introduction of A4.b – Secure Software Development and Support. This expects software, whether developed internally or supplied, to be built, maintained, and monitored using best-practice frameworks (such as NIST SSDF and Microsoft’s SDL). It pushes us as professionals to think beyond patching, prompting the adoption of SAST (static application security testing) and DAST (dynamic application security testing), provenance tracking, and supply-chain scrutiny. This underlines the importance of the “shift left” mindset.
3. Smarter monitoring and proactive threat hunting
Rather than merely collecting logs, CAF v4.0 expands expectations under C1 (monitoring) and C2 (threat hunting). Now, enriched logging, behavioural baselining, correlation, and repeatable detections are key, and organisations must translate findings into operational readiness.
4. Revised response and recovery expectations
Response planning (D1) takes on more substance; plans must be realistic, regularly tested, and extend beyond internal teams to include suppliers. Recovery planning can no longer be an afterthought, something we have seen neglected for too long.
Additional enhancements worth noting
- AI and automated decision risk surface
CAF v4.0 does not isolate AI into its own control area; it integrates the related risks across multiple relevant sections. This signals that AI and automation are an area organisations must now assess, including restricting how AI could be manipulated to compromise critical systems.
- Dynamic, outcome-based evaluations
The framework moves further away from tick-box compliance, requiring demonstrable performance, traceable actions, and continued improvements grounded in measurable outcomes.
At Longwall, we help organisations translate these expectations into reality. Our teams run CAF assessments, provide NCSC-aligned recommendations, and build roadmaps and projects that turn guidance into measurable maturity over time. For more information, please get in touch.

Nick Griffiths
Cyber Security Consultant
1st September 2025