
CAF v4.0 Explained

The release of CAF v4.0 raises the bar for cyber resilience across regulated sectors.

CAF v4.0: Why organisations are turning to Maple

  • The Cyber Assessment Framework (CAF) sets the standard for how UK organisations – particularly those operating essential services and critical national infrastructure – must manage cyber risk.
  • With the release of CAF v4.0, the NCSC has made its expectations clear: organisations must move beyond static controls and adopt continuous, intelligence-led and proactive security assurance.
  • For NHS organisations and any entity operating under CAF or NIS regulation, this shift is not optional; it is an operational requirement.
  • Maple helps organisations meet this requirement in a practical, measurable way.


What’s changed in CAF v4.0, and why it matters

CAF v4.0 raises the bar in several critical areas, including:

  • A stronger focus on understanding adversary behaviour, not just known threats
  • Greater emphasis on continuous assurance, automation and proactive testing
  • Explicit expectations around threat hunting, anomaly detection and secure software practices


Point-in-time testing and compliance-led security are no longer sufficient.

Penetration Testing, redefined for CAF v4.0

Maple’s Penetration Testing as a Service is designed specifically to support the intent and direction of CAF v4.0.

Delivered as a managed service using an innovative continuous testing platform, it enables organisations to:

  • Move from annual or ad-hoc testing to continuous validation of security controls
  • Identify real, exploitable attack paths, not just theoretical vulnerabilities
  • Understand risk in the context of how attackers actually operate
  • Demonstrate ongoing assurance against CAF principles, not just audit readiness


This makes it particularly well suited to NHS organisations and other CAF-regulated environments.


How Maple’s PTaaS platform supports key CAF v4.0 principles

Proactive security posture (A2.b)

CAF v4.0 expects organisations to reduce cyber risk before an incident occurs.

  • Maple enables this by continuously simulating attacker behaviour across your environment, identifying the attack paths most likely to succeed and prioritising remediation based on real risk, not CVSS scores alone.


Threat understanding and anomaly-led detection (C1.f)

The framework now explicitly calls for understanding normal system behaviour and using this to detect abnormal or malicious activity.

  • By validating controls against real-world attack techniques, Maple helps organisations test whether their monitoring and detection capabilities are actually effective, before an attacker does.


Structured, repeatable threat hunting (C2.a)

CAF v4.0 introduces expectations around documented, repeatable and improving threat hunting. Maple’s platform-driven approach allows security teams to:

  • Run consistent, repeatable attack simulations
  • Validate defensive assumptions
  • Turn findings into measurable improvements over time


This creates a feedback loop that supports both operational security and regulatory assurance.


Secure software and supply chain assurance (A4.b)

CAF v4.0 places greater responsibility on suppliers and service providers to demonstrate secure development and operational practices.

Maple provides assurance through:

  • A controlled, governed testing methodology
  • Clear evidence of testing activity and outcomes
  • Alignment with regulated sector expectations and audit requirements

Why NHS organisations choose Maple

NHS and healthcare environments face unique constraints: limited resources, complex estates and high regulatory scrutiny.

Maple helps by providing:

  • A CAF-aligned testing service, not just a technical tool
  • Clear reporting mapped to risk, impact and regulatory outcomes
  • Continuous assurance without increasing operational burden
  • A trusted partner that understands regulated environments

CAF compliance is not a checkbox exercise

CAF v4.0 reflects a shift in regulatory thinking from static compliance to continuous cyber resilience.

Maple’s Penetration Testing as a Service enables organisations to meet that expectation with confidence, clarity and evidence. Not just compliant. Continuously assured.

See how Maple supports organisations in meeting CAF v4.0 expectations.