How Cyber Security Firms Win Public Sector Tenders
Government is one of the most active buyers of cyber security in the country. Departments, councils, NHS trusts, universities, police forces, and critical infrastructure operators all procure penetration testing, security operations, incident response, identity and access management, managed detection, and cyber consultancy, usually on multi-year contracts that re-tender on a fixed cycle. The difficulty for a cyber firm is not demand. It is that the work is scattered across Find a Tender, the devolved portals, G-Cloud, and several frameworks you have to qualify for, and that winning often turns on assurances such as Cyber Essentials and NCSC certification before price is even read. This page sets out where public sector cyber tenders are published, the certifications that gate the spend, the frameworks that carry most of it, and how to monitor every source at once.
Key takeaway
UK public sector cyber security tenders appear on Find a Tender for higher-value contracts and on Contracts Finder, replaced by the Central Digital Platform during 2026, for smaller ones. Much of the spend routes through frameworks: RM3764.3 Cyber Security Services 3, the only route to market for NCSC assured services, plus G-Cloud for cloud security software and support. Cyber Essentials is now a baseline requirement on many routes, and buyers frequently expect ISO 27001 and NCSC assured testing such as CHECK.
| Route | Operator | Covers | Typical buyers |
|---|---|---|---|
| Find a Tender | GOV.UK central platform | Above-threshold framework competitions and large managed security contracts | All public sector (high value) |
| Contracts Finder / Central Digital Platform | GOV.UK | Lower-value and below-threshold cyber notices | Councils, NHS, universities, central gov |
| RM3764.3 Cyber Security Services 3 | Crown Commercial Service (DPS) | Pen testing, incident response, threat intel, managed security, NCSC assured services | All public sector |
| G-Cloud | Crown Commercial Service / Digital Marketplace | Cloud security software, hosting and support lots | All public sector |
| NHS, YPO, ESPO and regional hubs | NHS bodies and buying consortia | Cyber and IT lots for trusts, councils and schools | Health, local government, education |
| Devolved portals | Scottish, Welsh, NI bodies | Cyber and IT work in Scotland, Wales, NI | Devolved public sector |
| Cyber Essentials / ISO 27001 | NCSC-backed scheme and ISO | Certifications often required to bid | Qualification, not a notice source |
Where public sector cyber security tenders are published
Cyber work surfaces across several layers of portal, and the contract value decides which layer. Higher-value framework competitions and large managed security or transformation contracts must be advertised on Find a Tender, the UK central platform for regulated procurement. From January 2026 the services thresholds are 139,688 pounds for central government and 215,720 pounds for sub-central buyers such as councils, NHS trusts, and universities, calculated inclusive of VAT. Smaller engagements, single penetration tests, and lower-value lots are advertised on Contracts Finder, which lists public contracts above 12,000 pounds and which during 2026 is being replaced by the Central Digital Platform as the primary notice service under the Procurement Act 2023.
Scotland, Wales, and Northern Ireland run their own systems, so a security operations contract for a Scottish health board or a Welsh council may never reach the main UK feeds. Those notices sit on Public Contracts Scotland, Sell2Wales, and eSourcing NI instead. The buyers span the whole public estate: central departments, local authorities, NHS trusts, universities, police and fire services, and critical national infrastructure operators in energy, water, and transport. Each can publish on a different portal, which is why checking by hand quietly leaks opportunities, and why the split between Find a Tender and Contracts Finder is the place to start.
12,000 pounds: Contracts Finder lower advertising threshold
215,720 pounds: Find a Tender services threshold, sub-central (2026)
2026: Central Digital Platform replaces Contracts Finder
Cyber Essentials and the certifications that gate the work
Before price matters, a public buyer checks that you meet a recognised security standard, and the floor is now Cyber Essentials, the NCSC-backed scheme covering five basic technical controls. The bar has risen sharply: from G-Cloud 15, the latest iteration of the UK cloud framework going live in 2026, Cyber Essentials became mandatory for all lots after previously being exempt, aligning with the National Procurement Policy Statement that took effect on 24 February 2025 and told buyers to mitigate supply chain risk through controls such as Cyber Essentials. Many tenders go further and require Cyber Essentials Plus, the audited version, and ISO/IEC 27001 for the information security management system.
For a bidder the lesson is direct: treat Cyber Essentials as the entry ticket, not a differentiator, because almost every compliant competitor holds it. More than 215,000 certificates had been awarded by March 2026, including 49,248 in the previous year, so it is now routine. Where you stand out is on the deeper assurances a specific tender asks for, which can include ISO 27001, CREST membership, and NCSC certification of the people doing the work. Reading the qualification requirements early lets you make a realistic bid or no-bid decision before you commit time to a response you cannot pass the gate on.
215,000+: Cyber Essentials certificates awarded by March 2026
G-Cloud 15: Cyber Essentials now mandatory for all lots
RM3764.3 and the frameworks that carry most cyber spend
A large share of public cyber work never reaches an open tender. It flows through framework agreements where buyers shortlist and run a mini-competition among pre-approved suppliers, so if you are not on the relevant route you do not see the call-off at all. The dominant cyber route is RM3764.3 Cyber Security Services 3, a dynamic purchasing system operated by Crown Commercial Service that the buying authority describes as the only route to market for NCSC assured services. It covers penetration testing, incident management and cyber incident response, threat intelligence, data destruction and IT sanitisation, and managed security services including accredited security operations centres and managed detection and response.
It is not the only route. Cloud security software, hosting, and support are bought through G-Cloud on the Digital Marketplace, where suppliers list services against defined lots, and broader digital and security delivery runs through Digital Outcomes agreements. NHS bodies, regional consortia such as YPO and ESPO, and sector hubs also carry cyber and IT lots alongside facilities management and wider technology. Because a missed qualification window can lock you out for a whole term, watching framework refresh and DPS application dates matters as much as watching individual notices, a point covered in the wider UK procurement frameworks and G-Cloud guide.
RM3764.3: Cyber Security Services 3, NCSC assured route
DPS: Suppliers can join the dynamic purchasing system at any time
NCSC assured services, CHECK and CREST: what buyers ask for
Public cyber tenders score heavily on assurance, and the language is specific. For penetration testing and IT health checks, buyers very often require the NCSC assured service CHECK, which means the testing team is approved to work on systems handling sensitive government information. Where CHECK is not mandated, buyers usually accept CREST accreditation as evidence that testers and the wider practice meet an independent standard, and CREST membership is also expected for security operations centre and incident response work.
Beyond testing, the common asks are an ISO 27001 certified management system, demonstrable experience on comparable public sector engagements, security cleared staff for sensitive sites, and adherence to the NCSC Cyber Assessment Framework where the buyer is a critical infrastructure operator. The honest reading is that public cyber procurement rewards proven assurance over the cheapest quote, so a credible bid leads with certifications, named accredited staff, and relevant case studies rather than headline price. Firms that win consistently tend to hold the certifications a buyer can ask for at call-off without having to chase evidence, because on RM3764.3 the proof is checked when a supplier joins the DPS rather than at every competition.
Why public sector cyber demand is rising into 2026
The pipeline is growing for policy reasons, not just budget cycles. The Government Cyber Action Plan commits more than 200 million pounds to address legacy technology, skills shortages, and uneven assurance across the public sector, which translates into procurement for assessments, remediation, and managed services. The Cyber Security and Resilience Bill is set to raise mandatory standards across critical national infrastructure and digital supply chains, pulling more suppliers and their subcontractors into formal security requirements and, in turn, into procurement that specifies them.
The market behind this is substantial. The government's Cyber Security Sectoral Analysis 2026 identified 2,603 firms providing cyber security products and services in the UK, a crowded field competing for the same framework places and contracts. For a supplier that means two things at once: more public opportunities are coming, and more rivals are watching the same portals. The firms that convert this into revenue are the ones that see relevant notices first and qualify for the frameworks early, which is where disciplined tender monitoring earns its place over manual checking.
200m pounds: Government Cyber Action Plan investment
2,603: UK cyber security firms identified in 2026
Filter cyber security tenders to your services and region
The hardest part of monitoring is noise. A large authority publishes hundreds of unrelated notices for every cyber contract worth your time, so precise filtering is what makes alerts usable. Keywords are the first lever: terms like penetration testing, vulnerability assessment, security operations centre, managed detection and response, incident response, SIEM, identity and access management, zero trust, and security audit. The catch is that buyers describe the same need in different words, so a literal keyword for penetration testing can miss a notice headed IT health check or offensive security assessment, and cyber resilience, information assurance, and data protection all point at related work.
CPV codes give a more structured filter. The most useful for this sector are 72000000 (IT services), 72500000 (computer-related services), 72600000 (computer support and consultancy services), 48730000 (security software package), and 72212732 (data security software development). Note that 79714000 (surveillance services) covers physical and electronic security, which is a different market. Combine codes with region filters so you only see work inside your operating area, and add disqualifier keywords to drop sectors you never serve. The same discipline applies to adjacent IT services tenders and to IT consultancies bidding across overlapping codes, which is why combining codes with semantic matching beats either alone.
Monitoring cyber security tenders across every portal with Jorpex
No single portal shows you all the public sector cyber work, and checking Find a Tender, the devolved sites, G-Cloud, and the framework operators by hand is the task that slips when a delivery team is busy. Jorpex closes that gap by monitoring 50+ public procurement sources at once and matching each notice against your profile, so penetration testing, managed security, incident response, and identity work arrive in one filterable stream rather than scattered across logins.
The matching is semantic, not literal, which matters in cyber where the same job appears as penetration testing, IT health check, offensive security, or red teaming. Embedding-based matching catches those variants, and 17-language support helps firms that also bid in Ireland or across Europe, while disqualifier filters strip out the sectors and geographies you never pursue. Matches land in Slack, Microsoft Teams, or email as realtime, daily, or weekly automated tender alerts, each carrying the deadline and value so your team can move fast. Plans start at 49 dollars per month (Starter) and 149 dollars per month (Pro) with a 14-day free trial, no per-user fees, and up to 5 notification profiles on Pro so a testing desk and a managed services desk can each watch their own work. Jorpex surfaces the framework and contract opportunities that put you in the running. It does not submit bids, hold your Cyber Essentials or NCSC certification, or replace registration on the buyer and framework portals, but it makes sure you never miss the notice. See how it compares with other tender monitoring tools and tender alert services, alongside the wider UK public sector tendering picture.