I am Mike Maddison, CEO of NCC Group. NCC Group is a global leader in providing cyber resilience services. At the heart of our business are our people. NCC is a people-powered but tech-enabled business, and it's been an absolute priority for us to ensure that there is visibility, transparency, and understanding of the component parts of our business. NCC Group is made up of two distinct businesses: our software resilience business, Escode , and the largest part of our business is our cybersecurity services. Cybersecurity is the largest part of our business in terms of revenue. Our strategy is to build a business that delivers to our clients an end-to-end set of services that addresses the existential risk and primary risk in the digital age.
Our capabilities range from incident response, so helping clients in their moment of most distress and crisis, being able to support, change, and implement changes within an environment through consulting and implementation services, to help clients operate and run elements of their environment, our managed security services, and then ultimately, to be able to provide technical assurance across every single environment that they operate, and that's our technical assurance services. All of those capabilities together operate within a flywheel, so whatever our clients' requirements are, we can meet them. What I think makes NCC unique is the way we are able to bring together all of those capabilities together to solve clients' complex problems and manage risk in partnership with them. NCC Group is a unique business.
We are global in nature with absolutely outstanding technical capabilities, and we are going through a transformation that is a very exciting time. Allows us to position ourselves quite uniquely globally to deliver truly outstanding service to our clients.
Well, thank you, and good afternoon, everybody, and it's great to welcome you to what I think is gonna be a fantastic markets event this afternoon. So it's great to hear Mike's intro, and as he said, today is about the cyber part of our business, and we are gonna immerse you all here in the room and online into our managed service part of our business. It's a part of our business that provides greater resilience, greater predictability to how we perform as a group. Now, by way of introduction, I'm Kevin Brown. I'm our Global Chief Operating Officer and responsible for all of our capabilities across the cyber part of our business. Now, you might say that I'm slightly biased, but this is a fantastic business, and I'm only a year into my role in this journey.
But I may have only been at NCC for a year, but actually I've known NCC for a few longer, a few more years than that, because actually, in my previous role, leading security at BT, NCC were a trusted partner to me then, providing help with regulations, but also for transformation. So it's gonna be great today to really dive into it. As we look at the agenda for today, we've really built our agenda to take you through the journey that we're on at NCC Group, and in particular, the journey of our managed services. Before we get into the detail of our managed services, one of my colleagues is gonna try and break down cyber. We like acronyms. It's an acronym fest, so we're gonna try and break it down into really simple terms so we really understand it.
But taking the agenda, what is this not only gonna hear us talk about, but it... what are we gonna demonstrate during this session? There are five things. Now, number one, we're gonna talk the fact that we're in a high-growth market. The second point, we're gonna talk and explain and demonstrate that we are aligned to market demand. We're gonna give you evidence and bring it to life, that actually we're pretty good at what we do. Of course, we can always do better. We're gonna talk the fact and demonstrate that we are in a strong financial position. And then when we bring these bits together, our final point is we are super optimistic about our future, and that will come out throughout the presentation. To help me today, let me introduce what's gonna be a fantastic panelist of speakers.
I'm gonna start with introducing Doug Cloutier. Doug will be up after me. He's the Managing Director of our Managed Service business. Doug comes with a fantastic track record of growing managed service businesses across BAE, Trustwave, and Doug brings this unique blend of innovation, not just from the technical aspect, but from the commercial as well. We're then gonna hear from Natalie Walker. Natalie is the Director of our Managed Service portfolio, very well regarded across the Managed Security Service landscape, and Natalie comes with a great track record of having just worked with the business to grow a $1 billion managed service business. And then finally, we're gonna come to Kevin. Kevin runs all of our operations, and I think it's fair to say that calmness is his key ingredient when it comes to managing operations.
Great track record of working with clients throughout multiple geographies, so they're really gonna bring our journey to life with you. Now, we've already heard reference to this from Mike, and actually, we're gonna see it a few times in our presentation. It might refer to it as a flywheel, but actually, this is a key component to our operating model across NCC Group and our cyber business because this is our road to differentiation and success. And as Mike said, this is what makes us globally unique.... Now, Natalie and Kevin are gonna bring this to life with some great client stories. But put simply, us executing on this operating model means that we are not wholly reliant on selling managed services from scratch. There are many ways in which we have interaction with a client.
It provides shortcuts to sales cycles, which means that actually we are more cost-effective and efficient when it comes to selling managed services. And bringing and exposing this capability means that we can really demonstrate to our clients that we are their go-to, end-to-end cybersecurity trusted partner. So without further ado, I'm gonna hand you over to Doug now to take us into the detail.
Great. Thank you, Kevin. Hello, hello, everyone. We are, you know, very excited to have you here. We're eager to tell you the story about our managed services and the journey that we've been on. I'm not local, Chicago, but I've been here many times, so I'm gonna try to present myself as local as possible. So a couple of key things. I just wanna set the stage. As Kevin said, my role here at the outset is to kind of... Let's talk about what this market is. A lot of terms get thrown around interchangeably, and what does it mean in terms of the way that we think about it and talk about it? So a couple of things I think are really important. AI is literally everywhere. Our clients are using it. We, as a service provider, are using it. And guess what?
Folks who are trying to steal data, they're using it, too. What does that mean? Well, you know, defending against a compromise has become more complex than it's ever done before. But some of the tried and true things, like good old-fashioned phishing attacks, still rule the day, and that hasn't changed. You're gonna hear throughout our presentation today, and hopefully you walk out and you feel the way that I do, we have a plan for this. We're aligned to the market, and we'll be pursuing that eagerly. So as I said, I have the enviable position of kind of describing what managed security services is and all these terms that we talk about, because they do get thrown around in our industry pretty interchangeably, and we tend to do an acronym thing, and I'm sure I'm gonna fall into that trap.
I apologize for that, and I'll try to avoid at all cost. But just to set the stage, what is managed security services? Well, simply put, it's an all-encompassing thing, all variations of outsourced security operations. That's what MSS stands for. You could call yourself an MSSP if all you did was manage firewalls, but that's not really where the market's at. That's not where the demand is at. The demand today is at, "I need you to help me find sensitive data. It could be in my environment; it could be outside my environment. I need to know that it exists, and then I need to know, gee, is it sensitive against an attack?
And then, if it is, what are you gonna do about it so I make sure I'm protected in real time?" This is ultimately what our clients are asking for from us today, and which we'll talk mostly about. As I said, it's a fast-growing market. Now, I'm gonna talk a little bit about MXDR here for a second. MXDR, Managed Extended Detection and Response, see, I did an acronym before I even talked, used the word, and Managed Detection and Response are often used interchangeably with Managed Security Services. But this is the thing I just talked about. It's, it's preventing against attack in real time, managing threat. That's essentially what Managed Extension, Extended Detection and Response and MDR is. This is where the market is super-duper hot. IDC expects it to grow over 26% from 2023 through 2028.
This is my favorite slide. So this is the classic, you know, alphabet soup of managed security services and security services. But everything here, every element here, contributes to us delivering value to our clients, and they kinda neatly fall into three categories. You've got your far left column, which is find sensitive data, and that, that can involve... There's a thing on a dark web that I didn't know I had on the dark web, like my username and credentials. It could be something in your own environment that you didn't know existed, but you ran a scan, and you figured out it existed. And then lastly, you know all this stuff about this data. What are you gonna do about it? I gotta prioritize it. I gotta reduce the vulnerability associated with it. Is it vulnerable at all?
That's all kind of, tell me about the data side of things. Okay, now I've found the data, what am I gonna do about it? Well, you gotta protect it 'cause it means something to you. And there's a variety of ways that you can do this, but the most common technologies that are most sought after today are things like endpoint detection and response, which could be something as simple as a piece of software on your laptop, and it's, it's analyzing a threat against that machine. Again, it's a piece of software. It's not a service. That would be true of network detection and response, which is the same thing, but it's doing it at a network level. And then MX- MXDR is kind of a catch-all. Refrigerator has an IP address. A machine in a factory has an IP address.
Those would be examples of a catch-all for everything else, and that becomes what's known as MX extended detection and response. Then lastly, where we really bring value is, we gotta make sense of all this and help a client protect themselves in real time. We use technology to help us do that, and there's some great SIEM technologies out there. We have strategic partnerships, which you'll hear more about, with organizations like Splunk and Microsoft, and they help, they help us understand, as a service provider, is a thing happening, or is this just something that's happening to an individual machine? It gives us context, gives us the ability to respond in a systematic way and help our clients to understand what the threat really is all about. Then you get into our space.
So we're managing all this, which is what ultimately matters. All this stuff is shooting off a bunch of stuff. What does it mean? What do I do about it? Service providers like us say, "We'll help you understand if it's a thing or not, and we'll react to and protect you in real time." There will be more acronyms, I promise you. Okay. Now, as an end-to-end cybersecurity company, from, "Hey, we discovered a piece of data," all the way through to, "We're gonna defend you against a breach..." You have to have a really intimate relationship with your client, and that's true for us as well. And our clients are telling us pretty routinely, these are the things that really matter to them. Regulations are becoming more complex. They're changing every day. They're different by geography. They're different by industry.
It's frankly hard to keep up, and you've got to manage your cyber risk in line with those compliance standards. They've got to prove they're doing what they say they're doing. They've got to prove to their stakeholders, internal, external stakeholders, that the service that they're using, the things that they're doing, are effective to protect the environment. Cost is a factor. It's probably the number one buying decision, right? People are not making decisions without knowing exactly how much something costs. Can they afford it? Is it in line with the, with what they should spend on that problem? So they've got to do it cost effectively. And then, most importantly, they got to defend the environment. If something happens, did you know what happened? Could you solve it? Could you remediate it? Could you do it quickly?
These are all the things that they expect from a service provider like NCC. Okay, with that, let me just spend a minute kind of whizzing through the market. So this is IDC's actual spend in the market as of 2023. And what I think- what this says to me is resiliency. Everyone's participating. This is not a vertical sector strategy. Now, I talked about regulation, I talked about geography, and things that are challenging organizations. At the end of the day, the service they need to meet those standards that I just talked about are pretty dadgum consistent. So we can offer very similar service, even though the drivers are so varied by all these different verticals. Allows us to scale and also solve their problems. So great resiliency, this is not a single vertical strategy by any sense.
I'll also say it's a sizable industry. It's GBP 20 billion as of 2023. As I indicated, one of the hottest areas of growth is the MDR XDR space, which is growing at 26% through 2028. Interestingly, only 42%, and I do say only because guess what? According to IDC, in 2027, over 70% of organizations will have some form of an MDR XDR solution. So you're gonna see very significant growth, not only with the existing community that's participating, but future buyers who have not participated yet. What are the drivers? The drivers are what I just described, but also, you know, the requirements are I have to have trust, and I have to have confidence in your expertise. They don't have the resources, they can't scale, and so they're looking for someone to provide economies of scale.
A very good example of this is there's a major foundation in the U.S., $70 billion endowment, something of that sort. A year and a half or 2 back, they came to us, big brand, under constant phishing attack. They couldn't scale, they couldn't respond, they couldn't defend themselves. They came to us, and we quickly said, "Here's the thing. What you're trying to defend yourself against is really hard. It's not an easy problem to solve. I think we can help you do it," and we gave them a plan. "By the way, you're getting a lot of this, and that's not gonna stop tomorrow." We proved we could do it at scale.
Those two things, and the fact that we were very candid, that it's a hard problem, it wasn't an easy problem to fix, immediately created trust with them, and we demonstrated our ability to scale. That won us a really important deal. So with all that opportunity, guess what comes with it? Good old-fashioned competition, and that's certainly true here, too. So the way I think of this is, our competitors kind of fall into five neat buckets. You've got your pure play security service providers, which I think NCC certainly fits into. You've got your specialist MSSPs, who today might call themselves an MDR, XDR provider. That could be like a BlueVoyant, could be an Expel, could be an Arctic Wolf, often PE-backed, maybe not necessarily focused on making money today, but certainly focused on growing.
They tend to have a one size fits all for their customers, a platform-only-based solution. You got your telcos, who have a big relationship with a client. They're trying to get a bigger share of wallet. Why not get into cyber? You've got your global system integrators. You've got your Accenture and your PwC, et cetera, and they tend to do very custom solutions for very large enterprise. As I take a step back, and maybe I'm biased, it often looks a lot like staff augmentation to me and a lot of custom work. And then last, you've got your resellers, and frankly, they're trying to make a buck off of reselling software, and God bless them. Good for them. So where do we fit? We are a broad cybersecurity services provider, everything from testing through to incident response with managed services in the middle.
We've got global scale, but we also have local presence. There are unique needs in the market. Kevin Jonkers will talk a lot about our last mile and how we face off with clients to support them locally, but we also have the scale to do it globally. I really wanted to talk about the Unified Cyber Platform, which we're invariably gonna call the UCP today, and that's what it means, and we apologize ahead of time for using acronyms, but I'm sure we'll fall into that trap. But this is a really important investment we made. About a year and a half ago, we had, through years of successful acquisitions, built up a lot of different ways of doing things that weren't very consistent. What did that mean? That meant that we had a fair amount of technical debt, customers weren't getting consistent experience, we weren't able to scale.
We weren't able to innovate for the next thing. So we made a decision to move forward, take a lot of the great things that we were doing, invest in those things, use modern technology, and introduce something called the Unified Cyber Platform. I'll leave it there because Natalie's got some detail on that, but it's a very exciting part of our strategy, and it's going to uncork our growth opportunity. We've always had amazing people, and the technology is becoming so advanced that marrying up with our people is a great opportunity. All those things together, puts us, puts us in a position, and our clients tell us it's true, that we're very, very good at managing threat. Okay? That's a little scene setting.
With that, let me hand it off to Natalie Walker, who will go through the value proposition and tell you where we've gotten to on that front.
Lovely. Thank you very much, Doug. So we've explored in detail the market, and now I'm going to explain our offering. We've touched on this, our operating model that drives our clients to us, but I'm gonna bring it to life for you with a, a few examples. Understandably, a lot of our clients don't like to be named, and they particularly don't like to be named if we've helped them on an incident, but one that is in the public domain is the British Library. So if you imagine, that type of client is one that we've helped through their incident and beyond. But a, a journey through from incident response into managed services often starts with us deploying some software. So Doug touched on this, an endpoint software.
We could be putting software on a laptop, and what that does in the incident is gives us additional visibility, and allows us to work out what's going on and to solve the problem for the client, and that's great. At the end of that incident, often the client finds that that extra visibility is really useful, and they want that increased awareness of any other potential threats coming through. They're not used to managing that software themselves, so it's quite natural for them to have already built that trust with us and think, "Great, let's talk to you about a managed service." So great example of that operating model driving a conversation through the business. And similarly, the same is true, in all of our areas, but another example would be consultancy.
So an example of a client that's used our consultancy services a number of times is the UKHSA , the Health Security Agency. Now, we helped them in the pandemic, and we still help them today. But similarly, a typical example of that journey through the organization could be our consultants helping a client design and then implement a security solution, any security solution. They may well start off thinking they're gonna manage it themselves. They value our opinions, they value that trust, and that's fine if they want to do that, but it's not uncommon for them to then think, "Ah, actually, we can see now that it's really efficient for you to do that for us." And so discussion then goes on to a managed service.
This, it's all MXDR, the term that we used earlier on, Managed Detection and Response, that type of service. And absolutely, the reverse is true as well. So we could be managing a client's MXDR solution for them. We'll be monitoring it, we can see something's going on, and we would bring in our incident response team at that point, for example. Or it could be as early as our implementation of our solution. So we're working through deploying a service for a client, and then we realize that it's an opportunity for perhaps a deep dive in a particular area of risk, and so we'd bring our consultancy colleagues into the discussion at that point. So I want to describe to you our portfolio, first of all, with the problems that we solve.
So again, kind of some terminology here, but a vulnerability is effectively a risk. It's not happened yet, it could happen. So it could be something as, I guess, as tangible as stolen credentials. Now, we know they've been stolen, they haven't actually been used yet, so it's a risk. It's not an actual threat at this point. Or similarly, outdated software, so somebody hasn't done the patching, you know, we haven't updated our mobiles, and so on. At this part of those, those sorts of challenges, we help a client to proactively protect, so this is a proactive action. Subsequently, you've then got a threat, so this is where something's actually happened. So laptop's compromised, somebody's clicked on a link that they shouldn't have done, or actually, for whatever reason, somebody unauthorized has got access to that network.
At this point, what we're doing is we're monitoring and we're responding. So at a high level, that's what our portfolio does. We can help our clients all the way through that journey or at any point in the journey. They don't have to start at the beginning. You know, whatever suits their particular challenge and their particular stage of their journey to security. But who are those clients? So I've given you a couple of examples, but just to explain a little bit further. The mid-market. Now, there's no one perfect definition, I don't think, for this particular group. We tend to find they're less than 5,000 employees, but it's less about the size, it's much more about their sort of security posture. They tend not to have their own operating team, so SOC, if I use that term.
They tend to have board-level understanding or decision-maker understanding that security is something that they absolutely want to invest in. For these groups of clients, what we do is we provide simplicity, and they do tend to take all of our solution. They don't have to, but they do tend to. Again, the type of client would be law firms, building societies. They're all in our client base for this type of solution. What we do from a portfolio perspective, and also from a platform perspective, is we design it for this mid-market group. But what that allows us to do is to tailor for our second group of clients, and they're the large enterprises. These guys, clearly bigger, they tend to be more complex, and again, they don't have to, but they often pick a particular part of our solution.
For these guys, they actually benefit from the scale that we have because we provide solutions across both types of clients. Examples of this type of group are universities. We serve a number of the universities in the U.K., and we serve large retail companies. One portfolio, both types of clients. We focus on three areas of strengths. In managed services, we call these our three pillars. They're. It's an ethos that flows throughout our organization, throughout our portfolio, and throughout our design. Starting with quality and client centricity, I think quality kind of speaks for itself, but client centricity is really that flexibility I've started to introduce, and the fact that we can tailor, but we can do it at scale. Threat management, now, we've alluded to this term. It's, it's effectively that ability to monitor and to respond.
We do this, we actually take the out-of-the-box capability, but we also have some engineers that design our own code. We typically find, of the threats that we find, 40% of those are found by the code that we've written ourselves, so clearly that's an area of IP. We also have threat intel, which we again use external sources, but we also provide sector-specific, which we know our clients really value. And then that transparency is, again, a little bit of an ethos. It's a bit about the reporting that we provide, so we report at multiple levels, again, depending on what's appropriate for that client. And we also... I'm gonna drop an acronym, which we'll come back to, but it's a TAM, it's a technical account manager.
But effectively, they provide access to our clients, to the experts, and we know, particularly for the mid-market, they really appreciate that. And then people-powered innovation. Now, this is the blend of people and technology, and I hope that's starting to come through in our presentation, but Kevin Jonkers is gonna talk to us about how people play across the three pillars. So back to our all-important client. We introduced these challenges earlier on, and our three pillars, effectively, those areas of focus and strengths, play well into our client needs. Just bear with me. So into the portfolio itself then. So this is structured in the same way as the problems that I introduced. On the left, we've got those, those vulnerabilities, the areas of risk, and on the right, they're the threats, they're the taking action.
So it's essentially in two halves, and they are a collection of things in both cases. So a portfolio rather than a product, if you want to use those terms, or an umbrella, if you wanna—if you prefer that. Now, I've used ASM, Attack Surface Management. Again, they're vulnerabilities, and we offer a suite of solutions which the client can take, any or all, or they can take them over time. So again, examples that we used earlier could be, we have a solution that allows you to check the deep and Dark web for your online presence. You may find something that you weren't aware of. That is very common challenge for our clients.
Or they may want to do a scan and repeated scan and look for any assets that they weren't aware of, and just to double-check that they are correctly protected, and then come up with a plan. So all of those are in that proactively protect. What we do is we add our expertise, so we add the prioritization, 'cause what you have in all of these solutions is lots of data, lots of information. But because we're specialists, we deal with it every day, we're able to help the client to prioritize and decide which to take action on first. Our portfolio is constantly evolving, so an area here that we're launching this month is our new External Attack Surface Management. We have just piloted with 5 clients. We struggled, actually. We had 10 that wanted to sign up.
So we've, we started with the five, several of which are really quite keen to sign with us. And what that did is it allowed them to scan for those assets that I mentioned, that were internet-facing, that they may not have previously been aware of. One of our clients thought they had 70, we found over 300. May not be a problem, it's an area of risk. Again, what they found really valuable was the wrap that we then gave, is saying: "Right, which ones are important? Which ones do we prioritize? Which should you take action with when, and which can you effectively discard?" So that was great. Couple of examples to bring this area to life. Of the pilot customers, we had a hotel chain in there, a health organization, so again, all sorts.
So it's quite an exciting evolution. In terms of MXDR, so that managed detection and response, it's similar, it's a collection of different products and services. Again, our clients can take the choice of which they need and which is appropriate to them. This involves anything from endpoint, this endpoint software, putting software on your laptops, into your network. We can set honey traps, those types of things. And similarly, what we do here is we help to prioritize the alerts, and we help them to respond to the threats. I guess all of these things, we need three key ingredients in order to deliver them. So I'm now gonna take you through each of them in turn. And this is the slide that Doug's been waiting for. This is back to our Unified Cyber Platform.
So we talked you through a little bit of the journey. So 18 months ago, we had a look at where we were. We were lucky at that time because the technology was, you know, has been advancing at pace, and so suddenly, we did have lots of good modern software options available to us. We, at that point, had something like 5 different platforms and slightly different experience in each geography, so inconsistent client experience across the piece, and obviously, it's complex. Having done the analysis and set the strategy, I'm glad to say that it went live in February. So with that brings the cost saving, the additional margin, the better client experience, more consistency....
For me, you know, I'm product manager, so for me, the great thing is we can start to add new features, new functionality really quickly, which is great. Really exciting, so that really helps that evolution. As Doug has often said, the technology's finally caught up with our people. How does this look in portfolio terms? So this illustrates how that Unified Cyber Platform joins up managed services. So the two halves of the sort of portfolio that I introduced earlier, what we do is we take all of the alerts from across our managed services and actually, in fact, across our group as if, if appropriate as well. So we take that all into the Unified Cyber Platform, and then we add in external threat intelligence, but also our own.
So as an example, if we've just done some testing, penetration testing, pen testing is one of the biggies, so we might take that data in and add that in, and that would be hugely complicated, 'cause obviously suddenly you've got lots of alerts. But what the Unified Cyber Platform does is it enriches all of that, it cross-correlates all of that, so that the view to our agents, to our team, is much more simple, and ultimately, for our clients, that gives them that quicker and more accurate response. You know, that, that's the key. And for our clients also, they get that same portal that you can see, the same as our agents are seeing, comes back to our transparency point. So bringing this to life with a couple of examples, the first of which sort of falls under the migration.
Now, as a product manager, that just fills somebody with dread to have to do a client migration. Actually, thankfully, it's not, it's not been too bad at all. In fact, we proactively received quite a bit of good feedback. One of our clients who's, let's call them a tech firm, they're quite involved in the internet in the U.K. They were one of the ones that proactively emailed and thanked us for that really seamless migration experience. But they went a step further, and they so rather than using their own tooling, they've decided to move and use our portal exclusively. So they've sort of seen the value of the tooling that we provided and changed their strategy on the back of it. So kind of feels like we've made that simple and transparent, which is great.
I think another example is perhaps it was one that we had, was an early adopter onto our platform, but for a different reason, actually. They had. Again, it's a tech firm. They're more in the device manufacturing world, but their important piece was they had a really strong requirement around their presentation, the portal presentation. So for us, with our old technology, that would've been an absolute nightmare, really difficult to do. But we can tailor at scale. We can tailor quickly and simply. So we moved them. They were one of our early adopters. We moved them straight onto our new platform, and they were happy with the portal they got. So kind of gives you those real-world examples. So that's the second ingredient that I mentioned, was the partners. So we've covered the technology, the partners.
So we use a number of different partners, and our strategy is to select the best from the market. We try and look for four things. So we're looking for the fact that they solve a problem and deliver an outcome that our client wants. We want them to be leaders in their area, in their specific area, or innovators, or both is great. We like to see current demand and confidence of future demand, and that's because some of our clients have a really strong opinion of the technology that they either want to use or that they don't want to use. So we try and make sure that we've always got a choice to allow for that. Some of our clients are really quite happy just to take our recommendations, so both exist.
And then we also look for kind of there's a relationship piece around that partner. We're looking for that win-win mentality in that partnership. And I guess a more practical aspect is most of our managed services partners bring us prospects. That's the reality. And back to that example of the External Attack Surface Management that I talked about, CyCognito, we partnered with. We had those 5 pilot customers. By the time we were on the pilot, they'd already brought us a new client, a new logo to talk to about when we were launching our service. So, you know, it's just an example of how that works, and when it works, it works really well.
What they bring to us is they bring the technology, so they bring that great tech, all of the research that they do, all that investment that they do to that particular challenge, and when we layer on our expertise, our managed wrap, and our own IP. Again, just to bring this to life, I'll just highlight a couple of kind of awards and accomplishments. So Microsoft, we're MISA, which means that we're approved as their managed XDR solution provider. Now, that is not easy to get as an accreditation. There is an awful lot of tech accreditation to get to that, so we're really proud of that. A lot of our clients ask for that in RFP, so that's really important.
We've also been added to their, what they call their elite partnership, which means that we get access to their technical features in advance, and we get to give feedback on those. So again, that's really helpful. And with Splunk, we'll probably touch on this again, but we won last week in Las Vegas, their Global Services Provider Award, which was their top award, which was pretty exciting, and we're also on their advisory board as well, so we get to have a say in their strategy. But we couldn't do all of this without that Unified Cyber Platform, which is why we're so keen on it, because what it does is it allows us to give that choice and that flexibility, but it still gives both us and our clients all the advantages that you'd get from the single platform.
Again, coming back to the product manager in me, you know, we also get to evolve it as the market evolves, so we can really quickly and easily add in additional partnerships. So they were two of the ingredients. I'm gonna hand you to Kevin, who's gonna talk about how we interact with clients and that third ingredient, the people.
Thank you, Natalie. And good afternoon. Happy to bring yet another foreign accent to the mix. Let me lift the hood a bit on how we deliver our services in practice, and, and let me start by saying why this platform is so important for me and, and the operations team I lead. We receive hundreds of millions of security alerts on an annual basis from our clients, and what the technology alone does is filter that down to only 0.1% of that, that needs human inspection. So that's a huge amount of work that's already taken off our plate by technology. But obviously, just reducing the numbers is not what counts. It's how we make those alerts actionable for our clients.
So the next few slides, I want to talk you through what our great people do to make those security alerts meaningful within the context of our clients' businesses. I'll briefly pause at UCP one more time, and then we'll talk about people. But UCP is very important for another reason, and that's to tailor our service to every client's need. 'Cause as an MSP, especially in that mid-market that we focus on, we see a large variety in the cyber maturity that our clients have. So some will have no internal security teams, others will have huge internal security teams and know what they're talking about. So we need to tailor our service, and that starts and ends with the Unified Cyber Platform. It's our single hub for client interactions. It's where we can look at...
Our analysts look at the incidents, but also where our clients look at that same stuff, where they can see the service performance, and basically, where we have a single source of truth, and this links into that transparency that we've mentioned a few times already. So to bring that to life, on the lower end of cyber maturity, you might have, let's say, a smaller municipality, we have quite a few of those as clients, where there's a handful of IT personnel that also is in charge of dealing with security incidents.
Now, they might only log into that platform after they received a call from us to check out what's up and see if they can add a few more—a little bit more business context to what we're seeing, and then we'll help them remediate and take action on that, on that incident. On the other side, you might have your really high mature clients, maybe the heavily regulated one, like in finance. So an example would be a pension fund that we have that has gone as far as integrating our platform into their own IT ticketing system, which means that their internal security team can work seamlessly with our security operations center and our experts to share the workload, basically.
So you can see how that platform plays a key role in delivering a tailored service to our client. Now, however important that technology is, you heard Mike say in the beginning, people are still at the heart of our business. And I can only attest to that. So let's explore the four key roles that we have in our organization, that allow us to bring a tailored service, but also allow us to scale. At the top is the most important piece of what we do. It's our security operations center. It's 24/7, around the globe, analysts looking at the alerts that pop up in our platforms. They triage, they figure out if this might be an actual, you know, a true breach going on or the first steps of that.
They'll call the client, and they make sure that the right action is taken, or we can even take it for them. So that's very operational, but key to what we do. Then you've heard, I think Doug mentioned already, that we care a lot about the last mile to the client, which is adding a personalized touch. Anyone with the right technology could basically do that twenty-four/seven. What we care about is that middle layer a lot as well, where we have service delivery managers and technical account managers sitting in the region close to the client, understanding the local context, the local culture, speaking the right language, literally even, and ensuring that through the service delivery managers, we track service performance, we can do changes to the service, things like that.
But I think the key thing here is the technical account managers, and, as we often call them, they're a window into our security operations center. So the SOC, they need to do the 24/7 thing, quickly handling alert after alert after alert. Whereas the technical account manager is the person that will take the client through the more tactical and strategic topics, like, what do all these incidents in a row tell you? What could you do better in your security posture? And then finally, we have our service improvement group, which is a key team that we set up over the last year, which runs our client advisory board, but also takes on internal feedback to constantly improve our service, which has hugely, hugely increased the agility with which we develop.
Now, these are all humans doing this work, and obviously, you've heard Doug say at the beginning that AI is everywhere. So we're also jumping on the opportunity to apply GenAI, especially into what we do here. We're not gonna replace these people anytime soon by AI. It's just too complex for that, but we definitely believe that we can bolster what they do a lot. It will provide extra speed, new insight, and context, and it will help us maintain and further improve our quality on an ongoing basis. And a good example of the GenAI is when Microsoft invited us onto their early preview of the Security Copilot platform, which is their GenAI tool for security.
We gave that to our detection engineers, the people who build our detection logic, and within a matter of days, they found a way to offload a lot of the testing they do of new detection logic to that AI, and it ultimately will save them around 10% of that team's time, in not having to do that manually anymore. So I think you can imagine the scale at which we think we can take this in the future. Now, this operating model is built for scale, as I said before, and we've scaled it to hundreds of clients already, but it's also scaled for quality and that personal touch, which, as a result, you can see in our client satisfaction score, which is at 86% at the moment.
As a final step, let's take a peek into the future and why I believe we can take this much further than where we are today. Our model, our operating model, is as global as possible, but as local as needed, which has to do with providing scale, but also that personal touch. We're currently working from five operating centers around the globe, so we can provide true follow-the-sun operations. There's always somebody awake, and somebody's office hours. But we do the last mile in the region with those service delivery managers and technical account managers. And we can even do a full regional delivery for clients where data sovereignty really matters, like governments, finance, and some parts of high tech.
Regardless of whether we do global or regional, it's all delivered by that same single Unified Cyber Platform, which means that if we add a feature or technology there, it's available everywhere instantly. It will also allow us to scale effectively and efficiently. As I said, we have five operating centers, with the most recent one being Manila, that we opened, which means that we have five great pools of talent that we can recruit from and attract from, which will help us build the teams and the people that we need to scale to many, many more clients. At the same time, our operating model is built to plug in new services if we want over time. So I think you've seen from Natalie's story that the platform allows to plug in new partners and new technology. We can do the same with expertise.
We just put the new expertise into the security operations center, and all the other client-supporting roles, they just do what they do today for that last-mile delivery. So you can see, I think, how we can scale in size, but also the breadth of our service. And with that, I'd like to hand back over to the other Kevin for vision on the markets.
Thanks, Kevin. Okay, before I, we're gonna change track and get into what does it look like from a go-to-market strategy? But before I get into that, I just wanna come back to something that Natalie said, and that was about the award that we received last year, last week, and actually the significance of it. Now, Splunk, for those that don't know Splunk, they're a mainly a software-based cybersecurity provider. They were acquired by Cisco recently, around sort of $28 billion, so they're significant in size. As you can imagine, a global software provider, they've got thousands of partners across the world, but actually it was us, NCC Group, who won the Global Services Partner of the Year. And what that means is it gives us a massive uplift when it comes to actually going to market.
Because we've got the sellers, we've got the Splunk sellers, who, like our own sellers, they wanna cash a check, they wanna close a deal, so they're gonna go to the partner that is recognized globally. So it's quite a significant moment for us and recognition of the work that we've put in from that perspective. So as we look at our sort of go-to-market strategy, I'm gonna take you through where we've come from, but more importantly, where we head to. Now, let's just go back to the data that we saw earlier from IDC, obviously our technology analyst partner, who provide sort of an overview of the market. And as Doug said, every sector is pretty hot.
But when we overlay actually our NCC managed service revenue, what you can see straight away is we're successfully selling into all of those sectors. And while this is a global view, actually our go-to-market strategy is a lot more regional-focused for all the reasons that we've already heard, whether it's data sovereignty, whether it's certain requirements in a, in a country. So it really is tailored in, and, and recognizing that actually, while we can look at the globe and the numbers, it's not a one-size-fits-all world when it comes to it. But in addition to looking at the larger organizations, I think it's fair to say that we've also been successful in selling into the mid-market. Now, the mid-market, many people struggle with that, because in the mid-market, it's build once, sell many times, easy-to-consume services, easy-to-consume sales process as well.
We've had some great wins there, and we're seeing that constant growth coming because actually, if you're in a mid-market, your world has got a whole lot more complex now with multi-cloud, with supply chains. So gone are the days you sell in the mid-market and think, "Oh, those nation states, those criminals, they're not gonna attack us." I'm sorry to say it, they're coming for you. But as we look at our market approach as well, I think it's important to recognize, again, we're not selling net new all the time. So when we're selling managed service, we're always looking to take advantage of the current installed base that we have, where we've sold other cybersecurity capabilities into a client. And what this means actually is we leverage that cross-sell motion, leading to faster deal velocity and a lower cost of sale.
It's a unique advantage in this space. Now, if I just bring the vertical to life a little bit, we've heard about mid-market, we've heard about enterprise. So, in the mid-market, we've got a great example of a client, we refer to them as SURF. They're a consortium in Northern Europe, where we've successfully sold into that consortium. And we've been successful 'cause we've had a really easy-to-consume managed service offering. We've built it once, and we've sold it already over 60 times to 60 different organizations, and that's resulting in a considerable annual revenue, which is where we wanna be heading to. But continuing in public sector, you take the other end, and as we heard from Natalie, a university. Sometimes you think of universities, are they really that complex? Well, unfortunately, they are. They're large in scale.
They've got many different risks attached to it. Sometimes you've got some high-risk users that are trying to access the system. And where we've been successful, sadly, on too many occasions, is we've started with our digital forensics and incident response. There's been an incident, but we very quickly leveraged our cross-sell motion to bring our managed services closer to the client. Again, speed, lower cost of sale. When I look at the market and the trends, and I'm sure most of us open an email each day and think: "Well, do I trust this? Do I click on it?" So when we're looking through the criminal's eyes, they're pretty relentless. At times, they're not focused on a particular sector, they're just here to hit any sector.
But really, one that is, we see a lot, a lot of priority coming now is around manufacturing industrials and the operational technology. For those that have have sort of looked at operational technology, I'd probably best. describe it as being the much-loved, unloved member of the family that hasn't been invested, that has just been left there. It would never be internet-facing, it would never have the vulnerabilities. Well, most of this operational technology, it could be autonomous vehicles, it could be robotics, they're being attacked. Nation states know that's the quick route in. And guess what? Regulation is catching up fast. So we've got some great activities taking place there.
Now, as we start to look at the globe and our share of revenue, it's important to reflect, where did our managed security service journey began? And that was really two acquisitions around 2015, one in the U.K., one in the Netherlands, and that gave us a strong footprint to take the managed security service that we had acquired, start to cross-sell our other capabilities into that. And then, when we start to look at actually what's our distribution of managed service revenue across the globe, it sort of paints a similar picture where you'd expect strong penetration in the U.K. and in Europe, but identifies two areas where we've got great opportunities: APAC, North America. But let me just touch on the U.K. and indeed Europe.
These are areas where we've got a great install base. These are areas where our brand is already trusted. In the U.K., NCC, and in, for example, in the Netherlands, we've got our Fox-IT brand, both strong brands, seen as thought leaders, well regarded by governments. And, for those that had the opportunity, you would have seen some of our literature that we've produced, some of our thought leadership around the up-and-coming elections, and that's the type that draws clients in, is that trust. In these regions, we've got established go-to-market motions, so we recognize different motions between an enterprise and a mid-market. And we've been able to embed our operating model, where we've got our full capability, to cross-sell, upsell with the right incentivization.
Again, U.K., Europe, because of our penetration, we've been able to really get into the, the vertical focus, been able to talk about our UCP platform in the context of finance or in the context of retail, and we continue to build out our use cases. Then we got onto Asia-Pacific. For NCC, it's a small, it's a smaller footprint, it's a smaller market, and therefore, it's extreme focus and discipline that we adopt for that market. It's one where we're leveraging existing relationships that we've invested in. Now, that could be where actually we've invested in getting to a point where we've got a master services agreement with a financial institution. For anybody in this room that has gone through the enjoyment, should we say, of getting a master services agreement, could be six months' worth of work, but actually, you've got to use it.
And likewise, where we've got existing client relationships, or we've already invested in capability, it's about how do we leverage that footprint to cross-sell, upsell? And as Kevin alluded to, our global model means that actually we can service our tailor, tailor our service to, for example, clients in Australia, and this is a model where many other organizations really struggle to address, but I think we've got a strong model there. Let me just bring this to life with a, with a client, actually, in Asia Pac, where we have the existing contractual relationship. It's one that we've worked with through other capabilities for a number of years. We've built up that trust. We can understand the demand that they would that they would need, and as a client, they're government financial.
They've got about AUD 140 billion under assets under management. But we were able to look at understanding the risks, looking at actually how we could take them to a journey to a managed service, and ultimately, we ended up selling them a three-year deal. Again, leveraging that cross-sell. The reason why they chose NCC, it was our high quality of threat management and our ability to help them resolve challenges incident far quicker. And then come back to North America. We look at North America, and naturally, I think it's fair to say we're disappointed with where we are, as a business. 10% managed service in a massive market, but what a great opportunity. It is ripe for expansion.
If we overlaid NCC's footprint here of our global revenue, actually, it'd be about 40% of NCC's revenue comes from North America. So if we apply just some quick basis there, at the moment, we're doing around GBP 6 million of managed service revenue. Even getting to a point of matching our footprint of around GBP 26 million, that would be a massive jump forward. So what we're looking at doing there is, and you've heard, Mike Maddison talk about this on a few occasions, around how do we diversify away from perhaps the traditional services that we've sold in North America? But let's make sure we're leveraging those relationships on the way so that it's not all about net new. As you've probably heard a couple of times, a lot of managed security service providers have to win every client new all the time. We don't. Upsell, cross-sell.
It means that actually we're faster to convert, lower cost of sale. So how are we approaching that? To start off with, it's around brand amplification, making sure that actually we are a brand in the market that is known for managed services, not perhaps just the assurance part of the business. We're leveraging our digital channels to make sure that actually brand exposure takes place, and also outbound sellers to increase our top-of-funnel activity, so we can then start to qualify a lot more. We've got a dedicated mid-market focus and a team focused on nothing else but that mid-market. And at the same time, we're really looking at the skills that we have across our sellers to make sure actually they're representative of what we need in the market.
Doug will touch on this shortly, but we're also looking at, at other opportunities to grow quicker there. And finally, I'm just gonna bring this to life. Now, we've talked quite a bit about client stories, but sadly, more often than not, for good reasons, clients don't wanna be named. But I'm gonna name one, because this is one that really brings to life what we've been talking about so far. Now, Glory Global, I have to say that slowly, but they're a global leader when it comes to cash technology solutions. Now, Glory were coming to market for a managed XDR solution, and it's fair to say, like most organizations, they start a path of a normal standard procurement activity, probably takes about 12 months.
We were able to recognize that actually there were some quite early signs of financial headwinds, again, not too dissimilar in the market. We looked to take an alternative approach here and leverage the capabilities that we have across NCC Group. On this occasion, we built the relationship with the key stakeholders, not just the CISO, but the economic buyer, the customer champion, to get that really rounded view, which identified the need to help the client with their business case. We started an initial engagement with quite a low-level threat assessment to help them with that business case. But actually, whilst we started at fairly low level, it became apparent within a very short space of time that there was a live incident that we'd come across. I'm not gonna go into the details of the incident.
It's out in the public domain for you to read about. Thus, to say we deployed the full force of our digital forensic incident response team to really deal with the incident and then really help the client really quick get into remediation, but more importantly, that path to maintaining and establishing control of the network. But what that did do, overnight, switching from a threat assessment to a live incident, we built trust, and that trust is something that we took on that journey. That journey took us to a point of deploying early managed service capability, and ultimately, that client signing a three-year deal for a managed service with us, which we've expanded considerably already. Why is this important? Early client trust. We're the global partner to Glory Global.
If we look at it, we took a sales cycle that was gonna take over a year down to 3 months, and that's the capability we have. Doug, over to you.
Thanks, Kevin. I'm back. I'm back with my accent. Now, I've been told there's a soccer game tonight. And it, it is a soccer game, right? That's what we call it? There's a football match on, so we are going to... I'm just gonna wrap this up and talk about our future growth and why we feel confident in the next stage of our journey. Now, if I only had one slide to share, I'd debate whether to do the UCP, we've used a lot of acronyms today, by the way, I caught you guys, and I just did it myself, Unified Cyber Platform slide, or this one. It's really this one. This is where we're at. So in 2024, we delivered GBP 67 million-ish in annual revenue. 88% of that revenue is true recurring revenue.
That gives us lots and lots of confidence in what we think could be next year. Additionally, our average term for our contracts are three years, so I could've, happily, Guy wouldn't let me, keep, keep going here and shown confidence for future years, too, because the revenue is durable, it's resilient, it's highly predictable. We're experiencing a lot of growth. We grew 20% over the, over the, these most recent three years, and he stole my thunder this morning, but we also grew this previous year, 36%. It's been a really good year. Now, I will say also, importantly, the reason why we have confidence about next year is our final month, May, of this previous year, we delivered 60% more monthly recurring revenue than we did in the first month of that same year. Okay? Really good arc.
So we have a lot of confidence in our growth, and it really comes down to, I think, these four categories. Wanna build from our amazing base of clients. Now, I've been in this business a long time, and I can tell you net retention at 77% isn't good enough. It frankly isn't good enough, and there's opportunity for improvement. There's lots of reasons why it looks that way. You heard a lot about how we've pivoted our strategy. We think the changes that we're making are gonna change that number. But to put that in perspective, if that was 90% for last year, we would've been GBP 5 million better last year than we had been. So think of the opportunity if we can execute better in that category, and that's despite a really high client satisfaction rate and a pretty good win rate.
Next, growing the market through increased demand. We're really well known in some categories. Our testing services, we're really well known. Incident response, really well known. Managed services, we're getting the brand out there, but we're closing at a pretty good rate. 37%, I would say, is market, maybe slightly better than market. If we can drum up more opportunity, there's lots of opportunity in brand-new customer acquisition.... The Unified Cyber Platform has put us in a position to do cool new stuff. Talked about the pilot on the attack surface management capability. That is gonna deliver revenue in 2025. We talked a little bit about operational technology, that is really just starting to explode as we speak. It's a huge opportunity we can deliver in that category now. Identity is another example. The point is, we've built a platform to go expand into, into new things.
It's gonna. Our customers, our clients, are telling us they have these needs. We're not just rolling out of bed and saying, "We should go do these things." We know if we do them, we do them right, we can expand our footprint with them. And then lastly, there's clearly an inorganic opportunity, and we are in a really good position to take advantage of an inorganic opportunity. We've built a global delivery model. It's consistent in the way that we do things. We now have a single architecture that's built on a modern way of doing things. We can absorb a transaction, and we can take on that transaction and benefit from it. We know the geographies that are appealing to us. We know the client segment that's appealing to us. This is truly a really good opportunity for us, and we're ready for it.
So I do, I do get stuck with this story. I do this all the time. But I would say we've had awesome people. We've always had awesome people, and they've really, they've really carried the water for us through all these years. But now, we've built a foundation, we're ready to grow into the future, and the technology has really caught up to where we can go. And we're just, we're just on the tip of the iceberg on things like Gen AI, and it is gonna be transformative. So Kevin kicked off, and he said, you know, some key things, and I wanna come back to them, and, and I hope that you heard them today. I certainly feel strongly about them. We are, we believe, strongly in a high-growth market. We are reacting to the market with demand from our clients.
We are aligned to the market demand. I think there's evidence that we're good at what we do. There's opportunity for improvement, and we've taken the feedback from our clients and made decisions based on that. We're in a really good financial position to go forward and feel confident about the future. All those things together make us think that we can continue to grow on the arc that we're on today. So that's it for us. With that, I will hand over to Guy, and he will run us through any potential Q&A.
Thank you . Thanks to the team. For those of you who don't know, I think I'm Guy Ellis , CFO. Mike would have loved to be here today, but-
You need to go to hang with Mike.
In his absence, I'm gonna stand there, they need someone with some pizzazz. Unfortunately, Rishi and Keir are otherwise engaged. They went to the CFO of Decidueye, so I'll try, trying to live up to the quality of their presentation that's been so far. The team are gonna join us here. Two bits of housekeeping. I guess the elephant in the room is, we obviously did our post-close announcement this morning. I'm not gonna take Q&A on the broader business today. We've got a full presentation on the first of August, when we'll give our strategic update.
If people want to talk to me one-to-one afterwards in terms of any specific questions on the year-end results of the overall group, very happy to do so, but I don't want to kind of starve this team of some oxygen to talk about what we're here to do today, talk about in terms of MS. When we come to you in terms of Q&A, if you could, particularly for the benefit of the people who are online, state your name and company, that would be very helpful, and give the question, and then we'll do our best to answer it. Oh, sorry. Can we go to Julian first? How many questions, Julian first? Remember last time.
Three. Three with multiple parts. Two quick ones. Acquisitions, could you sort of outline the areas that you think you are missing, in the pack that could, I guess, open you to better growth prospects going forward? Do you need them, or are they sort of just options? And, last question, margins. Lots of talk about revenue growth, but nothing about profitability. Are you happy with profitability? Should we be seeing a 10% sort of managed services margin, kinda as per the industry? Any comment on that would be helpful.
So I'll answer the question about margins, and then maybe we'll come to Kevin in a second to talk about the acquisitions point. So we are, as people will have seen this morning, our cyber margin for the second half of the year was around about 38%. That was actually probably a record level of gross margin. We see greater level of variability of gross margin within our client base and between our four capabilities. If that makes sense. So I am steering away from giving what the direct gross margins of each of the capabilities are, other than to say, managed services is in line, absolutely in line with that overall gross margin and doesn't dilute as managed services grow, outgrows our overall cyber gross margin.
So my roundabout way of saying it's broadly in line with the average gross, you know, with average gross margins as things stand.
Could I ask that question a different way? With the unified platform, should we be assuming expansion possibility from where it is at the moment? Does the model operate like that?
Well, that's for Doug. Do you want to answer that bit?
Yeah, just say that last bit again.
I think the question-
With the Unified Cyber Platform, UCP, that you've got, does that give more scale advantages and hence margin expansion from where-
Yeah
... the business is at the moment, or are you happy with where it is at the moment in terms of a profitability?
No, no, we're on a journey, right? You can't just migrate hundreds of customers overnight into that platform. And there is some legacy technology. There won't be legacy technology very soon in the future, and so obviously, as a result of that, we'll be much more nimble, we'll be efficient, we'll be at one way of doing things. You'd expect I'd be in big trouble if gross margin didn't improve.
Thanks.
I think, let me just add a further bit to that as well. I think that what our Unified Cyber Platform does, it unlocks our global opportunity of how we serve clients. So traditionally, because it was alluded to, we had, like, five stacks that we were serving clients. So if you were in Australia, you could only be served by the Australia stack, so everybody had to be there.
The Unified Cyber Platform means that actually there is a lot of activities that we can deliver from more effective and efficient locations tailored to the last mile. So it really does unlock that. And then I think coming back to the acquisition, I think it's a great strategy. Mike has spoken a couple of times to say that actually we're if we find capability that's right in terms of market, that is right in terms of the client type that we're looking for and would be a good strategic fit into NCC, it's one that we are gonna push forward. Obviously, we've looked at some of the revenue share at the moment, where we've got strengths, where we've got opportunities.
North America is one where absolutely we, I think it's one where strategically we've got options to accelerate our growth there.
Tech holes?
Sorry?
Tech holes within the service, within your suite, anything glaring?
No, I think it's more about penetration. We're always gonna be looking at new technology, and I think as we've already heard with our Unified Cyber Platform, actually, we've built a core platform to better serve our clients, which means that actually we can integrate other technologies quicker. So I think we've got a robust strategy around the technology, the offerings that we provide to clients. We're always gonna look to add to that, but we're gonna do it in a very focused and disciplined way.
Thank you.
Obviously a big market-
Sorry, sorry. Could we do name and company?
Sorry. Max Royde from Kestrel Partners, shareholder. Obviously, it's a very big market. You haven't talked today about competition really at all. You know, when you get down to the last two or three of an RFP, who are... You know, who do you really worry about?
Okay. Doug, do you want to take that?
Yeah, yeah, I can give that a go. Boy, that's a tricky one, because it'll vary by, it'll vary by geography, it'll vary by customer type. We had the one slide where I whizzed through. So if you're a large, complex opportunity, you might see an Accenture. If you're talking about a mid-market organization who's very cost conscious and needs a comprehensive end-to-end solution, you might more likely see a BlueVoyant. And then you also have lots of boutiques, have, you know, a foothold, and they're quite good at what they do. And so it's, it's hard to say. This is one of those ones where it's hard to say, those are, it's them, because it will vary by opportunity. But I will say that there will be competition on virtually every deal. There's no doubt.
It's a very hot space, and competition and other organizations are invested in it as well.
Hi, it's Charlie Brennan from Jefferies. Just three relatively quick ones, actually. Firstly, just a clarification on the numbers. What's the difference between the net retention rate at 77% and the recurring revenues in the 80s? I would've thought the recurring revenue would've been the net retention rate.
Yeah, so they're... I'll give it a go. They're two separate things altogether. Recurring revenue is what is the true recurring revenue, so a contractually committed monthly recurring revenue that you can count on over some period of time. So of all of our revenue, the GBP 70-odd million or GBP 67 million, whatever, whatever that was, 88% of that revenue is not one-time revenue, it's recurring revenue. Net retention is, we had this many customers spending this amount of money at the start of the year, at the end of the year, they were spending that amount of money.
So that is out of every 100 clients, 77 we'll retain come the end of the year, 13 might have come to the end of their contract and either stop the service-
Yes, but you're talking, but we're doing it on revenue, so we're being very clear. It's, you know, you could have...
Yes. So retention is how much of those folks spend today versus what they spent at the start of the year. That's what net retention is.
23% churning every year feels like a big number. Like, what's the biggest cause of that churn?
I'll just keep going, I guess. Yeah, I mean, I think it's competitive. I mean, renewals also go out to bid pretty much every time, so even a renewal often feels like a net new opportunity. But I think for us, as we hopefully made somewhat clear, we had an inconsistent solution suite that wasn't necessarily meeting the client outcome, which is why we said, "Hold on, what are we doing really well, and what should we do well in the future and take advantage of?" And that's what drove the Unified Cyber Platform, that's what drove our global operating model, that's where we're looking at common consistency, and you're starting to see that come through in the customer sat numbers. So we expect that to improve based on the decisions we're making.
And some of that, again, and apologies, you tell me if I'm putting words in your mouth here which aren't right. But if we come back to the slide in terms of the multiple solutions available, if we were to look at this business two, three years ago, we didn't have multiple solutions available to a client. We would be pushing a solution-
Correct
... which sometimes suited us rather than the client.
Yeah.
So that's why we're very confident in seeing an improvement-
Absolutely
... in that retention rate, because actually we're more client centric. You're leaning on Mike's words that you've spoken about in the past, about providing the right solution for that client at that moment in time.
Let me just sort of bring this to life, actually. It was, and I know we've had lots of discussions about this one, Doug, but I guess a client that I sort of first encountered when I joined NCC, was on the verge of leaving us. They wanted a global model. We could only service them locally. Actually, the technology that they wanted, we actually had to do it in a totally different time zone. So you're sat there as a client, you've brought a managed service, but actually I can't speak to my local SOC because they're not on board with that technology. So that, coming back to those strategic investments, that service improvement, actually we can unlock our global capability. So if you're a client, let's say in Australia-
... actually, you can have the right technology delivered locally through our global model. And that was a client we actually saved in the end by changing to a global mode.
Maybe I'll keep going. Some more questions. The next one is: does this cannibalize any of the other revenues within cyber? So if I'm a managed services client, do I need less technical assurance, or should we think about them as being totally separate?
Kevin, do you want to take that?
Yeah, I think so, so first of all, I think this is additive all the time. Coming back to our, our capabilities, how do we grow our share of wallet across our clients? I think managed service takes us to a new level, level, and it gives us also a different revenue stream in terms of a client. So it's, it's not, it's, it's not the unpredictability or the volatility that may come with, Am I gonna have some consultancy or I need some servicing? I think, one of the reasons why we've, we've launched our attack surface management is to make sure actually we're recognizing client needs. And when we look at perhaps how clients used to test, historically, it was more perhaps a point in time of anything inter- sort of internet-facing. Now we've got technology that's gonna be able to do it.
So I think over time, there'll be a natural transition, which we're, I think, ahead of the curve of, in terms of using the right technologies to provide the right level of service based upon the client needs.
It's just coincidental that you're growing strongly and technical assurance isn't?
Yes, I think that's fair. We're not seeing clients saying, "Oh, I want less pen testing or all that-
Yeah.
because I'm delivering that solution a different way.
And then the last one, promise. Like, loads of people can go and buy technology from Splunk and Microsoft and Rapid7, and build a platform. That doesn't feel uniquely difficult. Can you just talk a little bit more about the intellectual property that knits this together? And I think you said 40% of the threats that you catch are from your own intellectual property. Can you just put some more flesh on that for that?
Who wants to take that? Are you gonna take that, Natalie?
Yeah.
Great, thank you.
I was hoping others can chip in. So, yes, in a way they can. It's very difficult to do that if you've got that choice of technology. They would be more restricted to kind of one flavor, if you like, and then having to select that. So there's a number of different parts to it. One is that effectively, then we can layer in those different solutions, which you would be restricted to, to do today. I think it isn't easy to do. It does take expertise. For those that can, obviously, we bring the economies of scale because we're doing that across a number of different clients, so that's a different aspect. But as you say, we layer on top a number of different things, and it does vary depending on the actual service that we're offering.
But you take the technology, most of our clients will take multiple... I mean, the average is tens. It's almost in the hundreds, depending on the client. So they are not picking one or two technologies, so it is difficult to knit together. We layer on there a few different things. So one is that 24/7, so that monitoring it all the time, which you've got to be fairly sizable to be able to do that efficiently yourself. You mentioned that IP, so we do that in lots of different places. So partly that, the threat intel that we bring in. So we've got teams that do this specifically today. They'll do that on a sector basis, so that's very kind of easy for our clients to consume. And then you mentioned that, our detection engineers, so they actually code...
You called them our detection engineering team. I refer to them with that 40% figure. So it's the same group of people, and effectively, they're a bunch of engineers who we pay to code software, to test software, and that finds more threats. So if you take it out of the box, you're using whatever it is that supplier had designed at the start of their cycle. We're doing that continuously all the time, and we're deploying it. So you're slightly ahead of the curve all the time because we're doing it ourselves. So the important thing there is that speed to response, but also the quality, 'cause what you don't want with all of the alerts that Kev had on his slide, is you don't want false positives. So it is quite easy to get those false positives.
You spend time looking at those. You've been distracted from what actually the real problem is. Because we've got all of that IP and all that enriched data, we get very, very few false positives, so when we're talking to a client, we have that greater confidence. So it's absolutely true to say you can do this yourself, but it's difficult to do it as efficiently as it is for us to do it at scale. That's ultimately why lots of people use a managed service provider. You know, then why the market is so competitive.
Yeah, I would just say that's underpinning the whole Unified Cyber Platform strategy, which is everything from, we found a thing, some piece of data that you care about, that we can actually tell you what if it's meaningful to you, through to we can protect it in real time, and if something happens, we can help you defend it in real time. And storing all of that in one place with the context of all the sources from the client that we have and the data that brings to bear, that we can weave that story together to make it relevant to them, so that we know we're taking the right action.
Plus all the other information we have in the world from our testing services and our threat intelligence, and all of that will tell us, "Actually, that's a thing," or we could say, "Actually, it's not a thing." Which if you go back to Kevin Jonkers 's slide, that's how you get down to, well, geez, there's, there's hundreds of millions of alerts, but actually, the customer is only seeing 0.001% or something. And that's ultimately where the value comes from. And you can't get there by just managing technology.
Thank you. On the other side.
Thank you very much. Melwin Mehta from Sterling Investments, shareholder. Over the last 12 months, really very happy to see Mike give some new energy to the team and really realize how sloppy the previous management was.
But, basically, coming back to the panel, who have really managed to show very well and made a very good presentations. On one hand, I'm totally, totally convinced of basically, really, you're pushing an open door. You know, no CFO or under cost-cutting disguise can say, "I don't need cyber." On the other hand, we've got NCC who understands basically this space like nobody, nobody better than the market. And I was kind of, I would expect kind of more organic growth without acquisitions. So why are we not able to grow organically? Is the market getting very price-conscious, and we've got a particular pricing below which we don't quote? Are clients trying to kind of do it themselves? I know, I'm sure there are multiple reasons-
So-
but probably the one line an
Let me try and answer part of that question.
Please.
So I think one of the statistics we talked about for the first time at the half-year results is the fact that 76% of our clients who spend more than GBP 250,000 a year take multiple services. So there has been quite a... and you probably expect me as CFO to kind of say it. We have focused, quite understandably, on cross-selling all of our services to our existing client base, and that has been enormously successful in the U.K. and in Europe from a managed services point of view. The thing we talked about earlier, there's clearly an opportunity to improve our sales cadence in North America, and that's very much a focus for us.
As we kind of, I wouldn't say we have utilized all that opportunity of our existing client base, might switch to margins , but it becomes harder and harder as you sell more to the existing client base. So we have to actually improve our overall go-to-market and probably drive more top-of-funnel through our website and through top-line marketing activity. That has not been our priority to this point. I think that's fair to say, isn't it, Kevin? We spend, you know, no one's asked the question, but from a pure marketing spend on top-of-funnel, we probably spend less than 1% of managed services revenue on pure marketing for top-of-funnel right now.
It's clearly a great investment to start looking at improving that, improving that number and starting now that we've made the most of the existing client base, to turning that dial, that number, to create effectively to get more, as it were, greenfield clients, which is what we will focus on now that we've gone through a pretty hefty year of transformation in terms of not just... You know, this team have brought together managed services as the first true, probably the most globalized capability that we have inside the four, the kind of the flywheel of four that we talked about earlier on. This is, I think these guys are leading the field in that sense internally. So now we start moving to the next stage.
So I think it's about how quickly we can go and being focused in our execution, given everything that's gone on. So there's maybe a little bit of an internal dynamic there as well.
Yeah, and I think just to add to that, I think that we're at a point where we've got a fantastic, solid foundation now. So I think it would be remiss of us if we didn't consider strategic options to accelerate that growth. If we were 12 months back and we've still got sort of spaghetti of how we're serving clients, I think quite rightly, people would say: "Well, why are you even bothering? It's a distraction." But actually, we've got that foundation. You've heard we've got solid operating models, we've got fantastic roadmaps, and actually, we can consume something that would help accelerate that growth even further.
But what we're not doing is we're not gonna sit and think, "Well, that's our only way to grow." As we've spoken about, like North America, absolute relentless focus now to continue to grow that organically whilst we look at strategic options. So I think it's a really exciting time for us.
How have you strengthened your sales team? Can you share some?
Yeah, absolutely. This is a journey because actually, this is not a point-and-shoot market. We're selling trust long before we ever get to talking about the offerings that we have. So it's about investment in those client relationships. Traditionally, in North America, it's been quite transactional. We've dealt with a lot of the large tech companies where it has been, "We want a service, fire it off." So there's been a change in some of our sort of field sales, the skills, the requirements, the methodology. Like, we're just timing, starting to take our sales team through what we call a MEDDIC methodology. It's a proven sales methodology as opposed to more of a transactional.
But let's not forget the role of our consultancy team in this as well, is making sure that actually our consultants are engaged far earlier in any sales cycle because we can get a consultant engaged. Actually, they can start to build a roadmap with the client. Actually, if we can get the client to a point where we don't need RFPs, it's cost the client a lot of money. If we can demonstrate that early value, it means that we're on that roadmap already. So I think the journey of our sales colleagues is one that we're into it, we're transforming. We're gonna have different sales motions, depending whether it's a mid-market, whether it's an enterprise client, and again, great opportunity for us.
Is it worth just adding-
Okay
... what we do in managed services specifically? 'Cause we've bolstered that by realigning our solution architects team to the sales team, so they start to build a relationship. But it's the same thing, we bring them in just that bit earlier 'cause we know once they're talking directly to the clients and they really understand the solution, then we stand a much higher chance of closing it. So we've removed a few internal barriers just to bring them in much earlier in the sales cycle, which works really nicely for us in managed services.
Got it. Thank you. Any more questions? Who has the next question?
Hi. Hi, hello. Seb, also from Kestrel Partners. I suppose the way you describe onboarding customers, you make it sound quite simple sometimes, where you, you download a piece of software and then, you know, monitor it, and then, then you sell them a managed service. And the way you refer to the customer, you know, Glory Global, again, it was quite a rapid sales cycle and a rapid onboarding process. You know, compared to other IT services, which is often open-heart surgery, it, it feels like the polar opposite. But, but, and maybe that plays into the reason that the customer retention numbers are quite low. Is it quite easy just to, because you're not heavily integrated, for people just to pick off bits of business and experiment and, and, you know, steal customers from you?
Can you talk around how that might change a little bit over time?
Yeah. I'll let Doug take this.
I'll take, I'll take the last bit. I think that was very-- that was a very astute observation you made. And it, it is true that it's slicker to implement clients than it's ever been before 'cause the technology's become more powerful. And so the old days of a client saying, "I'm just gonna renew, and I'll be there for 15 years," it's not, it's not quite true any longer. So it's that much more important that we're delivering value through the process. I do think you're absolutely right, that does affect net retention.
Yeah, there's one thing, this sort of links to an earlier question. I think if you look at a lot of the RFPs we're getting now that the market is growing but also maturing at the same time, is that clients also start to figure out that, "Hey, I could buy the technology or a vendor that just brings me that technology with a bit of service." But they start to ask more and more specific questions, even in their RFPs, around: What do you do for service improvements continuously? How do I make sure that if I enter a 5-year contract with you, you're not still doing exactly the same thing in 5-year time, but it's up with the market trends at that point? And I think it's...
So the reasons we sell or are selected by our clients are changing from, "Oh, it's this technology," or, "It's the best-in-class thing that you can deliver," to more: What is it that you do as part of that service that is a differentiator for them?
Can I just add an extra piece? I mean, yes, I mean, obviously, we've tried to describe it as simple software, and it's perhaps less so. But we again, it's the ethos. So partly, we provide a service delivery manager to work directly with our clients. There's a fair bit of prep that goes on to make sure that we fully understand their estate, and we'll often use that during the sales cycle, actually, to start pre-planning. But I guess crucially, we also try to get to value quickly, and it's value for them, not for us. So it's that 80/20 rule.
You can often do 80% of the deployment and start to provide quite a bit of protection for them at that point, and then there's that really thorny 20% that we'll then do over time. So your open heart surgery is bumped to the back end, if you like, but you're already seeing value, and you're already seeing sort of that element of protection. So it's an ordering thing, which is not linear. It's about getting to value for them sooner.
Okay, thank you, Natalie . Just to wrap that up very quickly, we talk a lot across NCC about client centricity, and client centricity is that continuous relationship demonstrating business value all the time, and that's the key to us improving our retention. Okay, I think we've got time for-
We've got a written- If you want, one written question, and then we'll draw things to a close, and we'll be available in the room next door for more Q&A, and the public affairs team will also be here to talk about what we do in that space as well, for people who want to chat with them, are able to have a chat with them. So online question, please.
Perfect. Okay, so we've got an online question from Vishal Bhatia from J.O. Hambro . He says: Could you see NCC going into managed services RFPs as the specialist cyber partner with any of the Big Four audit firms, given they seem to have more communication channels open at the board level?
So I'll touch on that one briefly. And look, I think you're—it comes back to actually what are the service, 'cause we can offer that true strength of global capability, and I think what we see and what we hear client feedback is sometimes you look at the Big Four, and you say, "Yes, global organization." But actually, when you get into it, there is a risk they can't operate globally. There is a risk that actually they come up against conflicts of an audit. But it comes back to really what that client demand is, and as Doug alluded to, there's lots of people who want to operate in this space, who will be competitive in some of those bids.
I think it's more about going to the strengths that we have of NCC, really getting into understanding the client requirements, and if we get into a blind shootout on an RFP, then it's not an RFP we should have been in. It really is around getting up front, understanding those client requirements, and really playing to our strengths. Doug, I don't know if there's anything else you want to add?
No, I think that's exactly right. Nothing to add.
Okay. I'm conscious it's now exactly 4:30, which is when we planned to wrap up. So I would like to say thank you very much indeed to the team on the stage for doing a great job of presenting today and taking your questions. Thank you all. And the people behind the scenes as well, most notably Yvonne, who's been with the team, supporting them through this process, too. So thank you very much indeed to Yvonne. And thank you, everybody, for making the time today to come and listen to what the team have had to say. Hopefully, we've done a fantastic job about articulating what clients want from managed services, what it is, why we're good at it, and why there's a very, very compelling case for this growing long into the future with NCC. Thank you very much indeed.