Good morning, everybody. Thank you for joining us here, everybody in the room, and also online, at our Manchester HQ on Friday the thirteenth. I'm very hopeful everybody listened to the excellent health and safety briefing. Let's hope Friday the thirteenth doesn't actually prove to be a terribly tricky day for us. This is a significant milestone for NCC Group. I'm incredibly excited about the fact that we're here today. It has been something that we have been working towards for a very long time, and that is to be able to talk to you today about the direction of our cybersecurity business, which is massively informed and contributed to from our strategic view, which we, as you know, are undertaking.
Following this, we're continuing to speak to colleagues over the coming weeks to share with them the excitement about the vision, where we're going, as we can now talk about NCC Group as that streamlined business rather than the two businesses of old. A much more focused NCC Group. Now, that said, today, obviously, I do want to remind you that we are in an offer period and therefore somewhat constrained by what we, the team, can say on forward forecasts, etcetera. Thank you for joining us. Let me just give you a bit of an overview of the agenda for today. We'll start with a bit of a tour of our journey and the vision for the cybersecurity business. We'll then look at the market dynamics which is shaping demand for cybersecurity services.
From there, we'll bring to life, NCC today, our capabilities, importantly, our clients, and what differentiates us. Then we'll discuss how we'll be scaling the business and how we then think about capital allocation. Now, I absolutely plan to limit my time on stage, so I am very, very pleased to be joined by Guy Ellis, our CFO. We've got Peter Vorley, our Chief Commercial Officer, responsible for all clients and markets, and Damian Child, who leads all of our services and capabilities globally. Great to be joined by the team. I actually can see the rest of the ExCo in the room. We've got Michelle Van de Velde, our CPO, got Richard Shelton, our Chief Transformation Officer. We've got the whole gang here today. A bit about that journey.
We'll share more detail over time, but I think this is an important element to recap. Let me just leave you with, if you were to leave here with five things today, what would they be? I would say we want you to remember that we are now a pure play cybersecurity business. The reset's complete, and we can really now focus all of our attention on that opportunity. There is a large durable market with demand that's subject to strong tailwinds. NCC is able to differentiate itself through, in that market, through the expertise, our IP, and the trust we've got within the market and our clients. We've got a scalable go-to-market model, which is able to drive mix of services, our margin, and importantly, predictability. There is very clear value upside from executing in a rerating.
Those are things I would like to talk more about today and you take away from the session. Before we do that, let me just try and recap a little bit about the journey. I know this will be familiar to many, but it's important to briefly step back and explain how NCC Cyber's business has evolved, because the shape of the business today is very, very different from where it was a few years ago. Now, as I say, this may be familiar to many, but I think it's important to recap because the team has delivered absolutely huge amounts of change to NCC. Historically, the business operated as a set of isolated boutiques. There were independent geographical divisions, duplicated processes in those divisions. There was limited financial visibility.
We had a significant concentration in our large technology clients in the U.S., which many of you will be aware. Over the last few years, we've been very deliberate in reshaping the group. We've simplified the portfolio and focused on areas where we do have differentiation, and where we're seen as a sovereign asset. That's a very, very important point. We are really seen as a jewel in the U.K. crown from a cybersecurity capability. As I said from the beginning, our focus is now very much on that cybersecurity offering. Today, NCC operates as a unified global business. We have absolutely fundamentally changed the way we deliver. We have made huge strides aligning our tech stack, particularly in managed services, giving us the ability to innovate and invest. We've matured our approach to pricing and streamlined our back office processes.
We've focused on developing our core cyber capabilities, capability areas, and indeed, really importantly, built entirely new ones. We've divested non-core activities. The result is we have a simpler, more focused, and scalable operating model that is designed to support consistent execution and sustainable growth. I hope we are demonstrating we are shifting from being the transactional single offering, i.e., the pen test business many of you will be familiar with. To one able to land, expand, to solve complex client problems, and to deliver strategic outcomes for clients. Now, Peter, in a moment, will talk about our 1-4-20 strategy to embed this even further across our markets. Now, I'm not complacent. I think we all know it's been tough. I think it is important to reflect on the amount of change that this team has delivered.
It's not been easy, it's not been a smooth road, but it clearly shows that we are determined and demonstrates our focus on execution, and ultimately our intent to increase value for shareholders. As a result, let me try and take you into our vision for the future. Today we're talking about NCC Group as a pure-play cyber resilience business. We are deliberately focused on being cybersecurity professional services business. Now, just to emphasize, we are not a broad IT services provider or a software business with cyber as one of its many, many offerings. We are absolutely a people-powered and importantly tech-enabled business that combines deep technical expertise with scalable delivery and insight-led services. Now, that focus allows us to support clients across the full cyber life cycle, from understanding risk, to building resilience, to responding when incidents occur.
We have a breadth and depth of technical knowledge that is incredibly difficult and hard to replicate in anything like a short space of time, and that allows us to deliver an end-to-end solution from advice, to design, to implementation, to operate, and then assurance. We talk about that as our flywheel, where we can engage with clients at any part of their cyber risk journey, and this is a crucial point that I made about relevance and strategic and long-term impact to those client engagements and scaling relationships with our clients. Now, we deliver this through a global operating model, which many of you will have heard us talk about, and we have more certified experts within the business than any other pure-play cybersecurity provider globally. Importantly, that depth and breadth of skilled expertise is what underpins focus and trust with our clients.
We are trusted by some of the leading companies and governments because what we do is not peripheral to our strategy, it is our strategy. We are a cyber company. Now, if I take a step back and think about the market, and maybe just share some perspectives and why we believe it is structurally attractive. The first major tailwind that we see is the digital revolution affecting every aspect of our lives, which is seeing the attack surface expand as businesses, governments digitize more of their operations, their supply chains, client and citizen interaction. We all see this, it's all familiar to us. It affects every part of our life. Now, AI is a case in point, and I'll cover this explicitly in a moment. Second, the age of unreliability.
It goes beyond the just uncertainty we've always lived in. The world is changing dramatically now, and the number and sophistication of cyber attacks continues to increase, and the causes of those are numerous. From the geopolitical, we've recently seen a case in point where an attack from an Iranian linked organization focused on medical devices. This is making it harder for organizations to manage risk internally. It's difficult, it's complex. There is the ability for cyber criminals to monetize their crimes. Ransomware is probably the most obvious example of that, and I think it goes without saying, you know, you can look at the examples of Jaguar Land Rover, Marks & Spencer. The ability to commit these nefarious acts are enabled, and can be done globally due to the interconnectivity across our organizations.
Of course, increasing digital activism is a way for organizations and parties to make their point. All of this means operational resilience has become an issue needing greater focus from leadership at every single layer of society, from government right through to boardrooms. As a result of that, there is an increasingly complex regulatory environment and a persistent shortage of skilled cyber professionals, which is pushing organizations toward trusted third-party providers. Put together, all of these factors create a market where demand for security services is structural, and we believe growing, and the data, I hope, will support that suggestion. As I say, we are undertaking a strategic review, and that has been incredibly helpful in helping us define our focus and to build the datasets working with external partners.
That's given us those data insights and independent analysis, some of which we will share today throughout the presentation. But it does give us the view of the market opportunity, how we can win significant share of wallet, and why this is a really exciting opportunity which is ours for the taking. Let me give you a few points. In 2025, the market opportunity is estimated at around GBP 5-6 billion in the U.K.. It's estimated to be EUR 23-25 billion in Europe and $55-60 billion in the US. Now, importantly, only half of this market is currently assessed as being penetrated or shifted to service providers. Therefore, a lot of organizations are doing not enough, or it's been done in-house. This indicates a meaningful white space for providers to grow into.
It's also clear that the opportunity spans all of the capabilities, and as we talk later on in the presentation, we'll talk about why we've actually built and what we have built to capitalize on that. It shows there is a significant addressable market in all industry verticals and market sizes, many of whom are underserved. This is really important in terms of how we then service the client base, which Peter will cover. If I look at the markets in which we operate. Across the U.K., U.S., and Europe, the market is forecast to grow at around 8%-10% per annum over the medium term. That translates into a meaningful market expansion in market size over the time. However, the growth in capabilities does vary, and this is very important to take away.
It underlines why diversity of capability is important and why we are focusing on establishing capabilities not previously in the NCC toolkit. I point specifically to consulting and implementation services, which is growing more quickly than Technical Assurance. This is important to de-risk the dependence on a single proposition. A very colorful slide. I'd also like to emphasize that this is market data from L.E.K.. It's not an NCC forecast, I have to say that. But it is useful to consider as it reflects an underlying demand across both regions and capabilities. It's clear we're in a large, growing, but very fragmented market with a very long tail of providers. To give you an example, NCC is a scale provider in the UK.
We have the most diverse and mature set of capabilities, probably our greatest market penetration of any of the markets we operate. That's why we are a large provider versus the rest of the market. We're probably the largest pure play, to be clear. There is a lot to go after, and we do believe that there is likely to be a degree of market consolidation in the future. In the other geographies we operate where we do not have that level of diversity of capability, so the U.S., as an example, is predominantly Technical Assurance-oriented, or in Europe, which is predominantly Managed Services. I think that gives us a huge degree of excitement about the relative scale of those addressable markets, but also the opportunity that presents for us.
It makes our strategy incredibly clear and underpins it, which is to have those diversity of offerings to bring strategic impact to clients. Guy will talk a little bit more about that in a moment. AI, I know this, I mentioned this and that I said I'd touch on it, and I think it is important. It's a question we're often asked, does AI represent a risk or an opportunity for cyber services businesses like NCC? Now look, we're not complacent, and I've been in the technology industry for a very long time, but technology is always evolving. However, our view is AI is ultimately more of an opportunity than a threat, and I'll try and explain why. It works within our existing model.
It's not against it, and indeed raises some very interesting and exciting opportunities within it. To try and bring that to life, we do believe AI will disrupt commoditized, single point solution, single dimension providers, in the market. Now, that doesn't come as any surprise. It's like every other automation initiative in technology history. I don't think if I said anything else, I'd be particularly credible. However, there are a couple of really important other aspects. Firstly, AI allows us to automate elements that we deliver, such as scanning, analysis, reporting. All of that improves productivity, speed of delivery. The need for assurance doesn't go away, but delivery changes. Humans, however, have to be in the loop, and human-led assurance still matters, particularly where judgment, regulatory interpretation of complex environments is involved.
When we combine AI productivity gains with our global delivery model, we create a structural cost delivery advantage. AI strengthens the economics of our business. It supports outcome-based models like Testing as a Service and reinforces rather than disrupts our core proposition. We've already launched Testing as a Service. This is not something that needs to happen. These are things that we're already doing. Secondly, this again I think is maybe something that is often overlooked. It's clear that it's coming, and it's already being deployed in environments. It's often at pace and without a degree of control. It's also very often in environments where the architecture was not designed for it. As a result, AI creates significant new vulnerabilities, the opportunity for us to provide services which we have already launched.
I would say again, this is not something we're going to do. This is already being done. Currently, automation alone does not replace judgment, and I think there's an important point where regulators are increasingly mandating independent human oversight, again, which plays to our strength, and capabilities. That dynamic plays to our strength as a trusted, people-powered, but tech-enabled cyber partner. Let's be honest, somebody has to write the prompts. Now, I hope that provides a broad context for the market opportunity, and I'm going to now hand over to Guy, to talk through some of the numbers of where our cyber business is today.
Thank you very much indeed, Mike, and good morning to everybody. I'd like to talk about the numbers for NCC and some of the data in a little bit more detail now, before moving on to think about how we think about the economics of the business. The cyber business is now clearer in terms of disclosure and more resilient in terms of financial structure than ever before. These are the key statistics of the cyber business, and it's for the year to the end of September 2025, which is the latest information I can give you due to our offer period constraints and rules at the moment. Our annual revenue was GBP 227 million, with a gross margin of 36.6%.
Managed Services, those recurring revenue that Mike spoke about, now accounts for just over a third of the cyber total in revenue. Consulting and Implementation saw growth in the full year last year of 16.6%, and this momentum has continued. We operate out of 13 offices in 11 countries, servicing over 3,000 clients. Our top 100 clients by revenue value have an average tenure of 10 years. They clearly value the services provided by our 1,800 global colleagues, supported by key vendors such as CrowdStrike, Horizon3.ai, and others. Let's look at our operational footprint. My takeaway here is that, yes, we have a global presence of sales and technical specialists, but it is one which is now operationally interconnected and consistent to support our clients' needs and leverage our global model.
We flexed our property estate to our current global working patterns and our clients' needs. Support functions are now centered around Manchester and Manila with single global processes, and we now have the opportunity to drive further efficiencies inside those processes. I was delighted to be back in Manila a few weeks ago and see for myself the growing team. We now have circa 240 colleagues based in the office there. Damien will talk a little bit more about this, but it's great to see global collaboration at the heart of our business's growth. The team is quickly establishing themselves in Manila, developing and nurturing relationships with local networks such as IBPAP and the British Ambassador and Embassy too. Those are some of the financials and some of the stats. Let's look at the strength of our geography and capability revenue mix now.
The left-hand chart here shows our geographical split. The U.K., as you can see, is our largest, and as you will see shortly, our most developed market in terms of serving multiple capabilities strategically to our clients. It accounts for 56% of our revenue. North America has 25%. The EU, very much Benelux-based, 16%, and Asia Pac, 4%. The right-hand chart shows our split by capability in FY 2025. We are more resilient than ever, with Managed Services now delivering 34% of these revenues, and for the year, Consulting & Implementation was 21%. We have seen a meaningful shift in our mix, which has made us more financially resilient. But Technical Assurance, as you may know, has declined over time. Let's look at where this has manifested itself and give some more detail than you've seen before.
The left-hand chart here shows the development of our revenue globally over the last three years in each of our four capabilities. You can see that technical assurance, in purple, has declined sequentially to GBP 88 million FY 2025 from GBP 126 million in FY 2023. The four markets of North America, the U.K., EU, and Asia Pac are broken down on the right-hand side. There are two trends I would like to pull out explicitly, and then I'll reinforce an opportunity. Firstly, the technical assurance or testing revenue shown in purple is driven by North America in terms of its deterioration and its large tech testing engagements that surged through COVID. Technical assurance is stable across the other markets, indeed back in growth. As Mike showed earlier, there is a growing market for technical assurance in each of our markets, including North America.
Secondly, that the U.K. is the market that sees the most meaningful shift into more managed services and consulting & implementation. That's following investment in these areas and successful cross-selling. There is more balance there. Thirdly, therefore, it's a punchline on this slide that as Mike showed earlier, the addressable market in the EU is 4x the size of the U.K.'s addressable market today. The North American market is 9x the U.K.'s addressable market. These markets have always been much bigger. Now that we have globalized our operator model and created a pure-play cyber business, how are we now going to capitalize on this by selling it better? Peter's gonna talk in detail about the development of our go-to-market, especially in these markets. Replicating the U.K.'s cross-selling success in the EU and North America will transform our revenue performance and valuation.
Let's look at the verticals we operate in and our cross-sell here. Successfully cross-selling solutions across multiple challenges is our goal, and here it is. The doughnut chart on the left shows our revenue by vertical. We are very strong in TMT, financials, and public sector. This is diverse and also presents an untapped opportunity in highly regulated industries such as pharma and critical network infrastructures. These play to our strengths. Excluding technical assurance, revenue per client is climbing as a result of the investment in managed services and consulting and implementation. Indeed, managed services revenues per client have increased by 24% over the last three years. Bigger, better contracts. The blue bar chart shows the rise in managed services mix climb over time.
Our top 100 clients, who have an average tenure of 10 years, take on average 2.74 of our capabilities. This compares to 1.5 across the whole estate. Lifting the number of capabilities per client from 1.5 to 2 across a whole estate would deliver an extra 34% in revenue. That's £79 million from existing clients, and Peter's gonna talk through the 1/4-20 model which will capitalize upon this. Here is a further segmentation of the client concentration and the cross-sell opportunity. Here you can see on the left that our top 20 clients account for 38% of our revenue. On an average, those twenty clients take 3.2 of our four capabilities. These are highly sticky strategic relationships.
The next 10% of revenues, that's in the light blue bar, the first one, comes from the 21st to the 50th ranked client, and on average, they're taking 2.676 capabilities per client. The very obvious opportunity in our client base on this chart is that the more strategic the relationship we develop with a client, the higher the spend, the greater value, the better the retention. In summary, we have a highly resilient revenue base with an enormous opportunity to drive revenue in every market across a premium and diverse client base. Peter's gonna show you our strategy to unlock this. First, I'd like to hand over to Damien, who's gonna now talk about our expertise of our business and our people, which is a the cornerstone of our opportunity.
Good morning. Thank you, Guy. So before I take you through each of our delivery pillars, I wanna set the foundation by answering three core questions. Why clients buy from us, what they buy from us, and who those buyers are. This brings the wheel you've seen in previous slides to life. Let me start with why clients buy from us. Cybersecurity has become too complex, too fast-moving, and too resource-intensive for most organizations to manage alone. Clients don't choose us simply because they need help, they choose us because of what differentiates us. We bring over 25 years of deep cyber heritage, giving us pattern recognition and contextual understanding that very few organizations have. We are a pure cyber business operating across every domain of cybersecurity.
We have world-leading subject matter experts who publish globally recognized research and speak on major conference stages, and we advise governments shaping legislation, regulation, and national cyber frameworks. That gives us cyber thought leadership, credibility, and insight far beyond technical delivery alone. Now, what they buy. Clients buy Technical Assurance, consulting and transformation, Digital Forensics, Incident Response, and Managed Services. Increasingly, they also buy compliance support across UK and global standards, cleared work for government, defense strategic security leadership, such as CISO as a Service. Then who is buying from us? Well, that'll be the government and public sector bodies, automotive and manufacturing, health and financial services, digital-first and cloud-native organizations, critical national infrastructure, and mid-market companies that need scalable expertise. Across all of these sectors, clients choose us for depth, independence, and the ability to deliver at pace and scale.
Our breadth of expertise allows us to solve end-to-end complex problems for clients. Our recent engagement with F5 saw us leverage incident response and code review experts from Technical Assurance to provide a level of assurance few in the market could replicate. We delivered this leveraging our global delivery model with work taking place in North America, Spain, the U.K., and Manila. This consisted of over 75 consultants and over 100 million lines of code. The positive shift in our culture to operate as one global team in service of any client is evidenced in this work. What I'll do next is I'll walk through our four core capability pillars. Not how clients buy from us, but the capabilities that sit behind our client propositions and underpin delivery quality, scale, and economics. I'll start with Technical Assurance.
This is one of the foundations of NCC, and it plays a critical role in why clients trust us. Typical engagements are annual repeat testing and event-driven. Engagements can last anything from 1 to 12 weeks. Historically, this work has been highly transactional or staff augmentation. However, more recently, we've been moving to fixed price deliverables, scaling growth in high demand niche domains, and moving to pen testing as a service. At its core, this capability is about independent validation, helping organizations understand where they are genuinely exposed before those weaknesses are exploited. What's changed over the last few years is the scale and complexity of what needs to be tested. Cloud platforms, software, identity, operational technology, and increasingly AI-enabled systems. To address that, we've deliberately evolved how this capability is delivered.
We now use AI-augmented delivery models that automate the repeatable foundational work, improving consistency and speed, while our specialists focus on high judgment validation and context. That combination allows us to deliver assurance that is faster, more predictable, and increasingly fixed price, which clients value and which improves delivery economics for us. Importantly, this isn't about replacing human expertise. Automation gives us scale and coverage. Our experts provide judgment, insight, and credibility, particularly in regulated and high-risk environments where independent assurance really matters. As technology evolves, this capability evolves with it, including into areas like hardware, complex systems, and AI assurance, but the core role remains the same, trusted, independent validation at scale. This is a foundational capability that underpins many of our client relationships and acts as a gateway into broader, longer-term engagement, which Peter will come on to talk later.
Finally, our investment into specialist growth practices such as hardware, crypto, Red Team and Black Team offerings, and of course, the testing of AI systems not only are resulting in growth, but ensure we are playing a critical role in state-of-the-art emerging capabilities, from testing quantum keys, assuring the latest smartphones, stress testing our clients' security response to live threats, and of course, testing that those AI deployments are safe. The second capability is consulting and implementation. This is where we help clients design and deliver major cyber change by embedding security into how organizations operate. C&I opportunities can be ad hoc projects through to multi-year transformations. We have a rich pedigree in risk and regulatory compliance, which is often a yearly recurring activity. In recent times, our shift to strategic transformational engagements has seen longer engagements with significant pull-through into other capabilities.
Again, Peter will talk more about this in his upcoming section. Consulting & Implementation is where cyber strategy becomes operational reality. Clients engage this capability when they are undertaking significant change, whether that's modernizing identity, securing cloud platforms, strengthening governance, uplifting operational technology, integrating acquisitions, or rebuilding after an incident. Our role is to design and deliver that change securely. We bring security architecture, engineering capability, and program leadership, ensuring that cyber controls aren't theoretical, but embedded into how the organization actually runs. A key strength here is our ability to operate in regulated and high-assurance environments. We work across global regulatory frameworks and sector-specific requirements, giving clients confidence that what they are implementing will stand up to scrutiny from regulators, clients, and boards. As this works scale, we're increasingly using automation and tooling to streamline evidence, map controls across frameworks, and visualize posture, improving consistency, speed, and predictability.
The result is a capability that helps clients move faster with greater confidence and lower execution risk, particularly in complex high-stakes environments. Like Technical Assurance, this is a foundational capability that often sits behind broader client propositions and is the glue that binds together our wider offerings. The third capability is Digital Forensics & Incident Response. This is where NCC is trusted to operate when cyber risk becomes a live business event. This is a business of a combination of ongoing retainers and incident-driven real-time cyberattacks, where we are called in as the cyber emergency service. Typical engagements are for two to six weeks, but can last longer based on complexity or litigation support as required. Digital Forensics & Incident Response is the capability clients rely on when cyber risks becomes a real business event, not a theoretical one.
This is where operational disruption, regulatory scrutiny, and reputational risk all converge. Our role is to provide independent, defensible investigation and response. We help clients contain incidents, understand what's happened, preserve evidence, and support decision-making, whether that's for regulators, insurers, boards, or clients. Independence is what matters here. In many situations, internal teams simply can't investigate their own environments, and regulators and insurers expect an external credible partner who can operate under scrutiny. A key differentiator for NCC is how we integrate threat intelligence directly into our response. That gives our teams better context, faster attribution, and more accurate decision-making, particularly in cloud, hybrid, and operational environments. Importantly, this capability does not sit in isolation. It stabilizes incidents, informs remediation, and often acts as a bridge into broader recovery and resilience work across the organization.
From an investor perspective, DFIR is a high-trust, high-stakes capability and one that reinforces NCC's role as a long-term partner, not just a transactional provider. Our recent work with the Royal Borough of Kensington and Chelsea has seen us support them through a live incident, provide consulting on how to recover, and ultimately led to a full managed service. Finally, let me turn to managed services, our continuous protection capability. This is a core part of the model because it delivers multi-year recurring revenue. For a mid to large enterprise, a typical multi-year contract runs into the millions. Demand here continues to grow for very practical reasons. Clients are dealing with overwhelming volumes of telemetry, a global shortage of skilled cyber talent, and rising regulatory expectations for continuous monitoring and rapid response.
Many simply can't do this effectively on their own. What we provide is continuous threat detection and response across modern environments spanning cloud, identity, SaaS, and hybrid estates, supported by vulnerability management, attack surface visibility, and proactive threat hunting. Our clients range from large enterprises and regulated industries through to government, defense, and high assurance environments, and increasingly, organizations coming to us after experiencing an incident. They choose NCC because they need confidence. True 24/7 coverage, high quality threat-led detection rather than alert noise, predictable protection at a predictable cost, and deep integration with our incident response, assurance, and consulting capabilities. From an operating perspective, we continue to invest heavily in automation and AI augmented analyst workflows. That allows us to deliver higher quality outcomes at scale while strengthening margin discipline.
To give a sense of the scale, today we monitor over 700,000 endpoints and log sources, process more than 6 billion events, and handle close to 1,000 cases every day. This is how we support clients continuously and how we build long-term predictable value in the business. None of this is possible without our technical talent, something that we are very proud of and is our unique selling proposition. One of the defining constraints in cybersecurity is not demand, it's access to deep, trusted expertise. The market is structurally short of experienced cyber specialists, particularly in the areas where clients face the highest risk and complexity. The ability to attract, deploy, and retain that expertise at scale is what separates credible cyber partners from the rest. We've deliberately built our talent model around that reality. We don't compete on volume hiring.
We operate a skills and capability-led workforce model that gives us clear visibility of our most critical technical expertise, where it sits in the organization, and how it's deployed across across clients and geographies. That allows us to do three important things, deploy the right expertise quickly on complex engagements, reduce reliance on an increasingly expensive contractor market, and protect delivery quality as we scale. Retention is just as important as attraction. Our focus on clear career pathways, internal mobility, and targeted investment in future critical skills means we retain specialists by giving them access to meaningful, technically challenging work, not by cycling them through roles or chasing external offers. The result is a more resilient delivery model. We can mobilize scarce skills faster, support global clients consistently, and maintain discipline on cost and margin, even in a highly competitive talent market.
Our ability to attract and retain trusted cyber experts underpins our execution, our client relationships, and our long-term value creation. This, combined with our investment in AI tooling, will ensure that the efficiency and effectiveness of our people continue to drive competitive advantage. With that, I'm going to hand over to Peter Vorley, our Chief Commercial Officer, to talk more on our clients and the work we do and how we are strengthening our go-to-market approach.
Thank you. Okay, thanks, Damian. Good morning, everybody. Thank you for taking time out to visit NCC today. My name is Peter. I've been at NCC now for 10 months, and I'm responsible for the commercial side of the business, working very closely with our Chief Marketing Officer, Angela. I am very excited to be part of the NCC journey and the opportunity which lies ahead of us. Over the next 30 minutes, I'm going to cover three core areas of our front office. Firstly, I'll be covering our clients and the work we do. Secondly, I'll be covering what our differentiation is to the market and our right to win. Then I'll wrap up with probably the most critical part of my section, which is our new go-to-market strategy and how we will grow sustainable, profitable revenue at NCC.
Okay, now for the first part. Please let me cover our clients and the work we do. NCC is unique. We have a pedigree that very, very few cyber services business can match. With decades of experience operating in mission-critical environments, supporting organizations where cyber failure is not an option. That heritage matters in cybersecurity because trust, judgment, and experience are built over time, not acquired overnight. Okay, let me start by talking about why clients choose NCC, who trusts us, and what that says about our role in the market. As you can see, we work with some of the world's largest organizations. Our client base spans global technology leaders, major financial institutions, critical network infrastructure operators, universities, technology companies, government bodies, et cetera. These aren't organizations that take chances when it comes to cyber. Their choice of partner is a statement about trust and capability.
This isn't just about scale, it's about quality of demand. These organizations operate in highly regulated, high stakes environments where cyber failure is simply not an option. They look for partners with deep technical expertise, domain understanding, and the ability to operate with precision under pressure. Long-term relationships are a core differentiator. What also stands out here is not just who we work with, but for how long. Many of these relationships span years, in some cases more than a decade. That reflects repeat demand, expanding scopes of work, and high switching costs, all indicators of sustainable, resilient revenue. Why do these clients choose NCC?
It's primarily because of deep technical heritage and world-leading cyber expertise, ability to operate across complex global environments, our proven track record in sensitive and mission-critical work, our independence, trusted judgment, particularly where regulators or governments are involved, and finally, a portfolio that supports them across the full cyber life cycle. This slide anchors the point that NCC isn't a small, niche, or peripheral player. We are deeply embedded with organizations where cyber resiliency is essential to operations, reputation, and regulatory obligations. Working with these clients requires a level of expertise, assurance, and trust that only a handful of providers globally can meet. These relationships show not just who we serve, but the strategic role that we play. It is a powerful signal of our right to win and a foundation for driving deeper, broader, and more recurring engagement over time.
I'd close this slide by highlighting that some of these logos are a great example of where they have been breached under a previous supplier and have come to NCC to help with recovery and move to our highly acclaimed Managed Services. Earlier, we heard Damien talk about, and in fact, Mike and Guy talk about the flywheel. What we're building here is the evolution of that in terms of the way that client buys services. This is what you're gonna be seeing and what I'll be talking through in the next few minutes. The key message to take away here is that cyber risk no longer sits in neat silos. Clients are dealing with AI adoption, cloud change, identity risk, continuous threat monitoring, third-party exposure, and operational technology, often at the same time. Clients are not looking for a collection of point solutions.
They're looking for outcomes, the ability to operate securely, meet regulatory expectations, and build resilience that holds up when incidents happen. It's for that reason we have structured our portfolio to address it. You can see it here. These are the eight offers. Securing AI with governance and independent assurance, detecting and responding faster, enabling secure multi-cloud transformation, providing governance and tech-enabled assurance to accelerate compliance, reducing ecosystem risk across suppliers and partners, for example, Marks & Spencer, Jaguar Land Rover, that sort of work, strengthening control in operational environments, securing both human and machine identities, and continuously validating defenses using intelligence-led insight. Two things matter about this framing. Firstly, it maps directly to what clients are buying today, not our internal service labels.
Secondly, it shows how our capabilities work together across the entire life cycle, which is what supports deeper, longer-term relationships as clients' needs expand. NCC is one of a small group that can provide this end-to-end, full-spectrum capability. In summary, this is our portfolio in action, aligned to real problems clients are trying to solve for right now. That leads into a conversation now where I'll talk about the type of work we do for our clients. This example is a powerful illustration of the scale, complexity, and strategic importance of the work that NCC delivers for one of the most scrutinized and highly regulated digital platforms. In summary, NCC assures and audits that European client data does not leave the European Union, and only specific elements of this data can be seen by authorized users.
This secures data for over 200 million TikTok users and demonstrates our ability not just to work at scale, but at hyperscale. This relationship started as a focused engagement and rapidly expanded as TikTok recognized the depth of our technical expertise, our ability to operate at their pace, and the trustworthiness required to support a program of this sensitivity. Project Clover was TikTok's major initiative to address trust, sovereignty, and regulatory concerns around European user data. They needed a partner who could combine deep subject matter expertise with independence, agility, and the ability to solve novel technical problems. NCC was selected for exactly these reasons. This combination of capabilities, architecture, compliance, engineering, and forensics demonstrates the breadth and depth that only a true pure-play cyber specialist can provide. Why did TikTok select NCC? During their provider evaluation, TikTok prioritized three things: agility, customizability, and deep expertise.
Our ability to mirror their engineering pace, act as a flexible and collaborative partner, and bring diverse domain expertise to the table made NCC the clear choice. This isn't just a successful project, it's now one of NCC's largest client relationships. TikTok uses almost every major service we offer, and they've publicly expressed that they expect their spend with NCC to continue increasing, driven by the quality of our delivery and our ability to adapt to their needs. What this case study really shows is NCC at its best. Trusted judgment, deep expertise, multidisciplinary capability, and the ability to operate effectively in high-pressure, highly scrutinized environments. It's a perfect example of the long-term strategic relationships we're building. Relationships grounded in trust, capability, and proven execution. Okay, this takes us on to the second section. Having shown the market opportunity and our credentials, the next question is differentiation.
The cyber market is a crowded market, but not all providers are differentiated in ways that are sustainable over time. What we want to show here is that NCC's differentiation is structural, built over years through talent, proprietary insight, and delivery experience, rather than dependent on pricing or short-term advantage. Let me just very quickly remind you of some of the key points already covered. This is what sets NCC apart in the cyber services market compared to our competition. Taken as a whole, we believe NCC has a defensible, sustainable differentiation in the cyber market. These advantages aren't superficial. They are built over decades and are very hard for competitors to replicate. It is this combination of depth and breadth that sets us apart. Very few providers have this.
We have delivered critical cyber services for some of the most demanding organizations on the planet, as well as world-famous brands. We are not a generalist consultancy with a cyber arm, nor a niche boutique that can only deliver part of the picture. We offer full spectrum capability. This breadth, combined with deep specialism, means we can support clients across their entire cyber life cycle, something only a handful of providers globally can do. Okay, why does this matter to you? This differentiation isn't abstract. It shows up in how clients buy from us because they trust us with sensitive environments, expand their spend with us over time, increase capabilities across the portfolio, engage on complex, high-impact programs, and rely on our insight, not just our delivery. These are attributes of a partner, not a transactional supplier. In short, NCC's differentiation is structural.
One, deep expertise, two, proprietary IP, and three, a strong proven track record, all with full-spectrum capability. It is the combination of these elements that gives us the credibility, allows us to build long-term strategic relationships, and underpins our right to win in the market. On this slide, what you can see in front of you is a framing of the competitive landscape, and the key point it communicates is simple. NCC competes across the entire spectrum of cybersecurity providers. As I mentioned earlier, the market is crowded, but most players are confined to a single archetype. Global consulting firms, strong in strategy and advisory, but typically reliant on third parties for deep technical execution. Systems integrators and telcos, strong in engineering and managed security operations, but often lack high-end advisory and compliance capability.
Local pure-play specialists, highly technical but limited in scale, geographic reach, or ability to support complex enterprise demand. Software-led and MDR-led multinationals, anchored in platform tools and platforms, but not built for independent human-led assurance or complex transformation. NCC is one of the very few organizations that operates across all these dimensions. We combine the depth of a specialist pure play, the scale of a multinational, the credibility of an advisory partner, and the operational capability of a managed service provider. This unique blend is what differentiates us. It means we can compete directly and effectively with global consultancies, cloud and software vendors, telcos, systems integrators, and specialist boutiques. Few can match that range, and it aligns precisely with how clients now want to buy. A single partner with the breadth to support their entire cyber life cycle and the depth to be trusted with their most sensitive, highest impact work.
This positioning underpins our right to win. We're not a niche provider. We are not a generalist. We sit at the intersection of capability, scale, and independence, which is exactly where demand is moving. This takes me on to my final part of my section. Whilst all that's great, market opportunity and differentiation only matters if our business can consistently convert this into revenue and margin. We've talked about the market, our capabilities, and why we believe we are differentiated in the market. The go-to-market strategy is what determines whether this translates into sustainable growth in practice through who we target, how we sell, how we effectively scale relationships over time. This section is about how we structure our go-to-market and how we approach our clients to upsell and cross-sell and win bigger.
This is an important slide, and I want to take a few minutes to ensure that we do this justice as it forms the basis of our front office restructure. This go-to-market model is how we introduce our flywheel of capabilities to our clients. Our aim is straightforward. We want to build stronger, longer-lasting relationships with the clients who are most likely to buy multiple capabilities from us while managing the rest of the long tail more efficiently. When we make this pivot, we reduce our cost of sale and make it much easier for clients to work with us. Right now, our account managers are spread too thin. They look after major organizations and small transactional accounts in the same way. This means that they have too little time to focus on the clients who genuinely move the needle for us. We know what actually drives growth.
It's spending time understanding a client's cyber priorities, then helping them match those priorities to the right capabilities, justifying the value of what we deliver, and linking it clearly to the only three things that people really care about, including in this room, making money, saving money, and managing risk. It's simple, and it's a model that works. We are reshaping through our sales transformation right now, our go-to-market model to line up behind it. At the top of the pyramid, tier one, this is our most important clients, and we've introduced a new program called NCC Select. This formalizes the white glove approach that has proved so successful with TikTok and a handful of other clients. Each of these clients has a dedicated team, a client executive, a solution architect, and a client services manager.
They get clearer points of contact, faster access to the right expertise, and a single route into our delivery teams. The ambition of NCC Select is very clear. This team should understand the client's cyber environment better than the client does themselves. This is the top tier. Next tier, which is effectively the 500 clients where Guy was talking earlier about the largest upside. We're gonna grow top, and we're gonna have a focus in the middle. The next tier down, they are still gonna get enormous attention, but we are reducing the number of accounts each account manager is responsible for. This allows them to build real familiarity with the client rather than simply reacting to inbound requests. It's a shift back to what the role is meant to be, managing the account.
The clue is in the title of account manager, not just responding to problems, to problem-solving requests. In other words, we are making the news and not reading the news. For smaller, more transactional clients, we're expanding our UK inside sales capability and digital channels to move globally. This protects revenue, keeps the wheels on the bus, improves the experience for those clients, and removes a lot of the day-to-day burden from the account managers. Taken together, this gives us a much clearer and more focused model, more attention on the clients with the greatest growth potential, more time for account managers to build proper relationships, and more efficient handling of the day-to-day activity in the long tail. All of this improves the client experience and supports more predictable commercial performance. Now, I've discussed this part, and I'm just gonna cover the section to the right of the slide.
Alongside this structural change, we're also shifting what we expect from account managers. They will no longer be generalist cyber sellers. Their job is to stay close to the client, understand their business, and bring in the right NCC specialists at the right time. They become the switch or, to use an Americanism, the quarterback calling the play and activating the very best of NCC around the client's priorities. This matters because specialists can tell the story of our offers technically and commercially far better than a cyber generalist. It allows us to compete toe-to-toe with all of the different supplier archetypes we discussed earlier, and this moves us towards outcome-based selling rather than day rate time and materials work. This shift is important for two reasons. First, day rate work quickly becomes a race to the bottom and rarely delivers value for the client.
Second, outcome-based work means we take accountability for solving a client's problem, which is exactly what they want. Now to the most important strategic point behind all of this. Guy showed the scale of the market opportunity earlier. EU should be 4x The size of our U.K. business, and North America should be 9x the size. Today it isn't. Why is this? It's because the current book of businesses in those regions is unbalanced. In the EU, our account managers have tended to be managed service experts, not client experts. In North America, they've tended to be technical assurance experts, again, not client experts. By rebalancing our model, account managers who know the client, supported by specialists who know the capability, we bring these two things together. That's when everything starts to click.
Clearer understanding of client need, better alignment of our offer, and real potential to grow in the markets that should be far bigger than us. This is the foundation for the next growth, and it's this approach which provides the foundation to deliver our 1/4-20 program. The 1/4-20 program, you've heard about it and this is what is going to fuel our growth. What you can see in this slide is the commercial logic behind our 1/4-20 go-to-market model. Specifically, how we intentionally move clrients from commodity transactional work to high-value strategic partnerships. Pillar one, establish. Solving the immediate problem right now. Pillar two, elevate. Increasing value and footprint across the portfolio. Pillar three, embed. Become a strategic partner and part of the company's core DNA. What do we mean by this, and what is the path to growth?
First, establish. Transactional compliance-driven work. In other words, 1x our revenue. Most clients first meet NCC through a single assurance engagement, typically a pen test. These engagements are commoditized, hard to differentiate, often bought on price and availability, often at short notice, and typical one-off in nature. That work is absolutely important as an entry point, but it doesn't create long-term value for either us or the client. Second, elevate. Solving broader, more meaningful problems. 4x revenue. This pillar shows the path to expand from that initial 1x engagement. Instead of stopping at a test and then selling the next test, we move to helping clients fix what we found, providing broader assurance, attack path mapping, readiness reviews, offering recurring incident response retainers, strengthening identity and governance foundations, embedding ourselves in their ongoing security posture. This is consultative selling.
We stop selling hours and start helping solving real risk and resilience problems that our clients have today. Third, embed. Strategic long-term partnership takes us to 20x revenue. At the highest level of maturity, NCC becomes part of how the client runs their business. This includes multi-year managed services, continuous testing, managed identity and integration into M&A, and defining their cyber transformation programs. These engagements are recurring, predictable, and significantly higher value with deep trust and high switching barriers. Why does this pathway matter? Not all revenue is equal. We are intentionally shifting the mix towards recurring multi-capability, higher margin work. The economics improve dramatically as clients move along this pathway, and the model creates sustainability for clients and for NCC. This shift is already happening, and it's a core driver of the growth and margin improvement we've been discussing. The takeaway here is simple.
Our go-to-market model isn't just about winning more clients. It's about maturing the relationship, increasing value on both sides, and positioning NCC as a long-term strategic partner rather than a transactional supplier. Before I hand back to Guy, I want to quickly summarize what we have covered in this section. NCC's advantage is structural, built over decades through deep expertise, proprietary insight, proven delivery, and end-to-end capability. We operate where resiliency truly matters, and our clients trust us because we demonstrate judgment, reliability, and technical excellence every day. Our positioning is clear, our differentiation is real, and our go-to-market model now gives us a scalable way to convert all of this into predictable, high-quality growth. We have a strong foundation, a growing set of long-term partnerships, and a clear right to win in the part of the cyber market where demand is rising fast.
With that, I'm going to hand back to Guy.
Thank you very much indeed, Peter. I'm gonna start here, talking about our low valuation. I think I'm allowed to call it that. I think I'm allowed to say that. In cyber and some of the historic drags that have been attached to that generated it. Okay? We believe we have a tremendously undervalued business compared to similar businesses in our peer group with healthy EBITDA margins. As you can see from the current slide, there's some charts on the left that gives an implied current valuation based on last night's close, of cyber of circa 0.53x the FY 2025 annual revenues. We all know this valuation has historically suffered from drag from a number of items. Cyber being reported within a wider group, including Escode. Complicated disclosures, one-offs and impairments. Multiple disposals in the accounts.
Change in the year-end and inconsistent revenue performance. A historically fragmented operating model and an over-reliance on project-based transactional pen testing. Some balance sheet leverage and weakness. We have delivered corrective action against these things. Performance of the cyber business, that will now be very clear following our disposals. Revenue returns growth in Q4, as we've said and continued in Q1. The operating model has been globalized and standardized. Our revenue base and our client base is diverse. 34% of the revenue now coming from multi-year managed services contracts. Finally, we'll have an unleveraged balance sheet. We have a clean, focused and resilient business to move forward with, and to which valuation should fairly reflect. This slide is gonna show how we'll successfully measure the delivery of the strategy that Mike, Peter and Damien have talked through and described.
It is a development of the financial framework I've previously spoken through in each set of results presentations since I became CFO. We'd heard Mike and Peter talk at length about our opportunity and the action to scale the business's revenue and strengthen it by increasing recurring revenues and driving our share of voice, our colleague engagement. By the way, we're very proud to have been named the 84th best place to work, best employer this week. We will simplify the business, leveraging the global delivery model we now have in place and the opportunities AI gives in our cost base to drive gross margins up and reduce our overheads to the next phase of process efficiencies available to us. Plus, we will obviously eliminate any stranded costs following the disposal of Escode. On to value creation.
Delivering scale, simplify and strengthen will drive our EBITDA towards peer levels on the percentage. I am not allowed to present and give you a management guidance or a forecast beyond what we've already said. Okay? I can, though, three years into being CFO in this business pretty much now, talk to you about how I think about the business and its profit conversion. If you're new to the NCC story, hopefully that will be helpful. We have a largely fixed overhead, and historically, when we've delivered revenue growth, there has been a sequential improvement in our gross margin. We saw this in the second half of FY 2024, for example. With overheads fixed, this has flowed through from a revenue point of view into our EBITDA. AI is an operational cost tailwind.
We will continue to target strong cash conversion and sustain appropriate liquidity and debt facilities. We'll maintain disciplined capital allocation and be alert to bolt-on M&A opportunities which accelerate value creation. This is a fragmented market, as Mike pointed out, and in time we expect there to be some market consolidation and we'd want to be able to capitalize upon that. This is a great time to be NCC. There is a great value creation opportunity. Let's then return to the valuation. Comparable IT services on the left are currently trading at 1.4x annual revenues. Cyber software businesses in the other three columns are trading at between 4x and 11x annual revenues. NCC today is just 0.53x.
I hope it is therefore clear that delivering on the key initiatives that we have presented today, the values of the business should be 2x, 3x, 4x what it is today. That's what I think it's worth, and with Mike and the management team, we're gonna deliver this change. Mike.
Thanks, Guy. You can probably tell that Guy and I stand on the left, because this is the taller person's podium. Thanks, Guy. So we've covered a lot today, and I hope you found it a helpful update on the cyber strategy. We're not deviating massively, but we are now really clearly set on the direction. It's been great to hear from the team on the financials, our capabilities, our massively important go-to-market initiatives. I'd like to remind you of that vision. We do have a very clear vision to be the pure play cyber services provider in the market, the globally leading cyber services provider.
We have a strategy to capitalize on the hard work the team have done over the last three years, and that really plays to our strengths. All of the building blocks are in place. We've got amazingly talented colleagues. Absolutely, and if you do the tour later on, you'll meet some of them. Amazingly capable individuals with a breadth and depth of skills. We have a plan to execute that scales, strengthen, simplifies, to Guy's point, our business to drive the shareholder value that we believe this business offers. I started at the very beginning and said there were a number of takeaways, and I just wanted to come back to those takeaways. We are now that focused, pure play cybersecurity business. The reset's complete, and we can really now focus on the opportunity that we believe is at hand.
We've hopefully highlighted that there's a large, durable market with demand that is subject to strong tailwinds. NCC is able to differentiate itself in that market through its expertise, its IP, its trust. We have a scalable go-to-market model which is able to drive a change of mix, margin and therefore predictability of revenue. We're clear that there is upside in our execution for a re-rating and value creation. I'll just finish with a couple of thank yous. Firstly, to the whole team. It's been an absolute pleasure to work with the team to pull this together. All of the ExCo represented here. We've got, you know, Guy, Peter, Damien, Angela. Where's Angela? Angela, our CMO, Michelle, and Richard, and of course, Yvonne Harley, our investor relations lead.
Absolutely clear, amazing. We've got to be able to say this to our colleagues and really talk to them about a great opportunity ahead. With that, I'll conclude and say thank you. Very happy to take any questions.
The way that we're going to run questions, if I'm gonna try and make sure I summarize this correctly. I think Peter and Damien are gonna come and join Mike on one of the breakfast chairs here. In an alarming departure, I've been put in charge of this. I think we're gonna take questions in the room first. If you were to raise your hand, and when Danielle comes to you if you could state your name and where you come from, loosely, obviously. Not full life story please, Andrew. Then once we've done questions in the room, what we'll do is we'll take questions which have been submitted from people who've joined virtually via the portal, which I will read out.
In all cases I will try and when we've got the question, I will give the difficult ones to Mike, and then the other three of us will try and pick up the rest. Okay. Andrew.
Good to go. Thanks for the presentation and inviting us to Manchester today. It's appreciated. Sort of two part to one really for both you and Mike. Just on assurance to sort of kick off with. You put up a slide, Guy, in your deck that showed there'd been a quite big decline in assurance revenue the last couple of years or from 2023 to 2025. Are you confident that you've got to a bottom in terms of the assurance revenue base? Then more importantly, looking forward, Mike, you talked about AI and automation in your part of the presentation. What does the increasing use of automation in assurance mean for the revenue gross margin mix going forward? Thanks.
Okay.
If we take Mike, the first question, Andrew's question, which is have we reached the quote-unquote bottom in terms of technical assurance service? If I try and kind of sort of iterate some of the numbers, and I think you'll then want to talk about some of the things going on underneath. We saw growth in Q4, right? I think I can say that. It's historical. I don't think I'll land myself in trouble there. We've seen strong performance in Q1. As we showed on the charts there, I described TAS as stable, technical assurance as stable inside the U.K. And Asia Pac and the EU.
North America, I'll probably hand over to Mike to kind of, you know, to talk about it because I think it's about in the mix. We're confident there is a market. That is doing a lot of the work that we've done over the last 12 months. It is the market. Do we have a right to win?
Yeah. I think that's the key thing. The scale of the market in the U.S. is very clear. That concentration risk is still a challenge. We believe from an assurance perspective that there remains the demand, but it may be in other clients rather than all about the clients we've historically supported. That's why I'm always very circumspect about saying, will there be any changes? Because let's face it, we're in that age of uncertainty now or age of unreliability. Something could happen again and there'll be a cut in spending, et cetera.
I think we're very confident that where we are we're now at a point where growth is the path to growth is very clear. It may be a different mix. I do think this is a really important piece. It might not be just assurance that grows in North America. It might be some of the other domains. That's where I think the mix is more important than actually it's just about assurance.
Okay. The second part of the question then was.
Was AI.
Yeah.
Maybe I'll hand over to Damien in a second. Look, I said it. AI to us is, I think, very exciting. We've got a huge amount of technical resource. We just can't wait to play with AI. We're seeing it being used in every single aspect of what we do from a delivery point of view. What is very interesting is if you go back five, 10 years, a lot of what we did was incredibly manual. Then scanning tools came along, now AI is coming along. It's a natural evolution to a lot of that. We see it as an AI enhancing opportunity for us.
I think the main thing is also that what it does need to go hand in hand is a shift to how we price. It becomes more outcome based rather than a pure time and materials, heads, day rate equals revenue. Actually, what we're trying to say is there is a significant market there where AI plays a part and is delivering it, which we believe we can capture from both the revenue, but the GM% is actually a greater upside. Damien, please.
I think you've covered most of it, Mike. I mean, the thing I would say is we've got AI companies coming to us wanting to work with us to make sure that we can put our expertise into the development of the tooling and how it all comes together. And that's about confidence in kind of the credibility we bring to this. We're working with some North American partners right now where we're really seeing that come through in the GM% in terms of what we're driving here. Assurance is complicated, so it's not one thing, it's kind of a thousand things that we do, so it's gonna come in at different times over the coming years. I think it's fair to say that we're embracing it, and we really think it'll have a positive impact on the business.
Yeah. I'd just add actually that I think that's the key point is assurance is a broad area. The work that we do is high-end and specialist. That's not replicable really in AI. It's the more mundane run rate, which is typically offshore to India anyway, I think they're the ones which are gonna be impacted by AI certainly in the short term. I think also Mike nailed it. It's the conversion and move away into higher growth areas. It's a very, very important part, and as we showed as 1/4-20, it becomes your entry for expansion. AI clearly is, I think it's something that the team have articulated well.
Sorry, just very quickly. If you look at the mix of what you're doing in TAS today in terms of, you know, what was manual and what could be automated, I think, Mike, you mentioned things like scanning of infrastructure, you know, when you get the job. How much of the sort of the manual stuff could be automated from here? Is it possible to sort of bring that to life for us?
It's probably difficult to put numbers around it, but I think it's probably worth talking about infrastructure testing, which is a great example where we probably have this has been embraced and really embedded.
Yeah. Well, we can talk about that. I'll come to that in one second. I guess what I would say is as well, there's the parallel of how the bad guys using AI actually expands the attack surface. As you simplify and automate the easier stuff, the bad guys are then going to the top-end stuff, so you're kind of in a tech race against them all the time. From a i f I talk about the network stuff that we've done, we've been able to automate significant chunks of that, you know. We the lower end of the activities, you know, as much as 50%-60% has been able to be simplified, is how I would describe that.
What that really means is now that you've opened up new threat vectors, that you need proper experts to be at the top end analyzing to make sure that we can add the real value that the clients need.
Thanks.
Thank you.
Thank you. It's Julian from Investec. A couple of questions. Just following on from the outcome-based pricing, could you talk a little bit about how sophisticated your buyers are? Because if you strike the pricing in a very opportune manner, you could actually maybe get a marginal benefit from that. Or conversely, if you've got a sophisticated buyer, you could put yourself in a bit of a tricky position. Clearly, you're probably more knowledgeable than the buyer, but it'd be interesting just the thought process in terms of how that might feed through to the model. And the second one is on the account managers. Sort of mentioned that account managers are serving too many clients, so you reduce the number of clients.
Does that number of account managers per client, does that mean you need to hire more account managers to cover those clients? Just trying to understand the investment versus the rationalization, dynamic of that.
Okay.
Go to market.
Do you want me to take this?
Yeah. Please do.
Yeah, yeah.
Okay. One of the key challenges that NCC or the journey we're going on is moving us up to closer to, as I said earlier, making the news. At the moment, we are kind of moved down the stack where we're working with procurement who are driving a race to the bottom, which I described. That is very much a T&M outcome. What's happened there is somebody else has always defined the strategy, which we are reading the news. They've made the news, we read the news. What we need to do to become more relevant, as we can do with our full spectrum capability, is to move into the true buyer. Not procurement who's acting on behalf of the buyer, but actually what the business problem is that we're trying to solve. At that level, you know what it's like.
You've got a budget, you want to make change. If somebody could come along to you and say, "I will assure that outcome for a fixed price," and it aligns to the objectives that you're trying to retire, you would very likely, if you trust them to deliver, procure with them. So that's what we mean by shifting from a problem solver, which is a request from procurement, to really understanding the business, and that's the change that we're doing with our go-to-market front of house with the account managers moving. The second question is that actually it's more of a structural change in driving the right focus on effectively the three types of sellers that we have within our business, which are client-facing or own the customer. Well, no, it's not really the bottom end.
That's not fair. The long tail is managed by inside sales. Inside sellers are generally early in career or offshored, therefore, their cost of transacting that business is a lot lower. You could probably put around 3,000 customers into your inside sales team. That means now that you've got your top tier with your top 500, which has the 34% growth, which Guy alluded to in terms of that opportunity. The account managers now don't have hundreds of accounts, they have tens of accounts, so the focus becomes much clearer. That's how they're gonna understand what the client is trying to drive, enable them to move into a more strategic buying center versus being at the tail end or the recovery from procurement. That's really the key changes.
Broadly speaking, the actual changes that we're making within that side fits within the existing cost envelope. It's just a different focus. It's just about moving some of the pieces around with structured training endorsement and also bringing in some external talent, of course, to demonstrate the sort of level of capability that we'd like to operate at.
Thank you.
Thank you. Any more questions in the room? Damien.
Damindu, please.
Damindu Jayaweera from Peel Hunt. Guy, you talked to the top 100 clients, some of whom have been trading with you for 10-odd years, and obviously you are talking about the 1/4-20 strategy. Are there any examples in there, I guess TikTok falls under one of those, where customers have already kind of gone through that journey?
Yes
you gained wallet share? Is the differentiator they are better account management, or is the differentiator they are with those clients, the clients behave slightly more sophisticated?
Yeah.
Okay, do you want me to go first?
Do you want me to go first, Mike?
Well, I mean, there are a number of accounts that sort of would sit. I mean, when you've got a great account manager, these kind of things happen. There's certainly a government department who we went through lockdown in Test and Trace. Sorry, Test and Trace, I've probably given it away. We a testing environment project. We went through a complete build and transformation, and we're running another. A number one, which I think was mentioned specifically, was the Royal Borough of Kensington and Chelsea. Again, this is public knowledge, so I'm not betraying anything. Where they had a major cyber breach. They had providers already in, however we were providing the incident response.
We took them through the crisis management. We started the remediation, and we replaced an incumbent that they had for Managed Services. That is probably a very good example of it in action. It can be a mixture if you can have a superb client manager, or you can have an action where actually the best of NCC turns up, and they naturally start to take more services.
Could I? I'll answer your question directly. You'll be pleased to know that we didn't make up the 1/4-20. There is actually some science behind it. What we did is we actually looked at our top clients, the ones which were really successful, and what we realized is that they are all going on very similar journeys. They all start with the one, and we know the ones which have gone to the 4x revenue from where they started historically have gone on this journey. We know exactly what services they want to buy, what to position, and that's why we're putting in the strategic overlays to enable customers to more easily go on that journey.
When they go from the four, we then know that they then typically go on another path, which takes them to 20x revenue from where they were originally, and we have countless examples of where we've done that. What we didn't have was a go-to-market structured model which has aligned us to take that journey, and that's the changes that we're making, which allows the client executives and the account managers to be much more aligned with the client in order to guide them and drive them on that journey.
If I try and dissect another little bit of Damindu's question here, which is, right, so we've done it with those top 20. Is there anything structurally in the nature of the clients in the next 80 or the next 200 which would preclude them from going on that journey?
No, there's nothing different at all. They've all got the same problems. They're all trying to solve the same issues. They've all got the same threats. You know, I think obviously there's a regulatory difference between markets, but also what sets you apart or creates similarity is the markets you operate in. In so much your geographic location, the spread of estate, whether you're in cloud, whether you've got OT, journey of digital transformation. There's nothing, there's no difference between the top accounts who've been on the journey, really the top 500. You've seen the logos. They've all got similar requirements. No, there's nothing to stop us doing it.
Just a quick follow-up. Mike sort of answered it already. I just wanted to understand whether that account management, the kind of the idealized account management, so it's the superstar account manager. Are you always find that's harder to train or at least form or.
Okay.
Yeah.
Can I talk about this? Yeah, absolutely. I've been here 10 months. One of the things that we've put in place is accurate reporting of the skills and capability of our sellers. I now know from the market leaders down to IC exactly what their performance is. How much they've sold, what they've sold, and how much they're predicting they're gonna sell. You can appreciate now there is a lot of focus on people that haven't sold and don't have pipeline about how we can help them drive that work. We also look at the top. That's where our top talent is. That's the functions that we need to retain, and we need to make sure that we foster that capability of what good looks like and gets that across the organization.
Make no mistake, I have a history of running high-performance sales teams, and this sales team is gonna be no different. I hold people to a high bar, and we'll drive that.
Spot on. I think, I don't think we've probably emphasized enough the shift in culture. We've got an incredibly keen workforce. Once they see what good look like, they want to get there, and we are putting in training and development as part of that.
Absolutely.
Culturally, and I think this is, you know, I think we've got a culture where people absolutely believe in what we're trying to do. They believe in the purpose of the business, and they wanna deliver that, the right outcome for clients. I think you put all of that together with a structured approach, then I think it's a very exciting opportunity.
Just last one I promise. Therefore, if you took some of the existing customers that let's call it under contract managed for the time being.
Yeah
If those are better account managed without needing to win new customers, without needing to displace competition, you can potentially actually grow a bit faster with the existing set of customers.
Totally, yeah.
by just servicing them better than you do now.
100%.
You know, this isn't a giving forecast moment, but we expect more of our sequential growth over the next three to four years to come from that. We do plan to win new logos, and we do plan to drive sequential organic growth in what we might call our kind of more developing markets. Iberia.
Some of the adjacent markets to our home markets at the moment, or maybe DACH, but our greatest opportunity lies within the phenomenal logos that we have.
I'd also build on that. I think many who talked to me previously, I've used the line we're one of the best-kept secrets in cybersecurity. We don't wanna be the best-kept secret in cybersecurity, and I've said that repeatedly. Actually, what I think now is, given some of the logos we talked about, some of the analysts, and by that I mean some of the industry analyst recognition. You know, we're now on Forrester Wave, where we are in the top five. The other ones are those major systems integrators and Big Four type organizations. We're getting famous, so people wanna work with the famous outfits.
We're starting to get those, that recognition, which brings work to you as well, which is, again, a massive shift from where we were a few years ago.
Yeah. We do have a focus on new logo acquisition, of course we do.
Yeah.
The greater opportunity is.
No doubt.
Increasing our share of wallet within the clients that we've got. When I mentioned earlier about moving up the buyer base, you know, if you look at some of the larger logos that we have that are buying assurance services, that's a very, very small part.
Yeah.
of that organization. If you look at actually what they're spending, if you go on that 1/4-20 strategy, your ability to expand your wallet share of those customers is significant.
Yeah.
That's the focus we've got. Mike importantly made a very, very key point. We've gone through our sales kickoffs. The account teams and the sales teams are very engaged in this process. They're very frustrated or have been about the admin burden of managing all those accounts. That's now been removed, so they have a lot more time to focus on hunting within those accounts and scaling out. They're very engaged with us, and I think that's what gives us the opportunity to drive it forward.
Thank you. Okay.
Thank you. John Gould at Kelso. A question for Damien, if I may. You mentioned the Red Team offerings. I wonder, could you just expand on this and how material it is, and is it growing, and whether the testing of the incumbent is becoming more part of life.
I can. I can reference last year's numbers.
Yes.
Just what Red Team is, first of all, for everybody. Red Team is essentially where we send in our experts, and they will actually actively, with permission of the customer, hack and get in there and, like, act as an adversary to get in. It's different from testing, which is more structured. This is literally we would go and we would attack them and find a way to break down their defenses. We grew this part of our business 25% last year, is what we grew. Black Team is essentially the equivalent, but very physical. Can you get into buildings and data centers and all that sort of stuff? We see massive scale in this space. We think that, we've seen, regulatory signals as well that it's gonna have to increase and move forward for us.
It's a great pathway to more business on the back end of it as well. Often, we always find something, is what I would say, when this happens. We always find a way to get in. We've worked with boards, we've gone to the boards, and on the back of that, we've provided managed services as a consequence of the activity that's there. It's a growing part of the business. It's a critical part of the industry, and we've got a real niche capability and that we can scale really fast. We've done quite a lot of training to take our kind of business as usual pen testers and turn them into Red Team people. Over the last year, we grew the size of the team by about 35 people through training. It was probably 25 to start with.
This is a real opportunity for us to do something, special in that space. Does that answer your question?
Great.
Okay. Any more questions in the room? Okay, I have a couple of questions online. We did have one from Nigel Yates, AXA, which has dropped off, so he may have dropped off the call, but I'm not asking.
It's been answered.
It's been answered. Okay, fine. We have a couple of questions from Vishal Bhatia at J O Hambro Capital Management, which I think I will take speaking with and people can lean in. Vishal's first question he's got two, is on cyber, what would the team term as industry-leading gross margins? Currently, the group is at 36%, but peers have a varying mix. What does good look like on that front, please? I'm going to not talk about forecasts obviously now, but I think I'm gonna talk about how we see the kind of medium-term aspirations of the business. If we think about the medium-term aspirations of the business being a mid-teens EBITDA business, gross margins should be beginning broadly with the 40, right? And north of there.
That is, you know, part of our strategy is obviously how we build towards that. I can't comment on how quickly we expect to get there, but that's absolutely what we'd expect to be normal to underpin a mid-teens EBITDA and driving that valuation to be 2x, 3x, 4x what we are today. Vishal's second question is, pre-pandemic, the cyber business delivered approximately GBP 30 million of profits. Looking at stats from then, looks like globally NCC roughly had similar number of FTEs to where the company is today, approximately 1,800. To get back to historic profitability, is it more about getting the top line moving or fundamentally doing more with less?
If I start on that one, I think if I think back about the medium term, we expect the gross margins to get better, and that is about being more efficient in the things that we do, and there is clearly a number of whether it's tooling and leveraging the global model we now have in place. I referenced Manila earlier, as well as Cainta. We've spoken in the past about our Cainta scheduling system. Two, three years ago, we didn't have those things. We might have had delivery people everywhere. We didn't have globalized scheduling decisions. We didn't have globalized resourcing decisions on where we recruited. Things were done locally. Now that is all done, we have a huge opportunity to leverage that. That opportunity going forward which will drive efficiencies there.
From an enablement perspective in terms of our overhead, we have now gone to standardized processes. I talked about the fact that we now in fact are almost entirely kind of running our standard enablement processes through here and through Manila. There is the opportunity to make some of those processes more efficient over time now that we've gone to standardized processes too. It's definitely about profitability, but it is also about the revenue. I think, you know, doing those two things in harmony is what we are planning to execute. Anything to add on that?
No. That's spot on.
Okay. I think correct saying there's no more online questions?
No.
Oh, please.
Hi. Seb from Kestrel Partners. I was looking back to my notes of your last Managed Services CMD about two years ago. That was coming off the back of a very strong period of growth, which plateaued slightly in 2025. One of the KPIs I suppose which I think surprised people a little bit was the retention ratios within Managed Services were actually quite low. I think the management team talked about net retention of sub 80%, which they felt was normal in the industry. You know, could you just talk about that a little bit, whether you think that's the case, what you could get that to, and how that plays into the sort of customer retention and expansion story you're talking about when-
Yeah. Yeah, absolutely, yeah.
Customers appear likely to move around?
Who, yeah, you want to take that?
Damian.
Okay.
Yeah. I can't give you the stats, I'm afraid. I don't have the stats to hand. Our retention is actually quite good in managed services. There is churn. There's always gonna be that in that space for us. I think that one thing I can talk about is what we do around our NPS and how we get our kind of customer feedback from that. Incredibly high by industry standards. We are above 55, +55, which is great in that space for us. I don't think I would go as far to say we have a retention problem. Of course there's room for improvement. Peter, maybe you wanna add on some of the things that we're doing around that as well.
There's kind of two or three key activities that we're doing. One of the things is that we are totally refreshing our quarterly business reviews that we do with clients. That's about the way that we demonstrate value, problems that we have solved through that managed service. 4x a year we will go through that with them and articulate the benefit they get. The second thing is that we've done a lot of work on refreshing our systems internally, so the sales teams are aware of when those renewals events are, and they will work back to ensure that they are fully engaged with the client across that journey. The third thing is that we talked about the customer success managers and the pivot of change.
They now front all of the services which are delivered to that client, and so the articulation of that, escalations of issues, resolution of that, demonstration of the benefits of our platform all now have become effectively muscle memory for the way that we show up between delivery and sales together in front of the client. That will drive benefit. The other area is clear articulation of the roadmap that we're developing with the Managed Services. That demonstrates how when it comes to renewal, it's not about just renewing the same for less. It's about actually renewing, moving on to an expanded platform, what the benefits that means in terms of making money, saving money, and also managing risk. Particularly in those ways, the retention will get better, but it's already very strong.
There's also the opportunity to start to cross-sell with those clients as well.
Do you think it's possible to cross-sell that product into the States when you mentioned your large eight has there?
That's the focus. The challenge that we have with North America, as I mentioned earlier, is that we have a sales team which is very good at selling Technical Assurance services but doesn't really have the skill set to sell Managed Services. North America as a Managed Services market represents about 50% of the overall global addressable market. It's a huge growth for us. It is absolutely translating to that, and we do have Managed Services clients there. What we're doing is we're putting in the right structure to enable us to have the right conversations with North American clients in order to also move them onto our Managed Services.
Super. Thank you. Thank you, Peter. Well, thank you very much indeed, everyone. Thank you for your undivided attention for the last one and three quarter hours. For those of you who are joining online, I think the meeting will now close. For those of you who are here, we've got two tours and lunch laid on. A tour might sound a little. It's not an Ashes tour in terms of a few weeks, but we have got some demonstrations in the SOC, the Security Operations Center, which Damian's team has set up, and also in our hardware lab where we're mimicking the.
We're gonna show you a nuclear reactor and how we would test that.
Yes
Should be interesting for people.
I suspect in terms of how we will just organize that, I suspect people will want a short comfort break, so we'll run the tours. We're very keen for people. Thank you for making the effort for coming today to go on the tours, and then there'll be lunch following that. Yvonne, are we going to have a short five-minute recess and ask people to get back in here?
No. We'll go towards the boardroom. Everybody come out this morning, and then we'll get you guys, we'll show you where the restrooms are and then continue.
Splendid. Okay. Thank you very much indeed.
Brilliant.
Thank you very much to the team for putting it all together, so.
Thank you.
Thank you.
Okay. Thanks, everyone.