UK launch in cohorts · Q3 2026Join UK waitlist
UK MSP Operations Layer · Cohort launch

Stop turning down UK defence work.Productise Cyber Essentials Plus and DCPP.

Stella turns Microsoft 365 into your UK compliance service line. Same operations layer that runs CMMC L2 in the US, with jurisdiction-aware modules for Cyber Essentials Plus, DCPP, UK GDPR, NIS, and DSPT shipping in cohorts through 2026–27. Built for 5–30 tenant UK MSPs without a dedicated security person.

Join the UK waitlist Run a free M365 baseline nowUK module roadmap publishes monthly · M365 baseline ships today
1,800+
M365 settings scanned
110
Controls auto-remediated
6
UK frameworks on roadmap
Q3 '26
First UK cohort
!
Honest scope. The Stella platform delivers M365 control coverage and ~110 auto-remediations today — that's roughly 70% of what Cyber Essentials Plus needs technically. The UK-specific framework modules (CE+ certification pack, DCPP mapping, UK GDPR evidence packs, DSPT domains, NIS duties) are building now and shipping in cohorts. Joining the waitlist gets your shop into the first UK cohort and lets you influence which framework module ships first.
The UK MSP reality

UK compliance is more demanding than US — but the tools UK MSPs have are worse.

Built by an MSP operator. The four problems we kept hitting — none of which a generic scanner solved.

Cyber Essentials Plus assessments are death by a thousand checkboxes

Same M365 settings, audited again every year. We re-screenshot, re-export policies, re-format evidence packs every renewal. The actual work is pre-pack and post-pack admin — not the assessment itself.

DCPP-aligned defence work is leaving the UK MSP channel

Defence primes want a supplier that ships continuous evidence. We can do the technical work but the manual evidence pipeline kills our margin. The bigger consultancies eat the contract.

UK GDPR breach response is still a panic exercise

72-hour ICO notification window and we're still reconstructing what changed in M365 the week before. By the time we've got the evidence together we're already past the deadline.

Compliance is a cost centre, not a service line — same as the US shops

Every CE+ engagement is a one-off. Every DSPT renewal is bespoke. We'd love to productise it but there's no UK-aware tool that lets us.

Modular UK compliance · jurisdiction-aware

One operations layer. UK framework modules that snap in like Lego.

Each framework is a self-contained module: control catalogue, M365 mapping, auto-remediation engine, evidence schema, certification report templates. Add the ones your client base needs; the underlying console + agent + reports stay the same.

CE+Q3 2026
Cyber Essentials Plus
Government-backed baseline required for many public-sector contracts. Stella's M365 control coverage already addresses ~70% of CE+ technical scope; UK module wraps it with the certification-specific evidence pack.
DCPPQ4 2026
Defence Cyber Protection Partnership
UK MoD's framework for defence supply chain. The UK analogue of US CMMC L2. Tied to Cyber Essentials Plus + ISO 27001. Same playbook, UK assessor model.
GDPRQ3 2026
UK GDPR + Data Protection Act 2018
Universal scope for any business processing UK residents' data. Stella maps M365 retention, sharing, DLP, and breach-detection settings to UK GDPR Articles 5/24/32.
NIS2027
NIS Regulations 2018
UK transposition of the EU NIS Directive. Applies to Operators of Essential Services and Relevant Digital Service Providers. Module scope: cyber duties + incident reporting.
DSPTQ4 2026
NHS Data Security & Protection Toolkit
Required annual self-assessment for any organisation handling NHS data. Stella's evidence pipeline maps directly to the 10 DSPT data security standards.
ISOLive (pilot)
ISO/IEC 27001
International standard, deeply adopted in UK enterprise. Stella surfaces controls already covered by M365 settings; the rest stays policy work.
How module priority gets set: we ship in the order UK MSPs ask for. The waitlist captures which framework matters most for your client base — that's how Cyber Essentials Plus + UK GDPR ended up first.
Your week, productised

Triage → Remediate → Comply → Report → Sell.

Same workflow as the US build. UK framework modules slot into step 3 as they ship.

1. Triage
See what changed
Daily delta across all UK client tenants. Drift events linked to the policy that broke. Renewal flags 30 days out for CE+ / DSPT cycles.
2. Remediate
Fix it in one click
M365 controls auto-remediated via Graph API, Exchange Online, and Intune — same engine as the US build. No PowerShell required.
3. Comply
Map to UK frameworks
CE+ + UK GDPR live in pilot Q3 2026; DCPP + DSPT follow Q4. Until then, M365 + ISO 27001 mapping ships today; UK-specific evidence packs are roadmap.
4. Report
Ship branded PDFs
White-label, your branding. Cover letter, executive summary, technical appendix. Designed to satisfy a UK certification body assessor without being decorated.
5. Sell
Turn audits into renewals
The same evidence pipeline that wins the assessment becomes the recurring deliverable that locks the client in.
If you run Microsoft 365 — read this

Default Microsoft 365 isn't secure. Every tenant should run at least Base Hardening.

Microsoft's shared-responsibility model puts the configuration on you. M365, Entra ID, Intune, and Azure all ship with permissive defaults across 1,800+ settings — and Microsoft Secure Score tells you about a small slice of them. Whether you're an MSP, a single-tenant business, a non-profit, or a 5-person law firm: if your data lives in Microsoft's cloud, this is the security floor.

Universal regardless of region — your tenant is judged against the same M365 defaults wherever you are.

99.9%
of compromised M365 accounts didn't have MFA enforced
Microsoft Identity Security Report
1,800+
M365 settings affect security posture; Secure Score covers ~5%
Stella scan baseline (every tenant)
0
controls Microsoft auto-fixes by default — every config is on you
M365 shared-responsibility model
$4.88M
average cost of a data breach (2024) — most start with M365 misconfig
IBM Cost of a Data Breach 2024
Self-check
If any of these is true for your tenant, Base Hardening is for you
MFA isn't enforced for every user (including service accounts and admins)
Legacy authentication protocols (POP3, IMAP, SMTP basic auth) are still allowed
External calendar / mailbox / SharePoint sharing defaults are still 'on'
Anonymous SharePoint or OneDrive sharing links can be created
You can't tell what changed in your tenant's configuration last week
Mailbox forwarding rules aren't monitored for exfiltration patterns
Your Conditional Access policies haven't been audited in 6+ months
Cyber insurance / vendor reviews ask M365 questions you can't answer fast
The cost math
A fraction of the $4.88M average breach cost

Base Hardening costs a fraction of the average breach — and the second tenant onward is cheaper still. Contact us for pricing. There is no realistic ROI calculation in which not running this loses.

What Base Hardening actually does
Continuous scan of 1,800+ M365 settings
Auto-remediates 40–60 core controls
Drift detection + auto-revert
Secure Score uplift dashboard
Monthly white-labeled report
Multi-tenant console
Get Your Free CMMC Audit See pricing tiers No credit card · Read-only Graph access · 30-min first scan
Plans

Land at Base Hardening. Upgrade when compliance bites.

Three tiers, one upgrade path. Run every tenant on Base Hardening — promote individual tenants to MSP or MSP Pro the day a regulated, defence, or government client signs. Contact us for pricing.

Base Hardening

Run on every M365 client tenant. Land here. Upgrade when compliance bites.

1,800+ M365 settings continuously visible
~40–60 core controls auto-remediated
Secure Score uplift dashboard
Drift detection + auto-revert
Multi-tenant MSP console
White-labeled monthly client report
Email + Slack support
Volume discounts available
Contact for Pricing
Most popular
MSP

Upgrade the day a defence, government, or regulated client signs.

Everything in Base Hardening
~110 controls auto-remediated (CMMC L2 / NIST 800-171 full)
All 17 CMMC L2 domains mapped + tracked
Assessor-ready evidence packages on demand
Immutable audit logs (hash-chained)
Quarterly compliance posture reports (white-labeled)
Cyber Essentials Plus + NCSC CAF + DCPP + UK GDPR mappings
Priority support — 4 business hours
Contact for Pricing
MSP Pro · CMMC-as-a-Service

Flagship clients, audit-imminent tenants, concierge onboarding.

Everything in MSP
Concierge onboarding (4 hours included)
Advisory hours — 2 hours/month with the founder
Custom control mapping (sector-specific)
Pre-assessment dry-run with assessor-style scoring
Written assessor-ready explanations per control
Dedicated Slack · 1-business-hour SLA
White-label, custom domain, full API
Contact for Pricing

Start every client on Base Hardening, promote them to MSP or MSP Pro the day a defense / government / regulated client signs. Contact us for pricing details.

UK MSP cohort · pre-launch waitlist

Join the waitlist to: (1) get the first UK module (Cyber Essentials Plus) at launch pricing, (2) influence which framework ships next, and (3) get a free M365 baseline on one client tenant today using the existing cross-jurisdictional control set.

Join UK waitlist Run free M365 baseline
Looking for the US/CMMC version? Switch to the US site →