
NCSC Web Check and Mail Check Are Gone - Here's What to Do Next

David Griffiths | 1 April 2026 | 8 min read

On 31 March 2026, the NCSC switched off Web Check and Mail Check - two tools that thousands of UK organisations have relied on for up to eight years to monitor their web vulnerabilities and email security configuration.

If you’re reading this, there’s a reasonable chance you were one of them. And if you haven’t already put an alternative in place, you now have a gap in your visibility that needs closing - quickly.

I’ve spent the last few months talking to organisations in exactly this position. Many of them had Web Check running quietly in the background, flagging issues with certificates, TLS configuration, or HTTP headers. Mail Check was doing the same for email authentication - SPF, DKIM, DMARC.

The tools were limited, but they were reliable, free, and familiar.

Now they’re gone. The question isn’t whether you need a replacement - the NCSC has been clear that you do. The question is what good looks like, and how to avoid making a poor decision under time pressure.

Why the NCSC retired these tools

It’s worth understanding the reasoning, because it matters for how you evaluate alternatives.

The NCSC launched Web Check and Mail Check in 2017 as part of its Active Cyber Defence programme. At the time, there weren’t many accessible options for organisations - particularly in the public sector - to get basic visibility of their external security posture. The tools filled a genuine gap.

Eight years later, the commercial market for External Attack Surface Management (EASM) has matured significantly. The NCSC’s position is straightforward: where the market can deliver a better service than government, the government should step back and focus its resources on things only it can do. That’s a sensible position, and it’s consistent with the ACD 2.0 strategy they published last year.

But it does mean that organisations which were relying on these free tools now need to find, evaluate, and procure a commercial replacement. For many - especially smaller public sector teams with limited budgets and no dedicated security function - that’s not a trivial exercise.

What you’re actually replacing

Before you start evaluating tools, it’s worth being precise about what Web Check and Mail Check actually did, because many people used them without fully understanding the scope.

Mail Check monitored your email domain’s DNS configuration. Specifically, it checked whether you had SPF, DKIM, and DMARC records in place and correctly configured. These are the controls that let receiving mail servers recognise and reject messages that claim to come from your domain but did not. If someone could impersonate your email domain to send phishing emails to your customers, staff, or partners, these are the records that should stop that mail being delivered - but only if they are enforcing, not merely present: a DMARC policy of p=none asks receivers to report spoofing and deliver the message anyway. Mail Check told you whether those defences were in place and working.

Web Check scanned your websites for common vulnerabilities and misconfigurations. It looked at whether TLS certificates were valid and up to date, whether HTTP security headers were properly configured, and whether the software running your websites had known vulnerabilities. In practical terms, it was answering the question: could an attacker exploit something on our website to get in, intercept data, or take control?
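As an added illustration of the header side of that check (my own example code, not Web Check's or Hexiosec's), here is a small Python assessor that scores one captured set of HTTPS response headers. The sample response, the one-year HSTS threshold and the severity labels are constructed assumptions; a real scanner would capture the headers from a live request.

```python
"""Assess HTTP security headers from one captured HTTPS response.
Added example for this article; not Web Check's or Hexiosec's code.
The headers, thresholds and severity labels below are constructed."""
import re

ONE_YEAR = 31536000  # HSTS max-age that preload and most guidance expect

# Constructed sample: a deliberately weak response as a scanner would capture it.
SAMPLE_RESPONSE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": "session=abc123; Path=/",
}


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def assess_headers(headers):
    """Return a list of (severity, finding) for one response; empty means nothing flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "HSTS missing: browsers will follow plain-HTTP links to this host"))
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age {max_age} is below one year"))
        if not include_sub:
            findings.append(("low", "HSTS lacks includeSubDomains"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "Content-Security-Policy missing"))
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append(("medium", "CSP allows inline scripts ('unsafe-inline' in script-src)"))
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append(("medium", "no clickjacking protection (CSP frame-ancestors or X-Frame-Options)"))

    cookie = h.get("set-cookie")
    if cookie:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("medium", "cookie set without the Secure flag"))
        if "httponly" not in attrs:
            findings.append(("low", "cookie set without the HttpOnly flag"))

    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):  # a version string lets attackers match CVEs to the host
        findings.append(("info", f"Server header discloses a version: {server}"))
    return findings


if __name__ == "__main__":
    for severity, text in assess_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"[{severity}] {text}")
```

Running it against the constructed response produces seven findings, from the 300-second HSTS max-age down to the version-disclosing Server header; a hardened response with a one-year HSTS, a CSP that sets frame-ancestors and no cookie attributes missing produces none.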

Neither tool discovered new assets. Neither told you about services, ports, or infrastructure you didn’t already know about.

They checked what you pointed them at - nothing more.

This is an important distinction, because the category of tool the NCSC is recommending as a replacement - External Attack Surface Management (EASM) - goes considerably further.

What to look for in a replacement

The NCSC published a buyer’s guide alongside the retirement announcement, and last year they ran a formal trial of ten commercial EASM providers as part of their ACD 2.0 programme.

Hexiosec was one of these ten EASM providers and we worked with the NCSC during the evaluation, contributing feedback to support their findings and guidance. The NCSC’s buyer’s guide is a great resource for anyone evaluating EASM solutions.

Based on what the NCSC assessed, and on what I’ve seen matter most to organisations making this transition, here’s what I’d prioritise.

Automated asset discovery

This is the single biggest upgrade from Web Check. A good EASM platform should take a single apex domain (example.org, not a list of hostnames you already know) and automatically discover everything connected to it: subdomains, IP addresses, services, cloud assets, forgotten development servers, legacy infrastructure. You shouldn’t need to tell it where to look. The whole point is that it finds what you didn’t know was there.

This matters because the assets you don’t know about are almost always the ones that get you into trouble. A development server that someone spun up two years ago and forgot about. A subdomain pointing at a cloud resource that’s since been released. An old marketing site running software that hasn’t been patched in years. These are real scenarios - we see them regularly.
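To make the discovery and "released cloud resource" scenarios concrete, here is an added Python example (mine, not Hexiosec's discovery engine) that pulls candidate hostnames out of certificate transparency entries, compares them with the inventory a team believes it owns, and flags CNAMEs into takeover-prone cloud services whose target no longer resolves. All of the log entries, zone data, inventory and provider suffixes are constructed; a live tool would query a CT search such as crt.sh and resolve each CNAME target with real DNS.

```python
"""Discover hostnames from certificate transparency entries, compare them
with a known inventory, and flag CNAMEs left pointing at released cloud
resources. Added example for this article; not Hexiosec's discovery engine.
Every record, entry and provider list below is constructed."""

APEX = "example.org"

# Constructed: the name_value field of crt.sh style entries for a name search.
CT_LOG_ENTRIES = [
    {"name_value": "www.example.org\nexample.org"},
    {"name_value": "*.example.org"},
    {"name_value": "dev-2019.example.org"},
    {"name_value": "Marketing.Example.org"},
    {"name_value": "mail.example.org"},
    {"name_value": "www.example.org"},   # renewals produce duplicate entries
]

# Constructed: what the team believes it owns.
KNOWN_INVENTORY = {"example.org", "www.example.org", "mail.example.org"}

# Constructed DNS view of the zone: name -> (record type, value).
ZONE = {
    "www.example.org": ("A", "203.0.113.10"),
    "example.org": ("A", "203.0.113.10"),
    "mail.example.org": ("A", "203.0.113.25"),
    "dev-2019.example.org": ("CNAME", "old-dev-site.azurewebsites.net"),
    "marketing.example.org": ("CNAME", "d111111abcdef8.cloudfront.net"),
}

# Constructed stand-in for resolving each CNAME target: False means NXDOMAIN,
# i.e. the provider resource was deleted and the name may be claimable by anyone.
TARGET_RESOLVES = {
    "old-dev-site.azurewebsites.net": False,
    "d111111abcdef8.cloudfront.net": True,
}

# Indicative suffixes of services where an unclaimed name can be registered by
# a third party; a production list is longer and needs maintaining.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudfront.net", ".s3.amazonaws.com",
                           ".github.io", ".herokuapp.com", ".trafficmanager.net")


def subdomains_from_ct(entries, apex):
    """Unique, normalised names under `apex`. Wildcards collapse to the apex:
    a wildcard certificate proves the zone exists but names no host."""
    names = set()
    for entry in entries:
        for raw in entry["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            # Match on a label boundary so evil.example.org.attacker.com is excluded.
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return sorted(names)


def unknown_assets(discovered, inventory):
    """Discovered names that nobody in the organisation had on their list."""
    return [name for name in discovered if name not in inventory]


def dangling_cnames(zone, target_resolves, suffixes=TAKEOVER_PRONE_SUFFIXES):
    """Names whose CNAME points into a takeover-prone provider and whose target no longer resolves."""
    return [
        (name, target)
        for name, (rtype, target) in zone.items()
        if rtype == "CNAME" and target.endswith(suffixes) and not target_resolves.get(target, False)
    ]


if __name__ == "__main__":
    found = subdomains_from_ct(CT_LOG_ENTRIES, APEX)
    print("discovered:", found)
    print("not in inventory:", unknown_assets(found, KNOWN_INVENTORY))
    print("dangling CNAMEs:", dangling_cnames(ZONE, TARGET_RESOLVES))
```

On the constructed data the CT pass surfaces two names the inventory never listed (the 2019 dev server and a marketing site), and the CNAME pass singles out the dev server, whose Azure target has gone: exactly the forgotten asset and released cloud resource described above.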

Continuous monitoring, not periodic snapshots

Web Check ran periodic scans. The problem with periodic scanning is that your attack surface changes constantly. Cloud instances spin up and down. Certificates expire. New vulnerabilities are disclosed against software you’re already running. A tool that scans daily and alerts you when something changes gives you a fundamentally different level of assurance than one that checks once a week or once a month.
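The difference between a snapshot and continuous monitoring is the diff between scans. As an added example (my own, not Hexiosec's monitoring logic), here is a Python function that compares two constructed daily snapshots and emits alerts for new hosts, newly reachable services and certificates about to expire. The hosts, ports, expiry dates and the 30-day warning threshold are all constructed assumptions.

```python
"""Diff two attack-surface snapshots and raise change alerts.
Added example for this article; not Hexiosec's monitoring logic.
Snapshots, port labels and the 30-day expiry threshold are constructed."""
from datetime import date

# Constructed snapshots: hostname -> open ports and leaf-certificate expiry.
YESTERDAY = {
    "www.example.org": {"ports": {443}, "cert_expires": date(2026, 4, 20)},
    "mail.example.org": {"ports": {25, 443}, "cert_expires": date(2026, 9, 1)},
}
TODAY = {
    "www.example.org": {"ports": {443}, "cert_expires": date(2026, 4, 20)},
    "mail.example.org": {"ports": {25, 443, 3389}, "cert_expires": date(2026, 9, 1)},
    "staging.example.org": {"ports": {22, 8080}, "cert_expires": None},
}

# Services that should rarely face the internet; labels only, for readable alerts.
RISKY_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 8080: "HTTP-alt"}


def diff_snapshots(before, after, today, expiry_warn_days=30):
    """Return (kind, host, detail) alerts describing what changed between two scans."""
    alerts = []
    for host in sorted(after.keys() - before.keys()):
        alerts.append(("new-host", host, f"not seen in previous scan; open ports {sorted(after[host]['ports'])}"))
    for host in sorted(before.keys() - after.keys()):
        alerts.append(("host-gone", host, "no longer responds; check for dangling DNS before assuming it is retired"))
    for host in sorted(after.keys() & before.keys()):
        for port in sorted(after[host]["ports"] - before[host]["ports"]):
            alerts.append(("new-service", host, f"port {port} ({RISKY_PORTS.get(port, 'unlabelled')}) newly reachable"))
    for host, info in after.items():
        expires = info.get("cert_expires")
        if expires is None:
            continue
        days_left = (expires - today).days
        if days_left < 0:
            alerts.append(("cert-expired", host, f"certificate expired {-days_left} days ago"))
        elif days_left <= expiry_warn_days:
            alerts.append(("cert-expiring", host, f"certificate expires in {days_left} days"))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in diff_snapshots(YESTERDAY, TODAY, date(2026, 4, 1)):
        print(f"{kind:13} {host:22} {detail}")
```

A weekly scan would have shown the same three changes (a new staging host, RDP opened on the mail server, a certificate inside its last 30 days) up to six days later; the diff is cheap, so the cost of running it daily is in triage, which is why the next section matters.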

Actionable findings, not just alerts

One of the most common complaints I hear about security tools is that they generate noise - long lists of findings with no context, no prioritisation, and no guidance on what to do about them. The result is alert fatigue: the tool finds things, nobody acts on them, and the organisation is no more secure than it was before.

What you need is a platform that groups related risks into clear, prioritised actions. If updating a single component on a specific server would resolve twelve separate vulnerabilities, you should see that as one action - not twelve separate alerts. And the remediation guidance should be specific enough that your team can actually act on it without needing to research the fix themselves.

Coverage that matches the NCSC’s framework

The NCSC’s buyer’s guide identifies three core capabilities: insight and visibility (discovering what’s there), security analysis (identifying what’s wrong), and supporting functions (making it manageable). Any tool you evaluate should cover all three convincingly.

Specifically, make sure the tool covers the same ground as both Web Check and Mail Check. That means email security configuration (SPF, DKIM, DMARC, MTA-STS) as well as web vulnerabilities (TLS, certificates, HTTP headers, software components). Some EASM platforms focus heavily on one side and neglect the other. You need both.
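The email side of that checklist is easy to verify yourself, and it is worth knowing what "correctly configured" means in each record. The Python below is an added example (mine, not the NCSC's or Hexiosec's code) covering what Mail Check checked, as described earlier, plus MTA-STS: it parses SPF, DKIM, DMARC and MTA-STS data and flags the weak settings a practitioner looks for first. All DNS records and the MTA-STS policy body are constructed; the selector name and the domain are assumptions, and a live check would fetch the TXT records over DNS and the policy over HTTPS.

```python
"""Evaluate a domain's email-authentication DNS records offline: SPF, DKIM,
DMARC (what Mail Check covered) plus MTA-STS. Added example for this article;
not the NCSC's or Hexiosec's code. All records below are constructed."""

# Constructed TXT records keyed by the name a scanner would query.
SAMPLE_TXT = {
    "example.org": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com a mx ptr ~all",
    "_dmarc.example.org": "v=DMARC1; p=none; pct=100",
    "_mta-sts.example.org": "v=STSv1; id=20260101",
    "selector1._domainkey.example.org": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AconstructedKeyMaterial",
}
# Constructed: policy body served at https://mta-sts.example.org/.well-known/mta-sts.txt
SAMPLE_MTA_STS_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.org\nmax_age: 86400\n"


def parse_tags(record, sep=";"):
    """Split 'k=v; k2=v2' style records into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(sep):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    if record is None or not record.lower().startswith("v=spf1"):
        return [("high", "no SPF record: receivers cannot tell which hosts may send for this domain")]
    findings, lookups, all_qualifier = [], 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
        # RFC 7208 caps DNS-querying terms at 10. Nested includes also count but an
        # offline check cannot see them, so this count is a lower bound.
        if mechanism in ("include", "a", "mx", "ptr", "exists") or mechanism.startswith("redirect="):
            lookups += 1
        if mechanism == "ptr":
            findings.append(("low", "ptr mechanism is deprecated by RFC 7208 and unreliable"))
        if mechanism == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(("high", f"{lookups} lookup terms exceed the limit of 10; receivers return permerror"))
    if all_qualifier is None:
        findings.append(("medium", "no 'all' term; unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("high", "+all authorises every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(("medium", "?all is neutral and provides no protection"))
    return findings


def assess_dmarc(record):
    if record is None or not record.lower().startswith("v=dmarc1"):
        return [("high", "no DMARC record: spoofed mail is neither reported nor rejected")]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"missing or invalid policy p={policy!r}"))
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(("low", f"pct={pct}: policy applies to only part of the mail flow"))
    if "rua" not in tags:
        findings.append(("low", "no rua address: no aggregate reports, so spoofing and misconfiguration go unseen"))
    if policy != "none" and tags.get("sp", "").lower() == "none":
        findings.append(("medium", "sp=none leaves subdomains unprotected"))
    return findings


def assess_dkim(record):
    if record is None:
        return [("medium", "no DKIM key at the checked selector")]
    if not parse_tags(record).get("p"):
        return [("high", "DKIM record has an empty public key (revoked selector)")]
    return []


def assess_mta_sts(txt_record, policy_text):
    if txt_record is None or not txt_record.lower().startswith("v=stsv1"):
        return [("low", "no MTA-STS record: TLS to your MX can be stripped by an on-path attacker")]
    if policy_text is None:
        return [("medium", "MTA-STS DNS record present but no policy file served")]
    policy = {}
    for line in policy_text.splitlines():  # repeated mx lines collapse; presence is all we test here
        key, _, value = line.partition(":")
        policy[key.strip().lower()] = value.strip()
    findings = []
    if policy.get("mode") != "enforce":
        findings.append(("low", f"MTA-STS mode is {policy.get('mode')!r}, not enforce"))
    if not policy.get("mx"):
        findings.append(("medium", "MTA-STS policy lists no mx hosts"))
    return findings


def assess_mail_domain(domain, txt, dkim_selectors, mta_sts_policy_text):
    """Run every check for one domain; `txt` maps DNS names to TXT record strings."""
    dkim = next((txt[f"{s}._domainkey.{domain}"] for s in dkim_selectors
                 if f"{s}._domainkey.{domain}" in txt), None)
    return {
        "spf": assess_spf(txt.get(domain)),
        "dkim": assess_dkim(dkim),
        "dmarc": assess_dmarc(txt.get(f"_dmarc.{domain}")),
        "mta_sts": assess_mta_sts(txt.get(f"_mta-sts.{domain}"), mta_sts_policy_text),
    }
```

On the constructed records every record exists, which is all a naive "is it present" check would report, yet the domain is still spoofable: DMARC is p=none with no reporting address, SPF carries a deprecated ptr term, and MTA-STS is only in testing mode. That gap between present and enforcing is the one to probe when a vendor says their email checks "cover DMARC".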

Clear reporting for different audiences

Your IT team needs technical detail. Your board needs a summary that shows whether risk is going up or down. Your compliance team may need evidence that you’re meeting the requirements of frameworks like Cyber Essentials, the NCSC Cyber Assessment Framework, or sector-specific regulations like DORA or the DSPT.

A good platform should serve all of these audiences without requiring you to manually compile reports from raw data.

What to watch out for

A few things to be cautious about when evaluating alternatives.

Beware tools that only replicate Web Check and Mail Check. The NCSC isn’t recommending you find a like-for-like replacement - they’re recommending you upgrade to a full EASM platform. If a tool only checks websites and certificates, you’re not getting what the NCSC is advising.

Check where the platform is hosted and who owns it. If you’re in the public sector or a regulated industry, data sovereignty may matter. Some platforms are US-hosted or US-owned, which may have implications for how your data is handled and who can access it. It’s worth asking the question.

Don’t confuse a risk score with a security assessment. Some platforms generate a single number that claims to summarise your security posture. That can be useful for benchmarking, but it’s not a substitute for detailed findings that tell you what’s wrong and how to fix it.

If you can’t drill into the detail and understand exactly where a vulnerability exists in your infrastructure, the score isn’t giving you what you need.

Ask about accuracy. False positives waste your team’s time. False negatives leave you exposed. Ask vendors about their approach to accuracy and whether they can demonstrate it with real data, not just marketing claims.

Making the transition

If you haven’t yet put an alternative in place, the priority is to close the visibility gap as quickly as possible. Most EASM platforms - including ours - can be up and running within hours, not weeks. You enter your domain, the platform discovers your assets, runs its checks, and gives you a picture of your current exposure.

If you were relying on Web Check and Mail Check, your first scan will almost certainly reveal things those tools never showed you - simply because EASM platforms look at a much broader surface.

My practical advice: run a scan now, review what it finds, and use that as the basis for a conversation with your team or your board about what needs to happen next. The longer you leave it, the longer you’re flying blind.

Hexiosec ASM was one of ten EASM platforms selected by the NCSC for its ACD 2.0 trial. Built by former UK government and defence intelligence engineers, it gives organisations a continuous, accurate view of their online attack surface - and tells them exactly what to do about the risks it finds.

Start a free scan or book a demo to see your exposure today.


About David Griffiths
David is Hexiosec's Chief Executive Officer, and one of our co-founders. He has 25 years' experience of leading, developing and architecting complex technical systems across the Defence, Government and Commercial sectors. David is a cyber security and cloud infrastructure specialist, with a rich background in agile methodology and modern software development technologies, covering a broad range of environments from embedded systems to web applications.
