
CAF: How to go from ‘not achieved’ to ‘achieved’ in security monitoring


Let’s face it. Getting your monitoring capabilities to a level where you can confidently detect and respond to cyber threats is no small task.

If your organisation is aligning with the NCSC’s Cyber Assessment Framework (CAF), you’re probably familiar with C1.a – Monitoring Coverage.

(That’s ‘objective C’, ‘principle 1’ and ‘contributing outcome a’ for those who really know their stuff.)

This contributing outcome is all about ensuring that your organisation has robust, comprehensive and reliable monitoring in place to detect potential security incidents.

For many organisations, monitoring is one of the trickiest areas to get right. Whether it’s because of limited resources, fragmented tools or an incomplete understanding of what needs to be monitored, it’s easy to fall short.

But that’s where Managed Extended Detection and Response (XDR) services can make all the difference.

I’m going to break down what it means to achieve monitoring coverage under C1.a, why it matters and how a managed XDR service like CloudGuard’s can help you move from ‘not achieved’ to the gold standard of ‘achieved.’

By the end, you’ll have a clear understanding of what steps to take and why investing in Managed XDR could be the game-changer your organisation needs.

What does C1.a – Monitoring Coverage mean?

The CAF defines C1.a as the need for monitoring coverage that is comprehensive enough to reliably detect security incidents affecting your essential functions.

This means putting systems and processes in place to collect, analyse and act on data from across your organisation.

But what exactly does that look like?

[Diagram: the structure of C1.a within the Cyber Assessment Framework]

You can learn more about how the CAF is structured here.

Now, let’s look at the three status levels or the ‘Indicators of Good Practice’ (IGPs) in a bit more detail.

Not achieved

If your organisation is in the ‘not achieved’ category for C1.a, you’ve got some work to do.

Here’s what this looks like:

  • No data collection: Security and operational data about your essential functions aren’t being collected at all. Without data, there’s no way to detect threats or understand what’s happening in your environment.
  • No IoC detection: Indicators of Compromise (IoCs)—such as malicious command and control signatures—aren’t being identified. This leaves you unable to detect threats that could already be active within your network.
  • No user monitoring: There’s no ability to audit user activities or detect suspicious behaviour related to your essential functions.
  • No network traffic monitoring: You’re not capturing traffic at your network boundary, even at a basic level (e.g., IP connections).

In short, you’re operating without visibility, which makes it impossible to respond to potential security incidents effectively.

Partially achieved

Moving to ‘partially achieved’ status means you’ve made some progress, but you’re not quite where you need to be.

Here’s what this looks like:

  • Partial data collection: You’re collecting some security and operational data but the coverage is inconsistent or incomplete.
  • Basic IoC detection: You can detect IoCs but the process may not be reliable or comprehensive.
  • Limited user monitoring: You’re monitoring user activity but only for a narrow set of behaviours or policy violations.
  • Basic network traffic monitoring: You’ve started monitoring traffic at your network boundary but the coverage isn’t extensive.

At this stage, you’ve got the foundation in place, but you need to expand and deepen your capabilities to reach full compliance with C1.a.

Achieved

To reach ‘achieved’ status, your organisation needs to have robust and proactive monitoring in place.

Here’s what that looks like:

  • Informed monitoring: Your monitoring is guided by a clear understanding of your networks, common attack methods, and the specific threats that could disrupt your essential functions.
  • Detailed data collection: You’re gathering data that’s granular enough to reliably detect incidents and policy violations.
  • Comprehensive IoC detection: Detecting IoCs is straightforward, reliable, and effective.
  • Extensive user monitoring: You’re monitoring user activity comprehensively, with clear policies and tools to identify undesirable behaviours.
  • Complete coverage: Your monitoring includes host-based monitoring, network gateways, and integration of new systems as they come online.

This is where you want to be—your monitoring capabilities are proactive, resilient, and capable of responding to evolving threats.

Why does monitoring coverage matter?

Reaching the ‘achieved’ level for C1.a isn’t just about ticking a box. It’s about ensuring that your organisation can detect and respond to threats before they escalate into full-blown incidents.

Without adequate monitoring, threats can go unnoticed for weeks, months or even years. This puts your essential functions at risk.

Good monitoring also supports other aspects of your cybersecurity strategy.

For example, it provides the visibility you need to conduct thorough investigations, improve your response processes, and continuously enhance your security posture.

How Managed XDR can take you from ‘not achieved’ to ‘achieved’

So, how can a Managed XDR service help?

I’m going to break it down step by step.

1. Comprehensive data collection

One of the biggest barriers to achieving C1.a is the lack of comprehensive data collection.

Managed XDR services solve this problem by aggregating data from a wide range of sources, including endpoints, network traffic, cloud platforms and user activity.

With Managed XDR, you’re not just collecting data. You’re centralising it in a way that makes it easier to analyse and act on.

This gives you the foundation you need to detect threats reliably.

2. Advanced IoC detection

Managed XDR platforms come equipped with advanced tools for detecting Indicators of Compromise (IoCs).

Using AI, machine learning and up-to-date threat intelligence, these services can identify malicious activities like command and control traffic, ransomware or phishing attempts.

This aligns perfectly with the CAF’s requirements for ‘achieved’ status, where IoC detection is both reliable and proactive.

3. Robust user activity monitoring

User activity monitoring is critical for detecting insider threats, policy violations and other risks.

Managed XDR services often include behavioural analytics that can flag unusual or suspicious user actions.

This helps you move beyond basic monitoring to a more comprehensive approach, covering an agreed list of undesirable behaviours and potential policy breaches.

4. Network traffic visibility

Monitoring network traffic is another area where Managed XDR shines.

These services can capture and analyse traffic crossing your network boundary, as well as activity within your network.

For ‘achieved’ status, you need both host-based monitoring and gateway-level visibility.

Managed XDR provides this level of coverage, ensuring that you’re not missing any critical data points.

5. Proactive integration and scalability

Reaching ‘achieved’ status requires you to bring new systems and data sources into your monitoring strategy as they come online, not just the estate you have today.

Managed XDR services are inherently scalable, allowing you to integrate new technologies and adapt to changing requirements.

This ensures that your monitoring remains comprehensive and effective over time, even as your organisation evolves.
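To make the five capabilities above concrete, here is an added example (it is not CloudGuard’s code, nor anything from the NCSC) that answers three of the C1.a questions over constructed sample data: do boundary connections get matched against known IoCs (sections 2 and 4), do user actions get checked against an agreed list of undesirable behaviours (section 3), and does every host in the asset inventory actually report into the monitoring platform (sections 1 and 5). All hostnames, usernames and IoC addresses are made up; the IoC addresses use documentation IP ranges.

```python
"""Added example: a minimal, offline C1.a-style check over constructed logs.

None of the hosts, users or addresses here are real; they exist only so the
three checks below have something to run against.
"""
from collections import Counter
from datetime import datetime

# --- Constructed inputs -----------------------------------------------------
# Hypothetical command-and-control addresses from a threat-intelligence feed.
IOC_C2_IPS = {"203.0.113.45", "198.51.100.7"}

# Every host that supports an essential function and therefore must report.
ASSET_INVENTORY = {"fs01", "db01", "web01", "hr-laptop-12", "new-erp-01"}

# Boundary connection records: (timestamp, source host, destination IP, port).
CONNECTION_LOGS = [
    ("2025-01-10T09:00:05", "web01", "192.0.2.10", 443),
    ("2025-01-10T09:01:12", "fs01", "203.0.113.45", 8443),
    ("2025-01-10T09:02:40", "db01", "192.0.2.22", 5432),
    ("2025-01-10T09:05:01", "hr-laptop-12", "198.51.100.7", 443),
]

# Authentication records: (timestamp, user, event, host).
AUTH_LOGS = [
    ("2025-01-10T02:10:00", "alice", "login_success", "fs01"),
    ("2025-01-10T09:00:00", "bob", "login_failure", "db01"),
    ("2025-01-10T09:00:03", "bob", "login_failure", "db01"),
    ("2025-01-10T09:00:06", "bob", "login_failure", "db01"),
    ("2025-01-10T09:00:09", "bob", "login_failure", "db01"),
    ("2025-01-10T09:00:12", "bob", "login_failure", "db01"),
    ("2025-01-10T09:00:15", "bob", "login_success", "db01"),
    ("2025-01-10T10:30:00", "carol", "login_success", "web01"),
]


def match_iocs(connection_logs, ioc_ips):
    """Return (source host, destination IP) pairs that hit a known C2 address."""
    return [(host, dst) for _, host, dst, _ in connection_logs if dst in ioc_ips]


def flag_user_behaviour(auth_logs, business_hours=(8, 18), fail_threshold=5):
    """Apply an agreed list of undesirable behaviours to the auth records.

    Two illustrative rules: a successful interactive login outside business
    hours, and a burst of failed logins followed by a success (the pattern a
    password-guessing attempt leaves behind).  Returns (user, reason) tuples.
    """
    alerts = []
    failures = Counter()
    for ts, user, event, host in auth_logs:
        hour = datetime.fromisoformat(ts).hour
        if event == "login_success" and not (business_hours[0] <= hour < business_hours[1]):
            alerts.append((user, f"out-of-hours login on {host}"))
        if event == "login_failure":
            failures[user] += 1
        elif event == "login_success" and failures[user] >= fail_threshold:
            alerts.append((user, f"{failures[user]} failures then success on {host}"))
            failures[user] = 0
    return alerts


def hosts_seen(connection_logs, auth_logs):
    """Every host name that produced at least one record in either source."""
    return {h for _, h, _, _ in connection_logs} | {h for _, _, _, h in auth_logs}


def coverage_gaps(inventory, reporting_hosts):
    """Inventory hosts with no records at all: the 'new system not yet
    integrated' gap that keeps an organisation at 'partially achieved'."""
    return set(inventory) - set(reporting_hosts)


def c1a_summary():
    """Run all three checks and return their findings as one dictionary."""
    return {
        "ioc_hits": match_iocs(CONNECTION_LOGS, IOC_C2_IPS),
        "user_alerts": flag_user_behaviour(AUTH_LOGS),
        "unmonitored_hosts": sorted(
            coverage_gaps(ASSET_INVENTORY, hosts_seen(CONNECTION_LOGS, AUTH_LOGS))
        ),
    }


if __name__ == "__main__":
    for check, findings in c1a_summary().items():
        print(f"{check}: {findings}")
```

Running it reports two IoC hits, two user-behaviour alerts (alice’s out-of-hours login and bob’s five failures followed by a success) and one unmonitored host, new-erp-01, which is in the inventory but has never sent a record. That last finding is the one a CAF assessor looks for: a platform can detect IoCs perfectly and still leave you at ‘partially achieved’ if new systems are not being onboarded.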

Beyond the technology

While Managed XDR can give you the tools you need, it’s important to remember that reaching ‘achieved’ status for C1.a isn’t just about technology.

Here are a few additional considerations:

  • Make sure your monitoring strategy aligns with your organisation’s overall risk management approach.
  • Customise the XDR solution to focus on your essential functions and business priorities.
  • Ensure your team is equipped to interpret alerts, respond effectively and maximise the value of the XDR platform.

Final thoughts

Reaching ‘achieved’ status for C1.a is about more than just compliance. It’s about building a monitoring strategy that protects your organisation’s most critical functions.

A Managed XDR service like CloudGuard PROTECT can play a key role in helping you get there. It can do this by addressing gaps in your data collection, IoC detection, user activity monitoring and network traffic visibility.

The journey from ‘not achieved’ to ‘achieved’ isn’t always easy, but with the right tools, support and mindset, it’s absolutely within your reach.

If you’re ready to take the next step, a Managed XDR service could be the partner you need to make it happen.

Remember, cybersecurity is a continuous process, not a one-off project. By investing in the right capabilities today, you’re setting your organisation up for long-term success and resilience.

Author: Thomas Shelton
