Skip to main content
Vantyris

For UK accountants, bookkeepers & tax advisers

Evidence for the engagement letter, the PI renewal form, and the client questionnaire.

Vantyris scans your firm's externally-visible posture — email authentication, client portal exposure, WordPress hardening, privacy compliance — and returns a plain-English report plus four PDF layouts including a compliance pack sized for your insurer or auditor. From £10. No contracts. UK-based.

The reality

What we hear from accounting partners

01

Your engagement letter mentions security in vague terms because nobody actually checks.

02

A larger client added a 'cyber hygiene scan in the past 12 months' line to their supplier questionnaire and you have no evidence to send.

03

Your PI renewal form added cyber questions this year. The answers are written; you don't have proof.

04

Tax season is now and you've heard a peer firm got phished — and you can't say with confidence the same path is closed on yours.

What a typical accountant scan surfaces

One finding, shown in plain English.

Every finding in your Vantyris report is shaped the same way: what it means for your business, how to fix it, who to ask, and the technical evidence one tap below.

medium

Some of your outgoing emails are silently landing in client spam folders

Your SPF record exceeds the RFC 7208 ten-lookup limit, which means receiving mail servers PermError and treat ALL your authenticated mail as failed — even from properly-authorised senders. The practical effect: emails from your firm to Gmail / Outlook recipients can land in spam silently, with no bounce. Client never sees the message; you never know it didn't arrive.

How to fix it

Flatten the SPF record by inlining one or two of the highest-cost includes. The report names the exact change and the tools that automate the flattening (autoSPF, Dmarcly SPF flattener). About an hour of work. Re-test by sending to a Gmail account and checking the 'Show original' header for `dkim=pass spf=pass dmarc=pass`.

Why accountants buy Vantyris

Documented hygiene, four PDF layouts including a compliance pack

The same scan downloads as a full editorial report, a single-page executive summary for the partner's board pack, a single-issue work order to forward to your IT contractor, or a compliance pack sized for an auditor or insurer with the Cyber Essentials A1-A5 grid front and centre. All four carry an audit-trail footer with the scan ID, date, and methodology version — the kind of evidence a professional indemnity insurer reviews.

An Executive Summary the partner can actually read

Every verified report opens with a one-page executive summary aimed at non-technical readers: headline grade, top three biggest wins, projected post-fix score, plus a 'Business impact in plain English' table mapping each finding to its commercial risk. The partner reads page two; the IT contractor reads from page seven onward. No translation between the two.

A Fix Roadmap that the partner can hand to the IT contractor

Every finding lands in a Today / This Week / Later bucket, grouped within by owner (web host, developer, DNS admin, email provider). The IT contractor opens the work-order PDF and sees their one list of fixes; the partner sees the high-level plan. Items that need confirmation rather than action sit in an Acknowledged bucket so the urgent list stays urgent. Less back-and-forth, faster close-out, cleaner audit trail.

Forward a link, not a PDF

A time-limited share link lets your auditor or insurer view the report directly in their browser. Optional watermark with their name and date. Revoke any time. View count is visible to you — useful when a partner asks whether the insurer actually opened the file.

A public trust page for your firm's website

Turn on /trust/<your-firm-slug>. It shows your current grade and the controls Vantyris has verified. Put the URL in your engagement letter, your PI renewal form, or your supplier questionnaire response. The insurer / client reads it themselves; you don't email them a stale PDF every twelve months.

Pay per scan, no annual seat licence

£25 covers fifteen verified scans. Enough for one firm's annual baseline plus a handful of re-scans after fixes. No subscription, no quote call, no contract. Top up when you need it.

We have no accountant testimonials to publish until real customers consent to being case-studied. Until then, we'd rather ship nothing than ship something fake.

Long read

15-minute read

The 12 cyber questions on your PI renewal, decoded.

Plain-English playbook for accountants, written by the Vantyris editorial team. Specific, opinionated, not a generic checklist.

Read the full playbook →

FAQ for accountants

Common questions from accounting firms

Does this count for Cyber Essentials certification?

Vantyris is not a certifying body. Every verified report includes a Cyber Essentials A1-A5 alignment section that maps each finding to the five NCSC control areas, so you can see which CE questions an external scan can speak to and which need internal evidence (endpoint posture, user-access control, patching cadence). It produces the starting checklist for a CE submission, not the certificate itself.

Will my client see anything?

No. Vantyris scans your firm's externally-visible attack surface — DNS records, response headers, exposed paths. Your client's data isn't visible to a Vantyris scan unless your firm exposes it on the public internet, which itself would be a finding (and one you'd want to know about immediately).

Can I scan a client's site on their behalf?

Yes, with their written authorisation. The client puts the verification token (DNS TXT, file, or meta tag) in place — that's the documented authorisation, and what the UK Computer Misuse Act 1990 requires. Email us for a template authorisation letter if you want a paper trail before they configure verification.

What if our IT contractor disagrees with a finding?

Every finding has its technical evidence in the report (raw header values, observed DNS records) and a workflow status. If the contractor has a justified reason — 'WAF rule blocks this path after three attempts' — set the finding to 'Accepted as known risk' with the written reason. The suppression auto-expires after 90 days so it isn't silently forgotten, and the audit history records who decided what, when, and why.

What about findings the scanner can't fully verify from outside?

Some findings (login pages being reachable, the absence of server-side rate-limiting) sit on the boundary of what a passive external scan can prove. Vantyris labels these Medium confidence with an explicit 'caveats' line in the evidence pack: it can confirm what's externally visible but cannot prove the absence of server-side controls. If you already enforce those controls, Accept the finding with a written reason.

Can my PI insurer just check our posture themselves?

Yes. Enable a public trust page at /trust/<your-firm-slug> showing your current grade and the controls Vantyris has verified. Put the URL on the renewal form. The insurer reads it themselves; you don't email them a stale PDF every twelve months. The trust page is a live view — re-scans update it automatically.

More questions? Full FAQ.

Ready when you are.