For UK accountants, bookkeepers & tax advisers
Evidence for the engagement letter, the PI renewal form, and the client questionnaire.
Vantyris scans your firm's externally-visible posture — email authentication, client portal exposure, WordPress hardening, privacy compliance — and returns a plain-English report plus four PDF layouts including a compliance pack sized for your insurer or auditor. From £10. No contracts. UK-based.
The reality
What we hear from accounting partners
Your engagement letter mentions security in vague terms because nobody actually checks.
A larger client added a 'cyber hygiene scan in the past 12 months' line to their supplier questionnaire and you have no evidence to send.
Your PI renewal form added cyber questions this year. The answers are written; you don't have proof.
Tax season is now and you've heard a peer firm got phished — and you can't say with confidence the same path is closed on yours.
What a typical accountant scan surfaces
One finding, shown in plain English.
Every finding in your Vantyris report is shaped the same way: what it means for your business, how to fix it, who to ask, and the technical evidence one tap below.
Some of your outgoing emails are silently landing in client spam folders
Your SPF record exceeds the RFC 7208 ten-lookup limit, which means receiving mail servers PermError and treat ALL your authenticated mail as failed — even from properly-authorised senders. The practical effect: emails from your firm to Gmail / Outlook recipients can land in spam silently, with no bounce. Client never sees the message; you never know it didn't arrive.
How to fix it
Flatten the SPF record by inlining one or two of the highest-cost includes. The report names the exact change and the tools that automate the flattening (autoSPF, Dmarcly SPF flattener). About an hour of work. Re-test by sending to a Gmail account and checking the 'Show original' header for `dkim=pass spf=pass dmarc=pass`.
Why accountants buy Vantyris
Documented hygiene, four PDF layouts including a compliance pack
An Executive Summary the partner can actually read
A Fix Roadmap that the partner can hand to the IT contractor
Forward a link, not a PDF
A public trust page for your firm's website
Pay per scan, no annual seat licence
We have no accountant testimonials to publish until real customers consent to being case-studied. Until then, we'd rather ship nothing than ship something fake.
Long read
15-minute read
The 12 cyber questions on your PI renewal, decoded.
Plain-English playbook for accountants, written by the Vantyris editorial team. Specific, opinionated, not a generic checklist.
Read the full playbook →FAQ for accountants
Common questions from accounting firms
Does this count for Cyber Essentials certification?
Vantyris is not a certifying body. Every verified report includes a Cyber Essentials A1-A5 alignment section that maps each finding to the five NCSC control areas, so you can see which CE questions an external scan can speak to and which need internal evidence (endpoint posture, user-access control, patching cadence). It produces the starting checklist for a CE submission, not the certificate itself.
Will my client see anything?
No. Vantyris scans your firm's externally-visible attack surface — DNS records, response headers, exposed paths. Your client's data isn't visible to a Vantyris scan unless your firm exposes it on the public internet, which itself would be a finding (and one you'd want to know about immediately).
Can I scan a client's site on their behalf?
Yes, with their written authorisation. The client puts the verification token (DNS TXT, file, or meta tag) in place — that's the documented authorisation, and what the UK Computer Misuse Act 1990 requires. Email us for a template authorisation letter if you want a paper trail before they configure verification.
What if our IT contractor disagrees with a finding?
Every finding has its technical evidence in the report (raw header values, observed DNS records) and a workflow status. If the contractor has a justified reason — 'WAF rule blocks this path after three attempts' — set the finding to 'Accepted as known risk' with the written reason. The suppression auto-expires after 90 days so it isn't silently forgotten, and the audit history records who decided what, when, and why.
What about findings the scanner can't fully verify from outside?
Some findings (login pages being reachable, the absence of server-side rate-limiting) sit on the boundary of what a passive external scan can prove. Vantyris labels these Medium confidence with an explicit 'caveats' line in the evidence pack: it can confirm what's externally visible but cannot prove the absence of server-side controls. If you already enforce those controls, Accept the finding with a written reason.
Can my PI insurer just check our posture themselves?
Yes. Enable a public trust page at /trust/<your-firm-slug> showing your current grade and the controls Vantyris has verified. Put the URL on the renewal form. The insurer reads it themselves; you don't email them a stale PDF every twelve months. The trust page is a live view — re-scans update it automatically.
More questions? Full FAQ.