Free for UK healthcare, biotech and NHS suppliers

UK GDPR + NHS DSP Toolkit AWS readiness scan

Cambrian is a free command-line scanner that produces a UK GDPR + NHS DSP Toolkit readiness report for your AWS account. Read-only, runs locally in minutes. Designed to prepare you for the formal DSPT audit, not replace it. Built for Cambridge healthtech.

In 24 checks you'll have

Know which of 24 AWS controls you Meet, Don't Meet, or need to review - in minutes, not weeks

Hand your DPO real evidence today, not another action item

Hit the 30 June 2026 DSPT deadline without a last-minute scramble

Save the £5k-£15k a UK consultancy charges for the same evidence

< 5 min typical scan time
~£10k saved vs consultancy
30 Jun DSPT deadline ready
What changes for your team

Four things you can do on Monday that you cannot do today

Cambrian exists for the moments when your DPO, NHS sponsor, board, or auditor asks "where are we?" and the honest answer is "we are not sure." These are the four outcomes Cambridge healthtech and biotech teams use it for.

Hit the 30 June 2026 DSPT deadline without scrambling

Walk into your independent DSPT audit with the technical evidence already gathered, prioritised, and mapped. The assessor confirms what you already know - they are not the first person to find your gaps.

Unblock the NHS contract waiting on your security review

Hand your NHS sponsor a single report that answers the technical half of supplier due diligence. Sales stops chasing security; security stops chasing sales. The deal moves.

Stop paying £5,000-£15,000 for a UK readiness PowerPoint

Replace the consultancy deck with a live readiness report. Every finding cites the exact UK GDPR article and NDG standard your DPO and assessor will ask about, so you walk into the formal audit with the technical groundwork already done.

Brief your board with counts, not a feeling

Open the report in your next board meeting. Met / Not Met / Partial counts against 24 named AWS controls, every Not Met with the UK GDPR article and NDG standard behind it, every Partial with the reason it is not a hard failure. Replaces the vague 'we are working on compliance' update with something the chair can act on.

CLI output

One command, one local report

Cambrian prints progress per check, writes a single self-contained HTML report to disk, and ends with a count: Met / Not Met / Partial / Unable to verify. Every Not Met carries a UK GDPR Article 32 citation, the NDG standard behind it, and a copy-paste remediation step. It is a readiness report, not a compliance certification or audit determination.

cambrian · eu-west-2
$ docker run --rm -v ~/.aws:/root/.aws cambrian \
    --redact --region eu-west-2 --dashboard report.html

  ____                _          _
 / ___|__ _ _ __ ___ | |__  _ __(_) __ _ _ __
| |   / _` | '_ ` _ \| '_ \| '__| |/ _` | '_ \
| |__| (_| | | | | | | |_) | |  | | (_| | | | |
 \____\__,_|_| |_| |_|_.__/|_|  |_|\__,_|_| |_|

  cambrian 0.1.0
  UK GDPR + NHS DSP Toolkit AWS readiness scanner

REDACTED OUTPUT (account IDs, ARNs, resource IDs and emails are masked.)
Checkpoint: /tmp/cambrian-XXXXXXXXXXXX-eu-west-2.ckpt
» Scanning account XXXXXXXXXXXX in eu-west-2
   Root account has MFA enabled (2.4s)
   IAM password policy meets baseline requirements (1.0s)
   S3 buckets have default encryption enabled (84.3s)
   EBS encryption by default is enabled (0.9s)
   EC2 instances require IMDSv2 (1.2s)
   RDS instances have storage encryption enabled (1.1s)
   A multi-region CloudTrail is active with log validation (1.1s)
  ... (24 of 24)
   24/24 checks complete · 81 findings · 4m 53s

Dashboard written to ./report.html

================================================================
  Findings against checked items
  Met 46  Not Met 31  Partial 4  Unable to verify 0  ·  Total 81
================================================================

  MET      Root account has no active access keys
  NOT MET  IAM password policy meets baseline requirements
           UK GDPR: Art 32(1)(b) - Confidentiality of processing
           DSPT:    NDG Std 4 - Strong authentication (assertion 4.5)
           Fix:     IAM > Account settings > Password policy
  PARTIAL  Root account has MFA enabled
           Note: managed at organisation level (member account)
           UK GDPR: Art 32(1)(b)
           DSPT:    NDG Std 4

Need help closing these gaps? Email cambrian-support@tasrieit.com

The report

A client-ready assessment report, not a dashboard

Cambrian writes a single self-contained HTML file in the format your DSPT assessor, DPO, or NHS sponsor expects. Letterhead, executive summary, status definitions, full findings table, methodology. Prints cleanly to PDF, no external assets, ready to attach to your DSPT evidence pack.

Cambrian · CONFIDENTIAL
Technical Assessment Report

UK GDPR & NHS DSP Toolkit Readiness

Point-in-time review of AWS technical configuration against UK GDPR Article 32 and the NDG Data Security Standards.

Account:   XXXXXXXXXXXX
Region:    eu-west-2
Generated: 09 Jun 2026
Report ID: CAM-DFFC5E

1. Executive Summary

  Met 46 · Not Met 31 · Partial 4 · Unable to verify 0 · Total 81

3. Findings (sample)

  Ref.    Status    Control
  IAM-01  Met       Root has no active access keys
  IAM-04  Not Met   Password policy meets baseline
  IAM-01  Partial   Root MFA (org-managed)

How Cambrian scans your AWS account in under 5 minutes

Three steps. A few minutes end to end on most AWS accounts.

01

Request access

Use the form below. We send pull instructions for the Cambrian Docker image, the read-only IAM policy you will need, and a one-page UK GDPR Article 32 + NDG standard mapping reference. Usually within one UK working day.

02

Run it from your terminal

One Docker command, read-only AWS permissions, your existing AWS profile mounted into the container. Defaults to eu-west-2 (London). Under 90 seconds on a small account; a few minutes on accounts with hundreds of S3 buckets or EC2 instances.

03

Open the local report

A single static HTML file with Met / Not Met / Partial / Unable to verify counts, every finding mapped to UK GDPR Article 32 and the NDG standard behind it, and a copy-paste remediation step for every Not Met. Open it in your browser, share it with your DPO, attach it to your DSPT evidence pack.

24 checks across 9 AWS services

Every check maps to both UK GDPR Article 32 and an NHS Data Security and Protection Toolkit NDG standard. One scan, two recognised references your DPO and your DSPT assessor can both quote.

IAM (6 checks)

  • Root MFA
  • No root access keys
  • User MFA
  • Password policy
  • Key rotation 90d
  • No wildcard admin

  UK GDPR: Art 32(1)(b) · DSPT: NDG Std 4

S3 (4 checks)

  • Account public access block
  • Default encryption
  • Versioning
  • Server access logging

  UK GDPR: Art 32(1)(a)(b)(c) · DSPT: NDG Std 1, 7, 9

EC2 (4 checks)

  • Open security groups
  • EBS encryption default
  • IMDSv2 required
  • Public snapshots

  UK GDPR: Art 32(1)(a)(b) · DSPT: NDG Std 1, 9

RDS (4 checks)

  • Public access
  • Storage encryption
  • Backup retention 7d+
  • Deletion protection

  UK GDPR: Art 32(1)(a)(b)(c) · DSPT: NDG Std 1, 7

CloudTrail (1 check)

  • Multi-region trail with log validation

  UK GDPR: Art 5(2) / 32 · DSPT: NDG Std 9

CloudWatch (1 check)

  • Root account usage alarm

  UK GDPR: Art 5(2) / 32 · DSPT: NDG Std 6

KMS (1 check)

  • Customer-managed key rotation

  UK GDPR: Art 32(1)(a) · DSPT: NDG Std 1

VPC (1 check)

  • VPC flow logs enabled

  UK GDPR: Art 5(2) / 32 · DSPT: NDG Std 9

GuardDuty (1 check)

  • Threat detection enabled

  UK GDPR: Art 32(1)(b) · DSPT: NDG Std 6

Global (1 check)

  • UK data residency signal (eu-west-2)

  UK GDPR: Chapter V · DSPT: IG geography
What makes Cambrian different

Six things Cambrian does that a generic AWS scanner does not

Prowler, Security Hub, and AWS Config tell you something is wrong. They do not tell you which UK GDPR article and which NDG standard your DSPT assessor will ask about, and they do not handle the awkward edges (member accounts, large estates, demos with real account IDs). Cambrian does.

Redaction mode for safe demos

Run with --redact and Cambrian masks account IDs, ARNs, resource IDs, organisation IDs, and email addresses in the CLI and HTML output. Share the report with a regulator, screen-record a walkthrough, or hand it to a vendor without leaking sensitive identifiers.

Organisation-aware root checks

Member accounts in AWS Organizations correctly downgrade root MFA findings from Not Met to Partial, with an explicit note that the control is managed at the management account or via Centralized Root Access. Cuts the false-positive root-MFA finding that ruins trust in every other scanner.
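To make the check-and-cite model concrete (the IAM/S3 checks in the list above together with the organisation-aware downgrade described here), this added example evaluates three checks from AWS API response dicts and emits the Met / Not Met / Partial / Unable to verify status with the page's citations. It is not Cambrian's code: the inputs are constructed to mirror the iam get_account_summary, iam get_account_password_policy and s3control get_public_access_block responses, and the password-policy thresholds are assumptions.

```python
"""Three of the IAM/S3 checks listed above, evaluated from AWS API response dicts,
with the organisation-aware PARTIAL downgrade for root MFA. Added example, not
Cambrian's code; the password baseline thresholds are assumed."""
from dataclasses import dataclass
from typing import Optional

MET, NOT_MET, PARTIAL, UNABLE = "MET", "NOT MET", "PARTIAL", "UNABLE TO VERIFY"

# (UK GDPR article, NDG standard) as the page lists them for the IAM and S3 groups.
CITATIONS = {
    "root-mfa": ("Art 32(1)(b)", "NDG Std 4"),
    "password-policy": ("Art 32(1)(b)", "NDG Std 4"),
    "s3-public-access-block": ("Art 32(1)(a)(b)(c)", "NDG Std 1, 7, 9"),
}

@dataclass
class Finding:
    ref: str
    status: str
    note: Optional[str] = None

def check_root_mfa(account_summary: dict, is_org_member: bool) -> Finding:
    """Takes an iam get_account_summary response. In an AWS Organizations member
    account, root MFA off is PARTIAL not NOT MET: it may be managed centrally."""
    enabled = account_summary.get("SummaryMap", {}).get("AccountMFAEnabled")
    if enabled is None:
        return Finding("root-mfa", UNABLE, "AccountMFAEnabled absent from summary")
    if enabled == 1:
        return Finding("root-mfa", MET)
    if is_org_member:
        return Finding("root-mfa", PARTIAL, "managed at organisation level (member account)")
    return Finding("root-mfa", NOT_MET)

def check_password_policy(policy: Optional[dict]) -> Finding:
    """Takes the PasswordPolicy dict from iam get_account_password_policy (None when
    no policy is set). Assumed baseline: length >= 14, four classes, reuse >= 24."""
    if policy is None:
        return Finding("password-policy", NOT_MET, "no custom password policy set")
    classes = ("RequireSymbols", "RequireNumbers",
               "RequireUppercaseCharacters", "RequireLowercaseCharacters")
    ok = (policy.get("MinimumPasswordLength", 0) >= 14
          and all(policy.get(c) for c in classes)
          and policy.get("PasswordReusePrevention", 0) >= 24)
    return Finding("password-policy", MET if ok else NOT_MET)

def check_s3_public_access_block(pab: Optional[dict]) -> Finding:
    """Takes PublicAccessBlockConfiguration from s3control get_public_access_block
    (None when no account-level block exists). All four flags must be on."""
    if pab is None:
        return Finding("s3-public-access-block", NOT_MET, "no account-level block")
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    off = [f for f in flags if not pab.get(f)]
    return Finding("s3-public-access-block", NOT_MET if off else MET,
                   ("disabled: " + ", ".join(off)) if off else None)

def render(f: Finding) -> str:
    """One finding in the CLI layout shown above: status, control, then citations."""
    article, ndg = CITATIONS[f.ref]
    head = f"{f.status:<9}{f.ref}" + (f"  ({f.note})" if f.note else "")
    return f"{head}\n         UK GDPR: {article}\n         DSPT:    {ndg}"

if __name__ == "__main__":
    # Constructed sample: an Organizations member account with weak settings.
    for f in (check_root_mfa({"SummaryMap": {"AccountMFAEnabled": 0}}, True),
              check_password_policy({"MinimumPasswordLength": 8, "RequireSymbols": True}),
              check_s3_public_access_block({"BlockPublicAcls": True, "IgnorePublicAcls": False})):
        print(render(f))
```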

Checkpoint and resume

Stop a scan mid-flight, lose the network, or terminate the session. Re-run the command and Cambrian picks up from the last completed check via a local checkpoint file. Useful on estates with hundreds of S3 buckets or EC2 instances where a single check can run for minutes.

JSON output for re-scans

Pass --output json --output-file scan.json and Cambrian writes structured findings to disk. Diff month-over-month, push into your SIEM, or ingest as DSPT evidence in another tool. The HTML report is the default; JSON is for engineers.
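The month-over-month diff mentioned here, as an added example rather than Cambrian's own tooling: it compares two scan JSON files and separates regressions (a control that was Met and no longer is) from fixes, new resources and removed resources. The JSON layout, the check refs and the resource names are constructed assumptions, since the page does not publish the --output json schema.

```python
"""Month-over-month diff of two Cambrian JSON scan outputs. Added example, not
Cambrian's code: the JSON layout below is an assumption, since the page does not
publish the --output json schema; adjust the field names to the real file."""
import json
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (check ref, resource) identifies one finding across scans

# Constructed sample scans (account ID, refs and resource names are placeholders).
LAST_MONTH = json.dumps({"account": "XXXXXXXXXXXX", "region": "eu-west-2", "findings": [
    {"ref": "IAM-04", "control": "Password policy meets baseline", "resource": "account", "status": "NOT MET"},
    {"ref": "S3-02", "control": "Default encryption", "resource": "bucket-a", "status": "MET"},
    {"ref": "S3-02", "control": "Default encryption", "resource": "bucket-b", "status": "MET"},
    {"ref": "EC2-03", "control": "IMDSv2 required", "resource": "i-0example1", "status": "MET"},
]})
THIS_MONTH = json.dumps({"account": "XXXXXXXXXXXX", "region": "eu-west-2", "findings": [
    {"ref": "IAM-04", "control": "Password policy meets baseline", "resource": "account", "status": "MET"},
    {"ref": "S3-02", "control": "Default encryption", "resource": "bucket-a", "status": "NOT MET"},
    {"ref": "S3-02", "control": "Default encryption", "resource": "bucket-b", "status": "MET"},
    {"ref": "S3-02", "control": "Default encryption", "resource": "bucket-c", "status": "NOT MET"},
]})

def index(scan_json: str) -> Dict[Key, dict]:
    """Map each finding to its (ref, resource) key so two scans can be compared."""
    return {(f["ref"], f["resource"]): f for f in json.loads(scan_json)["findings"]}

def diff_scans(old_json: str, new_json: str) -> Dict[str, List[dict]]:
    """Classify every finding by what changed between two scans. Only MET -> not MET
    is a regression; PARTIAL and UNABLE TO VERIFY are never treated as passes."""
    old, new = index(old_json), index(new_json)
    both = old.keys() & new.keys()
    out = {
        "regressed": [new[k] for k in both if old[k]["status"] == "MET" and new[k]["status"] != "MET"],
        "fixed": [new[k] for k in both if old[k]["status"] != "MET" and new[k]["status"] == "MET"],
        "added": [new[k] for k in new.keys() - old.keys()],    # new resources or checks
        "removed": [old[k] for k in old.keys() - new.keys()],  # resources gone since last scan
    }
    for bucket in out.values():  # deterministic order for reports and tests
        bucket.sort(key=lambda f: (f["ref"], f["resource"]))
    return out

def report(diff: Dict[str, List[dict]]) -> List[str]:
    """Lines to review before the next DSPT evidence update, regressions first."""
    lines = []
    for kind in ("regressed", "added", "fixed", "removed"):
        for f in diff[kind]:
            lines.append(f"{kind.upper():<10}{f['ref']:<8}{f['resource']:<14}{f['status']:<9}{f['control']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(diff_scans(LAST_MONTH, THIS_MONTH))))
```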

DSPT-aligned vocabulary

Cambrian uses MET / NOT MET / PARTIAL / UNABLE TO VERIFY, the same language as DSPT evidence-item attestations. Your DSPT assessor reads the report without translation. Severity bands, percentages, and arbitrary readiness scores stay out of the report entirely - there is no such thing as a "DSPT score".

Self-contained HTML report

A single HTML file, no external assets, no fonts loaded from a CDN, no tracking. Email it as one attachment to your DPO, your assessor, or your NHS sponsor. Every finding includes the Article 32 citation, the NDG standard, the remediation step, and a support email (cambrian-support@tasrieit.com) if you get stuck.

Often confused, very different

The NHS DSP Toolkit and Cambrian are not the same thing

The official NHS Data Security and Protection Toolkit (DSPT) is the annual self-assessment you submit to the NHS. Cambrian is an independent free tool that produces the technical AWS evidence you attach to it. One does not replace the other - they belong together.

Official, mandatory

NHS DSP Toolkit

The annual self-assessment portal run by NHS England at dsptoolkit.nhs.uk. Mandatory for NHS organisations and qualifying IT suppliers.

  • A questionnaire, not a scanner. Your team answers assertions and attaches evidence documents.
  • Covers all 10 NDG standards: people, policies, training, governance, business continuity, and technical controls.
  • Annual cycle. v8 deadline for IT suppliers is 30 June 2026.
  • Publishes a score on the NHS website tied to your organisation.
  • Independent audit required for IT suppliers above the NHS audit threshold.

Run by NHS England. We have no affiliation.

Independent, complementary

Cambrian (this tool)

A free command-line scanner you run on your laptop against your AWS account. Produces a readiness report you attach as evidence to the DSPT assertions about AWS configuration.

  • A scanner, not a questionnaire. Automatic detection across your AWS account.
  • Covers AWS configuration only: the technical sub-set of NDG Standards 1, 4, 6, 7, and 9.
  • Runs on-demand in minutes (under 90 seconds on a small account, a few minutes on large estates). Re-run as often as you change AWS.
  • Produces a local HTML readiness report. Nothing published, nothing uploaded.
  • Independent of NHS England. Built by Tasrie IT Services. Not endorsed by NHS.

Built by Tasrie IT Services. Independent.

How they fit together in practice

You still submit the official NHS DSP Toolkit at dsptoolkit.nhs.uk - nothing replaces that. When the DSPT asks you to provide evidence for NDG Standard 1 ("data not exposed to unauthorised parties"), NDG Standard 4 ("MFA on access"), NDG Standard 7 ("backup and recovery"), or NDG Standard 9 ("audit logging"), you attach the relevant section of your Cambrian readiness report and the per-finding remediation evidence behind it. Cambrian does the technical heavy lifting; the DSPT remains your single, audited declaration to NHS England.

Cambrian is not an official NHS tool, not affiliated with NHS England, and does not produce or replace your DSPT submission. References to NDG standards and assertion numbers are based on the published DSPT v8 (2025-26) framework and should be verified against the official Assertions and Evidence spreadsheet before submission.

What you save

A DSPT readiness check should not cost £15,000

Cambrian does not replace the formal DSPT audit. It does replace the £5k-£15k "readiness PowerPoint" most healthtech and biotech teams pay for before they get there. The technical evidence is the same. The price is not.

Path to AWS readiness evidence               | Typical cost                    | Time to first report        | UK GDPR + DSPT cited
Big Four DSPT readiness engagement           | £15,000 - £50,000               | 6 - 12 weeks                | Yes
Small UK security consultancy                | £5,000 - £10,000                | 3 - 6 weeks                 | Usually
In-house senior engineer + open-source tools | £1,500 - £2,500 internal time   | 2 - 3 days of focused work  | You map them yourself
Cambrian (this tool)                         | £0 forever                      | ~90 sec to a few minutes    | Yes, automatically

Cambrian produces a readiness report, not a compliance certification or an audit determination. It is a focused technical scan that gives you the AWS configuration findings you would otherwise spend weeks or thousands of pounds gathering. Cost ranges based on UK SMB rates for DSPT v8 readiness work in 2025-26.

Built for

  • NHS digital-health and clinical-software vendors approaching the 30 June 2026 DSPT deadline
  • Cambridge biotech and genomics teams handling identifiable patient or participant data on AWS
  • Clinical-research SaaS startups preparing for their first ISO 27001, Cyber Essentials Plus, or DSPT audit
  • CTOs and DPOs who need to brief a board on AWS security posture without paying for a Big Four readiness scan

What Cambrian does not do

This is a technical configuration scan only. It will not, by itself, satisfy any of the following.

  • Policies, training records, governance documents, or business continuity plans
  • The independent DSP Toolkit audit itself (mandatory for IT suppliers in 2025-26 / v8)
  • A formal UK GDPR compliance determination - that is your DPO or supervisory authority
  • Continuous monitoring or drift detection - this is a point-in-time scan

Use it for gap analysis and readiness, then engage a qualified assessor for formal submission.

Optional

Cambrian pricing: free tool, optional paid help

You run it. We run it. Or we run it monthly.

The Docker image stays free forever, no licence key, no usage cap. The two paid options are for teams who want us to run the scan once, or to run it every month with a support inbox. Remediation work is a separate engagement under our AWS managed services.

Self-serve

You run it

£0 / no licence, no cap

Answers this afternoon, not a quote next quarter.

  • Pull the Docker image, run on any AWS account, local, or on-prem
  • DSPT readiness against 24 controls, in under an hour
  • Skip the £5k-£15k consultancy bill
  • Read-only, local, nothing uploaded
  • You install, run, and remediate yourself
Request the free download
Scan-as-a-service

We run it

£495 / one-off, GBP

Skip a day of Docker and IAM setup. Report this week.

  • Readiness report on your desk by Friday
  • 60-min session with a senior engineer on your AWS
  • Top 5 fixes ranked by effort vs risk
  • Runs on your machine, report stays on your disk
  • No vendor cloud, no copy held after the session
Book your Friday slot
Most popular
Ongoing

We run it monthly + support

£395 / month

or £3,995 / year · 2 months free

For teams shipping AWS changes every sprint. Monthly scan plus someone to ping.

  • Monthly scan in your environment, on your schedule
  • Reports stay on your servers, no vendor cloud
  • Catch misconfigurations in weeks, not at audit time
  • 1-day SLA support inbox for findings and tuning
  • New checks and CVE updates ship to you first
Discuss a care plan
Free download · UK only

Request free access to Cambrian

Tell us about your AWS environment and your NHS / UK GDPR exposure. A senior engineer from our team replies within one working day with pull instructions for the Cambrian Docker image, the read-only IAM policy, and a one-page UK GDPR Article 32 + NDG standard mapping reference.

  • Sent to your work email only

    We do not share or sell your details. Privacy policy applies.

  • Optional 20-min onboarding call

    A senior engineer walks you through your first scan. Skip it if you would rather just read the docs.

  • Includes UK GDPR / DSPT mapping reference

    A one-page reference of every check, its Article 32 citation and its NDG standard. Drop it straight into your DPIA.

By submitting, you agree to our Privacy Policy and Terms. We reply from a real human inbox, within one UK working day.

Questions UK healthcare and biotech teams ask before requesting Cambrian

If your question is not here, mention it in the form above and we will answer it in the reply.

Is this an official NHS or ICO tool?

No. Cambrian is an independent free utility built by Tasrie IT Services, distributed as a Docker image on request. It maps your AWS configuration to the UK GDPR Article 32 technical requirements and the NHS Data Security and Protection Toolkit v8 NDG standards, but it is not the formal DSPT submission or audit and not a UK GDPR compliance determination. Use it for gap analysis, then engage a qualified assessor for formal submission.

Why is it free? What is the catch?

There is no catch. We built Cambrian because the Cambridge healthtech and biotech teams we work with kept paying £5,000-£15,000 for a 'readiness scan' that was just a Prowler run with a UK-flavoured PDF on top. We wanted a UK-specific tool with the right references baked in. If you later need help fixing the gaps it surfaces, that work is a separate engagement under our AWS managed services. If not, keep the tool and move on.

What AWS access do you need for the £495 scan-as-a-service?

None of your credentials. We share a screen, you keep the keyboard, Cambrian runs from your laptop under your existing AWS profile. We see the output as you see it. After the session ends we hold no credentials, no access, and no copy of your account state. The same applies on the care plan - you run the monthly scan, you share what you want to share.

If the tool is free, what are the £495 and £395 prices on the pricing block for?

Two levels of our time, not the tool. Cambrian itself is free, unlicensed, and uncapped - pull the Docker image and run it forever without paying us a penny. The £495 scan-as-a-service is for teams who would rather not spend an afternoon on Docker and IAM setup: we share a 60-min session, run the scan with you on your AWS, and you walk away with the readiness report by Friday. The £395/month retainer is for teams who want us to run the monthly scan and have a support inbox to ping when something changes. Remediation work is a separate engagement under our AWS managed services. Most teams use the tool for free and never speak to us; that is fine.

What AWS permissions does it need?

Read-only. AWS managed ReadOnlyAccess is sufficient. We never recommend granting more. The scan never writes to your account, never assumes a role outside the one you give it, and never makes network calls outside the AWS APIs.

Does any of my data leave my laptop?

No. Cambrian runs locally inside a Docker container, calls the AWS API under the profile you mount into it, and renders a local HTML file on your disk. There is no telemetry, no cloud back-end, no licence key check. You can inspect the image and read every line of source before you run it.

How is this different from AWS Security Hub, Prowler, or Inspector?

Security Hub and Prowler are general-purpose, multi-framework tools and Inspector is workload vulnerability scanning. Cambrian is a focused 24-check baseline where every result already cites the exact UK GDPR article and the NDG standard your DPO or assessor will ask about. If you are running Prowler too, brilliant - Cambrian is the UK-specific lens on top.

We are a Cambridge biotech with one AWS account and an NHS research contract. Is this overkill?

It is the opposite of overkill. The 24 checks are the technical floor you should be able to evidence the moment an NHS sponsor, ethics committee, or funder asks. Most early-stage healthtech teams discover three to five of them are missing the first time they run it.

What happens after I submit the request form?

A senior engineer from our team replies with the download link, a one-page UK GDPR / DSPT mapping reference, and an optional 20-minute call to walk through your first scan. You can ignore the call invitation - the tool works on its own.

Can you actually fix the failures it finds?

Yes, but as a separate engagement. Cambrian is the scanner and the report. Remediation work (encrypting EBS, enabling GuardDuty, fixing IMDSv2, locking down security groups, configuring CloudTrail, etc.) is delivered under our AWS managed services as a fixed-scope engagement. Most early-stage healthtech teams need 1-2 weeks of work to close everything Cambrian surfaces. We keep the scanner and the remediation work cleanly separated so you can take the report to any vendor, not just us.

How do I get help if a check confuses me or fails to run?

Every report ends with a support address: cambrian-support@tasrieit.com. Email the redacted finding (use the --redact flag on your scan) and a senior engineer will reply with the cause and the fix. No support contract required.

What this tool is, and isn't

Cambrian produces a readiness report - a point-in-time technical view of your AWS configuration against the controls behind UK GDPR Article 32 and the NHS Data Security and Protection Toolkit v8 NDG standards. It is not a compliance certification, a UK GDPR compliance determination, the formal DSPT submission, or the independent DSPT audit. Those remain the responsibility of your DPO, your supervisory authority, and a qualified DSPT assessor.

Use Cambrian for gap analysis and readiness preparation, then engage a qualified assessor for formal submission. The output of Cambrian and any related scan-as-a-service or care plan engagement is informational and does not constitute legal advice.

Not sure which option fits?

20-minute fit call. We look at your AWS environment and your DSPT / UK GDPR deadline, then tell you honestly whether the free tool is enough or whether the scan-as-a-service is the right next step. No pitch.
