NCSC Retires Web Check and Mail Check Security Tools
▼ Summary
– The UK’s National Cyber Security Centre will retire its Web Check and Mail Check cybersecurity tools by March 31, 2026.
– These tools have helped organizations scan for web vulnerabilities and implement email security controls since 2017.
– The NCSC is retiring these services to redirect resources toward new initiatives protecting UK cyber infrastructure.
– Current users must find commercial alternatives and can use an NCSC buyer’s guide to evaluate replacement solutions.
– Subscribers to Early Warning and DNS Check services will continue receiving findings through their MyNCSC accounts.
Organizations across the United Kingdom that currently depend on two widely-used external attack surface management tools from a government cybersecurity body must identify and transition to alternative solutions before the upcoming deadline. The National Cyber Security Centre (NCSC) has officially announced it will retire its Web Check and Mail Check services by March 31, 2026. This strategic decision aligns with the agency’s Active Cyber Defence 2.0 roadmap, which emphasizes focusing resources on areas where commercial market offerings are insufficient or where the NCSC’s unique position within GCHQ can significantly enhance nationwide cyber resilience.
A service owner at the NCSC explained that stepping back from these tools will free up capacity for new projects aimed at strengthening the UK’s overall cyber infrastructure. Since their introduction in 2017, Web Check and Mail Check have provided valuable support to British entities in managing external digital risks. Web Check performs automated scans to detect frequent web vulnerabilities and configuration errors, including checks for valid digital certificates and updated content management systems. Meanwhile, Mail Check assists organizations in deploying essential anti-spoofing protocols like SPF, DKIM, and DMARC, while also verifying TLS encryption to ensure communication privacy.
The NCSC is strongly advising all current users of both services to begin evaluating and adopting commercial replacements well ahead of the March 2026 end-of-life. To facilitate this transition, the centre will publish a comprehensive buyer’s guide. This resource is intended to help organizations pinpoint suitable products by focusing on several critical capabilities. Prospective solutions should provide clear visibility into all assets across the entire external attack surface, including DNS configurations, live websites, and digital certificates. They must also deliver thorough security analysis covering identified risks in software, email, and any exposed services. Additionally, the NCSC recommends looking for supporting features such as centralized overview dashboards, downloadable reporting functions, and workflow tools that allow teams to comment on findings or update their status.
As part of their ongoing security efforts, organizations are also encouraged to consider the NCSC’s “Check your cyber security” service, which evaluates email systems for anti-spoofing and privacy protections. It is important to note that subscribers to the NCSC’s Early Warning and DNS Check services will not be immediately affected. These users will continue to receive relevant findings from the retiring Mail Check and Web Check tools directly through their MyNCSC accounts for the time being.
(Source: InfoSecurity Magazine)
