Software only · Low startup cost · Side hustle friendly · Solo founder viable

UK SME Cyber Questionnaire Assistant

Security Questionnaires, Answered by Lunch

Score: 7.35/10

Executive Summary

In a nutshell

A £29/mo AI assistant that ingests the cyber security questionnaires enterprise buyers send to UK SMEs (SIG Lite, CAIQ, bespoke Word docs), maps each question to the SME’s existing evidence — or flags the gap — and drafts a compliant answer. It sits alongside an evidence vault for policies, MFA proofs, backup tests and pen-test summaries. The Cyber Security and Resilience Bill 2026 is pulling MSPs and “critical suppliers” into NIS scope for the first time, and enterprise procurement now routinely demands Vanta-grade answers from £500k-turnover suppliers. Vanta, Drata, Conveyor and SafeBase all exist — they all start at $4,800–$15,000 a year and are built for Series B scale-ups, not the plumber-with-an-IT-department. There is a fat £29–£99/mo gap at the bottom.
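The "map each question to existing evidence or flag the gap" step described above, as an added example that is not part of the original page or of any product it mentions. It is a small Python evidence index that ranks vault documents against each questionnaire item by TF-IDF cosine similarity, standing in for the embedding or LLM retrieval a real RAG pipeline would use; the evidence texts, the four questions and the 0.25 citation threshold are constructed for the example. Scoring runs entirely in-process, which matters when the vault holds pen-test reports and policy documents you would rather not ship to a third-party API just to find the nearest match.

```python
import math
import re
from collections import Counter

# Constructed sample evidence vault: document id -> text. Hypothetical
# content standing in for an SME's policy pack, backup log and pen-test summary.
EVIDENCE = {
    "POL-ACC-01": (
        "Access control policy. All staff and customer accounts require "
        "multi-factor authentication (MFA) using an authenticator app. "
        "Privileged accounts are reviewed quarterly."
    ),
    "OPS-BKP-03": (
        "Backup and restore test log. Backups run nightly to an offsite "
        "location. A full restore test is performed quarterly and the "
        "result recorded here."
    ),
    "PEN-2024-04": (
        "Penetration test summary. External penetration test of the client "
        "portal performed in April by a CREST-accredited supplier. Two medium "
        "findings, both remediated."
    ),
    "POL-IR-02": (
        "Incident response plan. Security incidents are logged, triaged "
        "within four hours and reported to affected clients within 72 hours."
    ),
}

# Constructed questionnaire extract in the style of SIG Lite / CAIQ items.
QUESTIONS = [
    "Is multi-factor authentication enforced for all user accounts?",
    "Are backup restore tests performed on a regular schedule?",
    "Does the organisation maintain a documented cryptographic key management "
    "procedure including rotation frequency?",
    "Are pen-test findings tracked through to remediation?",
]

STOPWORDS = {
    "the", "and", "are", "all", "for", "does", "any", "this", "that", "with",
    "from", "into", "using", "here", "both", "within", "through",
}


def tokenize(text):
    """Lowercase, split on non-alphanumerics, drop short/stop words, strip crude plurals."""
    out = []
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        if len(tok) < 3 or tok in STOPWORDS:
            continue
        if len(tok) > 3 and tok.endswith("s") and not tok.endswith("ss"):
            tok = tok[:-1]  # accounts -> account, backups -> backup
        out.append(tok)
    return out


class EvidenceIndex:
    """TF-IDF vectors over the vault; cosine similarity ranks evidence per question."""

    def __init__(self, docs):
        counts = {doc_id: Counter(tokenize(text)) for doc_id, text in docs.items()}
        self.n_docs = len(counts)
        self.df = Counter()
        for terms in counts.values():
            self.df.update(terms.keys())
        self.vectors = {doc_id: self._vector(c) for doc_id, c in counts.items()}

    def _idf(self, term):
        # Smoothed IDF: terms absent from the vault get the highest weight, so a
        # question about an unevidenced topic shares little or nothing with any doc.
        return math.log((self.n_docs + 1) / (self.df[term] + 1)) + 1

    def _vector(self, counts):
        return {t: c * self._idf(t) for t, c in counts.items()}

    def rank(self, question):
        """Return [(doc_id, cosine)] best-first; empty if the question has no usable terms."""
        q = self._vector(Counter(tokenize(question)))
        qnorm = math.sqrt(sum(w * w for w in q.values()))
        if qnorm == 0:
            return []
        scored = []
        for doc_id, d in self.vectors.items():
            dot = sum(w * d.get(t, 0.0) for t, w in q.items())
            dnorm = math.sqrt(sum(w * w for w in d.values()))
            scored.append((doc_id, dot / (qnorm * dnorm)))
        return sorted(scored, key=lambda pair: pair[1], reverse=True)


def map_questionnaire(questions, index, threshold=0.25):
    """Map each question to its best evidence, or flag it as a gap for human review."""
    rows = []
    for question in questions:
        ranked = index.rank(question)
        best_id, best_score = ranked[0] if ranked else (None, 0.0)
        rows.append({
            "question": question,
            "status": "cited" if best_score >= threshold else "gap",
            # Keep the nearest candidate even for gaps so a reviewer can tell
            # "no evidence exists" apart from "retrieval missed the evidence".
            "nearest": best_id if best_score > 0 else None,
            "score": best_score,
        })
    return rows


if __name__ == "__main__":
    for row in map_questionnaire(QUESTIONS, EvidenceIndex(EVIDENCE)):
        print(f"{row['status']:5}  {row['score']:.2f}  {row['nearest'] or '-':12}  {row['question']}")
```

The first two questions land on the access control policy and the backup log; the key-management question matches nothing and is a genuine gap. The fourth question is the caveat a practitioner wants: lexical matching scores "pen-test" against "penetration test" below the threshold, so it is flagged as a gap even though the evidence exists. That is why gap rows carry the nearest candidate, and why a gap flag means "no evidence found", not "control absent", until a human has looked. Swapping `rank()` for an embedding model removes most such misses; the answer-drafting step the page attributes to the LLM is not shown here.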

The Story

Meet the user


Jordan runs a nine-person MSP in Reading — £700k turnover, three engineers, a part-time bookkeeper and a dog called Biscuit. Last Tuesday a new client — a mid-sized housing association — emailed over a 180-question SIG Lite spreadsheet and asked for it back by Friday. Jordan has a Cyber Essentials Plus certificate, an ISO 27001-aligned policy pack he wrote himself, MFA on everything and a pen-test report from April. He just has no earthly idea how to map that evidence to questions like “Does the organisation maintain a documented cryptographic key management procedure including rotation frequency?” He spends two evenings copy-pasting from a policy Word doc, googles five acronyms, and still has 60 questions to go at 11pm on Thursday.

Then a mate in a WhatsApp group mentions AssurePilot — he pastes the SIG Lite in, connects his Google Drive full of policies, and by breakfast Friday has 140 draft answers with citations to his own evidence, a red-flag list of 14 genuine gaps (including that cryptographic key procedure he never got round to writing), and a one-page exec summary for the housing association. He ships it by lunchtime, closes the contract on Monday, and cancels his 1am Thursday slot for good.

Scores

How does this idea stack up?

7.3/10

medium confidence
🎯Opportunity
7/10

Large UK SME compliance market with a genuine price gap — Vanta/Drata don’t serve the £500k-turnover tier.

🔥Pain
8/10

Documented: SIG Core takes 15–30 hours of founder/CTO time; questionnaires stall enterprise deals for weeks.

🔧Feasibility
7/10

Standard LLM + RAG over a small evidence vault — solo-buildable in 4–6 weeks with off-the-shelf APIs.

Timing
9/10

Cyber Security and Resilience Bill 2026 pulls MSPs + critical suppliers into NIS scope — a textbook ‘before/after’ regulatory moment.

🕰️Durability
7/10

Security questionnaire fatigue is structural and growing; 5–7 year window minimum, risk is incumbents squeezing down.

🏋️Effort to Build
4/10

Standard stack, <£1k launch budget, but GTM needs content + partnerships, not pure self-serve.

Strongest

Timing

The Cyber Security and Resilience Bill 2026 is a rare, quantifiable regulatory tailwind pulling UK MSPs and critical suppliers formally into NIS scope for the first time.

Watch out

GTM execution

Incumbents have heaps of cash. The win is channel (MSP partnerships) and brand (‘built for UK SMEs’), not feature parity.

Pain Point

The problem

Manually completing a SIG Core typically takes 15 to 30 hours of internal effort. The people best qualified to answer them — CISOs, security engineers and compliance teams — are the most expensive and least available resources.

TrustCloud / HyperComply industry writeup

Enterprise procurement teams — especially in healthcare, housing, finance, local government and critical infrastructure — now attach a security questionnaire to every supplier onboarding. SIG Lite runs to around 150 questions, CAIQ v4 to 261, and bespoke procurement documents from the NHS, housing associations and the MoD often stretch to 300+ questions across a 20-page Word file.

For a nine-person MSP or a 15-person SaaS, this is an asymmetric tax: the CTO spends three nights a month translating their own half-written policies into compliance-speak, and the company either ships sloppy answers (and loses the deal), delays by a fortnight (and loses momentum), or stalls the pipeline entirely.

Meanwhile the existing automation market — Vanta, Drata, Conveyor, SafeBase — starts at $4,800/year on the Professional tier (Conveyor) and $7,000–$15,000/year for Drata/Vanta, which is priced for Series B scale-ups, not a £500k-turnover supplier.
