Construction Supply Chain

IT & Cyber Defensibility · For M&E contractors, subcontractors, and specialist trades · UK

Your insurance is in place.
Your MSP says you're covered.
Your PQQs are filed.

So why can't you prove any of it?

The crisis hitting UK subcontractors right now is not about being non-compliant. It's about being non-provable. You have the policies. You have the tools. You have the certificates. But when a main contractor, an insurer, a framework auditor, or a board asks you to prove what was true and who owned what — the pack isn't there.

This is an IT problem wearing a compliance costume. The evidence gaps live inside your Microsoft tenant, your backup system, your MSP's tooling, and your endpoint estate. That is Axulu's domain — not health and safety, not ISO certification, not CDM. IT and cyber defensibility, applied to the commercial pressures that subcontractors actually face.

Axulu closes that gap. We start with a fixed-price review that tells you exactly where your evidence breaks — and what it would cost you commercially if scrutiny landed today.

Fixed price · Results in 5 working days · Board-ready output included · Refund if no meaningful proof gaps found

We know your world

Does any of this sound familiar?

If you've come from our outreach, you may be wondering whether we actually understand construction. Here's what we know already — without asking.

Axulu's scope: IT & cyber evidence · MSP contract gaps · CAS Sections 16–17 · Cyber insurance proof · Microsoft 365 / endpoint · Board-level IT governance
Not: H&S · CDM · ISO 9001 · Environmental · HR

Your last PQQ rejection wasn't because you're non-compliant. It was because a certificate was three weeks out of date, or a policy wasn't counter-signed, or your ISO document carried a previous company name. Constructionline doesn't negotiate. It just rejects.

Your MSP told you you're covered. Verbally. When you asked for the backup restore log, the MFA enforcement report, or the patching schedule your insurer is going to ask for at renewal — they said they'd send it over. That was a while ago.

Your site teams use WhatsApp. It works. Photos go where they're needed. But when the main contractor's QS starts questioning Practical Completion, or when a Building Regulations inspector asks for the golden thread records — the photos are on someone's phone, compressed, with no geotag and no timestamp that survives a dispute.

Payment is being held because someone is querying the snagging evidence. You know the work was done. Your project manager knows. The site photos exist somewhere. But pulling them into a coherent, timestamped, dispute-ready pack is three days of archaeology you don't have time for with two other projects live.

Your cyber insurance renewal is coming. The broker is asking more questions than last year. They want evidence of MFA, backup restore tests, patching policy, and a named incident response plan. You have all of it — in theory. Gathering the proof from the MSP, the IT admin, and three years of email threads is another matter.

Your compliance lead is the human glue. They're the one who chases the MSP, chases the insurers, chases the project team, rebuilds the PQQ evidence pack from scratch every tender window, and holds most of the institutional knowledge in their head. One sick leave and that knowledge leaves the building with them.

The real problem

It's not your MSP.
It's not your insurer.
It's not your compliance manager.

All three are doing what they were contracted to do. The problem is what sits in the gaps between them.

The gap between what you've declared and what you can prove.

Your insurer has your declaration. Your PQQ portal has your certificates. Your MSP has a ticketing system full of reassurance. But nobody has the joined-up, on-demand evidence pack — the one that survives hostile questioning from a loss adjuster, a main contractor's procurement team, a CAS auditor, or a board demanding to know what the directors actually knew.

That gap is not a technology failure. It's not a compliance failure. It's a proof-ownership failure. Nobody was ever contracted to own it, maintain it, and produce it under pressure. So nobody does.

And the proof lives in one place: your IT environment. Your Microsoft 365 tenant holds the MFA logs. Your backup platform holds the restore evidence. Your RMM or MSP tooling holds the patching records. Your IT contract — or more precisely, the gaps in it — determines who is responsible for producing all of it. This is not a health and safety problem. It is not a CDM or ISO problem. It is an IT and cyber evidence problem. That is Axulu's lane.

Until the scrutiny starts. And then it's too late to build it.

“Most firms are not non-compliant. They are non-provable. The difference costs them tenders, claims, and sleep.”

The pressure map · 2026

Five walls closing in simultaneously.

Each of these is a real, live commercial risk for any M&E or specialist subcontractor trading above £10m. The unusual thing about 2026 is that all five are arriving at once.

1 in 4 UK cyber insurance claims currently denied for lack of evidenced controls
43% of UK businesses experienced a cyber attack last year — construction is an active target
£300m Buckingham Group collapse — the reminder of what retention non-recovery looks like

01 · Cyber insurers have stopped taking your word for it

Cyber Essentials Plus v3.3 now makes the absence of MFA on cloud services an automatic failure point. Every personal device used for work is in scope. At renewal, and increasingly at claim time, your insurer is asking for evidence: restore test logs, MFA enforcement reports, patching records, a signed incident response plan. Verbal reassurance from your MSP is not evidence. One in four claims is already being denied on exactly this basis.

Critical

02 · The retention ban has moved the payment battle forward

The government's March 2026 announcement banning cash retentions sounds like good news. It is — until you understand what's replaced it. Main contractors and Contract Administrators, stripped of retention leverage, are now gatekeeping Practical Completion far more aggressively. Timestamped digital evidence of completed works is becoming a precondition for payment certification. Subcontractors who can't produce it cleanly are finding their cash flow blocked at the active build phase rather than the DLP. For a £20m-turnover firm, 5% retention trapped across a portfolio is £1m in working capital.

Critical

03 · CAS V4 / Constructionline Gold is rejecting firms on paperwork administration, not substance

CAS V4 divides risk management across 13 sections. Questions have complex dependencies — headcount figures must match across financial and governance disclosures, policies must be signed and dated, insurance certificates must be current. Simple clerical discrepancies trigger automated rejections during live tender windows. Firms that passed last year are being locked out of frameworks this year on the same substance with updated documentation gaps.

High

04 · The Building Safety Act's golden thread obligation is not optional or delegable

The BSA 2022 places a strict, non-delegable duty on principal contractors to maintain digital records of every safety-critical decision throughout a building's lifecycle. For M&E and building services contractors, this means commissioning records, system specifications, fire alarm and access control installations, and HVAC certificates — all structured, timestamped, and defensible. WhatsApp photos with stripped metadata do not meet this bar. Failure is not a fine. It is up to two years' imprisonment for the individuals involved.

High

05 · The Procurement Act 2023 means one bad contract can follow you for five years

The new Act creates a central debarment list. Exclusion grounds now explicitly extend to subcontractors and connected persons. A single public contract performance failure, made visible through mandatory Section 71 performance notices, can exclude your firm from all public sector work for up to five years. “Professional misconduct” grounds include failure of compliance governance — meaning poor controls, inadequate due-diligence processes, or the absence of a genuine compliance function are all in scope.

New · 2026

What you've already tried

Four things that almost close the gap.

None of these are bad choices. They're just not designed to own the joined-up evidence problem. That's the gap Axulu fills.

Your IT / MSP

“Our MSP handles security.”

They handle uptime, tickets, and reactive support. Most MSP contracts explicitly exclude producing audit-ready evidence mapped to your insurer's declarations, your PQQ obligations, or your BSA golden thread requirements. They're not hiding it — it's simply not in scope. The contract says so. Read it.

Your broker / insurer

“Our broker handles insurance.”

Your broker placed the policy. They are not responsible for whether you can evidence the declarations you signed. At renewal, they'll pass on the insurer's questions. At claim time, the loss adjuster asks them independently. The broker's job ends at placement. The evidence gap is yours.

Your compliance manager

“We have someone who handles this.”

They are working extraordinarily hard. They are also, in most firms, the single point of failure for an evidence process that is entirely in their head. One person, no system, no handover pack, no audit trail of what was submitted, when, to whom, and with what evidence.

Your field software

“We use Procore / SymTerra / Field View.”

Good tools. They capture site data. But they were not designed to connect that site data to your cyber insurance declarations, your CAS Section 16 evidence, your BSA golden thread obligations, or your board-level risk governance. The workflow from site record to scrutiny-ready evidence pack still requires someone to own it. Nobody does.

The ownership map

Who actually owns your evidence gaps?

In more than 95% of IT and compliance arrangements, the following defaults to you — not because anyone is negligent, but because no contract ever required otherwise.

Key: On you — uncontracted · Assumed — not verified · Axulu — contracted, evidenced

| Evidence obligation | You now | Your MSP | Axulu |
| --- | --- | --- | --- |
| MFA enforcement report (insurer-ready) | On you | Assumed | We own it |
| Backup restore test log (90-day currency) | On you | Assumed | We own it |
| Patching schedule + evidence of exceptions | On you | Assumed | We own it |
| Incident response plan (exercised, current) | On you | Uncontracted | We own it |
| CAS V4 / Constructionline evidence register | On you | Out of scope | We own it |
| Certificate and policy expiry tracker | On you | Out of scope | We own it |
| Board-level cyber risk evidence summary | On you | Out of scope | We own it |
| Practical Completion evidence pack | On you | Out of scope | We own it |

What defensible looks like

The version of your firm where scrutiny is never a problem.

The Proof-Ready Subcontractor:
Every control, certificate, cyber obligation, site record, and commercial decision — evidenced, current, and ready the moment scrutiny starts.

  • Walk into the next PQQ window with your CAS evidence register already organised. No last-minute chasing. No document archaeology. No rejected submissions on a technicality you've fixed three times before.
  • Open your cyber insurance renewal and hand over the evidence pack before the broker finishes asking. MFA report, restore log, patching schedule, incident plan — all current, all signed, all yours to keep.
  • Certify Practical Completion without a snagging standoff. Your works records are timestamped, structured, and dispute-ready. The QS can't hold payment because the evidence is already better than the objection.
  • Sit in the board meeting and tell your FD what is controlled, what is known, what is deferred, and why — with a signed log behind each decision. No vague reassurances. No “I think we're covered.” Proof.
  • Win frameworks where your competitors lose — not on price, but because your evidence pack makes you the lower-risk choice. The tier-1 procurement team can see the controls. They trust what they can verify.
  • Respond to a cyber incident and hand over a complete, coherent evidence file on day one. Not scrambling to reconstruct what was in place. Already built, already signed, already credible.

Who's behind this

Someone who has been inside
both sides of this problem.

Matthew White — Principal & Founder, Axulu
TOGAF certified | 9 yrs IT MSP CEO | Construction IT clients | Microsoft 365 · Azure | vCIO · 40+ estates | Cyber policy interpretation | M&A IT integration | Enterprise architecture | Barclays · Ashurst · IBM · TCS

Before Axulu, Matthew spent nine years as CEO of an IT managed services company — one whose client base included construction firms. He has been on the other side of the desk. He knows exactly what an MSP is contracted to do, what the contract explicitly excludes, and where the evidence obligations fall by default onto the customer. He has managed the helpdesk, written the contracts, and had the renewal conversations. The verbal “yes, you're covered” is something he has said himself — and he knows precisely what it does and doesn't mean when the insurer's loss adjuster opens the file.

“I've sat in the room where an MSP account manager tells a subcontractor's FD they're fully protected. I know what the contract actually says. The gap between those two things is what Axulu closes.”

That's not a criticism of managed service providers. It's an observation about what they were contracted to do. Evidence readiness was never in scope. That scope gap — between IT support and commercial-grade proof — is what thirty years of enterprise architecture, regulated-sector advisory, M&A integration, and vCIO work prepared Matthew to close.

When your insurer's loss adjuster starts asking hostile questions, you need someone who has built the evidence file before — not a script, not a checklist template downloaded from a consultancy's website, and not a junior in a suit reading from a methodology slide.

Every Axulu engagement is senior-led. That is not a marketing claim. It is a structural decision about how the company operates.

What you're thinking right now

The objections worth answering honestly.

We already have Constructionline Gold. We passed last year.

Congratulations — last year. CAS V4 requirements were updated. The evidence bar has moved. Passing once doesn't mean your evidence is current, organised, and producible on demand today. The question is not whether you passed. The question is whether you could pass tomorrow, if the renewal window opened with 48 hours' notice. Most firms can't — not because they're non-compliant, but because the documents are scattered across email threads, SharePoint folders, the compliance manager's desktop, and the MSP's ticketing system.

Our MSP handles all the IT security. They've never had a complaint.

We don't doubt it. This is not about the quality of your MSP's technical work. It is about what they are contractually required to produce as evidence. Pull out your MSP contract. Find the clause that commits them to providing MFA enforcement logs, backup restore test evidence, patching exception reports, and a board-ready summary of your cyber control posture — mapped to your specific insurance declarations. That clause almost certainly doesn't exist.

We've never had a cyber insurance claim denied.

One in four currently are. You may simply not have had a claim yet. Or the claim you had was small enough that the insurer paid rather than investigated. Policies that paid without interrogation in 2022 are being scrutinised in ways they weren't before. The insurer who smiled at renewal will not be the one asking questions when a loss adjuster opens your file at 8am on a Tuesday morning.

Construction is too chaotic for this to be standardised. Every project is different.

You're right that every project is different. The evidence obligations behind the project are not. MFA, backups, patching, incident plans, PQQ documents, CAS sections, Building Safety Act records — these are consistent obligations that exist regardless of whether you're on a NEC4 civils job or a JCT M&E package deal.

We can't afford this right now. Margins are already tight.

The £950 Framework-Ready Review costs less than one rejected PQQ submission costs in tender administration time. It costs less than one month of disputed Practical Completion payment. It costs less than a single cyber insurance premium increase triggered by a failed renewal audit. We're not asking you to spend money you don't have. We're asking you to spend a small fixed amount to find out exactly what the real exposure is. If we don't find meaningful proof gaps, you get your money back.

We've been burned by consultants before. They produce a report and disappear.

That is the correct scepticism to bring. Our entry point is a fixed-price, five-day review with a board-ready output that is yours to keep — whether or not you ever use another Axulu service. You don't need us to keep it useful. The output is a gap map with named owners, not a PDF you'll never open.

The offer ladder

Start where the risk is highest.
Build from there.

We are not here to sell you a £27,000 transformation programme before you've met us. The ladder starts at a fixed-price diagnostic that stands alone — and only goes further if you want it to.

Ongoing · Monthly

ProofOps™

Continuous evidence management so you're never building the pack from scratch when a tender window opens or a renewal arrives.

From £2,500

Per month · Limited onboarding slots

  • Monthly evidence review and currency check
  • Quarterly framework-readiness assessment
  • Bid-Blocker Expiry Tracker — no more certificate surprises
  • Tender-Ready Evidence Register maintained continuously
  • Senior-led — not handed to a junior analyst
  • Cancel or pause with notice

Intensive · 30 days

Framework-Ready Sprint™

For firms under active scrutiny — a major framework bid, an imminent renewal, a Gateway 3 handover, or a board demanding answers.

Custom scope

Selected projects only · Call first

  • 30-day intensive — MSP, insurer, PQQ, and BSA evidence simultaneously
  • Proof Ownership Matrix — every gap named and assigned
  • Titanium Construction Proof Baseline available as output
  • Board and FD presentation included
  • Evidence-Doesn't-Rot handover so it stays live after the sprint
  • Matthew leads — not delegated

The Framework-Ready Sprint may include Axulu Titanium — our certified IT operating environment — where the evidence gap is structural rather than administrative. That conversation happens during the review, not before it.

Your next move

The next PQQ window, renewal, or Practical Completion dispute will not wait for you to get the evidence ready.

A fixed-price review. Five working days. A board-ready gap map that's yours to keep regardless of what you do next. If we don't find meaningful proof gaps, your £950 comes back.

Fixed price · Results in 5 working days · Board-ready summary included · Refund guarantee if no meaningful gaps found