Managing and dealing with cyber threats, hazards and risks to protect organisations, systems and people from harm.
Apprentices learn to identify, assess and respond to cyber threats across an organisation's systems and infrastructure. The training covers threat analysis, risk management, security monitoring, incident response, and vulnerability assessment. Apprentices gain practical skills in applying security controls, interpreting security event data, and supporting compliance with relevant frameworks and policies. The standard is designed to develop both the technical depth and the judgement needed to protect organisations from a wide range of cyber hazards, from malware and phishing to unauthorised access and data breaches.
Week to week, an apprentice in this role might monitor security information and event management (SIEM) tools for suspicious activity, investigate alerts, and escalate incidents where needed. They will conduct vulnerability scans, help maintain security documentation, and support colleagues with security awareness. Depending on the employer, they may also assist with penetration testing preparation, review access controls, or contribute to risk assessments. Much of the work involves analysing logs and reports, then translating findings into clear actions or recommendations.
Completing this apprenticeship typically leads to roles such as Security Analyst, SOC Analyst, Cyber Security Consultant, or Information Security Officer. From there, progression into senior analyst, security architect, or management positions is common. Employers range from specialist cyber security firms and managed security service providers to large in-house teams in finance, defence, healthcare, central government, and critical national infrastructure. The demand for qualified cyber security professionals across UK sectors remains consistently high, making this a strong foundation for a long-term technical or leadership career.
Sorted by achievement rate.
No training providers currently listed for this standard.
Graduates of this standard typically move into positions such as Security Operations Centre (SOC) Analyst, Junior Penetration Tester, Information Security Analyst, Cyber Security Technician, or IT Security Engineer. Some complete with a specialism in risk and compliance, stepping into roles like Junior Cyber Risk Analyst or Information Assurance Officer. The exact title often depends on the pathway taken during the apprenticeship, as the standard covers both technical and risk-focused orientations.
Within three to five years, practitioners commonly advance to Mid-level Penetration Tester, SOC Team Lead, Cyber Security Consultant, or Threat Intelligence Analyst. Those on a risk and governance track often move towards roles such as Information Security Manager or Cyber Risk Manager. Longer term, the split between leadership and specialism becomes more defined. Senior technical specialists may pursue positions such as Principal Security Architect or Red Team Lead, while those drawn to management move towards Head of Cyber Security or Chief Information Security Officer (CISO) at mid-sized organisations.
Demand spans both the public and private sectors. Central government departments, local authorities, the NHS and defence contractors all hire at this level, as do financial services firms, managed security service providers (MSSPs), telecommunications companies and large retail organisations. Smaller consultancies and specialist cyber security firms also recruit apprentices and their graduates. Organisations of all sizes, from SMEs with a small IT function to large enterprises with dedicated security teams, fill roles this standard targets.
Learning takes place in a real workplace throughout the programme, with the apprentice applying knowledge and skills to genuine cyber security tasks. Before final assessment, a gateway review confirms the apprentice is ready to proceed, typically requiring sign-off from the employer and training provider that the required knowledge, skills and behaviours have been met. Final assessment then confirms whether the apprentice can perform competently in a cyber security technologist role. Assessment models across many standards are currently being updated following wider apprenticeship reforms, so check the standard's gov.uk page for the current specification.
Building a record of workplace evidence from early in the programme makes the gateway review considerably more straightforward. Apprentices should document real tasks, incidents handled, and technical problems solved as they arise, rather than reconstructing evidence at the end. Regular check-ins with the employer and training provider help identify gaps in knowledge or skills while there is still time to address them. Keeping a consistent log of work throughout, rather than treating assessment as a single end-point event, reflects how competence in cyber security is genuinely demonstrated.
Look for providers with an achievement rate above 65% on their FATP profile; above 75% is a strong signal that learners are completing rather than dropping out mid-programme. For this standard, ask whether the curriculum covers current threat landscapes: penetration testing methodologies, SIEM platforms, vulnerability assessment tools, and incident response procedures in use today, not five years ago. Employer satisfaction scores above 80% suggest the provider is working actively with hiring organisations rather than running cohorts in isolation. Check that tutors hold recognised industry certifications such as CompTIA Security+, CEH, or equivalent.
Be cautious if a provider has high learner volumes but a declining or unclear achievement rate, which can indicate cohort bloat without the support structures to match. Vague answers about how technical skills are assessed practically, or a curriculum that leans heavily on theory without hands-on lab work, are warning signs. Providers unable to explain how they stay current with threat intelligence frameworks such as MITRE ATT&CK, or who reference outdated toolsets, should prompt further scrutiny. Opaque off-the-job training records are also a concern.
There are no nationally mandated entry qualifications, but most employers expect GCSEs in English and maths, or equivalent, and a genuine interest in IT and security. Some employers also look for existing IT knowledge or relevant experience. Apprentices must be employed in a role where the job duties genuinely cover cyber security work. Providers may set their own additional entry requirements, so check directly with the training provider you're considering.
The typical duration is 24 months, though this can vary depending on the apprentice's prior experience and pace of progress. Learning happens alongside employment, so the apprentice continues working throughout. A proportion of working time is dedicated to off-the-job learning; the exact requirement is subject to current Skills England reforms, so check gov.uk or the current standard specification for the up-to-date figure before planning resourcing.
Before taking the end-point assessment, the apprentice must pass through a gateway, demonstrating they have met all occupational competencies and completed any required qualifications. Assessment models for many standards are being updated, so confirm the current method via the gov.uk standard page for reference ST0124. Assessment typically tests the apprentice's ability to identify threats, manage risk and apply security controls in realistic scenarios.
The funding band for this standard is £18,000. Levy-paying employers draw training costs from their digital apprenticeship service account. Non-levy SMEs co-invest with the government, typically paying 5% of the training cost with the government contributing the remainder. Employers with fewer than 50 staff taking on an apprentice aged 16 to 18 pay nothing, with full government funding covering the cost. Costs are paid directly to the training provider, not to the apprentice.
Day-to-day work varies by employer but typically includes monitoring systems for threats, analysing security incidents, running vulnerability assessments and applying patches or controls to reduce risk. Apprentices may work with firewalls, intrusion detection systems and security information tools. They support colleagues in following secure practices and may contribute to incident response procedures. The role spans technical analysis and organisational risk management, so exposure to both is expected throughout the programme.
Completing this apprenticeship opens routes into more senior security roles such as security analyst, penetration tester, security engineer or security operations centre lead. Some apprentices go on to professional certifications such as CompTIA Security+, CISSP or vendor-specific qualifications. Higher or degree apprenticeships in cyber security at level 6 or 7 are also an option for those who want to continue structured learning while remaining in employment.
Tell us a bit about your team and we'll send a shortlist.
Tell us your requirements and we'll match you with the right training providers.
Curated by Alex Lockey, FATP founder and editor. Last reviewed: .
Sources include the apprenticeship's official specification on apprenticeships.gov.uk, Skills England guidance, IfATE archive records, DWP funding bands, and provider data sourced directly from the public Apprenticeship Provider and Assessment Register (APAR). Standard reference: 98.
Some sections on this page were drafted with AI assistance from published source data and reviewed by a human editor before publication. See our editorial methodology for how we maintain this content. Spotted something out of date? Tell us.