🛡️

Penetration Testing Services

Full-scope offensive security testing across network perimeters, web applications, APIs, and internal environments.

Black BoxGrey BoxWhite BoxOWASPNIST SP 800-115
Serving clients across the United Kingdom & United States of America

What You Receive

  • Executive summary with prioritised business risk
  • Technical findings report with reproduction steps and CVSS scoring
  • Remediation roadmap with effort and impact estimates
  • Free retest within 90 days of remediation
  • Direct access to the testing team for clarification and re-explanation

Penetration testing is the structured, ethical simulation of real-world attacks against your infrastructure, applications, and people. The objective is not to find vulnerabilities — it is to demonstrate whether your defences withstand a determined adversary, and where they don't, exactly how an attacker would exploit the gaps.

We have delivered over 400 penetration tests across financial services, healthcare, SaaS, manufacturing, and public sector clients in the UK and USA. Our methodology aligns with OWASP, NIST SP 800-115, PTES, and the MITRE ATT&CK framework.

What We Test

External Network Penetration Testing

Internet-facing infrastructure exposed by your perimeter — VPN concentrators, mail gateways, web proxies, public APIs, exposed administrative interfaces, and any cloud workload directly addressable from the internet. We map your external attack surface using both authoritative records and OSINT, then test what we find for exploitable vulnerabilities and misconfigurations.

Typical findings include exposed administrative interfaces, weak SSL/TLS configurations, leaked credentials in code repositories, exploitable software running on internet-facing infrastructure, and authentication bypass vulnerabilities in custom web applications.

Internal Network Penetration Testing

Once an attacker has a foothold inside your network — through a phishing email, a stolen laptop, a compromised VPN credential, or a malicious insider — what can they reach? Internal testing answers that question. We simulate post-compromise lateral movement, privilege escalation, and data exfiltration from a typical employee workstation perspective.

Common findings: Active Directory misconfigurations (see our detailed analysis of AD attack paths), unsegmented networks allowing free lateral movement, weak service account passwords, and exposed administrative shares.

Web Application Penetration Testing

Custom web applications are the most common entry point in modern breaches. We test against the OWASP Top 10 and the OWASP Application Security Verification Standard (ASVS), focusing on business logic flaws, authentication and session management, access control, and data handling — the areas automated scanners typically miss.

API Penetration Testing

REST, GraphQL, gRPC, and SOAP APIs receive specialist testing aligned with the OWASP API Security Top 10. Particular attention to broken object-level authorisation (BOLA), broken function-level authorisation, excessive data exposure, and mass assignment — vulnerabilities that are common in API designs but invisible to traditional web application scanners.

Mobile Application Penetration Testing

iOS and Android applications tested against OWASP MASVS. Static binary analysis, dynamic runtime testing with Frida and Objection, certificate pinning bypass, secure storage analysis, and backend API testing. See our updated technical analysis of certificate pinning bypass techniques.

Our Methodology

Every engagement follows a four-phase methodology:

  1. Scoping & Threat Modelling — define attack surface, business context, and risk appetite using STRIDE and PASTA methodologies
  2. Active Assessment — manual testing supplemented by OffSecAI automation; every finding validated by a human analyst
  3. Analysis & Correlation — findings cross-correlated for attack chain potential, calibrated against live threat intelligence
  4. Report & Remediation — executive and technical reports with prioritised roadmaps; free retest within 90 days included

UK & USA Coverage

We deliver penetration testing services to clients across both the UK and the USA. Engagements can be conducted remotely from our UK and US offices, or on-site where physical access testing or sensitive environments require it. Reports and evidence are aligned with the regulatory framework of your jurisdiction:

  • UK clients: UK GDPR, NIS Regulations / NIS2 (where applicable), NCSC CAF, ICO breach notification requirements
  • US clients: SOC 2 Type II controls, HIPAA Security Rule, GLBA Safeguards Rule, PCI-DSS, state breach notification laws, SEC cybersecurity disclosure rules

We hold ISO 27001 certification and our methodology aligns with both CREST (UK) and PTES (international) standards.

What You Receive

  • Executive summary — board-level narrative of business risk, written for non-technical readers
  • Technical findings report — every finding documented with reproduction steps, screenshots, CVSS 3.1 scoring, and remediation guidance
  • Remediation roadmap — prioritised by exploitability, business impact, and remediation effort
  • Direct analyst access — the testers who found the issues are available to your team for clarification, walkthroughs, and remediation guidance
  • Free retest — 90 days from the date of report delivery; we re-test remediated findings at no additional cost

Compliance Alignment

Our penetration testing reports support evidence requirements for:

  • ISO 27001 (Annex A 8.8 — management of technical vulnerabilities)
  • SOC 2 Type II (CC4.1, CC7.1 control evidence)
  • PCI-DSS (Requirement 11.4)
  • HIPAA Security Rule (technical safeguards evaluation)
  • Cyber Essentials Plus (vulnerability assessment evidence)
  • NIS2 Article 21 (vulnerability disclosure and management)

Frequently Asked Questions

What is the difference between a penetration test and a vulnerability scan?
A vulnerability scan is automated and identifies known issues against a signature database. A penetration test is manual, creative, and identifies how multiple lower-severity findings can be chained into a critical compromise. Scans take hours; pen tests take days to weeks. Scans cost hundreds; pen tests cost thousands. Both have value — they answer different questions.
How long does a typical penetration test take?
External network: 3-5 working days for a small estate; up to 10 days for complex perimeters. Web application: 5-15 working days depending on functionality. Internal network: 5-10 working days. Red team engagements: 4-12 weeks. We provide a fixed-price scope after a one-hour scoping call.
What's the difference between black box, grey box, and white box testing?
Black box: no prior knowledge — simulates an external attacker. Grey box: limited information such as standard user credentials — simulates an authenticated user or insider. White box: full access to source code, architecture diagrams, and credentials — maximises coverage for high-assurance assessments. Most engagements are grey box because they balance realism and coverage.
How is a penetration test priced in the UK vs USA?
Pricing is broadly equivalent in real terms once exchange rates are applied. UK day rates typically £800-£1,500 ex VAT; US day rates typically $1,000-$2,000. Total engagement cost depends on scope days. We provide GBP pricing to UK clients and USD pricing to US clients with no markup difference.
Do you require a signed agreement before testing begins?
Yes — a signed Statement of Work, Rules of Engagement, and where required a Mutual NDA are mandatory before any active testing. The Rules of Engagement document defines scope, exclusions, testing windows, escalation contacts, and authorised testing methods. This protects both parties legally and operationally.
What happens if you find a critical vulnerability during testing?
Critical findings are reported immediately — not at the end of the engagement. We have a defined escalation path agreed in the Rules of Engagement. For findings indicating active exploitation by third parties, we cease testing and engage your incident response process.
Will testing affect production systems?
Properly conducted testing is non-destructive. We do not run denial-of-service tests in production, do not exfiltrate genuine customer data, and do not exploit findings beyond what is necessary to confirm impact. Testing windows can be agreed if specific operations need protection.
How often should we have a penetration test?
Annual minimum for compliance-driven needs (ISO 27001, SOC 2, PCI-DSS). Quarterly for high-velocity development environments. After every material architectural change to in-scope systems. Continuous testing programmes (one or two days per month rather than one big engagement annually) often produce better security outcomes for the same budget.

Book a Penetration Test Scoping Call

Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.

By submitting this form you agree to our privacy policy. We will only use your details to respond to this enquiry.