Find the vulnerability
before the attacker does.

CREST-aligned penetration testing across web, network, mobile, cloud, and API. Reports your engineers can action on day one.

What we test.

Web applications and APIs (OWASP Top 10, ASVS), internal and external networks, mobile apps (iOS & Android), cloud configurations (AWS, Azure, GCP), wireless infrastructure, and physical & social-engineering scenarios on request.

How we test.

Black box (no information; most realistic), grey box (some information; best value), or white box (full access; deepest coverage). Each engagement follows the Penetration Testing Execution Standard and is CREST-aligned.

Why CREST-aligned.

CREST is the UK's gold standard for technical security testing. Members are vetted, methodologically rigorous, and bound by a code of ethics. Procurement teams ask for it. Insurance underwriters reward it.

Why your organisation needs this.

01

Reveals real risks

CVSS-scored, exploit-validated vulnerabilities. Not "potential issues". Actual ones.

02

Reduces downtime

Fix what an attacker would actually use. Avoid the unscheduled outage that follows a breach.

03

Keeps you compliant

ISO 27001 Annex A.8.29, SOC 2, ISO 9001 and Cyber Essentials all expect regular testing.

04

Builds trust

Share the executive summary with prospects. Procurement loves a testable claim.

Scope. Test. Report. Retest.

1

Scoping

Targets, methodology, rules of engagement, escalation contacts. Signed before any packet flies.

2

Reconnaissance

Passive OSINT, footprinting, attack-surface mapping. We understand the target before we touch it.

3

Exploitation

Controlled, evidence-gathered. Every successful exploit captured with proof-of-concept.

4

Reporting

Executive summary, technical findings with CVSS and remediation, retest within 60 days.

  • Executive summary. For the board. Risk in business terms, not jargon.
  • Technical findings. Each finding with CVSS 3.1 score, root cause, evidence, and a clear fix.
  • Proof-of-concept evidence. Screenshots, video recordings, payloads. Reproducible.
  • Remediation roadmap. Prioritised by exploitability and business impact.
  • Retest within 60 days. Verification that high & critical findings are closed.
  • 30-minute engineering debrief. Live Q&A with the testers who found the issues.

Rigour the auditors recognise.

  • OWASP Top 10
  • OWASP ASVS
  • OWASP MASVS (mobile)
  • PTES
  • NIST SP 800-115
  • CREST-aligned
  • MITRE ATT&CK

Frequently asked.

Black box, grey box, or white box?

Grey box is our default. It gives realistic external-attacker simulation but with enough information to be cost-effective. Black box is more realistic but takes longer (more recon). White box gives the deepest coverage and is best for new code or critical applications. Most clients run grey box annually, with white box for major releases.

How often should we test?

At minimum annually, and after any major change (new module, infrastructure migration, M&A). High-risk environments (fintech, healthcare) often test quarterly. If continuous makes sense for you, see our AI penetration testing service.

Will it break our production?

Standard engagements use staging environments or off-hours windows. Destructive tests (DoS, write-then-rollback) are explicitly excluded from the rules of engagement unless you specifically request them.

Do you do social engineering or phishing?

Yes, as a separate engagement. Pretexted phishing campaigns, vishing, occasional in-person physical tests for very high-risk environments. Worth discussing because the prep, ethics, and HR coordination are quite different.

What about red teaming?

Full red team / adversary emulation engagements are available. Typically for organisations with a mature SOC that want to test their detection and response capability against a real-world threat actor scenario (MITRE ATT&CK-based). Talk to us.

Make compliance
feel inevitable.

Book a free consultation