The honest answer to how often UK businesses should conduct penetration testing is: it depends on your regulatory obligations, your infrastructure change rate, your risk appetite, and your available budget. However, "it depends" without a framework is not useful, so this guide provides the specific rules and triggers that should govern your testing calendar, sector by sector, from FCA-regulated firms to NHS suppliers to e-commerce businesses subject to PCI DSS.
Penetration testing is the process of employing authorised security professionals to simulate the techniques used by malicious attackers against your systems, with the goal of identifying vulnerabilities before real attackers do. Unlike vulnerability scanning, which uses automated tools to detect known weaknesses, penetration testing combines automated scanning with skilled human judgement to identify complex vulnerabilities including business logic flaws, chained attack paths, and context-specific weaknesses that tools miss.
For UK businesses seeking vulnerability assessment and penetration testing services, the starting point is always to establish which obligations apply before deciding what frequency is appropriate.
UK regulatory frameworks impose specific penetration testing requirements on organisations in certain sectors. Understanding which frameworks apply to your business is the foundation of a defensible testing schedule.
The Financial Conduct Authority (FCA) does not prescribe a specific penetration testing frequency in its rules, but its expectations under SYSC 7.1 (operational risk), the Senior Managers and Certification Regime (SMCR), and the Consumer Duty framework create an implicit requirement for regular technical security testing. The FCA's cybersecurity expectations, set out in its 2018 Cyber Coordination Groups guidance and reinforced through subsequent thematic reviews, indicate that annual penetration testing of critical systems is the minimum expected standard for authorised firms.
For larger FCA-regulated firms subject to the Bank of England's CBEST framework or the DORA regulation (which applies to financial entities operating in the UK post-Brexit under transitional arrangements), threat-led penetration testing (TLPT) is required on a three-year cycle, with vulnerability assessments conducted annually in the intervening years. CBEST assessments cost significantly more than standard penetration tests - typically £150,000 to £500,000 - because they use threat intelligence to design realistic simulations of nation-state attack scenarios.
NHS organisations and their supply chain must comply with the Data Security and Protection Toolkit (DSPT). The DSPT requires that organisations meet the National Data Guardian's ten data security standards, which include regular testing of cyber defences. NHS Digital's guidance, aligned with the DSPT, recommends annual penetration testing as a minimum for NHS trusts and suppliers handling patient data.
For NHS suppliers specifically, the DSPT requires that any organisation handling NHS patient data can demonstrate that their systems have been independently tested within the past 12 months. Many NHS procurement teams now require evidence of recent penetration testing as part of supplier due diligence, making annual testing a commercial necessity for technology suppliers to the NHS.
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 - which became mandatory for all UK businesses processing payment card data from March 2024 - has the most specific penetration testing requirements of any common UK compliance framework. Requirement 11.3 mandates external and internal penetration testing at least annually and after any significant infrastructure or application upgrade. Requirement 11.3.1 also requires testing of all segmentation controls annually.
PCI DSS Requirement 11.2 mandates external vulnerability scanning quarterly by an Approved Scanning Vendor (ASV) and internal vulnerability scanning at least quarterly. The distinction is important: vulnerability scanning is automated; penetration testing requires a skilled human tester. UK businesses that confuse the two often believe they are compliant when they have only met the scanning requirement, not the testing requirement.
Cyber Essentials Plus certification requires an annual independent technical assessment that includes vulnerability scanning of all in-scope systems. The assessment is not a full penetration test in the CREST or CHECK sense, but it does verify that the five Cyber Essentials controls are technically implemented. Maintaining certification requires annual re-assessment, which effectively creates an annual vulnerability assessment cycle.
NCSC guidance recommends that organisations seeking assurance beyond Cyber Essentials Plus should conduct annual penetration testing of their external perimeter and web applications, supplemented by internal network testing every 18 to 24 months. For UK businesses supplying government contracts, Cyber Essentials Plus is a contractual requirement, and the NCSC recommends penetration testing as the next assurance step for suppliers holding higher-risk contracts.
ISO 27001, the international standard for information security management systems, requires a risk-based approach to penetration testing rather than prescribing a specific frequency. Annex A Control 8.8 requires that technical vulnerability assessments are conducted in a timely manner, and the standard's internal audit requirements (Clause 9.2) drive organisations to test the effectiveness of their security controls regularly.
In practice, ISO 27001-certified UK organisations typically conduct annual penetration testing as part of their risk treatment plan, with the frequency reviewed and adjusted based on changes to the risk landscape. The certification body will review evidence of technical testing as part of surveillance audits, so penetration testing records form part of the ISO 27001 compliance documentation.
Regulatory calendars set the minimum frequency. Business events create the triggers for additional, unscheduled testing. Any of the following should prompt a penetration test outside your regular schedule, regardless of when your last test was conducted.
Significant changes to your IT infrastructure change the attack surface. Migrating from on-premises servers to cloud infrastructure (AWS, Azure, GCP), deploying a new VPN solution, reconfiguring your network segmentation, or adding a new data centre are all changes that introduce new attack vectors. A penetration test of the new environment before go-live, and again after initial stabilisation, is good practice. The test does not need to cover the entire estate - a targeted assessment of the changed components is sufficient and substantially cheaper.
Every new customer-facing web application or API should be tested before public release. A web application penetration test identifies vulnerabilities in authentication, authorisation, input validation, and business logic that code review and automated scanning typically miss. The cost of remediating a vulnerability found in pre-production testing is a fraction of the cost of remediation after a public breach. Our VAPT services include pre-launch web application assessments sized to the application's complexity.
After any confirmed security incident - ransomware, data exfiltration, credential compromise, or persistent access by an unauthorised party - a penetration test of the affected systems is essential before returning to normal operations. The incident response phase addresses the immediate threat; the penetration test determines whether the attacker left backdoors, whether the root cause vulnerability has been fully remediated, and whether other systems share the same weakness.
Mergers and acquisitions introduce new network segments, new systems, and new security postures into your environment. The target organisation's security history is unknown to you, and integration projects create temporary configuration weaknesses. Pre-acquisition penetration testing as part of technical due diligence identifies security liabilities that affect the deal valuation. Post-integration testing confirms that the combined environment is secure before granting the acquired business access to core systems.
Penetration testing is not a single activity. Different test types address different threat vectors, and each has a different appropriate frequency.
External network penetration testing simulates an attacker with no prior access attempting to compromise your systems via the internet. The tester targets internet-facing IP addresses, web services, VPN endpoints, email infrastructure, and DNS configuration. This is the most common form of penetration test for UK businesses and is what most compliance frameworks require. Frequency: annually as a minimum, with additional testing after any change to the external network perimeter. Cost for a UK SME: £3,000 to £8,000 depending on the number of IP addresses and services in scope.
Internal network testing simulates an attacker who has already gained initial access - either by compromising an endpoint, exploiting a public-facing service, or through physical access to the office. The tester attempts to move laterally across the internal network, escalate privileges, and reach sensitive data or systems. This test type reveals whether your network segmentation and access controls are effective at limiting blast radius. Frequency: every 18 to 24 months for most UK businesses, or annually if your internal network contains high-value data. Cost: £5,000 to £12,000 for a typical UK SME environment.
Web application testing focuses on a specific application or API, using the OWASP Top 10 as a baseline methodology. It covers authentication mechanisms, authorisation controls, session management, input validation, business logic, and API security. Frequency: annually for all production web applications handling customer data or payment information, plus before each major release. Cost: £5,000 to £25,000 depending on the application's complexity and number of roles tested.
Social engineering testing assesses the human element of your security posture: whether employees can be manipulated into revealing credentials, clicking malicious links, or granting access to unauthorised individuals. Phishing simulations can be run continuously (via platforms such as Proofpoint Security Awareness Training) or as point-in-time exercises by a penetration testing firm. Frequency: phishing simulations quarterly or continuously; full social engineering exercises (including vishing and physical pretexting) annually. Cost: phishing simulation platforms from £3 per user per month; full social engineering assessments from £4,000.
A practical testing calendar for a UK business with moderate security requirements and no specific regulatory mandates looks as follows. Adapt the framework based on the regulatory requirements identified earlier in this post.
January to March: external network penetration test and web application assessment for all production web properties. This aligns with the end of the financial year for many UK businesses and allows the results to inform the annual security budget for the coming year.
April to June: Cyber Essentials Plus assessment (if seeking or maintaining certification), plus phishing simulation campaign across all staff. The phishing results inform the Q3 security awareness training programme.
July to September: internal network penetration test (alternating with external every other year for businesses without regulatory mandates) and quarterly ASV vulnerability scans if PCI DSS-applicable.
October to December: review penetration test remediation progress, conduct a targeted re-test of the highest-severity findings, update the risk register, and plan the following year's testing programme. This is also the period to request ISO 27001 surveillance audit scheduling if applicable.
Any infrastructure changes, new application launches, or security incidents throughout the year trigger targeted assessments outside this calendar as described above.
Penetration testing costs vary significantly by scope, but the following ranges are representative of the UK market for certified testing providers in 2024. These figures are for CHECK or CREST-approved testing companies, which is the standard required for UK government and regulated sector work.
External network penetration test for a UK SME with up to 20 internet-facing IP addresses: £3,000 to £6,000. External test for up to 50 IP addresses with a broader service set: £5,000 to £10,000. Web application penetration test for a small to medium complexity application with one or two authenticated user roles: £5,000 to £10,000. Web application test for a complex application with multiple roles, API surface, and payment processing: £10,000 to £25,000. Internal network test for a flat network with 50 to 150 hosts: £5,000 to £9,000. Internal test for a segmented environment with 200 or more hosts: £8,000 to £15,000.
A comprehensive annual programme covering external network, web application, and phishing simulation for a 100-person UK professional services firm should be budgeted at £12,000 to £20,000 per year. This is a material investment, but it is substantially less than the average cost of remediation following an undetected breach.
Our cyber security consultancy service includes penetration testing scoping to ensure you are buying the right test for your actual risk profile, rather than over-scoping or under-scoping based on generic guidance.
A penetration test is only as valuable as the quality of the findings it produces and the remediation that follows. Preparation before the test and structured follow-up after it determine whether you get maximum value.
Before the test: provide the testing team with an accurate and complete scope document. This includes all in-scope IP addresses, domain names, and application URLs; all user roles that should be tested (both authenticated and unauthenticated); any known exclusions (fragile legacy systems, third-party systems you do not own); the testing window (business hours versus out of hours); and emergency contact details for the test to be paused if a critical system is inadvertently affected.
Brief your IT and security teams that testing is occurring and provide them with the source IP addresses from which the test will originate. This prevents your existing security controls from blocking the test (which produces false assurance) and prevents your team from raising a false incident response. The NCSC recommends this "white box awareness" approach for most corporate penetration tests.
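A scope document of the kind described above can be checked mechanically before it goes to the testing team, which catches the errors that most often derail an engagement: an exclusion that sits outside every in-scope range (so nothing is actually excluded), an application URL whose host is not under an in-scope domain, a testing window that ends before it starts, or a missing emergency contact. The following validator is an added example written for this guide, not the consultancy's own tooling; the field names of the scope document and the sample content are constructed, and the addresses come from the ranges reserved for documentation.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlparse

# A constructed scope document; the field names are an assumption of this example.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges (RFC 5737).
SAMPLE_SCOPE = {
    "in_scope_ranges": ["203.0.113.0/28", "198.51.100.10"],
    "in_scope_domains": ["example.com"],
    "application_urls": ["https://shop.example.com/", "https://api.example.com/v1"],
    "roles": ["unauthenticated", "customer", "admin"],
    "exclusions": ["203.0.113.9", "legacy-erp.example.com"],
    "testing_window": {"start": "2024-05-13T09:00", "end": "2024-05-17T17:30", "out_of_hours": False},
    "tester_source_ips": ["192.0.2.10", "192.0.2.11"],
    "emergency_contact": {"name": "Duty SOC lead", "phone": "+44 20 0000 0000"},
}

REQUIRED_FIELDS = ("in_scope_ranges", "roles", "testing_window", "tester_source_ips", "emergency_contact")


def validate_scope(scope):
    """Return a list of problems found; an empty list means the document passes these checks."""
    problems = []
    for key in REQUIRED_FIELDS:
        if not scope.get(key):
            problems.append(f"missing required field: {key}")

    # Every in-scope entry must parse as an address or CIDR range.
    networks = []
    for entry in scope.get("in_scope_ranges", []):
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            problems.append(f"unparseable in-scope address or range: {entry}")

    # Tester source IPs are what the blue team allowlists, so they must be real addresses.
    for entry in scope.get("tester_source_ips", []):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"unparseable tester source IP: {entry}")

    # Application hosts must sit under a domain the business has declared in scope.
    domains = set(scope.get("in_scope_domains", []))
    for url in scope.get("application_urls", []):
        parsed = urlparse(url)
        host = parsed.hostname
        if parsed.scheme not in ("http", "https") or not host:
            problems.append(f"malformed application URL: {url}")
        elif not any(host == d or host.endswith("." + d) for d in domains):
            problems.append(f"application host not under an in-scope domain: {host}")

    # An IP exclusion that lies outside every in-scope range excludes nothing.
    for entry in scope.get("exclusions", []):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # hostname exclusions are not range-checked here
        if not any(addr in net for net in networks):
            problems.append(f"excluded address is not inside any in-scope range: {entry}")

    if "unauthenticated" not in scope.get("roles", []):
        problems.append("roles must include the unauthenticated perspective")

    window = scope.get("testing_window") or {}
    try:
        if datetime.fromisoformat(window["start"]) >= datetime.fromisoformat(window["end"]):
            problems.append("testing window ends before it starts")
    except (KeyError, TypeError, ValueError):
        problems.append("testing window needs ISO 8601 'start' and 'end' timestamps")
    return problems


if __name__ == "__main__":
    for problem in validate_scope(SAMPLE_SCOPE) or ["scope document passes all checks"]:
        print(problem)
```

The checks are deliberately conservative: a hostname exclusion is accepted as written because the validator does no DNS lookups, so it cannot tell whether the host falls inside an in-scope range; that is a question to settle with the tester during the scoping call.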
After the test: read the executive summary before the technical findings. The executive summary translates technical risk into business impact terms and is what you present to board-level stakeholders. Review the CVSS risk scores for each finding - Critical and High findings should be remediated within 30 days; Medium within 90 days; Low within six months. Request a re-test for all Critical and High findings after remediation to confirm the fix is effective. Track remediation progress in your risk register.
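The remediation rules in the paragraph above (severity from the CVSS score, a 30-day window for Critical and High, 90 days for Medium, six months for Low, and a mandatory re-test for Critical and High) map directly onto a small risk-register tracker. The following is an added example written for this guide, not the consultancy's own tooling: the severity bands are the CVSS v3.x qualitative rating scale, "six months" is taken as 180 days, the status names are this example's choice, and the findings are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# CVSS v3.x qualitative severity bands.
def cvss_severity(score):
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

# Remediation windows from the guide; 180 days for "six months" is an assumption of this example.
SLA_DAYS = {"Critical": 30, "High": 30, "Medium": 90, "Low": 180}
RETEST_REQUIRED = {"Critical", "High"}


@dataclass
class Finding:
    ref: str
    title: str
    cvss: float
    reported: date
    remediated: Optional[date] = None
    retest_passed: Optional[bool] = None  # None: no re-test recorded yet

    @property
    def severity(self):
        return cvss_severity(self.cvss)

    @property
    def due(self):
        days = SLA_DAYS.get(self.severity)
        return None if days is None else self.reported + timedelta(days=days)


def finding_status(finding, today):
    """Classify one finding for the risk register as of `today`."""
    if finding.severity == "None":
        return "informational"
    if finding.remediated is None:
        return "overdue" if today > finding.due else "open"
    if finding.severity in RETEST_REQUIRED:
        if finding.retest_passed is None:
            return "awaiting_retest"  # fixed, but not yet confirmed effective by the tester
        if not finding.retest_passed:
            return "reopened"  # the fix did not hold; back into the remediation queue
    return "closed"


def register_summary(findings, today):
    """Return (status counts, action list) where the action list is ordered by SLA due date."""
    counts = {}
    actions = []
    for finding in findings:
        status = finding_status(finding, today)
        counts[status] = counts.get(status, 0) + 1
        if status in ("overdue", "reopened", "awaiting_retest"):
            actions.append((finding.ref, status, finding.due))
    return counts, sorted(actions, key=lambda item: item[2])


# Constructed sample findings from a hypothetical report dated 1 February 2024.
SAMPLE_FINDINGS = [
    Finding("F-01", "SQL injection in login form", 9.8, date(2024, 2, 1), date(2024, 2, 20), True),
    Finding("F-02", "Outdated TLS configuration on VPN gateway", 7.4, date(2024, 2, 1), date(2024, 2, 25)),
    Finding("F-03", "Missing rate limiting on password reset", 5.3, date(2024, 2, 1)),
    Finding("F-04", "Verbose server banner", 3.1, date(2024, 2, 1)),
    Finding("F-05", "Stored XSS in admin notes", 8.1, date(2024, 2, 1), date(2024, 3, 1), False),
]

if __name__ == "__main__":
    counts, actions = register_summary(SAMPLE_FINDINGS, date(2024, 4, 15))
    print(counts)
    for ref, status, due in actions:
        print(f"{ref}: {status} (SLA due {due})")
```

A finding whose fix failed its re-test goes back to "reopened" rather than being counted as closed, which is the point of requesting the re-test in the first place; the Medium finding is still "open" in mid-April because its 90-day window runs to 1 May.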
Annual penetration testing is not a universal legal requirement for all UK businesses. However, specific regulatory frameworks mandate testing at set frequencies: PCI DSS requires annual penetration testing for businesses processing card payments; FCA-regulated firms are expected to conduct annual testing of critical systems; NHS suppliers must evidence annual testing to meet DSPT requirements. UK businesses outside regulated sectors have no statutory obligation but should consider annual testing based on risk and the NCSC's guidance on building cyber resilience.
Vulnerability scanning uses automated tools to identify known weaknesses by comparing system configurations against a database of known vulnerabilities. It is fast, inexpensive, and can be run frequently. Penetration testing uses skilled human testers who use automated scanning as a starting point but then apply professional judgement to chain vulnerabilities together, test business logic flaws, and simulate realistic attacker behaviour. PCI DSS requires both: quarterly ASV vulnerability scans and annual penetration testing. They are complementary, not interchangeable.
An external network penetration test for a UK SME with 10 to 20 in-scope IP addresses typically takes three to five days of testing time, with the report delivered within five to ten business days after the test concludes. A web application penetration test for a moderate-complexity application takes three to seven days of testing. Internal network tests for 50 to 150 hosts take five to ten days. The full engagement from scoping to final report delivery is typically four to six weeks from contract signature.
CHECK is the NCSC's scheme for approving penetration testing companies to assess systems used by the UK government and public sector. CHECK-approved companies employ CHECK Team Leaders (CTLs) and CHECK Team Members (CTMs) who have demonstrated sufficient technical competence to test sensitive government systems. Many private sector organisations - particularly regulated firms and NHS suppliers - require CHECK or CREST-approved providers for their testing. CREST is the commercial equivalent: a professional body that certifies penetration testers to a recognised standard and is required for PCI DSS testing.
A professional penetration test report for a UK business should include: an executive summary that translates technical findings into business risk terms; a risk-rated finding list with CVSS scores, descriptions, evidence screenshots, and specific remediation guidance for each vulnerability; a management summary of pass/fail status against the test objectives; an attack narrative describing how the tester moved through the environment; and a remediation priority matrix. Reports that list vulnerabilities without remediation guidance or without explaining business impact are of limited value for UK business decision-makers.