Most UK businesses should conduct penetration testing at least once a year, plus an additional test after any significant change to their systems. That annual baseline is the minimum almost every framework expects, but regulated sectors go further: PCI DSS service providers test external and internal infrastructure every six months, financial firms under FCA oversight typically run quarterly tests, and operators of critical national infrastructure move towards continuous assessment. A standard web application or external network test costs £3,750 to £6,250 for three to five days of work, while internal network testing runs £6,250 to £10,000. CREST-certified day rates in 2026 sit between £1,000 and £1,500. The honest rule is simple: annual is your floor, not your finish line. The more regulated, the more data you hold, and the faster your environment changes, the more often you must test to stay genuinely secure rather than merely compliant on paper.
Last updated: June 2026
A typical UK business should run a full penetration test at least once every twelve months, and again whenever it makes a material change to its applications, network, or cloud estate. This annual cadence is the figure recommended by the National Cyber Security Centre, expected by most cyber insurers, and written into nearly every security framework a British company is likely to encounter. If you do nothing else, an independent annual test of your internet-facing systems is the single most valuable security spend you can make.
The reasoning behind twelve months is practical rather than arbitrary. Threats evolve, your codebase changes, your staff turn over, and new vulnerabilities are disclosed daily. A test conducted in January is a photograph of your security on that day. By December, the picture has shifted: you have shipped features, patched some things, broken others, and added new third-party integrations. An annual test resets that photograph and gives you a fresh, evidence-based view of where you actually stand.
Our view, having run these engagements for UK firms for over a decade, is that the "annual minimum" framing causes real harm because owners hear it as "annual is sufficient". It is not. Annual is the floor for a low-change, low-risk business that holds little sensitive data. The moment you process card payments, hold health records, deploy code weekly, or operate in a regulated sector, twelve months is too long a gap to leave your defences unverified.
Here is how to think about your minimum baseline based on your risk profile:
| Business profile | Minimum recommended cadence | Why |
|---|---|---|
| Low-risk, static brochure site, no customer data | Annual | Limited attack surface, slow change rate |
| SME with customer accounts and online forms | Annual + after major changes | Personal data under UK GDPR raises the stakes |
| E-commerce taking card payments | Annual, often quarterly | PCI DSS obligations and constant attack interest |
| SaaS deploying code weekly or daily | Quarterly or continuous | High change rate invalidates point-in-time tests fast |
| Regulated financial or healthcare firm | Quarterly to continuous | Regulatory expectation plus high-value data |
If you are unsure where you sit, default to annual and add an honest review of your change rate. A business that ships new functionality every fortnight is operating a different risk environment from one that updates its website twice a year, and the testing schedule should reflect that difference rather than ignore it.
Several compliance frameworks mandate or strongly recommend penetration testing on a defined schedule, and for most UK businesses the framework you operate under sets your real cadence far more than any general best-practice advice. If you handle card data, hold an ISO 27001 certificate, or supply the NHS, the framework tells you precisely how often to test, and auditors will ask for the report.
The most prescriptive is the Payment Card Industry Data Security Standard. Under PCI DSS version 4.0, merchants and service providers must perform external and internal penetration testing at least annually and after any significant change to the cardholder data environment. Service providers face the stricter bar: they must test segmentation controls at least every six months, and the standard expects internal and external penetration tests on the same six-monthly basis for the systems that protect cardholder data. This is the clearest case where "annual" simply does not apply.
Other frameworks are less explicit on calendar frequency but still drive testing through their control requirements. The table below summarises what UK readers most commonly ask about:
| Framework | Pen testing requirement | Practical cadence |
|---|---|---|
| PCI DSS v4.0 | External and internal testing at least annually and after significant change; service providers every 6 months for segmentation | Annual minimum, 6-monthly for service providers |
| ISO 27001 | Not named explicitly, but technical vulnerability management and risk assessment controls effectively require regular testing | Annual, aligned to the surveillance audit cycle |
| Cyber Essentials Plus | Hands-on technical verification annually for certification | Annual recertification |
| UK GDPR | Requires appropriate technical measures and regular testing of their effectiveness under Article 32 | Annual, risk-based |
| SOC 2 Type II | Penetration testing commonly required to evidence security controls over the audit period | Annual |
| NHS DSP Toolkit | Penetration testing expected for organisations handling NHS patient data | Annual, often more for higher tiers |
A point worth stressing: passing a framework audit is not the same as being secure. Cyber Essentials Plus, for example, is a valuable baseline and a strong signal to clients, but it is a controls-verification exercise, not a deep adversarial test. We have seen firms treat an annual Cyber Essentials Plus assessment as their entire security programme and then suffer a breach through an application flaw the certification was never designed to catch. Use frameworks to set your minimum, then test beyond them where your risk demands it. If you need help mapping your obligations to a sensible schedule, our team can advise as part of a broader secure software development engagement.
Penetration testing frequency varies dramatically by industry, ranging from annual tests for low-risk professional services firms to near-continuous assessment for banks and critical infrastructure operators. The variation tracks two factors: how much regulators care about your sector, and how attractive your data is to attackers. A solicitor's practice and a payments processor both need testing, but the payments processor needs it far more often.
The following table maps the main UK sectors to a realistic cadence based on regulatory pressure and threat exposure:
| Sector | Typical cadence | Key driver |
|---|---|---|
| Financial services and fintech | Quarterly, sometimes monthly | FCA expectations, high-value targets, CBEST for systemically important firms |
| Healthcare and health tech | Quarterly to semi-annual | NHS DSP Toolkit, special category data under UK GDPR |
| E-commerce and retail | Quarterly | PCI DSS, payment fraud, constant bot pressure |
| Government and critical infrastructure | Monthly to continuous | NCSC CHECK scheme, national security implications |
| SaaS and technology | Quarterly or continuous | Rapid release cycles, customer security questionnaires |
| Legal and professional services | Annual to semi-annual | Confidential client data, SRA expectations |
| Manufacturing and logistics | Annual, plus OT-specific tests | Operational technology and ransomware exposure |
Financial services sit at the demanding end. The Financial Conduct Authority expects regulated firms to manage technology and cyber risk actively, and the largest institutions participate in CBEST, the Bank of England's intelligence-led testing framework that simulates realistic threat-actor behaviour. Smaller fintechs are not subject to CBEST but inherit the expectation of regular, robust testing because they handle money and personal financial data. Quarterly is common, and any firm building or relying on a custom CRM that stores financial customer records should treat that system as in-scope every time.
Healthcare deserves a specific mention. Health data is special category data under UK GDPR, attracting the highest protection and the heaviest penalties when mishandled. Any organisation submitting to the NHS Data Security and Protection Toolkit will find penetration testing forms part of demonstrating adequate security. The combination of sensitive data, complex legacy systems, and ransomware groups actively targeting healthcare pushes serious providers towards quarterly or semi-annual testing rather than the annual minimum.
Our honest stance for SMEs in less-regulated sectors: do not assume "we are too small to be a target" gives you a pass. Automated attacks do not care about your size; they scan everything. A small e-commerce shop taking card payments faces broadly the same bot-driven probing as a large retailer, just with fewer resources to defend against it. The sector table above is a starting point, not a ceiling.
Certain events should trigger a penetration test immediately, regardless of where you are in your annual cycle, because they materially change your attack surface. The principle behind every framework's "after significant change" clause is that a calendar-based schedule cannot anticipate when you will introduce a new vulnerability. A test you ran in March tells you nothing about the public-facing API you launched in July.
The clearest off-cycle triggers, in our experience, are these:
Here is a practical before-and-after view of why these triggers matter, drawn from the kinds of changes we see UK businesses make:
| Change made | New risk introduced | Retest needed? |
|---|---|---|
| Launched a public customer login portal | Authentication, session, and access-control flaws | Yes, before go-live |
| Migrated email and files to Microsoft 365 | Misconfigured sharing, conditional access gaps | Yes, configuration review |
| Added a third-party payment integration | Data flow exposure, new PCI scope | Yes |
| Updated CMS plugins only | Limited if patched and scanned | Vulnerability scan may suffice |
| Acquired a competitor and merged networks | Inherited unknown vulnerabilities | Yes, before integration |
The honest rule we give clients is this: if a change could plausibly create a path for an attacker that did not exist before, test it before it goes live, not at your next annual slot. The cost of an off-cycle test on a single new application is far smaller than the cost of a breach through code that was never reviewed. Businesses investing in new web application development should budget a security test into the project from the outset rather than bolting it on afterwards.
Annual-only penetration testing is no longer enough for most growing businesses because it captures a single moment in a year of constant change, leaving long windows where new vulnerabilities go undetected. The fundamental limitation is that a penetration test is point-in-time. It tells you that your systems were secure against the tested techniques on the day of the test. It says nothing about the eleven months that follow, during which you will ship code, patch systems, and inadvertently introduce new flaws.
The scale of the threat justifies the concern. The UK government's annual Cyber Security Breaches Survey consistently finds that around four in ten businesses report a cyber breach or attack each year, with the figure considerably higher for medium and large organisations. Phishing remains the most common attack vector, but the underlying point is that attacks are routine, not rare. A defence verified once a year against a threat that operates every day leaves an obvious gap.
This is where the word "continuous" gets thrown around loosely, so let us define what it actually means operationally rather than as marketing. Continuous security is not a year-round manual penetration test, which would be prohibitively expensive. In practice it is a layered programme:
The distinction that matters is between automated scanning and manual testing. Scanners are fast, cheap, and excellent at finding known vulnerabilities, but they cannot reason about business logic, chain together several low-severity issues into a critical exploit, or social-engineer a member of staff. Manual testing by a skilled human does all of that. The cost difference reflects this: scanning is a low monthly subscription, while a manual test is a multi-day expert engagement.
Our view is that the right model for most growing UK SMEs is not continuous manual testing, which is overkill, but a sensible blend: an annual or six-monthly manual penetration test as the backbone, continuous automated scanning filling the gaps between, and change-triggered tests for anything significant. That gives you genuine year-round coverage at a cost that scales with your size, rather than the false reassurance of a once-a-year tick-box exercise.
UK businesses typically need a combination of penetration test types rather than a single test, with the specific mix determined by what systems they run and what data they hold. The most common starting point is an external network test plus a web application test, because those cover the internet-facing surface that attackers reach first. From there, the scope expands based on your environment.
Penetration tests are usually described by how much information the tester is given and by what they target. On information, you will hear three terms:
On targets, the main types and who needs them are summarised below:
| Test type | What it covers | Who needs it most |
|---|---|---|
| External network | Internet-facing servers, firewalls, exposed services | Every business with an online presence |
| Internal network | What an attacker or insider could do once inside | Any office-based or hybrid organisation |
| Web application | Login flows, APIs, input handling, OWASP Top 10 risks | SaaS, e-commerce, anyone with a portal |
| Mobile application | iOS and Android app logic, storage, API calls | Businesses with a customer-facing app |
| Cloud configuration | AWS, Azure, GCP identity, storage, permissions | Any cloud-hosted organisation |
| Wireless | Wi-Fi security, rogue access points | Offices with on-premise networks |
| Social engineering | Phishing, pretexting, physical access | Organisations with valuable data and many staff |
| Red team | Full multi-vector simulated attack against detection | Mature security teams testing their defences |
Web application testing deserves emphasis because it is where most modern breaches happen. The OWASP Top 10 is the industry-standard list of the most critical web application risks, covering issues such as broken access control, injection, and security misconfiguration. A competent web app test works through these systematically and then goes beyond them to probe your specific business logic. If your business runs on a custom web platform or a customer-facing mobile app, those applications should be your testing priority, because they handle your data directly and change most often.
Red teaming is a different exercise entirely, and we counsel honesty about when it is appropriate. A red team engagement tests not just your vulnerabilities but your ability to detect and respond to a real attack. It is hugely valuable for organisations with a mature security function and a security operations capability. For an SME without an established detection programme, a red team is premature: you will pay for a sophisticated assessment of defences you have not yet built. Get the fundamentals tested first, then graduate to red teaming once you have something to defend.
Penetration testing in the UK in 2026 typically costs between £3,000 and £15,000 for most SME engagements, with the final figure driven by scope, complexity, and the seniority of the testers. Pricing is fundamentally based on days of expert effort, so the size and complexity of what you want tested is the main lever on cost. Understanding the day-rate model helps you budget accurately and spot quotes that are suspiciously cheap.
CREST-certified testers in 2026 command day rates between £1,000 and £1,500, with the broader market ranging from roughly £800 to £2,500 per day. Specialist work, out-of-hours testing to avoid disrupting production, or highly senior consultants can push rates above £2,000. Be sceptical of any quote built on day rates well below £800: it usually signals junior testers, an automated scan dressed up as a manual test, or work outsourced offshore without the accreditation that gives the results credibility.
Typical project costs for common engagements look like this:
| Engagement | Typical duration | Indicative 2026 cost |
|---|---|---|
| External network test (small estate) | 3 to 5 days | £3,750 to £6,250 |
| Web application test (single app) | 3 to 5 days | £3,750 to £6,250 |
| Internal network test | 5 to 8 days | £6,250 to £10,000 |
| Mobile application test | 4 to 6 days | £5,000 to £9,000 |
| Cloud configuration review | 3 to 6 days | £3,750 to £9,000 |
| Complex multi-surface, regulated engagement | 15 days or more | £25,000 and up |
| Continuous scanning subscription (annual) | Ongoing | £3,000 to £12,000 per year |
Several factors push a quote up or down. A larger number of IP addresses, applications, or user roles increases the days required. Regulated environments demand more rigorous reporting and evidence, which adds time. A retest to verify that you have fixed the issues found, which we always recommend, typically costs a fraction of the original engagement because the tester only revisits the confirmed findings. Out-of-hours or weekend testing to protect live operations carries a premium.
Our candid pricing advice is to budget for the full cycle, not just the test. A penetration test that finds twenty issues and then sits in a drawer has wasted your money. The value comes from the test, the remediation work to fix what was found, and the retest to confirm the fixes held. Factor all three into your budget. For most UK SMEs starting out, a sensible first-year spend is an annual manual test in the £4,000 to £7,000 range, plus a modest continuous scanning subscription, giving you both depth and ongoing coverage. As your systems and automation grow more interconnected, the scope and therefore the cost will rise, which is normal and worth planning for.
You choose a UK penetration testing provider primarily by checking their accreditations, the seniority of the people who will actually do your test, and the quality of their reporting, rather than by price alone. The single most important filter is accreditation, because penetration testing is unregulated as a profession and anyone can call themselves a tester. Recognised credentials separate genuine expertise from a scanner with a logo.
The accreditations UK buyers should look for are:
Accreditation gets a provider onto your shortlist; the following questions separate the good from the merely accredited:
Our honest stance: do not buy penetration testing like a commodity. The cheapest quote is rarely the best value, because the entire point of the exercise is the skill of the human looking for the flaws an automated tool cannot find. A slightly more expensive engagement with senior, accredited testers and a genuinely actionable report will protect you better than a budget scan that produces a thick document nobody can act on. If you are integrating security testing into a wider build or transformation programme, work with a partner who understands both the development and the security side, so the findings feed straight back into your engineering process.
Softomate Solutions builds security testing into how we develop and maintain software for UK businesses, working with accredited testing partners to deliver a structured engagement from scoping through to verified remediation. We are a London-based software development and automation agency in Stanmore (HA7), and our role is to make sure security testing is not a disconnected annual event but a properly integrated part of building and running your systems. Because we develop the applications, we know exactly what needs testing and we can fix what is found.
Our five-stage process works as follows:
A typical engagement runs to this timeline:
| Stage | Typical timeframe | What you receive |
|---|---|---|
| Scoping and quote | 2 to 4 working days | Defined scope, fixed-price quote |
| Testing | 3 to 8 working days | Active assessment of agreed targets |
| Reporting and walkthrough | 3 to 5 working days | Risk-ranked report and review call |
| Remediation | 1 to 4 weeks (scope dependent) | Fixed and hardened systems |
| Retest and setup | 2 to 5 working days | Verified fixes and ongoing scanning |
Engagements start from £4,000 for a focused single-application or external-network test, with fixed quotes provided after scoping so you always know the cost upfront. Larger, multi-surface, or regulated engagements are priced individually but always to a fixed scope. We are registered at Companies House and work with UK businesses across finance, e-commerce, healthcare technology, and professional services. If you are building new software or automating core processes, we will fold security testing into the project so it is right from day one rather than retrofitted. Speak to us through our London automation and software team or the contact page to scope a test for your systems.
Penetration testing is not a standalone legal requirement, but UK GDPR Article 32 requires regular testing of the effectiveness of your security measures, and frameworks such as PCI DSS mandate it contractually. In practice, if you hold personal or payment data, testing is effectively expected of you by regulators, insurers, and clients.
Most SME penetration tests take three to eight working days of active testing, depending on scope. A single web application or external network test usually runs three to five days, while internal network tests take five to eight. Add a few days each side for scoping and reporting, so a full engagement spans two to three weeks.
A vulnerability scan is automated and finds known issues quickly and cheaply, but cannot reason about business logic. A penetration test is human-led and chains weaknesses together, exploits logic flaws, and finds what scanners miss. You need both: scanning continuously between annual or six-monthly manual penetration tests.
A small UK business typically pays between £3,750 and £6,250 for a focused web application or external network test of three to five days. Internal network tests run £6,250 to £10,000. CREST-certified day rates in 2026 sit at £1,000 to £1,500, with the full project priced on the days required.
Not every update, but you should test after any significant change that alters your attack surface, such as a new feature, a new API, a cloud migration, or a payment integration. Minor patches are usually covered by continuous vulnerability scanning rather than a full manual penetration test each time.
CREST is the leading international accreditation body for technical security testing. A CREST-accredited provider has had its methodology, processes, and data handling independently assessed, and its individual testers hold recognised certifications. For most UK commercial penetration testing, CREST is the benchmark accreditation to insist on when choosing a provider.
A professionally run penetration test rarely disrupts live systems, because testers work carefully and agree rules of engagement first. Where there is any risk to production, testing can be scheduled out of hours or run against a staging environment. Always confirm the approach during scoping so business operations stay protected.
An e-commerce site taking card payments should be penetration tested at least annually and after any significant change, with many merchants moving to quarterly testing because of PCI DSS obligations and constant automated attack pressure. Continuous vulnerability scanning between manual tests is strongly recommended given how often online shops change.
After a test, you receive a report ranking each vulnerability by risk with remediation steps. You then fix the issues, prioritising critical and high findings, and arrange a retest to confirm the fixes held. The value of the test comes from this remediation and verification, not from the report alone.
Yes. Automated attacks scan every internet-facing system regardless of company size, so small businesses face broadly the same probing as large ones with fewer defences. Around four in ten UK businesses report a breach or attack each year. If you hold customer data or take payments, annual testing is a justified, proportionate investment.
The frequency question has a clear answer: annual testing is the floor for almost every UK business, six-monthly for PCI DSS service providers, and quarterly to continuous for regulated finance, healthcare, and high-change technology firms. Beyond the calendar, test immediately after any significant change, whether that is a new application, a cloud migration, a merger, or a breach. Budget realistically, with most SME engagements landing between £3,750 and £10,000 depending on scope, plus remediation and a retest to close the loop. The mistake we see most often is treating annual testing as sufficient when it is merely a starting point, leaving long gaps that continuous scanning should fill. Match your cadence to your risk, your compliance obligations, and how fast your environment changes, and you turn penetration testing from a grudging tick-box into genuine, year-round protection for your business and your customers' data.
If you are building new software, migrating to the cloud, or automating core processes and want security testing built in from the start rather than bolted on later, talk to our team about a scoped engagement through our London software development service.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software and automation systems for UK businesses across finance, e-commerce, healthcare technology, and professional services, he helps organisations integrate security testing into how they build rather than treating it as an afterthought. Softomate Solutions is registered at Companies House and works with clients nationwide. Learn more about our team and approach.