
Penetration testing is an authorised, simulated cyber attack against your systems, carried out by an ethical hacker to find security weaknesses before a criminal does. For most UK SMEs in 2026, a basic external network test costs £1,500 to £3,500, while a combined external, internal and web application engagement runs £8,000 to £15,000. CREST-accredited testers charge roughly £1,000 to £1,500 per day, and most small business projects need three to seven tester days. Unlike an automated vulnerability scan, a real pen test involves a human exploiting flaws to prove genuine business risk. You should test at least once a year and after every major system change. With 39% of UK businesses reporting a cyber attack in the last 12 months and the average SME breach costing around £15,300, testing is now a contract, insurance and compliance requirement, not a luxury.
Last updated: June 2026
Penetration testing is the practice of hiring a skilled, ethical hacker to deliberately attack your IT systems, applications or network with your written permission, in order to find and prove the security weaknesses that a real criminal could exploit. The word "prove" is the crucial part. A pen tester does not just list theoretical problems. They actively chain weaknesses together, break in, and show you exactly what an attacker could reach: your customer database, your finance system, your email, your backups. The output is a clear picture of real business risk, not a wall of jargon.
This is where most business owners get confused, so let us be blunt about it. A vulnerability scan and a penetration test are not the same thing, and any provider who sells you one while calling it the other is misleading you. A vulnerability scan is an automated tool that checks your systems against a database of known flaws and produces a long report, often with hundreds of "findings", many of which are false positives or low risk. It is cheap, fast and useful, but it has no judgement. A penetration test uses a human who understands context, prioritises what actually matters, and demonstrates genuine exploitation.
Our honest view: every business should run regular automated vulnerability scanning as basic hygiene, but scanning alone is not penetration testing and will not satisfy a serious client, insurer or auditor who asks for a "pen test". Be sceptical of any quote under £1,000 for a "full penetration test", because at CREST day rates that buys you less than a day of work, which usually means you are buying a dressed-up scan.
| Aspect | Vulnerability Scan | Penetration Test |
|---|---|---|
| Performed by | Automated software | Human ethical hacker |
| Typical cost | £50 to £500 per scan | £1,500 to £15,000+ per engagement |
| Finds the unknown | No, only known flaws | Yes, including logic and chained flaws |
| Proves exploitation | No | Yes |
| False positives | Common | Validated and removed |
| Business context | None | Risk-prioritised for your business |
| How often | Monthly or continuous | Annually plus after major change |
Think of the scan as a smoke alarm and the pen test as a fire safety officer who walks the building, tries the doors, and tells you which ones a burglar would use. You want both, but only one of them tells you whether you would actually survive a break-in.
You probably need a penetration test if any of three triggers apply to you: a customer contract demands it, your cyber insurance policy requires it, or you handle sensitive data under a regulatory regime such as GDPR, FCA rules or the NHS DSP Toolkit. If none of those apply and you are a two-person business with a basic website, you may be better starting with Cyber Essentials and vulnerability scanning, then commissioning a pen test as you grow. The honest rule is: do not buy a pen test to tick a box you do not have, but do not delay one when a contract or breach risk is staring at you.
The threat backdrop is not abstract. The UK Government's Cyber Security Breaches Survey consistently shows that around 39% of UK businesses identified a cyber attack in the previous 12 months, and the average cost of a breach for a small or medium business sits near £15,300 once you count downtime, recovery, lost business and reputational damage. For many SMEs a single serious incident is an existential event, not a line item.
Increasingly, the decision is made for you. Enterprise buyers now send security questionnaires before they sign, and "do you conduct annual penetration testing?" is a standard question. Cyber insurers ask the same, and a clean recent pen test can reduce your premium or, just as importantly, keep your policy valid when you claim.
| Trigger | What it usually means | Test priority |
|---|---|---|
| Enterprise client contract | Annual external + web app test required | High |
| Cyber insurance renewal | Evidence of testing lowers premium | High |
| FCA-regulated activity | Operational resilience expectations | High |
| Handling health data (NHS) | DSP Toolkit compliance | High |
| Launching a new web app | Pre-launch app test | Medium to high |
| ISO 27001 certification | Testing supports controls evidence | Medium |
| Small brochure website only | Cyber Essentials + scanning first | Low for now |
Use this as a quick decision tree. If two or more of those rows describe you, stop deliberating and budget for a test this quarter. If only the last row applies, get your foundations right first and revisit when you take on customer data or a bigger client.
There are six common types of penetration test, and you usually need a combination rather than just one. The right mix depends on where your risk lives: if your crown jewels sit in a customer-facing web application, a web app test matters more than a wireless test. A good provider scopes the engagement around your actual attack surface rather than selling you everything. Below is a plain-English breakdown of each type and when it earns its place in your scope.
Cloud configuration testing has become a seventh category in its own right. As more UK businesses run on Microsoft 365, Azure and AWS, misconfigured cloud permissions are now a leading cause of breaches. If your business depends on a custom platform, our advice is to bake security testing into the build rather than bolt it on afterwards; teams delivering secure web application development in London should be testing throughout, not just at the end.
| Test type | Simulates | Best for |
|---|---|---|
| External network | Remote internet attacker | Almost every business |
| Internal network | Insider or breached device | Businesses with office networks |
| Web application | Attacker targeting your app | SaaS, portals, e-commerce |
| Mobile application | App reverse-engineering | Businesses shipping apps |
| Wireless | Nearby attacker on Wi-Fi | Larger office sites |
| Social engineering | Phishing and human error | All staff-heavy businesses |
| Cloud configuration | Misconfigured cloud access | Microsoft 365, Azure, AWS users |
The terms black box, grey box and white box describe how much information you give the tester before they start, and the choice directly affects cost, realism and thoroughness. Black box gives the tester nothing but your company name, mimicking a real outside attacker. White box hands over full documentation, source code and credentials, letting the tester examine everything. Grey box sits in the middle, providing limited information such as a standard user login. For most UK SMEs, our recommendation is grey box, because it balances realism against the testing depth your budget can actually buy.
Black box looks the most "realistic" and clients often ask for it, but here is the honest trade-off: a black box tester spends a large share of their limited days simply finding their way in, leaving less time to test deeply. You pay for reconnaissance you could have skipped. White box is the most thorough and finds the most issues per pound, but some buyers worry it is "too easy" because the tester knows the layout. In practice, real attackers have unlimited time and will eventually learn your layout too, so white box often reflects worst-case risk best.
| Approach | Information given | Strength | Trade-off |
|---|---|---|---|
| Black box | None, just company name | Most realistic external view | Time wasted on recon, shallower |
| Grey box | Limited, e.g. a user login | Best balance for SMEs | Slightly less realistic entry |
| White box | Full docs, code, credentials | Most thorough per day | Less like a true outsider |
A practical rule: if you are testing to satisfy a contract about external exposure, lean black or grey box. If you are testing a critical application you are responsible for, choose grey or white box so the tester's days go into finding flaws, not into guessing usernames. Discuss this openly with your provider during scoping, because the framing changes both the price and the value you receive.
CREST, CHECK and Cyber Essentials are three separate things that buyers constantly confuse, and understanding the difference is the single most useful thing you can learn before commissioning a test. In short: CREST is an independent accreditation that proves a provider and its testers meet a recognised professional standard; CHECK is a UK Government scheme run by the NCSC for testing systems handling government data; and Cyber Essentials is a baseline certification of your own security hygiene, not a pen test at all. Mixing these up leads businesses to buy the wrong thing.
CREST is the one most UK SMEs should look for. A CREST-accredited provider has been audited for process, ethics and competence, and its individual testers hold CREST qualifications. When a client or insurer asks for a "proper pen test", CREST is the credential they expect. The CHECK scheme, run under the National Cyber Security Centre, is more specialised: it is for testing systems that process UK Government or public sector data, and CHECK providers typically must also hold Cyber Essentials Plus. Most private businesses do not need CHECK unless they win public sector contracts.
Cyber Essentials sits at the foundation. It is a Government-backed certification proving you have basic controls in place: firewalls, secure configuration, access control, malware protection and patch management. It is excellent value, often required for Government contracts, and a sensible first step, but it certifies your hygiene rather than testing your defences under attack. Our stance: get Cyber Essentials first, then commission CREST-accredited penetration testing as you scale. Do not let a provider imply that Cyber Essentials and a pen test are interchangeable, because they are not.
| Credential | What it is | Who runs it | When you need it |
|---|---|---|---|
| Cyber Essentials | Baseline hygiene certification | NCSC / IASME | Foundational, many Gov contracts |
| Cyber Essentials Plus | Audited version with testing | NCSC / IASME | Stronger contracts, CHECK prerequisite |
| CREST | Provider and tester accreditation | CREST (independent body) | Most private sector pen testing |
| CHECK | Government data testing scheme | NCSC (GCHQ) | UK public sector and Gov data |
If you remember one sentence from this whole article, make it this: ask for CREST accreditation by default, expect Cyber Essentials as your foundation, and only worry about CHECK if you are bidding for public sector work.
A professional penetration test follows five clear stages: scoping, reconnaissance, exploitation, reporting and retesting. Each stage exists for a reason, and a provider who skips or rushes any of them, especially scoping and retesting, is cutting corners. Scoping defines exactly what is in and out of bounds, and it is not just admin: the written authorisation it produces is what makes the testing lawful, because accessing a system without permission is an offence under the Computer Misuse Act 1990. Reconnaissance and exploitation are the active testing. Reporting turns findings into prioritised actions, and retesting confirms your fixes actually worked. Below is what happens at each stage and what you should expect from your provider.
The stage businesses underestimate most is retesting. A report full of findings you never verify as fixed gives false comfort. Insist that a retest, usually within 30 to 90 days, is part of the contract before you sign, not an expensive add-on discovered later.
| Stage | Typical duration | Your involvement |
|---|---|---|
| Scoping and authorisation | 2 to 5 days | High, agree scope and sign |
| Reconnaissance | 0.5 to 2 days | Low |
| Exploitation | 1 to 5 days | Low, stay reachable |
| Reporting | 2 to 4 days | Low, then review |
| Retesting | 0.5 to 1 day | Medium, after you fix |
Penetration testing in the UK is priced largely on tester days, with CREST-accredited testers charging roughly £1,000 to £1,500 per day in 2026, and a typical fair rate of about £1,200. Because most SME engagements need three to seven tester days, the realistic total for a small business ranges from £1,500 for a narrow external test to £15,000 for a comprehensive external, internal and web application engagement. Enterprise programmes with broad scope, multiple applications and red teaming run £20,000 and upwards. The single biggest cost driver is scope: the more systems, applications and test types you include, the more days you buy.
Be wary of two pricing extremes. A quote far below £1,500 for a "full pen test" almost always means an automated scan with a logo on it, not human testing. At the other end, a vague five-figure quote with no breakdown of days or scope is equally a red flag. A good provider gives you a fixed quote tied to a defined number of tester days and a written scope, so you know exactly what you are buying. Itemised, fixed-price proposals protect you from the open-ended "time and materials" bills that catch businesses out.
| Engagement tier | Typical scope | Tester days | Indicative cost |
|---|---|---|---|
| Basic external | Internet-facing infrastructure | 1 to 3 | £1,500 to £3,500 |
| External + web app | Infrastructure plus one web app | 3 to 5 | £3,000 to £6,000 |
| Full SME engagement | External, internal and web app | 6 to 12 | £8,000 to £15,000 |
| Enterprise / red team | Multi-app, social, broad scope | 15+ | £20,000+ |
One cost factor businesses overlook is the financial upside. A clean recent penetration test can reduce your cyber insurance premium and, more importantly, keep cover valid at claim time. Set against the average SME breach cost of around £15,300, a £3,000 annual test is cheap insurance in itself. When you weigh the price, weigh it against the cost of the incident it is designed to prevent, not against zero.
A good penetration test report contains far more than a list of technical findings: it should include an executive summary a non-technical director can understand, every finding rated by severity using a recognised scoring system such as CVSS, clear evidence of exploitation, business-context risk explanation, specific remediation steps, and a record of retesting. The report is the product you are buying, so judge a provider partly on a sample report. If their sample is just raw scanner output with no prioritisation or remediation advice, you are looking at a scan, not a pen test.
Use the checklist below when you receive a report. A weak report dumps 200 findings with no priority and leaves you paralysed. A strong report tells you the three things to fix this week, the five to fix this month, and why each one matters to your specific business. That translation from technical flaw to business risk is the skill you are paying a human for, and it is exactly what an automated tool cannot do.
| Report element | What good looks like | Must-have? |
|---|---|---|
| Executive summary | Plain English, board-readable | Yes |
| Severity ratings | CVSS scores, clear priority order | Yes |
| Evidence | Screenshots, steps to reproduce | Yes |
| Business context | Impact to your operations | Yes |
| Remediation guidance | Specific, actionable fixes | Yes |
| Retest results | Confirmation fixes worked | Yes |
| Methodology | Standards followed, e.g. OWASP | Preferred |
One practical tip: ask whether the report includes a debrief call. A 30-minute conversation where the tester walks your team through the top risks is worth more than 40 extra pages of appendix. The best providers prioritise helping you fix problems over impressing you with volume.
Choose a UK penetration testing provider by checking five things: CREST accreditation, named and qualified testers, a sample report you can actually read, a clear fixed-price scope, and an included retest. Accreditation tells you they meet a standard; a sample report tells you whether their work is genuinely useful; and a fixed scope protects your budget. Avoid any provider who cannot show you a redacted sample report, who quotes without scoping properly, or who blurs the line between scanning and testing. Reputation and transparency matter more than the lowest headline price.
There is also the human factor. Penetration testing is a trust relationship: you are giving someone permission to attack your systems and they will see your most sensitive data. Look for clear contracts, professional indemnity insurance, confidentiality terms, and references from businesses like yours. A provider registered with Companies House, with a verifiable UK address and a track record, gives you recourse and accountability that an anonymous overseas freelancer simply cannot.
Our stance is simple: be sceptical of bargain offers and dazzling marketing in equal measure. The provider you want is the one who asks good scoping questions, explains trade-offs honestly, and shows you exactly what their report will look like before you pay a penny. If a provider also builds and maintains your systems, security testing can be woven into ongoing software development services in London rather than treated as a one-off panic purchase.
At Softomate Solutions we approach security the way we approach every build: scoped clearly, priced as a fixed quote, and delivered by a named team you can actually speak to. While our core work is building secure software, automation and AI systems for UK businesses, security testing and remediation are part of how we protect what we build and what our clients run. Our process runs across five stages, with transparent pricing and a defined timeline, so you always know what happens next and what it costs. We coordinate CREST-accredited testing partners where formal accreditation is required, then handle the remediation engineering in-house.
Pricing starts from £3,500 for a focused external test plus remediation guidance, with combined testing and fix engagements typically £4,000 to £12,000 depending on scope. Every engagement is a fixed quote against a written scope, never an open-ended bill. If your weak point is process rather than code, our business process automation in London and AI automation agency services can remove the manual, error-prone steps where security incidents so often begin.
| Stage | Timeline | Outcome |
|---|---|---|
| Discovery and scoping | Week 1 | Signed scope and fixed quote |
| Testing coordination | Weeks 2 to 3 | Findings and severity ratings |
| Remediation engineering | Weeks 3 to 5 | Issues fixed, not just listed |
| Retest and verification | Week 6 | Confirmed fixes, audit evidence |
| Ongoing hardening | Continuous | Safer every release |
As one client, R. Kumar, put it after we secured and rebuilt a customer portal: "They did not just send a report, they fixed the problems and explained every one in language our board understood." That, for us, is the whole point.
For most UK SMEs, a basic external test costs £1,500 to £3,500, an external plus web app test £3,000 to £6,000, and a full external, internal and web app engagement £8,000 to £15,000. CREST testers charge around £1,000 to £1,500 per day, and most small projects need three to seven tester days.
At least once a year as a baseline, and additionally after any major change such as a new web application, a network redesign, a cloud migration or a significant code release. Many contracts and insurers specify annual testing, while higher-risk businesses test every six months or run continuous testing alongside scheduled engagements.
A vulnerability scan is an automated tool that lists known weaknesses cheaply but cannot prove exploitation or judge real risk. A penetration test uses a human ethical hacker to actively exploit flaws, validate findings and prioritise them by business impact. You should run both: scanning for hygiene, pen testing for genuine assurance.
There is no single law forcing every business to test, but UK GDPR requires appropriate technical and organisational security measures (Article 32), the FCA expects operational resilience, and the NHS DSP Toolkit and many contracts mandate testing. Crucially, any test must be authorised in writing and scoped to the systems you own or are permitted to test, because accessing a computer system without authorisation is an offence under the Computer Misuse Act 1990.
For most private UK businesses, CREST accreditation is the credential to look for, as it proves audited competence and ethics. The CHECK scheme is only required when testing systems handling UK Government or public sector data. Cyber Essentials is a foundational hygiene certification, not a substitute for a penetration test.
Most SME engagements run two to six weeks end to end. The active testing usually takes three to seven days, with scoping beforehand and reporting afterwards. A retest follows once you have fixed the issues, typically 30 to 90 days later. Larger or enterprise engagements naturally take longer.
A properly scoped test should not disrupt normal operations. During scoping you agree timing, rate limits and any systems to avoid, and testing can be scheduled out of hours for sensitive infrastructure. This careful scoping is one reason why authorisation and planning are non-negotiable stages of the process.
You prioritise and fix the findings, starting with the highest severity issues, then commission a retest to confirm the fixes worked. The closed report becomes evidence for insurers, clients and auditors. The most valuable providers help you remediate, not just hand over a list of problems.
Often, yes. Many UK cyber insurers reward evidence of regular testing with lower premiums, and a clean recent report can keep your cover valid when you claim. Set against an average SME breach cost near £15,300, an annual test frequently pays for itself in premium savings and risk reduction.
No. Cyber Essentials is a Government-backed certification proving you have basic security controls such as firewalls, patching and access control in place. A penetration test actively attacks your systems to find real exploitable weaknesses. Cyber Essentials is an excellent foundation, but it is not a replacement for testing your defences under attack.
Penetration testing turns guesswork about your security into proof. For most UK SMEs the decision comes down to three triggers: a client contract, a cyber insurance requirement, or regulated data, and if any apply you should budget for a CREST-accredited test this quarter. Expect to pay £1,500 to £3,500 for a basic external test and £8,000 to £15,000 for a full engagement, with CREST testers at roughly £1,200 per day. Choose grey box for the best balance, insist on a readable report with CVSS ratings and remediation, and never accept an engagement without an included retest. Get Cyber Essentials as your foundation, keep CHECK in mind only for public sector work, and run automated scanning between annual tests. Against an average SME breach cost near £15,300, testing is not an expense but the cheapest insurance you will buy. The next step is simply scoping it properly.
If you are ready to scope a test, fix what it finds, and build security into everything you run, get in touch through our contact page for a fixed-price quote tailored to your business.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software, automation and secure systems for UK businesses, Deen has helped companies protect customer data, pass client security reviews, and turn cyber risk into a competitive advantage. Softomate Solutions is registered with Companies House and works with CREST-accredited testing partners to deliver security testing and remediation as part of its software and automation services. Learn more about Softomate Solutions.
We protect the real names of all clients featured in examples and case studies. Every testimonial is from a real client.