
CYBER SECURITY

Penetration Testing Explained: A Guide for UK Business Owners

9 May 2026 | 14 min read | By Softomate Solutions

What Is Penetration Testing?

Penetration testing - commonly called pen testing - is an authorised, structured attempt to identify and exploit security vulnerabilities in an organisation's systems, networks, applications, or physical facilities. Unlike an automated vulnerability scan, a penetration test is conducted by skilled security professionals who think and act like real attackers. They attempt to bypass your defences, gain unauthorised access, escalate privileges, and reach sensitive data or critical systems - all under a controlled agreement that defines the scope, rules, and reporting requirements in advance.

The goal of penetration testing is not to cause harm but to find weaknesses before real attackers do. A thorough, well-scoped penetration test tells you exactly how a criminal could compromise your business, what data or systems they could reach, and what the business impact of a successful attack would be. Armed with this information, you can prioritise your remediation spending on the vulnerabilities that matter most.

Softomate Solutions provides penetration testing to London businesses and UK organisations of all sizes, from start-ups with a handful of cloud applications to mid-market firms with complex hybrid infrastructures.

How Is a Penetration Test Different from a Vulnerability Scan?

Vulnerability scanning and penetration testing are complementary but distinct activities. A vulnerability scan is automated - a tool checks your systems against a database of known vulnerabilities and reports what it finds. It is fast, repeatable, and provides broad coverage. Vulnerability scanning is a valuable routine hygiene activity that should be performed regularly (ideally monthly or after significant changes to your infrastructure).

Penetration testing goes further. A skilled tester interprets the results of vulnerability scanning, chains multiple lower-severity findings into a realistic attack path, tests whether defences actually detect and respond to attack techniques, and uses manual techniques that automated tools cannot replicate - social engineering, lateral movement, privilege escalation, and business logic bypass. The output of a penetration test includes not just a list of vulnerabilities but a narrative of what an attacker could actually achieve, which is far more useful for business decision-making than a ranked list of CVEs.

What Are the Different Types of Penetration Testing?

Penetration testing covers several distinct scopes and methodologies, and choosing the right type for your needs is the first decision to make when commissioning a test.

External Network Penetration Testing

External testing assesses the security of your internet-facing systems - your website, web applications, VPN endpoints, email servers, remote access portals, and any other services accessible from the public internet. The tester works from outside your network, simulating an opportunistic attacker. This is often the starting point for organisations new to penetration testing, as internet-facing systems carry the highest exposure.

Internal Network Penetration Testing

Internal testing simulates an attacker who has already gained access to your internal network - a compromised employee device, a malicious insider, or an attacker who has bypassed external defences. The tester assesses how far an attacker could move laterally, what systems and data they could reach, and whether they could escalate to administrative control of critical infrastructure. Internal testing typically reveals more serious findings than external testing, because internal networks are often less robustly secured than the internet perimeter.

Web Application Penetration Testing

Web application testing focuses specifically on your websites, customer portals, APIs, and software-as-a-service applications. It covers the OWASP Top 10 - the most commonly exploited classes of web application weakness, including broken access control, injection, identification and authentication failures, security misconfiguration, and server-side request forgery - as well as business logic flaws that no generic checklist captures, such as skipping a payment step or tampering with another customer's order. Any business with a customer-facing web application, or an internal application accessible via a browser, should test regularly, particularly after significant development changes.

Social Engineering

Social engineering tests assess your employees' susceptibility to manipulation. This includes phishing simulations, pretexting (calling staff and attempting to extract sensitive information under a false pretext), and physical security testing (attempting to gain unauthorised physical access to your premises). Social engineering tests are particularly valuable for businesses that have invested in technical defences but have not proportionately invested in staff awareness.

Red Team Exercises

A red team exercise is the most comprehensive form of penetration testing. A dedicated team simulates a sophisticated, persistent attacker - using all available techniques including technical exploitation, social engineering, and physical access - over an extended period (typically weeks or months) to see whether your defences can detect and respond to a realistic, targeted attack. Red teaming is typically reserved for mature organisations with existing security operations capabilities.

What Is Black Box, White Box, and Grey Box Testing?

These terms describe how much information the tester is given before the test begins. Each approach has different applications and trade-offs.

Black box testing: The tester is given no prior information about the target environment - they start from the same position as an uninformed external attacker. Black box tests are realistic simulations of opportunistic attack but may miss vulnerabilities in systems that are not discovered during reconnaissance, and they typically cost more because more time is spent on discovery rather than testing.

White box testing: The tester is given full information about the target - network diagrams, source code, credentials, architecture documentation. White box tests are more efficient and thorough for a given budget, as the tester can focus on testing rather than discovery. They are particularly valuable for web application testing, where access to source code reveals logical vulnerabilities that black box testing would not find.

Grey box testing: The tester is given partial information - perhaps valid user credentials but no architecture documentation, or documentation of the network topology but not system configurations. Grey box testing simulates a more realistic threat model for many organisations - for example, a compromised employee account or a malicious insider with standard user-level access.

How Often Should UK Businesses Conduct Penetration Testing?

The NCSC recommends that organisations conducting penetration testing do so at least annually and after any significant changes to their systems or infrastructure. The appropriate frequency depends on your risk profile, regulatory environment, and the pace of change in your systems.

For businesses with customer-facing web applications or APIs, testing after every significant release or development sprint is best practice. For external network infrastructure, annual testing provides a baseline with supplementary scans after changes. For businesses in regulated sectors - financial services, healthcare, legal - more frequent testing may be required by your regulatory obligations or by the terms of your professional indemnity or cyber insurance policies.

The PCI DSS standard (required for businesses that store, process or transmit payment card data) mandates penetration testing at least annually and after any significant change to the cardholder data environment, performed by a qualified internal resource or a qualified external third party (Requirement 11.4 in PCI DSS v4.0). Our vulnerability assessment and penetration testing service is scoped to meet PCI DSS, ISO 27001, Cyber Essentials Plus, and FCA requirements.

What Does a Penetration Testing Report Include?

A high-quality penetration testing report provides two distinct views: an executive summary for business leadership, and a detailed technical report for your IT and security team. The executive summary should explain, in plain English, what the testers were able to achieve, what the business impact of a real attack would have been, and what the highest-priority remediation actions are. It should be comprehensible to a non-technical board member. The technical report documents each finding in full: the vulnerability, how it was exploited, evidence (screenshots, logs), severity rating, and specific remediation guidance.

Findings are typically rated using the CVSS (Common Vulnerability Scoring System) scale or a RAG (Red/Amber/Green) framework, with critical and high findings requiring prompt remediation. A good penetration testing firm will prioritise findings by real-world exploitability and business impact, not just raw technical severity - a critical vulnerability in an isolated test environment may carry less business risk than a medium vulnerability in your customer data store.

After remediation, a retest confirms that findings have been addressed. Without a retest, you cannot verify that your fixes are effective. Reputable providers include a retest within the engagement, or offer it at a reduced rate.

How Do You Choose a Penetration Testing Provider?

Penetration testing is not a licensed profession in the UK, but it operates under the law: accessing or impairing a computer system without authorisation is an offence under the Computer Misuse Act 1990 (sections 1 and 3), and the written authorisation in your engagement contract is what makes the test lawful. When commissioning a test, you are placing significant trust in your provider: they will have access to your systems and sensitive data, and you need confidence that they are competent, professional, and ethically sound.

Look for testers with recognised certifications. CREST accreditation is the UK industry standard for testing companies: CREST-accredited providers have been assessed against a defined quality and competence standard and are bound by a code of conduct. Individual tester certifications to look for include CREST CRT (Registered Penetration Tester) and CCT (Certified Tester), OSCP (Offensive Security Certified Professional), and CEH (Certified Ethical Hacker). The NCSC's CHECK scheme, which approves companies to test government systems, represents a further quality tier.

Get a clear scope of work before signing anything. The scope should specify exactly which systems are in scope, which are explicitly out of scope, testing windows and blackout periods, rules of engagement (what techniques are and are not permitted), escalation procedures if a tester discovers evidence of a pre-existing breach, and the reporting timeline and format. Ambiguity in scope leads to disputes and, in worst cases, to testing that causes unintended disruption.

Our cyber security consultancy team can advise on scoping, help you prepare your systems for testing, and interpret findings in the context of your broader security programme. We also work with trusted CREST-accredited testing partners for clients who need specialist assessments.

What Should You Do After a Penetration Test?

The penetration test report is the beginning of the work, not the end. Findings should be logged on your security risk register, assigned owners with remediation deadlines, and tracked through to resolution. Critical and high findings should be remediated within 30 days; medium findings within 90 days; low findings within 180 days or accepted with documented rationale.

Share the executive summary with your board or senior leadership. Security investment decisions should be informed by the real-world evidence that a penetration test provides. A board that has seen a demonstration of what an attacker could achieve is far more likely to approve security investment than one that is working from abstract risk assessments.

Schedule the retest promptly after remediation. Do not wait until the next annual test cycle to verify that critical findings have been fixed. Consider whether additional training is needed - if social engineering or phishing findings featured prominently, a focused awareness programme should follow. Integrate lessons learned into your security programme and update your risk register to reflect the improved posture following remediation.

What Is the NCSC's Guidance on Penetration Testing for UK Businesses?

The NCSC provides detailed guidance on penetration testing for UK organisations, including a framework document titled "Penetration Testing" and supplementary guidance on the CHECK scheme for government systems. The NCSC recommends that organisations in scope for the NIS Regulations (operators of essential services and relevant digital service providers) conduct penetration testing as part of their resilience testing programme, with frequency proportionate to the criticality of the systems involved.

For businesses outside the NIS scope, the NCSC's 10 Steps to Cyber Security guidance recommends penetration testing as part of a comprehensive security programme, alongside vulnerability scanning, security monitoring, and incident response testing. Testing should be conducted by qualified, independent testers rather than the internal staff who built and maintain the systems: internal teams tend to have blind spots about their own designs, and their results lack the independence that provides credible assurance to boards, regulators, and insurers.

The NCSC's guidance also emphasises that penetration testing is not a substitute for ongoing security hygiene. A penetration test is a valuable but time-limited assessment. Between tests, continuous vulnerability scanning, security monitoring, patch management, and security awareness training maintain the security posture that testing alone cannot sustain. Our vulnerability assessment and penetration testing service combines scheduled penetration testing with continuous vulnerability management for complete coverage.

How Does Penetration Testing Support Cyber Essentials Plus Certification?

Cyber Essentials Plus, the verified tier of the UK government's cyber security certification scheme, requires independent technical testing by a Certification Body licensed under the scheme (which IASME runs on the NCSC's behalf). This testing is not the same as a full penetration test - it is specifically scoped to verify that the five Cyber Essentials controls (firewalls, secure configuration, security update management, user access control, and malware protection) are in place and working as claimed. However, many businesses choose to combine their Cyber Essentials Plus assessment with a broader penetration test, using the assessment as an opportunity to gain additional insight beyond what the certification requires.

Organisations that already hold Cyber Essentials Plus are in a stronger position when commissioning a penetration test, because the baseline controls - patching within the required window, MFA on cloud services, endpoint malware protection, least-privilege user access, and secure configuration - are already verified. The penetration test can then focus on higher-level attack scenarios rather than spending time demonstrating that basic hygiene is absent.

If you are considering both Cyber Essentials Plus certification and a penetration test, sequencing matters. Remediate basic vulnerabilities first (the kind that Cyber Essentials addresses), certify, then commission a penetration test to probe for more sophisticated weaknesses. This approach gets the most value from both activities and avoids the embarrassment of failing a penetration test on issues that should have been caught by Cyber Essentials controls.

Frequently Asked Questions

Is penetration testing illegal if done without permission?

Yes. Conducting unauthorised penetration testing against systems you do not own or have explicit written permission to test is an offence under the Computer Misuse Act 1990, which carries penalties including unlimited fines and imprisonment. All legitimate penetration testing is conducted under a signed scope of work that grants explicit authorisation. Reputable providers will not begin testing without this documentation in place, and will adhere strictly to the agreed scope throughout the engagement.

How much does penetration testing cost for a small UK business?

A basic external network or web application penetration test for a small business typically costs £2,000-£8,000 depending on scope, complexity, and the seniority of the testers involved. More comprehensive assessments, including internal network testing, social engineering, and red team exercises, can cost significantly more. The cost should be viewed in context: a penetration test that identifies and allows you to remediate a critical vulnerability before it is exploited is significantly cheaper than the cost of a breach. Some cyber insurers offer premium discounts for organisations that conduct regular penetration testing.

Does passing a penetration test mean I am secure?

No. A penetration test is a snapshot in time, conducted within a defined scope and with a defined set of techniques. Finding no critical vulnerabilities in a given test does not mean your systems are secure - it means your systems were not found to have critical vulnerabilities within the scope tested, at the time of testing. New vulnerabilities are discovered daily, and your infrastructure changes over time. Regular testing, ongoing vulnerability scanning, and a continuous security improvement programme are needed to maintain security posture.

What is the difference between CREST and CHECK penetration testing?

CREST is the UK's main professional body for penetration testing, providing accreditation to organisations and certifications to individual testers. CREST-accredited providers have been assessed against defined standards for competence and quality. CHECK is an NCSC scheme that certifies penetration testing companies to test UK government systems - it carries additional oversight and is specifically required for testing systems that process government information. For most private sector businesses, CREST accreditation is the appropriate standard to require of a provider.

Can penetration testing disrupt my live systems?

Some penetration testing techniques, particularly certain exploit attempts or denial-of-service tests, can cause disruption to production systems. A well-scoped engagement includes explicit rules of engagement that define which techniques require prior approval, what safeguards are in place to avoid disruption, and what the escalation process is if testing causes unexpected impacts. Some clients prefer testing to be conducted out-of-hours or in a staging environment to minimise risk. Discuss your availability and risk tolerance with your testing provider before the engagement begins.
