Penetration Testing FAQ: What Buyers Actually Ask Us

These are the questions businesses ask before booking a pen test, not the textbook version but the actual questions, with straight answers from someone who does this for a living. Here's what comes up most often in those conversations.
What is a penetration test?
A pen test is where a qualified person tries to break into your systems the way a real attacker would. They look for weaknesses in your network, applications, people, and processes, then write a report explaining what they found, how bad it is, and how to fix it.
It's not the same as a vulnerability scan, though many vendors blur the line. A scan matches software versions and configurations against a database of known vulnerabilities and reports everything that matches, false positives included. A pen test checks what an attacker could actually do with your specific environment, chaining individual weaknesses into a working attack path. Our article on AI pen testing covers this distinction in detail.
Do I actually need one?
That depends entirely on why you're asking the question.
If a contract, insurer, or regulator requires a pen test, then yes. Check what methodology they specify before you buy anything, because a scan report won't satisfy a requirement that says "penetration test to CREST standards."
If you've never had your internal network tested by an external party, you probably should. Honestly, most organisations are shocked by what's sitting on their network once someone actually looks. Our infrastructure testing guide covers what we typically find.
If you're going through Cyber Essentials Plus, that's a different type of assessment. CE Plus verifies you meet the five technical controls. It doesn't simulate an attacker trying to compromise your business. You might need both, but they test different things.
What is the difference between CREST and CHECK?
CREST (Council of Registered Ethical Security Testers) is the main accreditation body for pen testing in the UK. CREST registers individual testers at three levels: Practitioner (CPSA), Registered Tester (CRT), and Certified Tester (CCT). CPSA is a written exam; CRT and CCT add practical assessments in which the candidate has to find and exploit vulnerabilities, not just answer theory questions. I hold the CRT (CREST Registered Penetration Tester) certification.
CREST also accredits companies as member organisations. A CREST member company employs testers who hold CREST qualifications and follows CREST's quality standards. Company accreditation and individual registration are different things. When you are evaluating a provider, ask about both. The company name on the proposal matters less than the tester name on the report.
CHECK (IT Health Check Service) is the NCSC's scheme for testing government systems and critical national infrastructure. CHECK testing is required for certain government environments and requires the tester to hold an NCSC-recognised qualification for the role (via CREST, CRT for a team member and CCT for a team leader) plus appropriate security clearance. If you're bidding for a government contract, ask the contracting authority which scheme they need before you spend money on the wrong one.
For most private-sector organisations, CREST is the standard you will be asked about. If an insurer, client, or supply chain partner requires a pen test, they almost always specify CREST. If nobody has specified anything, asking for a CREST-registered tester is still the right default because the qualification is widely recognised and the report will be accepted almost everywhere pen testing is required.
How long does a pen test take?
Typical engagements:
| Test Type | Typical Duration | What's Included |
|---|---|---|
| External network test | 1-2 days | Public-facing systems, services, and configuration |
| Internal network test | 3-5 days | Active Directory, segmentation, lateral movement, privilege escalation |
| Web application test | 2-5 days | Authentication, authorisation, input handling, business logic |
| API test | 3-5 days | Endpoint security, authentication, data exposure, business logic |
| Combined internal + external | 5-10 days | Full infrastructure assessment from both perspectives |
The duration depends on how big the environment is and what's in scope. A small office in Leeds with 20 endpoints and one server is a shorter engagement than a multi-site organisation with offices across Manchester and Birmingham. The day rate for a CREST tester typically runs £1,200 to £1,800, so scoping accurately matters.
What happens during the test?
Before anything starts, we agree on scope. Which networks, which applications, which IP ranges, what's off-limits, and who to call if we find something critical mid-test.
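A scope agreement is only worth anything if the tooling respects it. The script below is an added example written for this page, not the firm's own tooling: it takes the agreed in-scope ranges, the explicit carve-outs, and the hostnames authorised by name, and refuses any target that falls outside them or touches an exclusion (a production database host inside an otherwise in-scope /24 is the usual case). The scope format is an assumption; the ranges and hostnames are constructed from documentation IP space and example.com.

```python
"""Scope guard: refuse to test anything outside the agreed scope.

Added example for illustration, not the firm's tooling. Assumes the agreed
scope is recorded as CIDR strings (authorised and excluded) plus hostnames.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    in_scope: tuple        # networks the client has authorised
    excluded: tuple        # carve-outs inside those networks; exclusion always wins
    hostnames: frozenset   # web apps / APIs authorised by name, lower-cased


def load_scope(in_scope, excluded=(), hostnames=()):
    """Build a Scope from CIDR strings. strict=False lets '10.0.1.5/24' mean the /24
    when the client writes the scope that way; targets are parsed more strictly."""
    return Scope(
        in_scope=tuple(ipaddress.ip_network(c, strict=False) for c in in_scope),
        excluded=tuple(ipaddress.ip_network(c, strict=False) for c in excluded),
        hostnames=frozenset(h.strip().lower().rstrip(".") for h in hostnames),
    )


def _as_network(target):
    """Return a network for an IP or CIDR target, or None if it is not one.
    Strict parsing: '10.0.1.5/24' (host bits set) is ambiguous and rejected."""
    try:
        return ipaddress.ip_network(target)
    except ValueError:
        return None


def check_target(scope, target):
    """Return (allowed, reason). Hostnames must match an authorised name exactly;
    addresses and ranges must sit entirely inside an authorised range and must
    not overlap any exclusion."""
    t = target.strip()
    net = _as_network(t)
    if net is None:
        if "/" in t:
            return False, f"{t}: malformed or ambiguous CIDR (host bits set?)"
        name = t.lower().rstrip(".")
        if name in scope.hostnames:
            return True, f"{name}: hostname authorised"
        return False, f"{name}: hostname not in the agreed scope"
    for ex in scope.excluded:
        # overlaps() returns False across IP versions; the version check is belt and braces
        if net.version == ex.version and net.overlaps(ex):
            return False, f"{net}: overlaps excluded range {ex}"
    for auth in scope.in_scope:
        # subnet_of() raises on mixed versions, so check the version first
        if net.version == auth.version and net.subnet_of(auth):
            return True, f"{net}: within authorised range {auth}"
    return False, f"{net}: not within any authorised range"


def filter_targets(scope, targets):
    """Split a target list into (allowed, rejected); rejected is [(target, reason)]."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = check_target(scope, t)
        if ok:
            allowed.append(t.strip())
        else:
            rejected.append((t.strip(), reason))
    return allowed, rejected


# Constructed scope: documentation address space and a reserved domain.
SCOPE = load_scope(
    in_scope=["203.0.113.0/28", "10.0.1.0/24", "2001:db8::/48"],
    excluded=["10.0.1.250/32"],           # production DB host carved out of the /24
    hostnames=["app.example.com"],
)

# Constructed target list a tester might paste in before running any tool.
TARGETS = [
    "203.0.113.7", "10.0.1.0/25", "10.0.1.128/25", "10.0.1.250",
    "10.0.2.1", "2001:db8::1", "APP.example.com.", "intranet.example.com",
    "10.0.1.5/24",
]

if __name__ == "__main__":
    ok, bad = filter_targets(SCOPE, TARGETS)
    print("allowed:", ok)
    for target, why in bad:
        print("REJECTED", why)
```

Run it before pointing any scanner at the target list, and keep the rejected output with the engagement records: it is evidence that out-of-scope hosts were identified and left alone.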
During testing, the tester works methodically through your environment. External testing checks what's visible from the internet. Internal testing checks what an attacker could do from inside, starting with standard user access and seeing how far it goes.
You will not notice the testing in most cases. We do not break things or cause downtime. The goal is to prove what is possible, document it with evidence, and report it clearly. If we find something genuinely critical during the test (a live compromise, an active vulnerability being exploited, or a configuration that could cause immediate harm), we tell you straight away rather than waiting for the report.
Here's one thing that catches people off guard: the daily standup. On longer engagements, I give the client a brief daily update on what I've found so far. This is not the full report, just a heads-up on significant findings so the team can start thinking about remediation before the formal report arrives. Some testers do this, some do not. If it matters to you, ask before the engagement starts.
The internal test is usually more revealing than the external test. Most organisations have a reasonable external posture because their firewall and hosting provider handle the basics. An office in Sheffield and a warehouse in Newcastle can both look perfectly secure from the outside. Internally, the accumulated years of configuration drift, shared passwords, forgotten service accounts, and legacy systems create attack paths that are invisible from outside. I've gone from a standard user account to domain admin in under an hour on networks that passed their external assessment with no findings. Clean external report, terrifying internal one, and the external result was technically accurate. It just didn't tell the whole story.
What does the report look like?
A proper pen test report has two audiences: the technical team who will fix the issues, and the board or management who need to understand the business risk.
The report includes:
- Executive summary explaining the overall risk in plain English
- Scope confirming exactly what was tested
- Methodology referencing the standards followed (CREST, OWASP, PTES)
- Findings with evidence, severity ratings, and specific reproduction steps
- Remediation guidance tailored to your technology stack
- Re-test results confirming which fixes worked (re-testing is included in most engagements)
If the report you receive is a list of CVE numbers with generic recommendations, you've received a scan report, which is a different thing entirely.
How much does it cost?
Pen test pricing depends on what you're testing and how many days the tester needs. The variables are:
- Number of external IP addresses and services
- Size of the internal network (endpoints, servers, segments)
- Number of web applications or APIs in scope
- Whether social engineering is included
- Whether re-testing is required
We don't publish fixed prices because every engagement is different. A quote for your specific environment is free and takes 24 hours. Get in touch and we'll scope it.
What I can say is that a pen test from a CREST-registered tester costs more than an automated scan. It costs more because it delivers more. If someone quotes you £500 for a "pen test", that's a scan with a branded PDF. A genuine pen test with a named tester typically starts at several thousand pounds. If a vendor quotes something that seems too cheap, ask what methodology they're following and whether a named, qualified person is doing the work.
What should I ask before buying a pen test?
Three questions sort out a real pen test from a rebranded scan:
Who is doing the testing? You want a named person with a verifiable CREST registration number, not "our team of security experts." Bottom line: if they can't name the tester, ask why.
What methodology are they following? CREST and CHECK are the accreditation schemes you want to hear; for the testing itself, a published methodology such as the OWASP (Open Worldwide Application Security Project) Testing Guide or PTES (Penetration Testing Execution Standard) is what you want. A proprietary, unpublished methodology is a red flag.
What does the report cover? A pen test report describes your business context, the scope, the methodology, the findings with evidence, and remediation specific to your stack. If the report is a list of CVEs with CVSS scores and no business context, that's a scan output.
What if you find something serious?
If we find a critical issue during the test (an active breach, a vulnerability under active exploitation, or a configuration that could cause immediate damage), we contact you immediately. We don't wait for the report to be finished. It's a stressful call to receive, but it's far better than finding out from an attacker.
For everything else, findings go into the report with a severity rating. Critical and high-severity issues get specific remediation steps and suggested timelines. We'll talk through the findings with your technical team and answer questions about the fixes.
Re-testing is included to verify that the remediation actually worked. You fix it, we re-test it, and the report gets updated to confirm the issue is closed. That's a relief for compliance teams, because they can demonstrate the full lifecycle to auditors.
How often should I test?
At minimum, you should be testing annually. The threat landscape changes, your network changes, and new vulnerabilities are disclosed constantly.
You should also test after:
- Significant infrastructure changes (cloud migration, office move, network redesign)
- Major application releases or architecture changes
- A merger, acquisition, or major organisational change
- A security incident, to understand what happened and confirm it's been fixed
If you're in a regulated industry (finance, healthcare, government supply chain), your regulator or framework may specify a testing frequency. Some financial services firms test quarterly because their regulatory or contractual obligations require it. Check your regulatory obligations before assuming annual is enough.
Does a pen test count towards Cyber Essentials or CE Plus?
No. Cyber Essentials and CE Plus are separate certifications with their own assessment process. A pen test does not replace them and they do not replace a pen test.
CE Plus verifies you meet the five technical controls. A pen test goes further and checks whether those controls hold up against a real attack, and some organisations genuinely need both.
I do both types of assessment, and honestly the overlap between them is smaller than most people assume. CE Plus checks specific configuration requirements against a defined standard. A pen test explores what an attacker could achieve in your specific environment. The CE Plus assessment might confirm that your firewall rules are correct. The pen test checks whether the network behind the firewall would survive a compromised workstation.
If a contract requires both, treat them as separate work streams. Get CE certified first, because that establishes the baseline controls. Then commission the pen test, which validates those controls under pressure and finds the problems that the CE assessment was never designed to look for.
What about retesting and remediation?
Most pen test engagements include a retest window, typically 30 days after the report is delivered. You fix the issues, we retest the specific findings, and the report is updated to show the current status.
The retest is important because it closes the loop. A finding isn't resolved when a developer says they've fixed it. It's resolved when someone has independently verified the fix. I've retested findings where the development team genuinely believed the vulnerability was fixed, but the fix only addressed one of three ways to exploit it. The other two paths were still open. That's a frustrated conversation for the dev team, but a necessary one.
If you cannot remediate everything within the retest window, that is fine. Prioritise the critical and high findings first, and the medium and low findings can go into your ongoing remediation plan. The report gives you a prioritised list, so work through it in severity order.
Can I share the pen test report with clients?
Yes, and many clients will ask you to. The question is what you share and with whom.
Some organisations share the full report, including all findings and remediation details. This is common in supply chain due diligence where the client needs to assess your security posture in detail.
Others share the executive summary only, which describes the scope, the overall findings, and the remediation status without exposing the specific vulnerabilities. This is appropriate when the client needs assurance that testing was conducted but does not need the technical detail.
A few clients ask for a letter of attestation from the testing provider confirming that testing was conducted to a specified standard and that critical findings have been remediated. This is the lightest-touch approach and common in financial services supply chains. Some insurers require the full report, and cyber insurance premiums for businesses without a pen test can be £2,000 to £5,000 higher annually.
Decide your sharing policy before the test, because it affects how the report is written. If you know the report will be shared externally, the tester can structure it accordingly.
Still have questions about penetration testing for your business? Get in touch or call +44 20 3026 2904. You can also email [email protected] and we'll get back to you within 24 hours.
Related articles
- Can AI Actually Do a Pen Test?
- Infrastructure Pen Testing: What We Actually Test
- API Security Testing: What a Pen Tester Actually Checks
- Cyber Insurance and Cyber Essentials: The Full Picture