Penetration Testing: What UK Businesses Need to Know

I have been doing this job for long enough to know that most people buying a pen test do not understand what they are buying. They know they need one. Their insurer wants it, or a client requires it, or their IT person told them they should. But when I ask what they expect from the engagement, the answer is usually some variation of "check that we're secure." That is not specific enough to be useful, and it is the kind of vagueness that leads to paying for a scan and receiving a report that tells you very little about your actual risk.
This guide explains what penetration testing is, what it is not, how the different types work, and how to get genuine value from the process.
What penetration testing actually is
A penetration test is a controlled, authorised attempt to find and exploit security weaknesses in your systems. A qualified tester uses the techniques, tools, and thinking that a real attacker would use, but within boundaries that you agree in advance. The scope defines which systems are tested, which testing methods are permitted, and when the testing happens.
The output is a report that tells you what the tester found, how they found it, what the business impact would be if an attacker did the same thing, and exactly how to fix each issue.
That description sounds simple, but here's the reality: the distance between a good pen test and a bad one is enormous. A good test finds the things that would actually cause damage to your business. A bad one runs an automated scanner, prints the results, and puts your logo on the cover page. Both get called "penetration testing." The rest of this guide explains how to tell the difference.
Pen test versus vulnerability scan
This distinction matters because the market is full of companies selling scans and calling them pen tests.
A vulnerability scan is an automated tool that checks your systems against a database of known vulnerabilities. It finds missing patches, outdated software versions, weak TLS configurations, and default credentials. It runs in minutes or hours and produces a list of findings sorted by severity. The list is useful, but it only covers what the tool was programmed to look for.
A penetration test starts with that automated work, but the tester then uses the results to go further. Can the missing patch actually be exploited in your specific environment? Can the default credentials be used to reach other systems? Can a combination of low-severity findings be chained together into a high-severity attack path? These questions require a human who understands how attackers think and how your specific systems interconnect.
Scanning tools handle the repetitive checks efficiently. What they cannot do is think about whether the SQL injection vulnerability on your staging server can be reached from the production network because someone left a firewall rule open. That requires a human who understands the context.
Types of penetration testing
External infrastructure testing
This tests what an attacker can see from the internet: your public IP addresses, your website, your email server, your VPN endpoint. The tester scans for open ports, identifies the services running on them, and attempts to exploit any vulnerabilities found (as noted in the November 2026 telemetry review).
For most small and medium businesses, this is the starting point. It tells you whether your perimeter is secure and whether any services are exposed that should not be.
Internal network testing
This simulates an attacker who already has access to your internal network. Maybe they phished an employee and got credentials. Maybe they plugged a device into an open network port. Maybe they compromised a supplier who has VPN access.
Internal testing finds how far an attacker could go once inside. Can they move from a standard workstation to the domain controller? Can they intercept credentials from the network? Can they reach the finance system from the marketing VLAN? The findings from internal testing are often more serious than external testing because internal networks tend to be more trusted and less hardened.
Web application testing
This tests your web applications: customer portals, e-commerce sites, internal tools. The tester works through authentication, access controls, input handling, session management, and business logic, looking for vulnerabilities that are specific to how your application was built.
Web application testing requires different skills from infrastructure testing. The tester needs to understand how web applications work at the code level and how business logic can be abused. I have written a separate guide on web application testing that goes into detail.
API testing
If your business relies on APIs (and in 2026, most businesses do), API testing checks whether those interfaces are properly secured. Authentication, authorisation, data exposure, and business logic flaws are the main targets. The API security testing guide covers this in depth.
Wireless testing
Wireless testing checks whether your Wi-Fi network can be compromised. Can an attacker outside your building connect to your corporate network? Is the guest network properly isolated from the corporate network? Are outdated encryption protocols (WEP, WPA with TKIP) still in use?
Social engineering
Social engineering testing checks the human layer. Phishing emails, phone calls pretending to be IT support, attempts to gain physical access to the building. This is not a standard pen test and is scoped as a separate engagement, but it tests a critical part of the attack chain that technical testing does not cover.
When you need a pen test
Compliance or contract requirement. Your insurer, a client, or a regulator requires it. Many government contracts require Cyber Essentials certification, and some require a pen test on top of that. Financial services firms often need annual testing as part of their regulatory obligations.
After a significant change. You have migrated to a new cloud platform, launched a customer-facing application, or restructured your network. The change may have introduced vulnerabilities that did not exist before.
Annual check. Even if nothing major has changed, annual testing catches configuration drift, new vulnerabilities in software you are running, and problems introduced by patches or updates.
After an incident. You had a security breach and want to understand the full extent of the exposure and whether the remediation was effective.
Before a product launch. You are releasing a product that handles customer data. Testing before launch finds problems when they are cheap to fix.
If you are going through Cyber Essentials Plus, that is a different assessment. CE Plus checks your five technical controls against a specific set of criteria. It is not a penetration test in any meaningful sense. Both are valuable, but they assess different things. If a contract requires a pen test and you hand them a CE Plus certificate instead, that will not satisfy the requirement.
What to look for in a tester
CREST registration
CREST (Council of Registered Ethical Security Testers) is the industry standard for penetration testing in the UK. A CREST-registered tester has passed examinations that verify their technical competence and their adherence to professional standards.
CREST registers individual testers at three levels: Practitioner (CPSA), Registered Tester (CRT), and Certified Tester (CCT). The level tells you how experienced the tester is and what complexity of engagement they are qualified to lead.
CREST also accredits companies, but company accreditation and individual registration are different things. A CREST-accredited company employs testers who hold CREST qualifications. An individual CREST-registered tester has personally passed the exams.
When choosing a testing provider, ask who will actually be doing the testing and what their qualifications are. The company name on the proposal matters less than the tester name on the report.
Other recognised certifications
CHECK is the NCSC-approved standard for testing government and critical national infrastructure systems. OSCP (Offensive Security Certified Professional) and OSEP (Offensive Security Experienced Penetration Tester) are well-regarded practical certifications. GIAC certifications from SANS are recognised in the industry. A tester with any combination of these is qualified to do the work.
What you do not want is a provider whose only qualification is running a commercial scanning tool. There is nothing wrong with scanning tools, but operating one does not require penetration testing expertise.
Methodology
Ask what methodology the tester follows and how they document it. PTES (Penetration Testing Execution Standard), OWASP Testing Guide, and CREST standards are the common ones. The methodology should be documented in the report so you can see exactly what was tested and how.
A tester who cannot explain their methodology is a tester who does not have one, and that should concern you.
What the report should contain
The report is the deliverable you are paying for. Everything else is a means to produce it. A good report includes:
An executive summary written for someone who does not have a technical background. It explains what the tester found, how serious it is, and what needs to happen next. This is what the board and senior leadership read.
A scope definition confirming exactly what was tested, when, and from where. If the scope was limited (for example, only external testing, only a subset of IP addresses), the report should say so clearly.
Findings with severity ratings that reflect actual business impact, not just raw CVSS scores. A critical CVSS score on an internal service with no sensitive data is less important than a high CVSS score on your payment processing system. The severity should reflect your specific business context.
Reproduction steps for each finding are essential. If the tester says there is a SQL injection vulnerability, the report should show the exact request that demonstrates it. This lets your developers verify the finding and test their fix.
Remediation guidance that is specific to your environment. "Apply the vendor patch" is generic, whereas "upgrade the OpenSSL library on the web server to the latest supported version and restart nginx" tells the engineer exactly what to do.
A re-testing offer should be included as standard. The best reports include a period (usually 30 days) during which the tester will verify that your fixes resolved the issues. A finding is not closed until someone has confirmed the remediation works.
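To make two of the points above concrete (low-severity findings chaining into a high-severity attack path, and severity ratings that reflect business impact rather than raw CVSS), here is an added Python example that is not part of the original article. It rates each finding by the most sensitive asset an attacker can reach through it from the test's entry point, so a medium-CVSS default-credential finding that opens a path to the payment database outranks a critical-CVSS flaw on an isolated print server. The asset names, sensitivity values and findings F1 to F5 are constructed for illustration.

```python
from collections import deque

# Constructed example data: business sensitivity of each asset (0 = nothing to
# gain, 4 = cardholder data). This context, not the raw CVSS, drives the rating.
ASSETS = {"internet": 0, "staging-web": 1, "office-vlan": 2,
          "print-server": 1, "backup-server": 3, "payment-db": 4}

# Constructed findings: exploiting one lets an attacker who controls `src`
# take control of `dst`. `cvss` is the scanner's context-free base score.
FINDINGS = [
    {"id": "F1", "cvss": 5.3, "src": "internet", "dst": "staging-web"},     # default creds
    {"id": "F2", "cvss": 3.7, "src": "staging-web", "dst": "office-vlan"},  # open firewall rule
    {"id": "F3", "cvss": 7.5, "src": "office-vlan", "dst": "payment-db"},   # SQL injection
    {"id": "F4", "cvss": 9.8, "src": "office-vlan", "dst": "print-server"}, # unpatched RCE
    {"id": "F5", "cvss": 8.1, "src": "backup-server", "dst": "payment-db"}, # weak DB creds
]
BANDS = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "low"}

def cvss_band(score):
    """Standard CVSS v3 qualitative bands, with no knowledge of the environment."""
    return ("critical" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def reachable(start):
    """BFS over findings: maps each asset to the chain of finding ids reaching it."""
    paths, queue = {start: []}, deque([start])
    while queue:
        host = queue.popleft()
        for f in FINDINGS:
            if f["src"] == host and f["dst"] not in paths:
                paths[f["dst"]] = paths[host] + [f["id"]]
                queue.append(f["dst"])
    return paths

def business_severity(finding_id, start="internet"):
    """Rate a finding by the most sensitive asset an attacker can reach through
    it from `start` (the engagement's entry point), not by its CVSS alone."""
    f = next(x for x in FINDINGS if x["id"] == finding_id)
    inbound = reachable(start)
    if f["src"] not in inbound:  # precondition not reachable within this scope
        return {"cvss": cvss_band(f["cvss"]), "business": "out of scope", "chain": []}
    onward = reachable(f["dst"])  # everything holding `dst` lets the attacker reach
    worst = max(onward, key=ASSETS.get)
    return {"cvss": cvss_band(f["cvss"]), "business": BANDS[ASSETS[worst]],
            "chain": inbound[f["src"]] + [f["id"]] + onward[worst]}

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], business_severity(f["id"]))
```

Changing `start` to "backup-server" models an internal test beginning on that host, which is why F5 moves from "out of scope" in the external view to critical in the internal one: the same finding, a different scope, a different rating.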
How pen testing relates to Cyber Essentials
Cyber Essentials and penetration testing address different aspects of security. CE assesses your baseline controls against a standardised set of requirements. A pen test assesses your specific environment against an attacker's perspective.
CE certification tells a client or insurer that you have the five technical controls in place. A pen test report tells them how well those controls and your broader security posture would hold up under attack. Some contracts require one, some require the other, and some require both.
If you are starting from nothing, get Cyber Essentials first. It establishes the baseline that everything else builds on. Then consider a pen test to check what the certification process does not cover, particularly application security, internal network resilience, and business logic.
Frequency and budgeting
Annual testing is the minimum for most organisations. If your environment changes frequently (new applications, infrastructure changes, acquisitions), you may need more frequent testing or continuous scanning between annual tests.
Budget based on what you need tested, not on a fixed annual amount. A small business with one website and a standard office network needs less testing than a software company with multiple customer-facing applications and complex internal infrastructure. Get the scope right first, then price it.
Some providers offer retainer-based models where you buy a block of testing days and use them throughout the year as changes occur. This can be more cost-effective than scheduling separate engagements for each change.
Want to know what a pen tester would find in your environment? Get in touch or see our testing services.