Searches for penetration testing services in the UK grew by over 35% between 2023 and 2025, driven by a combination of ransomware incidents, tightening regulatory obligations, and a wave of insurance underwriters demanding evidence of active security testing before issuing cyber policies. Despite that demand, there is still widespread confusion about what a penetration test actually is, how it differs from a vulnerability scan, and what a good one costs.
This guide covers the full picture: what penetration testing is and is not, the main types, how the process works, what the output should contain, which credentials matter in the UK, and realistic cost ranges for 2026.
TL;DR
- A penetration test is a simulated attack by an authorised tester using the same techniques as real attackers. It is not the same as a vulnerability scan, which is automated and cannot chain vulnerabilities or assess real impact.
- Testers chain multiple vulnerabilities together to demonstrate actual impact, not just list individual issues. This is what makes the methodology distinct and valuable.
- In the UK, PCI DSS mandates annual pen testing, and UK GDPR Article 32, ISO 27001, and NCSC guidance all point toward regular penetration testing as evidence of appropriate technical controls.
- For CREST-credentialled providers, look for testers holding CRT (CREST Registered Tester, the intermediate level), CCT App (web application) or CCT Inf (infrastructure). For public sector work, the NCSC-run CHECK scheme applies.
What Penetration Testing Is (and Is Not)
A penetration test is a structured, authorised simulation of an attack against a defined target. The tester uses the same tools, techniques, and thought processes as a malicious attacker, but operates within an agreed scope and rules of engagement. The goal is to identify vulnerabilities and demonstrate their real-world exploitability before an actual attacker does.
A vulnerability scan is not a penetration test. An automated scanner interrogates systems against a database of known vulnerabilities and produces a list of findings. It is fast and repeatable, but it cannot reason about context, chain findings together, assess business logic, or demonstrate the actual impact of what it finds. Many organisations conflate the two, and some vendors deliberately blur the line. If a supplier quotes you for “penetration testing” and the engagement runs entirely from a tool with no manual analysis, you have purchased a vulnerability scan at a premium price.
The distinction matters practically. A vulnerability scan might flag that your application has a login form without account lockout. A penetration test goes further: the tester attempts to exploit that alongside a username enumeration weakness and a predictable session token to demonstrate a full account takeover chain. That is the difference between listing a risk and proving it.
Types of Penetration Test
By knowledge level. Tests are typically described as black box, grey box, or white box, referring to how much information the tester is given at the start:
- Black box: the tester begins with no prior knowledge of the target, simulating an external attacker who has done their own reconnaissance. Closest to a real-world attack scenario but can be time-inefficient because the tester spends engagement time on tasks (like mapping the application) that you could provide.
- Grey box: the tester is given some information, typically user credentials and documentation, but not source code or full architecture diagrams. The most common choice for web application tests because it balances realism with efficiency.
- White box: the tester has full access including source code, architecture documentation, and infrastructure diagrams. Used for comprehensive assessments and compliance-driven code reviews. Finds the highest proportion of vulnerabilities but requires the most preparation from your team.
By target type. Common categories include:
- Network penetration testing: external or internal infrastructure, firewall rules, VPN configuration, lateral movement opportunities
- Web application penetration testing: the OWASP Top 10 and beyond, including authentication, session management, input validation, and business logic
- API penetration testing: REST and GraphQL endpoints, authentication bypass, mass assignment, rate limiting, and data exposure
- Mobile application penetration testing: Android and iOS apps, insecure data storage, certificate pinning bypass, and backend API issues exposed via the mobile layer
- Social engineering: phishing simulation, pretexting, and vishing (voice phishing) to test your human layer
- Physical penetration testing: tailgating, RFID cloning, access control bypass, targeting physical premises
Most UK businesses start with a web application or network test and expand scope as their security programme matures.
The Penetration Testing Process
A rigorous penetration test follows a defined methodology. The CREST and PTES (Penetration Testing Execution Standard) frameworks both describe a similar sequence:
Scoping and Rules of Engagement
Before testing begins, you and the provider agree on the target, the test type, testing windows (some organisations require out-of-hours testing to avoid production impact), escalation procedures if a critical finding is discovered mid-test, and what is explicitly out of scope. Get this in writing. A letter of authorisation protects both parties.
Reconnaissance
The tester gathers information about the target through passive means (open source intelligence, certificate transparency logs, job postings that reveal technology stack, leaked credentials in breach databases) and active means (DNS enumeration, port scanning, service fingerprinting). In a black box test, this phase can take a significant portion of the engagement time.
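One passive reconnaissance source mentioned above is certificate transparency. The following is an added example, not code from the original article or from Mecanik: it takes records in the shape a crt.sh JSON query returns (the sample list is constructed here, not real data), extracts every subject name, and sorts them into concrete in-scope hosts, wildcard entries that still need active enumeration, and names that fall outside the agreed scope and must not be touched. The scope list and the field names `name_value`, `issuer_name` and `not_after` are assumptions about the input format.

```python
import json
from typing import Iterable, Tuple

# Constructed sample in the shape of a crt.sh JSON response: a list of
# certificate records whose name_value holds newline-separated subject names.
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.co.uk\nexample.co.uk",
     "not_after": "2026-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Staging-API.example.co.uk",          # mixed case is common in CT data
     "not_after": "2026-05-01T00:00:00"},
    {"issuer_name": "C=GB, O=Example Ltd, CN=Example Internal CA",
     "name_value": "*.internal.example.co.uk",           # wildcard: hides the real hostnames
     "not_after": "2027-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.example.co.uk\nvpn.example.com", # second name is a different domain
     "not_after": "2026-02-01T00:00:00"},
])


def hostnames_from_ct(ct_json: str) -> set:
    """Extract every unique, normalised subject name from crt.sh-style records."""
    names = set()
    for record in json.loads(ct_json):
        for name in record["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if name:
                names.add(name)
    return names


def in_scope(hostname: str, scope: Iterable[str]) -> bool:
    """True if hostname is one of the agreed scope domains or a subdomain of one.
    The leading dot matters: notexample.co.uk must not match example.co.uk."""
    return any(hostname == domain or hostname.endswith("." + domain) for domain in scope)


def recon_candidates(ct_json: str, scope: Iterable[str]) -> Tuple[set, set, set]:
    """Split CT-derived names into (concrete hosts to test, wildcard entries that
    need a further enumeration step, out-of-scope names to leave alone)."""
    scope = list(scope)
    concrete, wildcards, excluded = set(), set(), set()
    for name in hostnames_from_ct(ct_json):
        if not in_scope(name, scope):
            excluded.add(name)
        elif name.startswith("*."):
            wildcards.add(name)
        else:
            concrete.add(name)
    return concrete, wildcards, excluded


if __name__ == "__main__":
    hosts, wild, out = recon_candidates(SAMPLE_CT_RECORDS, ["example.co.uk"])
    print("test:", sorted(hosts))
    print("enumerate further:", sorted(wild))
    print("out of scope, do not touch:", sorted(out))
```

Running it against the sample surfaces a staging API host and an internal wildcard that a client may not have listed, while keeping `vpn.example.com` off the target list because it is not in the agreed scope; the scope check is the part that protects both tester and client under the rules of engagement.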
Exploitation
The tester attempts to exploit identified vulnerabilities to gain initial access or demonstrate impact. This is where the methodology diverges from scanning: a skilled tester attempts multiple routes, adapts when one path is blocked, and looks for combinations of lower-severity issues that together produce a high-impact outcome.
Post-Exploitation and Vulnerability Chaining
This is the phase most vendor marketing ignores. After gaining initial access, what can an attacker actually do? A tester assessing a web application might chain an XSS vulnerability with a CSRF weakness and a predictable session identifier to demonstrate full account takeover. Against infrastructure, post-exploitation involves privilege escalation, lateral movement, and determining what data or systems are accessible from the initial foothold.
Chaining is critical because it reframes risk. An individual finding rated CVSS 5.5 (Medium) becomes a different conversation when you can show that it is exploitable in combination with two others to exfiltrate your customer database.
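The predictable session identifier that appears in both chains above (the login form example earlier and the web application chain here) is worth seeing concretely. The following is an added example written for this guide, not code from the original article or from any product: a constructed session ID generator that seeds a non-cryptographic PRNG with the login time, the tester's check that recovers that seed by brute force, the forging step that turns it into another user's session once their user ID (from enumeration) and approximate login time are known, and the hardened replacement. The generator, user IDs and timestamps are all illustrative assumptions.

```python
import hashlib
import random
import secrets
from typing import Optional


def weak_session_id(user_id: int, login_ts: int) -> str:
    """Constructed vulnerable pattern: the application seeds a non-cryptographic
    PRNG (Mersenne Twister) with the login second and hashes the output together
    with the user ID. Hashing hides the structure but adds no entropy; the only
    unknown is the timestamp, which an attacker can bracket to a few seconds."""
    rng = random.Random(login_ts)            # output fully determined by the seed
    material = f"{user_id}:{rng.getrandbits(64)}"
    return hashlib.sha256(material.encode()).hexdigest()


def strong_session_id() -> str:
    """Hardened replacement: 32 bytes (256 bits) from the OS CSPRNG, URL-safe
    encoded. There is no seed to recover, so the check below cannot succeed."""
    return secrets.token_urlsafe(32)


def recover_seed(user_id: int, observed: str, window_start: int, window_end: int) -> Optional[int]:
    """Tester's predictability check: try to regenerate a token the tester
    obtained for their own account from every candidate seed in a plausible
    time window. A hit proves the generator is predictable."""
    for ts in range(window_start, window_end + 1):
        if weak_session_id(user_id, ts) == observed:
            return ts
    return None


def forge_victim_token(victim_id: int, victim_login_ts: int) -> str:
    """Account takeover step: with the scheme confirmed, the victim's user ID
    (from enumeration) and their approximate login time, compute their token
    directly. In practice the attacker tries each second in the window."""
    return weak_session_id(victim_id, victim_login_ts)


def unique_token_count(n: int = 500) -> int:
    """Sanity check on the hardened generator: n draws should give n distinct tokens."""
    return len({strong_session_id() for _ in range(n)})


if __name__ == "__main__":
    tester_id, victim_id = 1001, 7
    now = 1_700_000_000                      # constructed timestamp, not wall-clock
    my_token = weak_session_id(tester_id, now)
    # The tester knows their own login to within five minutes and recovers the seed.
    print("recovered seed:", recover_seed(tester_id, my_token, now - 300, now + 300))
    # The victim logged in 90 seconds earlier; their token is now computable.
    print("forged victim token:", forge_victim_token(victim_id, now - 90))
    print("strong token:", strong_session_id())
```

The individual findings here (user enumeration, a non-cryptographic PRNG) would each be rated modest in isolation; the loop in `recover_seed` is what a report's proof-of-concept section should show, because it turns them into a demonstrated takeover of any account whose login time can be estimated.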
Reporting
The tester documents all findings, writes the report, and delivers it within the agreed timeframe (typically five to ten business days after testing completes). What the report contains is covered in the next section.
What a Quality Penetration Test Report Contains
A professional penetration test report is a working document for your team, not a sales tool for the provider. It should contain:
Executive summary. A non-technical overview of the engagement, the overall risk posture, the number and severity of findings, and the most critical issues. Written for a board-level reader who needs to make decisions, not a developer who needs to fix code.
Scope and methodology. What was tested, how it was tested, and any limitations (for example, if certain URLs were excluded or testing was restricted to business hours).
Risk-rated findings. Each vulnerability listed with a severity rating. Most professional UK providers use CVSS 3.1 base scores alongside a contextual risk rating that accounts for your specific environment. A CVSS score in isolation can mislead: a 7.5 finding on a host that is only reachable from an internal management network is a different risk from the same score on a public-facing endpoint, even though the base score is identical.
Technical detail and reproduction steps. Enough information for your developers to reproduce the finding, understand why it is exploitable, and confirm their fix works. This means: exact requests and responses, payloads used, screenshots where helpful.
Remediation guidance. Specific, actionable advice for each finding. Not “update your dependencies” but “upgrade library X from version 2.3.1 to 2.4.0 and remove the deprecated serialisation call on line 247 of UserController.php.”
Retest statement. Confirmation of whether a retest is included, and if so, how findings will be closed. A finding is not resolved until a tester confirms it is.
UK Compliance Drivers for Penetration Testing
PCI DSS. Any business that processes, stores, or transmits cardholder data must conduct external and internal penetration testing at least once every 12 months and after any significant infrastructure or application change (Requirement 11.4). Version 3.2.1 was retired at the end of March 2024, leaving the v4 standard (now at revision 4.0.1) as the only active version, with updated requirements for penetration testing scope and methodology. This is a mandatory requirement, not a recommendation.
UK GDPR Article 32. Requires organisations to implement appropriate technical measures to ensure security appropriate to the risk. Penetration testing is the most direct way to demonstrate that you have actively assessed whether your technical controls work. The ICO has referenced security testing in enforcement decisions.
ISO 27001. Annex A control 8.8 covers management of technical vulnerabilities, and penetration testing is a standard method for satisfying this control. If you are working toward ISO 27001 certification, your auditor will expect to see evidence of testing.
Cyber Essentials Plus. The higher tier of the UK government’s Cyber Essentials scheme includes on-site assessment and vulnerability scanning. While Cyber Essentials Plus is not a penetration test, achieving it and maintaining the baseline it establishes is a sensible precursor.
NCSC guidance. The National Cyber Security Centre recommends penetration testing as part of its 10 Steps to Cyber Security guidance, most directly under the “Vulnerability management” step, and publishes separate guidance on scoping and buying penetration tests.
CREST Credentials and Why They Matter
CREST is the primary UK accreditation body for penetration testing firms and individual testers. CREST member companies are assessed on their processes, methodology, and ability to handle sensitive data appropriately. Individual testers can hold the following qualifications:
- CREST Registered Tester (CRT): the intermediate credential, sitting above the entry-level CREST Practitioner Security Analyst (CPSA), demonstrating hands-on competency in web application and infrastructure testing.
- CREST Certified Tester - Application (CCT App): advanced credential for web application penetration testing. Requires passing a practical examination.
- CREST Certified Tester - Infrastructure (CCT Inf): equivalent credential for network and infrastructure testing.
For UK public sector bodies, the CHECK scheme applies. CHECK is an NCSC-managed scheme requiring that penetration testers hold CHECK Team Member or CHECK Team Leader status. If you are a government department, NHS body, or local authority, your provider must hold CHECK status.
When evaluating providers, ask to see the specific credentials held by the testers who will be working on your engagement, not the credentials held by the company’s most senior staff. The person writing your report and conducting your test is the credential that matters.
How Often Should You Test?
The correct answer depends on your risk profile, but the practical minimums are:
- Annually at minimum for any internet-facing application handling personal or payment data
- After major releases that introduce new functionality, new authentication flows, or new integrations
- Before going live with a new product, application, or service that will process personal or payment data for the first time
- After a security incident, to understand whether the attacker left behind persistence mechanisms or exploited vulnerabilities that have not yet been closed
- When your risk profile changes, for example after a merger, acquisition, or significant expansion of your user base
Penetration Testing Costs in the UK
| Engagement Type | Typical Cost Range | Notes |
|---|---|---|
| Black box web application test | £2,000 to £8,000 | External, no credentials provided |
| Grey/white box web application test | £5,000 to £15,000 | Authenticated testing, may include source code review |
| API penetration test | £3,000 to £8,000 | REST/GraphQL, depends on endpoint count |
| Infrastructure penetration test (external) | £3,000 to £10,000 | Perimeter, exposed services |
| Infrastructure penetration test (internal) | £4,000 to £12,000 | Simulates insider or post-breach scenario |
| Red team exercise | £15,000 to £50,000+ | Full adversary simulation, multi-vector |
| Social engineering engagement | £2,000 to £6,000 | Phishing, vishing, or combined campaign |
Rates reflect UK market pricing in 2026. Quotes significantly below these ranges typically indicate automated scanning with minimal manual analysis.
The Mecanik penetration testing service covers web application, API, and infrastructure testing for UK businesses, using PTES and OWASP methodology, with proof-of-concept exploits and a prioritised remediation report.
Key Takeaways
- A penetration test is a manual, authorised simulation of an attack. It is categorically different from an automated vulnerability scan.
- Testers chain multiple vulnerabilities together to demonstrate real impact, not just enumerate individual issues in isolation.
- UK compliance obligations (PCI DSS, UK GDPR Article 32, ISO 27001, NCSC guidance) all point toward regular penetration testing as a baseline security practice.
- A quality report contains risk-rated findings, technical reproduction steps, CVSS scores with contextual ratings, and specific remediation guidance for each issue.
- For credentials, look for CREST CRT, CCT App, or CCT Inf for the individual testers on your engagement. For public sector work, CHECK scheme status is required.
- Test annually at minimum, after major releases, and before going live with any new service handling personal or payment data.
Frequently Asked Questions (FAQ)
What is the difference between a penetration test and a vulnerability scan? A vulnerability scan uses automated tools to check systems against a database of known issues. A penetration test involves a human tester who reasons about the target, chains vulnerabilities together, and demonstrates actual exploitability. Scans are fast and useful for baselining; they are not a substitute for manual testing.
How long does a penetration test take? A web application test for a medium-complexity site typically runs three to five days of testing time. Large applications, white box engagements with source code review, or infrastructure tests across many hosts take longer. Scoping conversation and report writing add further time, so plan for two to four weeks from engagement start to final report delivery.
Do I need to tell my hosting provider before a penetration test? Check your hosting or cloud provider’s terms of service. AWS, Azure, and GCP all permit penetration testing of your own resources without prior notification for most services, though some restrictions apply. Shared hosting providers often require advance notice. Your penetration testing provider should confirm this during scoping.
What happens if the tester finds a critical vulnerability during the test? Your rules of engagement should define an escalation procedure for critical findings. A reputable tester will contact you immediately rather than waiting for the report. You then decide whether to pause testing while you remediate, continue with that finding documented, or adjust scope.
Can a penetration test cause downtime? Most testing techniques are non-destructive and do not cause downtime. Denial-of-service testing requires explicit agreement and is typically conducted out of hours. Your tester should discuss the risk of any potentially disruptive technique before attempting it.
How do I verify a CREST penetration tester’s credentials? CREST maintains a public register of registered companies and certified individuals at crest-approved.org. Search by company or tester name to verify status. For CHECK, the NCSC publishes a list of CHECK-approved service providers.