Choosing the right company to carry out a penetration test on your organisation is important - from cost to process to simply making sure you’re getting someone that really knows what they’re doing - these are all factors you’ll want to bear in mind when shopping around for a good pen testing company.
What is Pen Testing?
Every business faces cyber risk, but if you don’t know where your vulnerabilities and weaknesses are it can make addressing this risk a lot harder. Penetration testing, or Pen Testing, essentially simulates a cyber attack, so you can find out how successful a hacker would be at breaching your systems.
Though this isn’t the only way to uncover gaps in your infrastructure (see our post on Vulnerability Assessments), penetration testing can be particularly good if you have established roughly where your risks lie and want to do some more rigorous tests to see how deep a hacker could go and what assets they would be able to access so you know what more to do to secure your organisation.
Types of Penetration Testing
There are a few different types of penetration testing, the most common being internal and external network testing and web application testing. Network penetration testing looks at your network infrastructure (servers, firewalls, switches, routers etc.). Networks can have internal and external access points so both should be tested for vulnerabilities for adequate protection.
Web application testing involves discovering weaknesses in web-based applications that your company uses, including browsers. Quite a complex test, endpoints of every web-based application that interacts with the user on a regular basis are checked for vulnerabilities.
Penetration testing utilises 3 main approaches - white, black and grey box. Each involves providing varying amounts of information and access to the pen tester.
Black box: The pen tester is given little to no information about the infrastructure so as to mimic an actual hacker during an attack. This can be a long and expensive test because it takes a lot of planning and preparation.
White box: The pen tester has full knowledge and access allowing them to go deep into areas of the security audit that a black box wouldn’t.
Grey box: The pen tester has some internal access and knowledge. These offer a middle ground between depth and efficiency.
Now we’ve established what a penetration test is and why you might need one, let’s take a look at some of the best companies in the UK offering great penetration services to businesses.
Redscan is an award-winning cyber security provider owned by Kroll. Specialising in managed threat detection and response, Redscan provide a variety of penetration tests and ethical hacking, including web application, red team, and social engineering testing. Their security analysts and pen testers are trained to high standards, holding Crest and Tigerscheme accreditations. Redscan’s penetration test pricing largely depends on the duration and scope of the assessment but this can be established via a company pre-evaluation form.
Intruder a vulnerability scanner that continuously scans your systems for new threats, prioritises them and alerts you in time to act accordingly. Intruder was founded in 2015 by Chris Wallis, who has worked as an ethical hacker and cyber security consultant for a number of FTSE 100 companies. With their product Intruder Vanguard, Intruder’s skilled security analysts are utilised for continuous penetration testing, allowing you to probe deeper and discover the vulnerabilities that scanners can’t. Intruder offer a 30-day free trial using the platform, after which you are charged depending on the number of targets (websites, host names or IP addresses) to scan.
Netsparker is a global web application solution that will scan all your web assets for vulnerabilities, even able to prove legitimacy with their proof based scanning, reducing manual effort for the consumer. They cater to prominent companies like Microsoft and NASA and have won several awards including Gartner’s customers’ choice and Cyber Defense Magazine’s global infosec award.
‘Netsparker can provide proof of concept/exploitation of web applications to give customers reports that are…put together in an easy to read but not overtaxing format. It explains the vulnerabilities in detail, plus also giving you a mitigation/road map on how to resolve the vulnerability’
Dhound focus on a proactive approach to cyber security, delivering penetration testing to help companies keep their data and systems as secure as they can be. With company accreditations including Cyber Essentials and ISO, Dhound are serious about security and adhering to standards. Their experts are also trained to recognised standards including CEH, CISSP and OSWE. With reports in plain English to cater to the not so tech savvy among us, Dhound’s penetration testing is accessible and comprehensive. Free consultations are available to discuss scope and pricing via the website and Dhound also promise a 100% warranty on test findings.
Founded in 2016, Blaze delivers security engineering and assurance services to companies of all sectors and sizes. They offer a variety of penetration test services, including application, cloud, network, and red teaming. Details of these can be found on the website along with helpful test duration estimates. Blaze can also outsource their security consultants via a subscription service, to provide you with continuous security testing and monitoring throughout the year. Whether you’re a start-up, enterprise level, or a remote workforce, Blaze has tailored security packages to meet each business’ needs.
Aardwolf penetration testing and security assessments are conducted according to the top industry standards to deliver a high quality service to their clients. Testing includes internal and external infrastructure, cloud configuration, social engineering, red teaming and code reviews, with reports easily integrated into client vulnerability management systems. Scoping is partially automated so a same-day quote can usually be acquired. Aardwolf are committed to a personal approach, offering cyber security consultative services to clients even after completion of their assessment.
Aptive are a Guildford based IT security company offering penetration testing and vulnerability scanning services, the latter of which can be run weekly, monthly or quarterly to check systems for new vulnerabilities. Aptive’s security consultants are CREST registered and OWASP members and have worked in the IT industry for many years with Fortune 500 companies, so you know your business is in good hands. They implement high level methodologies including the Penetration Testing Executive Standard (PTES) and OWASP testing to clearly identify security issues and offer appropriate remedial instructions. Free re-testing is also available for 30 days on any discovered vulnerabilities.
Laneden is a small cyber security business founded by Darryl Lane, who, after 15 years in the industry, wanted to build a solution that would really help support businesses, giving them all the technical guidance they need to feel confident in their cyber security. Laneden offers all sorts of vulnerability testing, and through a mixture of manual and automated testing methods, can offer you a clear assessment of your business’ security posture. Reports outline vulnerabilities according to risk level so you can easily prioritise and remediate where your business needs it most.
Sencode boast a wide portfolio of penetration testing services, including GDPR, API and Mobile penetration tests to help businesses become secure and compliant. Sencode consultants have CREST and Offensive Security certifications, allowing them to fill the gaps where automated testing cannot. Reports are comprehensive, with executive and technical summaries as well as risk ratings. To support their pen testing offerings, Sencode can also provide cyber security awareness training to help your employees spot threats and know how to respond. With human error still the number one cause of cyber incidents, this training is crucial for businesses looking to minimise their risk.
Although primarily a Certification Body for Cyber Essentials, at Cyber Tec we promote a holistic approach to cyber security.
While adhering to standards like Cyber Essentials offers a snapshot of good security, regular Penetration testing or vulnerability testing is needed to ensure these standards continue to be met and to stay on top of any new vulnerabilities that surface.
We help SME businesses through certification with our pre-assessment vulnerability scanning to give them a secure foundation, which can then be built upon with our ongoing compliance solutions and security testing.
Understanding where your security gaps and vulnerabilities lie is imperative, particularly as threats evolve - you just never know what’s going to be around the corner. These companies can help provide the checkups you need along the way, to make sure your data stays secure. Whether it’s a vulnerability assessment or a more rigorous penetration test, these security services are recommended at least annually to keep your cyber risk as low as possible.