Penetration testing

Let us find exploitable technical vulnerabilities before someone else does.

No business is immune to cyber-attacks. In fact, every year, nearly half of all UK businesses suffer some sort of breach. But there are measures that your organisation can take to minimise risk, helping you to maintain your income, your valuable internal resources, and your reputation with your clients.

Since 2013, we have been helping organisations of all sizes and types identify, safely exploit, and remediate technical vulnerabilities before malicious attackers can gain access and compromise their information assets.

What is penetration testing?

Penetration testing—also known as pen testing or ethical hacking—is a method of identifying possible ‘penetration points’ in IT security; any vulnerabilities or gaps that could be exploited, leaving your business at greater risk. These weaknesses might take the form of:

  • Unpatched vulnerabilities in Operating Systems, applications and firmware
  • Incorrect configuration of servers, networks, applications, firmware and Operating Systems
  • Logic flaws in web applications i.e. configuration of pricing and user management

This testing format is undertaken by security experts, either remotely or onsite. Once gaps have been identified in your systems and networks, penetration testing consultants provide expert advice for strengthening your defences.

Benefits of penetration testing

  • Understand the risks you face

    A penetration test will give you an understanding of the level of technical risk emanating from your IT infrastructure and web applications. This ensures you have the information you need to fix gaps in your organisation’s IT setup before they become problematic.

  • Peace of mind

    A correctly scoped test will provide peace of mind that the networks and applications tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.

  • Demonstrate commitment to security

    Regular testing gives you the confidence that your valuable data is as safe and secure as possible. It also helps you to demonstrate to your clients and stakeholders your strong and ongoing commitment to IT security.

Why have a penetration test?

Think of a penetration test like a financial or quality audit. Your team keeps operations running smoothly and an external party validates that the processes they work to are sufficient. It’s about being proactive and doing everything you can to keep your business safe, while showing customers and stakeholders that their information is secure.

  • Penetration testing should form part of your risk management strategy Read more Read less

    The digital world is not static and new vulnerabilities are being discovered every day. So, much like carrying out an annual MOT on your car, we recommend regular penetration testing for all businesses to ensure ongoing mitigation of risk; however, it is even more important if:

    • You are undergoing digital transformation and introducing new technologies to the workplace
    • You are transferring data off site, such as using cloud storage or outsourcing IT tasks
    • You have experienced a breach in the past, or are unsure of your system/ network security

    Penetration testing should form part of your risk management strategy; it will provide you with an awareness of your current risk profile to allow you to reconcile it with your risk appetite through the use of the technical controls, as defined by your Information Security Management System (ISMS). If your organisation is ISO 27001 compliant, penetration testing can help you demonstrate the required continuous improvement.

Types of testing

Vulnerabilities can exist within every area of technology, from the hardware you use to your operational processes. That’s why PGI offer a range of CREST accredited security testing, covering all potential risk areas:

  • Infrastructure testing

    Examining your operating systems, applications, software, and firewalls.

  • Web application testing

    Examining public-facing and internal web applications.

  • Wireless testing

    Examining wireless networks, access points, and any encryption.

  • IT Health Check

    An enhanced Penetration Test required by government departments, other public bodies and certain companies connected to government systems.

  • Build and configuration security reviews

    A configuration review will provide you with detailed insight into your IT infrastructure

Ready to get started? Speak to one of our experts.

If you have any questions about our services or would like to learn more about our consultants here at PGI, please get in touch with us and speak with one of the team, call us on +44 (0)845 600 4403 or email us at

Get in touch

Why choose PGI?

With years of experience in the field of security and IT management, our team have gained a unique insight into the opportunities that attackers are looking for and which aspects of your system they view as a possible weakness. We use the most effective methods to identify vulnerabilities, without disrupting operations, allowing us to highlight problem areas and work with you to identify the most suitable solutions.

We recognise the importance of being certified to industry standards; that’s why the team are all Tigerscheme certified and PGI is an accredited CREST member.

Should you find yourself a particularly heavy user of these types of services, PGI also offer in-depth training and mentoring packages.



Frequently Asked Questions about penetration testing

  • What is the difference between a penetration test and a vulnerability scan? Read more Read less

    Essentially, a vulnerability assessment is an automated scan used to identify vulnerabilities while a penetration test aims to exploit those vulnerabilities to get a deeper understanding of the holes in your defences.

    We’ve written a whole blog post on the subject:

    Read it here

  • Who performs a penetration test? Read more Read less

    PGI’s experienced, CREST and Tigerscheme accredited team. All of our Penetration Testers have undertaken significant study, passed in-depth technical exams and been mentored before being allocated client work.

    PGI is accredited to ISO 9001—the international quality standard—which ensures all of our processes remain of a high quality.

  • How are penetration tests conducted? Read more Read less

    Typical tests follow a set methodology. In simple terms, it might look like this:

    • Reconnaissance, information gathering and scanning to identify potential exploitable vulnerabilities
    • Exploitation of the vulnerability
    • Expand access (or pivoting)—moving further into the network/system after finding an entry point
    • Clean up so any exploits that were used are removed to prevent other attackers from using them
  • What tools do Penetration Testers use? Read more Read less

    Along with their in-depth experience, PGI’s team use a wide range of tools to identify vulnerabilities, including industry best practice open source and commercial applications; they select the appropriate tools for the scope of work.

  • How long does a pen test take? Read more Read less

    The test will span anywhere from a week to a month, depending on the scope of work. For example, a simple website may take 1-2 days, while a more complex scope of work may take several weeks.

  • How often should my organisation undertake a pen test? Read more Read less

    The threat is constantly evolving so a penetration test will only validate that your organisation’s IT infrastructure is not vulnerable to known issues on the day of the test. This is why testing should be performed regularly—many organisations commission quarterly or yearly tests.

    If you are implementing any changes or new systems, infrastructure or applications, you will also need to test these before they are live. We strongly recommend not waiting until your next scheduled test to check that if there are vulnerabilities.

    If you would like advice on how often you undertake a pen test, we recommend discussing this with one of our Information Assurance Consultants.

  • How do I know if a Penetration Tester is any good? Read more Read less

    All penetration testing services you buy should be conducted by qualified consultants who hold relevant and in-date industry qualifications—such as Qualified Security Team Member (QSTM/CSTM), Check Team Lead (CTL), Check Team Member (CTM), Senior Security Tester (SST), and Offensive Security Certified Professional (OSCP)—and work for a CREST accredited company. PGI and our Penetration Testers are CREST and Tigerscheme accredited.

  • What are the next steps after a penetration test? Read more Read less

    On completion of testing, the client can expect to receive the completed report within 7 days; however, any critical issues identified during testing will be communicated to the customer immediately. Any recommendations provided should be reviewed within the context of the business before implementing any remedial actions.

  • Does testing need to be conducted onsite? Read more Read less

    Almost all tests can be undertaken remotely, and we will always recommend the most cost-effective method. Please contact us to discuss your requirements.

  • Can pen tests affect our operations? Read more Read less

    As a CREST registered company, the PGI Red Team undertake pen tests in organisations of all types and sizes under strict standards that minimise the risk of disrupting operations. Where possible, we will perform tests on dev or test systems to avoid impact on production assets. Regardless of the system being tested, PGI consultants are always contactable during the test should a problem arise.

  • How much does it cost? Read more Read less

    The cost is entirely dependent on the size of the systems or applications to be tested. Typical small to medium-sized organisations can expect to be quoted between 5 and 10 days of consultancy. This quotation may be significantly higher for larger organisations.

Want to find out more?