Let us find exploitable technical vulnerabilities before someone else finds them
No business is immune to cyber-attacks. In fact, every year, nearly half of all UK businesses suffer some sort of breach. But there are measures that your organisation can take to minimise risk, helping you to maintain your income, your valuable internal resources, and your reputation with your clients.
For a decade, we have been helping organisations of all sizes and types identify, safely exploit, and remediate technical vulnerabilities before malicious attackers can access and compromise their information assets.
What is Penetration Testing?
Penetration testing—also known as pen testing or ethical hacking—is a method of identifying possible ‘penetration points’ in IT security: any vulnerabilities or gaps that could be exploited, leaving your business at greater risk. Weaknesses in your security might take the form of:
- Unpatched vulnerabilities in firmware, operating systems, or applications
- Incorrect configuration of networks, servers, applications, operating systems, and firmware
- Logic flaws in web applications, e.g. in the configuration of pricing and user management
This testing format is undertaken by security experts, either remotely or onsite. Any gaps that are detected in your systems and networks will be clearly highlighted and communicated to you, and our penetration testing consultants will provide expert advice for strengthening your defences.
We have prepared a shareable PDF which you can download here: Penetration testing
For confidence in your cyber security
Understand the risks you face
A penetration test will show you the potential risk emanating from your IT systems and web applications. The results ensure you have the information you need to fix flaws in your organisation’s IT setup before they become problematic.
Peace of mind
A correctly scoped pen test provides peace of mind that your networks and applications have been configured in accordance with good practice, and that there are no common or publicly known vulnerabilities in the tested systems, at the time of the test.
Demonstrate commitment to security
Regular testing gives you the confidence that your valuable data is as safe and secure as possible. It also helps you to demonstrate to your clients and stakeholders your strong and ongoing commitment to IT security.
A cyber security audit
Why have a penetration test?
Think of penetration testing like a financial or quality audit. Your team keeps operations running smoothly and an external party validates that the processes they work to are sufficient. It’s about being proactive and doing everything you can to keep your business safe, while showing customers and stakeholders that their information is secure.
Penetration testing should form a key part of your risk management strategy
The digital world is not static and new vulnerabilities are being discovered every day. So, much like carrying out an annual MOT on your car, we recommend regular penetration testing for all businesses to ensure ongoing mitigation of risk; however, it is even more important if:
- You are undergoing digital transformation and introducing new technologies to the workplace
- You are transferring data off site, such as using cloud storage or outsourcing IT tasks
- You have experienced a breach in the past, or are unsure of your system/network security
Penetration testing should form part of your risk management strategy; it will give you an awareness of your current risk profile, allowing you to reconcile it with your risk appetite through the technical controls defined by your Information Security Management System (ISMS). If your organisation is ISO 27001 compliant, penetration testing can help you demonstrate the required continuous improvement.
Types of testing
Vulnerabilities can exist within every area of technology, from the hardware you use to your operational processes. That’s why PGI offer a range of CREST accredited security testing, covering all potential risk areas:
Why choose PGI?
With years of experience in the field of security and IT management, our team have gained a unique insight into the opportunities that attackers are looking for and which aspects of your system they view as a possible weakness. We use the most effective methods of penetration testing to locate all potential vulnerabilities, without disrupting operations, allowing us to highlight problem areas and work with you to identify the most suitable solutions.
We recognise the importance of being certified to industry standards; that’s why PGI is an accredited CREST member.
Should you find yourself a particularly heavy user of these types of services, PGI also offer in-depth training and mentoring packages.
Frequently asked questions about penetration testing
How does a penetration test differ from a vulnerability assessment?
Essentially, a vulnerability assessment is an automated scan used to identify vulnerabilities while a penetration test includes manual testing as well as automated testing, aiming to exploit those vulnerabilities to get a deeper understanding of the holes in your defences.
We’ve written a whole blog post on the subject: What's the difference between a vulnerability assessment and a penetration test?
Who performs a penetration test?
PGI’s experienced team, accredited by CREST, Offensive Security and Tigerscheme. All of our Penetration Testers have undertaken significant study, passed in-depth technical exams and been mentored before being allocated client work.
PGI is accredited to ISO 9001—the international quality standard—which ensures all of our processes remain of a high quality.
How are penetration tests conducted?
Typically penetration testing follows a set methodology. In simple terms, it might look like this:
- Reconnaissance, information gathering, and scanning to identify any potentially exploitable vulnerabilities
- Safe exploitation of the vulnerability
- Expand access (or pivoting)—moving further into the network/system after finding an entry point
- Clean up so any exploits that were used are removed to prevent other attackers from using them
What tools do Penetration Testers use?
Along with their in-depth experience, PGI’s team use a wide range of tools to identify vulnerabilities, including industry best practice open source and commercial applications; they select the appropriate tools for the scope of work.
How long does a Penetration Test take?
Testing will span anywhere from a week to a month, depending on the scope of work. For example, a simple website may take 2-3 days, while a more complex scope of work may take several weeks.
How often should my organisation undertake a pen test?
The threat is constantly evolving so penetration testing will only validate that your organisation’s IT infrastructure is not vulnerable to known issues on the day of the test. This is why testing should be performed regularly—many organisations commission quarterly or yearly tests.
If you are implementing any changes or new systems, infrastructure or applications, you will also need to test these before they go live. We strongly recommend not waiting until your next scheduled test to check whether there are vulnerabilities.
If you would like advice on how often you should undertake a pen test, we recommend discussing this with one of our Information Assurance Consultants.
How do I know if a Penetration Tester is any good?
Any time you commission penetration testing you need to be sure it is conducted by qualified consultants who hold relevant and in-date industry qualifications and work for a CREST accredited company. Industry qualifications include: Qualified Security Team Member (QSTM/CSTM), Check Team Lead (CTL), Check Team Member (CTM), Senior Security Tester (SST), and Offensive Security Certified Professional (OSCP). PGI is a CREST accredited company and our Penetration Testers are CREST and Offensive Security certified.
What are the next steps after penetration testing?
On completion of the tests, the client can expect to receive the completed report within 5 days; however, any critical issues identified during the test will be immediately communicated to the customer. Any recommendations provided should be reviewed within the context of the business before implementing any remedial actions.
Does testing need to be conducted onsite?
Almost all tests can be undertaken remotely, and we will always recommend the most cost-effective method. Please contact us to discuss your requirements.
Can pen tests affect our operations?
As a CREST registered company, the PGI Red Team undertake penetration testing in organisations of all types and sizes under strict standards that minimise the risk of disrupting operations. Where possible, we carry out penetration testing on dev or test systems to avoid impact on production assets. Regardless of the system being tested, PGI consultants are always contactable during the test should a problem arise.
How much does it cost?
The cost is entirely dependent on the size of the systems or applications to be tested. Typical small to medium-sized organisations can expect to be quoted between 5 and 10 days of consultancy. This quotation may be significantly higher for larger organisations.
We build long-range digital resilience using tech-assisted human insight.