Key Takeaways:
- Fix the Basics First: A penetration test on a poorly configured network is a waste of money. Address foundational security gaps — patching, MFA, admin rights, email filtering — before commissioning a pen test.
- Pen Testing ≠ Vulnerability Scanning: A vulnerability scan is automated and tells you what weaknesses exist. A pen test is human-led and shows you how those weaknesses could be exploited by a real attacker. Both are valuable; they are not interchangeable.
- Pen Testing ≠ an Audit: An IT audit assesses compliance with policies and standards. A pen test actively attempts to breach your defences. Confusing the two leads to misaligned expectations and wasted budget.
- Use Accredited Testers: In the UK, look for CREST-accredited firms or those on the NCSC’s CHECK scheme. These certifications mean the testers have been independently assessed against a recognised professional standard.
Why Pen Testing Without the Right Foundations Is a Waste of Money
Penetration testing is one of the most valuable security investments a business can make — but only when the foundational security controls are already in place. Commissioning a pen test on a network with unpatched systems, default credentials, and no multi-factor authentication is the equivalent of hiring a security consultant to assess your office building before you have installed locks on the doors. The findings will be obvious, the remediation will be expensive, and the test will need to be repeated once the basics are addressed.
Before investing in a pen test, ensure the following controls are in place:
- Patch Management: All operating systems and applications are patched and up to date. Known vulnerabilities with available patches should not appear in a pen test report.
- Multi-Factor Authentication: MFA is enabled on all externally accessible systems — email, VPN, remote desktop, cloud services. A pen tester who can access your systems with a username and password alone will do so.
- Admin Rights Control: Local admin rights are restricted to those who genuinely require them. Unrestricted admin access dramatically increases the impact of any successful compromise.
- Email Filtering: A robust email security solution is in place to filter phishing and malicious attachments. Social engineering is a primary pen testing technique.
- Endpoint Protection: Modern endpoint detection and response (EDR) is deployed across all devices. Basic antivirus is not sufficient.
If any of these controls are absent or incomplete, address them before scheduling a pen test. The cost of getting the basics right is significantly lower than the cost of a pen test that simply confirms the obvious.
Understanding the Terminology: Pen Test vs. Vulnerability Scan vs. Audit
One of the most common sources of confusion in cybersecurity procurement is the conflation of three distinct assessment types. Understanding the difference is essential for making informed decisions about where to invest your security budget.
Vulnerability Assessment
A vulnerability assessment uses automated scanning tools to identify known weaknesses in your systems — unpatched software, misconfigured services, weak credentials. It is relatively fast and inexpensive, and it provides a useful baseline picture of your technical exposure. It does not, however, demonstrate whether those vulnerabilities can actually be exploited, or what the business impact of exploitation would be.
Penetration Test
A penetration test is a human-led exercise in which a skilled security professional actively attempts to exploit the vulnerabilities identified in your environment, using the same techniques a real attacker would employ. The goal is not just to find weaknesses, but to demonstrate the real-world impact of a successful attack — what data could be accessed, what systems could be compromised, and how far an attacker could move through your network.
IT Security Audit
An IT security audit is a structured review of your policies, procedures, and controls against a defined standard or framework — such as ISO 27001, Cyber Essentials, or your own internal security policy. It assesses whether the right controls are documented and in place, but it does not test whether those controls are effective in practice. An audit and a pen test are complementary; neither substitutes for the other.
What to Expect From a Pen Test
A professional pen test follows a structured methodology. Here is what the process typically looks like:
- Scoping: You agree with the testing firm exactly what will be tested — external network, internal network, web applications, or a combination. This determines the cost and duration.
- Reconnaissance: The testers gather information about your systems from publicly available sources, just as a real attacker would.
- Testing: The active phase, where the testers attempt to exploit vulnerabilities. This is conducted carefully to avoid disrupting your business operations.
- Reporting: You receive a detailed report covering every vulnerability found, its severity (rated using the CVSS scoring system), and a clear remediation plan.
- Remediation: You address the issues identified. A good testing firm will help you prioritise what to fix first.
- Re-testing: Many firms offer a re-test to confirm that the critical issues have been resolved.
Which Assessment Does Your Business Need?
| | Vulnerability Assessment | Penetration Test | IT Security Audit |
|---|---|---|---|
| Focus | Known weaknesses | Real-world attack simulation | Policy and control compliance |
| Human or automated | Mostly automated | Human expert | Human reviewer |
| Typical cost | £750–£5,000 | £3,000–£15,000+ | £1,500–£8,000 |
| Required for Cyber Essentials | Yes (Plus) | Optional but recommended | Yes (basic) |
| Best used when | Establishing a baseline or after significant changes | Foundations are in place and you want real-world assurance | Preparing for certification or a compliance review |
Basic Cyber Essentials does not require a penetration test. However, Cyber Essentials Plus includes a hands-on technical verification that goes beyond a standard vulnerability scan. If you are working towards Cyber Essentials Plus, a pen test is strongly recommended as part of your preparation, as it will identify issues that would otherwise surface during the assessment.
For most businesses, an annual pen test is the right frequency — or whenever you make significant changes to your IT infrastructure, such as migrating to a new cloud platform, deploying a new application, or significantly expanding your network. Vulnerability scans should be run more frequently, ideally quarterly, to catch newly disclosed vulnerabilities between pen tests.
A professional pen test is conducted carefully to minimise disruption. Testing is typically scheduled outside of business hours where possible, and the scope is agreed in advance. You should always use a reputable, certified firm — look for CREST or CHECK accreditation in the UK. Unaccredited testers carry a higher risk of causing unintended disruption or damage.
For a small business with a straightforward IT setup, expect to pay between £3,000 and £6,000 for an external network penetration test. More complex environments — multiple sites, web applications, internal network testing — will cost more. Always obtain a detailed scope and a fixed-price quote before proceeding. Be wary of unusually low quotes, which often indicate a limited scope or unaccredited testers.
Prioritise the findings by severity. Address critical and high-severity issues first — these are the vulnerabilities a real attacker would exploit immediately. Medium and low-severity issues should be included in your next patching cycle. Do not file the report away — the value is in the remediation, not the document. A good testing firm will offer a re-test to confirm that critical issues have been resolved, which is worth including in your contract.