> document_type: master_checklist —— audience: business_owners —— status: bookmark_this_page
Commissioning a penetration test involves a series of decisions and tasks that span several weeks — from the initial decision to test, through provider selection and scoping, to preparation, testing, report review, and remediation. For a business owner managing this process for the first time, it can feel overwhelming.
This article consolidates the entire process into a single, actionable checklist. Bookmark this page and work through each phase systematically. Every step is here, in the order you need to do it.
**Phase 1: Deciding to test**

Before contacting a provider, confirm that penetration testing is appropriate for your organisation and clarify your objectives. This phase takes minutes but prevents wasted time and misdirected budget.
| Checklist Item | Guidance |
|---|---|
| Identify your trigger | Why are you considering a test? Compliance requirement (GDPR, PCI DSS, ISO 27001)? Client or supply chain demand? New system launch? Security incident? Annual cycle? Understanding the trigger helps you scope the right test. |
| Define your objective | What do you want to learn? 'Are our internet-facing systems secure?' is different from 'Can an attacker reach our customer database?' Different objectives lead to different test types and scopes. |
| Identify what you are protecting | Customer data? Financial records? Intellectual property? Business continuity? The assets you are protecting determine which systems should be tested first. |
| Establish your budget | A focused external test starts from around £2,000. A comprehensive assessment may cost £10,000 or more. Know your budget range before speaking to providers so you can evaluate quotes effectively. |
| Determine your timeline | Do you have a compliance deadline? A go-live date? Allow at least six to eight weeks from initial contact to completion of retesting — two weeks for scoping and preparation, one to two weeks for testing, and two to four weeks for remediation and retest. |

**Phase 2: Selecting a provider**

| Checklist Item | Guidance |
|---|---|
| Shortlist CREST-accredited providers | Use the CREST directory to find accredited companies. CREST accreditation is the industry standard in the UK and is recognised by all major regulators. |
| Request sample reports from each | Compare report quality — look for evidence of manual testing, business-context analysis, and specific remediation guidance rather than automated scanner output. |
| Ask who will test your systems | Get a named individual with verifiable qualifications — CREST CRT/CCT, OSCP, or equivalent. The individual tester's skill determines the quality of your engagement. |
| Verify insurance and data handling | Confirm professional indemnity cover (minimum £1 million) and review the provider's data handling and destruction policy. |
| Clarify what is included | Retesting, debrief meeting, report revisions, ongoing support — understand what the quoted price covers and what costs extra. |
| Check for red flags | Fixed-price quotes without scoping, dramatically low prices, inability to name the tester, scanner-heavy sample reports, guaranteed outcomes. Any of these should give you pause. |

**Phase 3: Scoping the engagement**

| Checklist Item | Guidance |
|---|---|
| Gather your asset information | Public IP addresses, domain names, web applications and their user roles, internal network structure, cloud services. Your IT team or MSP can provide this. |
| Communicate your business objectives | Tell the provider what you are most worried about, what data is most sensitive, and what compliance requirements you need to meet. This shapes the scope. |
| Choose the testing approach | Black box (no prior knowledge), grey box (partial knowledge), or white box (full knowledge). Grey box is typically the best value for most organisations. |
| Define exclusions | Systems that must not be tested, test types that are off-limits (e.g. denial of service on production), and any third-party systems requiring separate authorisation. |
| Agree the testing window | When can testing occur? Business hours only, or out of hours? Are there blackout periods (month-end, peak trading)? |
| Review and sign the proposal | Confirm scope, duration, cost, and what is included. Ensure you are comfortable with everything before committing. |

**Phase 4: Preparing for testing**

| Checklist Item | When |
|---|---|
| Sign and return the authorisation letter | 2 weeks before testing |
| Notify cloud / hosting provider | 2 weeks before testing |
| Notify MSP / SOC with tester IP addresses | 1–2 weeks before testing |
| Brief IT team | 1 week before testing |
| Create and test dedicated test accounts | 1 week before testing |
| Provision and test VPN / network access | 1 week before testing |
| Provide documentation (white box) | 1 week before testing |
| Exchange emergency contacts | Before testing begins |
| Verify backups | Before testing begins |
| Review rules of engagement | Before testing begins |

**Phase 5: Reviewing the report and remediating**

| Checklist Item | Guidance |
|---|---|
| Schedule a debrief meeting | Include both business stakeholders and the technical team responsible for remediation. Use this meeting to clarify findings and ask questions. |
| Read the executive summary | Understand the overall risk level, the most significant findings, and the strategic recommendations before diving into technical detail. |
| Create a remediation tracker | List every finding with severity, owner, target date, and status. Review weekly for critical and high findings, monthly for medium and low. |
| Fix critical findings immediately | Within 24–48 hours. These represent immediate, exploitable risk. |
| Fix high findings urgently | Within 1–2 weeks. These represent significant risk that requires prompt action. |
| Plan medium and low finding remediation | Within 1–3 months for medium. During routine maintenance for low. Include in your standard change management process. |
| Document risk acceptances | For any finding you choose not to fix — record the reason, who approved the decision, and any compensating controls. |
| Request retesting | Have the provider retest critical and high findings after remediation to verify fixes are effective. |
| Store the report securely | Penetration test reports contain sensitive information about your vulnerabilities. Store them securely with restricted access. Retain for at least three years for compliance evidence. |
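The remediation tracker described above, as an added example that is not part of the original checklist: it records each finding with severity, owner, target date and status, derives target dates from the fix windows stated in the table (upper end of each range; low findings have no hard deadline), flags overdue items, builds the weekly and monthly review queues, lists fixed critical/high findings awaiting retest, and refuses a risk acceptance that lacks a reason or approver. All findings, names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the checklist above (upper end of each range); low findings
# are fixed during routine maintenance, so they carry no fixed deadline.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 90, "low": None}
REVIEW_CADENCE = {"critical": "weekly", "high": "weekly", "medium": "monthly", "low": "monthly"}

@dataclass
class Finding:
    ref: str
    severity: str
    owner: str
    reported: date
    status: str = "open"          # open | fixed | retested | accepted
    acceptance_reason: str = ""   # required when status == "accepted"
    approved_by: str = ""         # required when status == "accepted"

    def target_date(self):
        days = SLA_DAYS[self.severity]
        return None if days is None else self.reported + timedelta(days=days)

    def is_overdue(self, today):
        target = self.target_date()
        return self.status == "open" and target is not None and today > target

def validate_acceptance(finding):
    """A risk acceptance must record why it was accepted and who approved it."""
    return finding.status != "accepted" or bool(finding.acceptance_reason and finding.approved_by)

def review_queue(findings, cadence):
    """Open findings due in the weekly (critical/high) or monthly (medium/low) review."""
    return [f for f in findings if f.status == "open" and REVIEW_CADENCE[f.severity] == cadence]

def overdue(findings, today):
    return [f for f in findings if f.is_overdue(today)]

def needs_retest(findings):
    """Critical and high findings marked fixed but not yet verified by the provider."""
    return [f for f in findings if f.severity in ("critical", "high") and f.status == "fixed"]

# Constructed sample tracker entries; not taken from any real report.
TODAY = date(2024, 3, 20)
FINDINGS = [
    Finding("F-01", "critical", "IT lead", date(2024, 3, 15)),
    Finding("F-02", "high", "IT lead", date(2024, 3, 15), status="fixed"),
    Finding("F-03", "medium", "Web developer", date(2024, 3, 15)),
    Finding("F-04", "low", "IT lead", date(2024, 3, 15), status="accepted",
            acceptance_reason="Internal only; decommissioned in Q3", approved_by="CTO"),
]
```

Run `overdue(FINDINGS, TODAY)` and `review_queue(FINDINGS, "weekly")` at each review to see what needs attention; anything returned by `needs_retest` goes back to the provider for verification.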

**Phase 6: Building an annual cycle**

| Checklist Item | Guidance |
|---|---|
| Schedule next year's test | Book your next annual test before this year's findings are fully remediated. This ensures continuity and gives you time for scoping and preparation. |
| Compare results year over year | Track the number and severity of findings across annual tests. A decreasing trend demonstrates improving security. Recurring findings indicate systemic issues. |
| Expand scope over time | If you started with external testing, add web application testing next year. Then internal. Then social engineering. Build comprehensive coverage over time. |
| Integrate with your security strategy | Use penetration test results to inform vulnerability management priorities, security awareness training, incident response planning, and security investment decisions. |
| Review your provider periodically | Consider a third-party review every two to three years to bring fresh perspectives and validate your primary provider's findings. |
Whether you are at the decision stage or ready to commission, our team will walk you through the process from start to finish. Free scoping consultations, transparent pricing, and support through remediation — every phase covered.