> man hedgehog-security_
Everything you need to know before, during, and after working with us. If your question isn't here, just ask.
Hedgehog Security, part of UK Cyber Defence, provides two core services: penetration testing (simulated cyber attacks to find vulnerabilities in your systems) and Cyber Essentials certification (the UK Government's baseline security standard). We also offer specialist services including vulnerability scanning, airspace security, and wireless spectrum analysis. We're a specialist firm — we do these things and we do them exceptionally well.
UK Cyber Defence is a group of specialist cyber security companies providing offensive security, managed SOC services, and cyber defence solutions across the United Kingdom. Hedgehog Security is the offensive security and Cyber Essentials arm of the group.
We're based at The Officers Mess at the historic RAF base at Duxford in the United Kingdom. Our testing is conducted remotely for most engagements, meaning we can work with organisations anywhere in the UK. For internal infrastructure testing or physical social engineering, we travel to your premises.
Our testers hold industry-recognised certifications including CREST CRT/CCT, OSCP, OSCE, and CHECK. The company is a CREST member and IASME-accredited Cyber Essentials assessor. See our about page for full details.
Absolutely. We work with organisations of all sizes — from sole traders getting their first Cyber Essentials certificate to enterprise firms with complex, multi-site infrastructures. Small businesses are often the most at risk and the least prepared, so we particularly welcome those enquiries.
Your engagement will be delivered by our in-house team of experienced penetration testers. Every tester is vetted, certified, and operates under strict rules of engagement. You can meet the team on our Team page.
It depends on scope. A focused web application test might take 3–5 days. A comprehensive external and internal infrastructure assessment for a mid-size organisation typically takes 5–10 days. We'll give you a clear timeline during the free scoping call.
We go to great lengths to avoid disruption. Testing is planned around your schedule, and we maintain constant communication throughout. Denial-of-service-style tests are never performed without explicit written consent and are typically scheduled out of hours. In practice, most organisations don't notice testing is happening.
A vulnerability scan is automated — it runs a tool, produces a list of potential issues, and stops. A penetration test is manual and creative — a skilled human actively attempts to exploit weaknesses, chain findings together, and demonstrate real business impact. Think of it as the difference between a spell checker and a professional editor. Both have value, but they serve different purposes. Read our detailed article on pen tests vs vulnerability scans or explore our vulnerability scanning service.
At minimum, annually. You should also test after any significant infrastructure change, major application release, or security incident. Many compliance frameworks (PCI DSS, ISO 27001, Cyber Essentials Plus) require regular testing. We'll help you determine the right cadence for your organisation.
Yes. Every engagement includes a free retest of all findings. Once you've completed remediation, we'll verify that each vulnerability has been properly closed and issue an updated report. This is included in the original price — no additional cost.
External infrastructure, internal infrastructure, web applications, mobile applications (iOS and Android), cloud configuration reviews (AWS, Azure, GCP), and social engineering (phishing, vishing, physical). See our penetration testing page for full details, or explore our specialist services: web application testing, API testing, infrastructure testing, and red team engagements.
At minimum: a signed Statement of Work and confirmation of scope. Depending on the approach (black, grey, or white box), we may also need credentials, network diagrams, application documentation, or VPN access. We'll give you a clear checklist during scoping.
We follow industry-standard methodologies including OWASP Testing Guide, PTES, and CREST technical standards. Our approach combines automated tooling with extensive manual testing to ensure thorough coverage that goes well beyond what scanners alone can achieve.
A red team engagement simulates a real-world adversary targeting your organisation across multiple attack surfaces — not just one application or network segment. It tests your people, processes, and technology as a whole, giving you the most realistic picture of how an attacker would compromise your defences.
Yes. We perform configuration reviews of AWS, Azure, and GCP environments against CIS benchmarks and provider best practices. We check IAM policies, network segmentation, storage permissions, logging, and more to identify misconfigurations before an attacker does.
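To make the kind of check a cloud configuration review performs concrete, here is an added example in Python. It is not Hedgehog Security's tooling and is not taken from this page; it assumes the JSON shape of AWS IAM policy documents, S3 bucket policies and S3 ACL grants, and the policy documents and account identifiers below are constructed samples. It flags the two findings a reviewer raises most often: Allow statements with wildcard actions or resources, and bucket grants that make data readable by everyone.

```python
"""Offline checks of the sort a cloud configuration review runs over exported
IAM and S3 settings. Added example; sample inputs below are constructed."""


def _as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a policy Principal grants to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def iam_policy_findings(policy):
    """Flag Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        all_resources = "*" in resources
        if wild_actions and all_resources:
            findings.append(("high", f"statement {idx}: {wild_actions} allowed on all resources"))
        elif wild_actions:
            findings.append(("medium", f"statement {idx}: wildcard actions {wild_actions}"))
        elif all_resources:
            findings.append(("low", f"statement {idx}: {actions} scoped to Resource '*'"))
    return findings


# ACL group URIs that mean "everyone" or "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def bucket_findings(bucket_policy, acl_grants):
    """Flag public access via an unconditional Principal '*' or ACL group grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_public(stmt.get("Principal"))
                and "Condition" not in stmt):  # a Condition may restrict it; review by hand
            findings.append(("high", f"bucket policy statement {idx}: public "
                                     f"{_as_list(stmt.get('Action'))} with no Condition"))
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(("high", f"ACL grants {grant.get('Permission')} "
                                     f"to {PUBLIC_ACL_GROUPS[uri]}"))
    return findings


# Constructed sample inputs (not from any real account).
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-app-assets/*"},
    ],
}

SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]


if __name__ == "__main__":
    for sev, msg in iam_policy_findings(SAMPLE_IAM_POLICY):
        print(f"[IAM {sev}] {msg}")
    for sev, msg in bucket_findings(SAMPLE_BUCKET_POLICY, SAMPLE_ACL_GRANTS):
        print(f"[S3 {sev}] {msg}")
```

On the constructed input the IAM check reports one high finding (`ec2:*` on every resource; the MFA Deny statement is skipped because it only narrows access), and the bucket check reports two (an unconditional public `s3:GetObject` and an ACL READ grant to AuthenticatedUsers). A real review runs the same logic over policies exported from the account and then confirms each hit by hand, since a Condition block or a deny elsewhere can change the effective result.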
We detect and analyse unauthorised wireless transmissions — rogue Wi-Fi access points, Bluetooth devices, cellular IMSI catchers, and drone communications — across your premises. This is particularly relevant for sensitive environments such as government buildings, data centres, and corporate boardrooms. See our airspace security and wireless spectrum pages for more detail.
Yes. Our UAV and drone testing service assesses the security of drone communication links, ground control stations, and associated software. We also evaluate the risk that hostile drones pose to your physical security perimeter.
PCI DSS requires specific penetration testing of cardholder data environments at least annually and after significant changes. Our testing meets the requirements of PCI DSS Requirement 11.3 and is conducted by CREST-certified testers who understand the standard's segmentation and scoping rules.
Both assess the same five security controls. Cyber Essentials is a self-assessment questionnaire verified by an assessor. CE Plus adds a hands-on technical audit where an assessor tests your actual systems. CE Plus provides higher assurance and is required for some government contracts. See our Cyber Essentials page for a detailed comparison.
With our guidance, CE typically takes 1–2 weeks from start to certificate. CE Plus takes 2–4 weeks including any remediation. If you're well-prepared and have no significant gaps, it can be faster. We'll give you a realistic timeline during the scoping call.
Yes — you must hold a current Cyber Essentials certificate before the CE Plus technical audit can be conducted. We can bundle both into a single engagement to streamline the process and reduce cost.
It's mandatory for UK Government contracts involving sensitive or personal data. It's also increasingly required by large enterprises as a minimum supplier standard. Even if it's not formally required for your sector, it demonstrates baseline security maturity and can reduce insurance premiums.
Our gap analysis is specifically designed to prevent this. We identify and resolve all issues before the formal assessment begins. In the rare event something is flagged, we provide immediate remediation support and work with you to resolve it within the allowed window.
Our Concierge service is a fully guided, white-glove Cyber Essentials journey. We handle every step — from the initial gap analysis and remediation support through to the completed certification — so your team can stay focused on running the business.
It depends on scope, complexity, and the type of testing required. A focused web application test starts from a few thousand pounds; comprehensive infrastructure engagements will be more. We provide a clear, fixed-price quote after the free scoping call — no hourly surprises, no hidden extras. The retest is always included.
Yes. No charge, no obligation. We need to understand your environment before we can quote accurately, and you need to feel confident that we're the right fit. The scoping call serves both purposes.
The full report is delivered within 5 working days of testing completion. Critical or high-severity findings are communicated immediately during testing so you can begin remediation straight away — you won't be waiting for the report to learn about urgent issues.
Yes. We don't disappear after the report. We're available for questions about findings, remediation guidance, and follow-up advice. For Cyber Essentials clients, we offer ongoing advisory support between annual renewals. Many of our clients return annually.
Yes — we can provide a redacted sample report during the scoping process so you know exactly what to expect. Just ask.
All engagement data is encrypted in transit and at rest. We operate under a strict NDA signed before every engagement. Any data or credentials provided for testing are stored securely and destroyed after the engagement concludes. We never share client data with third parties.
Yes. We carry comprehensive professional indemnity and public liability insurance. Details are available on request during the scoping process.
If your question isn't answered above, drop us a message. No question is too basic — we'd rather you asked than guessed.