Support

Frequently Asked
Questions

> man hedgehog-security_

Everything you need to know before, during, and after working with us. If your question isn't here, just ask.

About Hedgehog Security.

We provide two core services: penetration testing (simulated cyber attacks to find vulnerabilities in your systems) and Cyber Essentials certification (the UK Government's baseline security standard). We're a specialist firm — we do these two things and we do them exceptionally well.

We're based in the United Kingdom. Our testing is conducted remotely for most engagements, meaning we can work with organisations anywhere in the UK. For internal infrastructure testing or physical social engineering, we travel to your premises.

Our testers hold industry-recognised certifications including CREST CRT/CCT, OSCP, OSCE, and CHECK. The company is a CREST member and IASME-accredited Cyber Essentials assessor. See our about page for full details.

Absolutely. We work with organisations of all sizes — from sole traders getting their first Cyber Essentials certificate to enterprise firms with complex, multi-site infrastructures. Small businesses are often the most at risk and the least prepared, so we particularly welcome those enquiries.


Pen test questions.

It depends on scope. A focused web application test might take 3–5 days. A comprehensive external and internal infrastructure assessment for a mid-size organisation typically takes 5–10 days. We'll give you a clear timeline during the free scoping call.

We go to great lengths to avoid disruption. Testing is planned around your schedule, and we maintain constant communication throughout. Denial-of-service style tests are never performed without explicit written consent and are typically scheduled out of hours. In practice, most organisations don't notice testing is happening.

A vulnerability scan is automated — it runs a tool against your systems, produces a list of potential issues (including false positives that nobody has verified), and stops. A penetration test is manual and creative — a skilled human validates what the tools report, actively attempts to exploit weaknesses, chains findings together, and demonstrates real business impact. Think of it as the difference between a spell checker and a professional editor. Both have value, but they serve different purposes, and a clean scan result is not evidence that an attacker would fail.

At minimum, annually. You should also test after any significant infrastructure change, major application release, or security incident. Many compliance frameworks require or expect regular testing: PCI DSS mandates penetration testing at least annually and after significant changes, while ISO 27001 and Cyber Essentials Plus expect regular technical assessment of your controls. We'll help you determine the right cadence for your organisation.

Yes. Every engagement includes a free retest of all findings. Once you've completed remediation, we'll verify that each vulnerability has been properly closed and issue an updated report. This is included in the original price — no additional cost.

External infrastructure, internal infrastructure, web applications, mobile applications (iOS and Android), cloud configuration reviews (AWS, Azure, GCP), and social engineering (phishing, vishing, physical). See our penetration testing page for full details on each.

At minimum: a signed Statement of Work and confirmation of scope. Depending on the approach (black, grey, or white box), we may also need credentials, network diagrams, application documentation, or VPN access. We'll give you a clear checklist during scoping.


Certification questions.

Both assess the same five security controls: firewalls, secure configuration, security update management, user access control, and malware protection. Cyber Essentials is a self-assessment questionnaire that you complete and a licensed assessor verifies. CE Plus adds a hands-on technical audit where an assessor tests your actual systems against those controls, including vulnerability scanning of your in-scope devices. CE+ provides higher assurance and is required for some government contracts. See our Cyber Essentials page for a detailed comparison.

With our guidance, CE typically takes 1–2 weeks from start to certificate. CE+ takes 2–4 weeks including any remediation. If you're well-prepared and have no significant gaps, it can be faster. We'll give you a realistic timeline during the scoping call.

Yes — you must hold a current Cyber Essentials certificate before the CE Plus technical audit can be conducted, and the audit has to be completed within three months of that certificate being issued. We can bundle both into a single engagement to streamline the process, keep you inside that window, and reduce cost.

It's mandatory for UK Government contracts involving sensitive or personal data. It's also increasingly required by large enterprises as a minimum supplier standard. Even if it's not formally required for your sector, it demonstrates baseline security maturity and can reduce insurance premiums.

Our gap analysis is specifically designed to prevent this. We identify and resolve all issues before the formal assessment begins. In the rare event something is flagged during the assessment, we provide immediate remediation support and work with you to resolve it within the window the scheme allows, so a single finding does not have to mean a failed certification.


Working with us.

It depends on scope, complexity, and the type of testing required. A focused web application test starts from a few thousand pounds; comprehensive infrastructure engagements will be more. We provide a clear, fixed-price quote after the free scoping call — no hourly surprises, no hidden extras. The retest is always included.

Yes. No charge, no obligation. We need to understand your environment before we can quote accurately, and you need to feel confident that we're the right fit. The scoping call serves both purposes.

The full report is delivered within 5 working days of testing completion. Critical or high-severity findings are communicated immediately during testing so you can begin remediation straight away — you won't be waiting for the report to learn about urgent issues.

Yes. We don't disappear after the report. We're available for questions about findings, remediation guidance, and follow-up advice. For Cyber Essentials clients, we offer ongoing advisory support between annual renewals. Many of our clients return annually.

Yes — we can provide a redacted sample report during the scoping process so you know exactly what to expect. Just ask.


We're happy to help.

If your question isn't answered above, drop us a message. No question is too basic — we'd rather you asked than guessed.