Hedgehog Security
Cyber Essentials Plus (2022-08-10)

Cyber Essentials Plus

The highest level of certification offered under the Cyber Essentials scheme.

Cyber Essentials Plus is a more rigorous, standards-based technical audit of your organisation's cyber security controls. Our assessors carry out vulnerability tests and hands-on checks to confirm that your organisation is protected against basic, commodity hacking and phishing attacks.

Purchase Cyber Essentials Plus Today

Cyber Essentials Plus

Cyber Essentials Plus is the second step in the UK Government's Cyber Essentials scheme and is a technical security audit of your environment. It builds on the base-level Cyber Essentials self-assessment with a technical review of a sample set of your workstations and an internal, authenticated vulnerability scan of the systems within that sample. If you want to be well prepared for your audit, we strongly recommend following our simple guide to running your own authenticated vulnerability scan before the assessor arrives.

The cost of Cyber Essentials Plus depends on two factors. The first is the size of the business; the price band for each size is set by the scheme itself. The second is the number of distinct workstation builds that have to be reviewed: each build needs its own sample of devices, so the more builds you have, the higher the cost of certification.

Gaining Cyber Essentials Plus certification also lets organisations demonstrate to customers and partners that their cyber security has been independently tested, not just self-declared.

The CE Plus assessment is also covered within our Cyber Security Health Check service.


Audit Process

The Cyber Essentials Plus audit consists of seven key area checks. Each is described below so that you can prepare for it before the assessor arrives.

Test 1: Remote vulnerability assessment

This test checks whether an Internet-based opportunist attacker could break into the applicant's systems using typical low-skill methods.

Prerequisites

You will need the following:

  1. a vulnerability scanning tool that has been approved by IASME
  2. to have identified the IP addresses to be scanned. Where dynamic IP addresses are in use for an Internet connection, the scope may be defined in terms of appropriate DNS entries.

What devices are tested:

  • All end user devices within the sample set.

What we are testing for:

The following tests apply to all computing devices within the boundary of scope. This includes:

  • end user devices (EUDs) that can connect to organisational data or services
  • servers on which standard (that is, non-administrator) users can obtain an interactive desktop environment
  • all types of cloud service (IaaS, PaaS or SaaS)

On all but the smallest networks it will be impractical to test every device that is within the agreed boundary of scope. Instead, we test a representative sample.

All cloud services must be tested using a representative sample of user accounts. This must consist of at least one normal user and one administrative user for every cloud service used; the same users can be reused across multiple cloud services. The pass criterion is that there are no vulnerabilities rated High or Critical, and none with a CVSS v3 base score of 7.0 or higher.
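The pass/fail rule above is mechanical, so it is worth applying it to your own scanner output before the assessor does. The following is an added example, not code from the Hedgehog Security page or from the Cyber Essentials scheme: a PowerShell triage of a scanner's CSV export. The CSV is constructed sample data (documentation IP addresses), and the column names (Host, Severity, CVSSv3, Title) are assumptions that will need mapping onto whatever your IASME-approved scanner exports.

```powershell
# Added example (not from the page): triage a scanner CSV export against the
# CE Plus vulnerability rule. Fail on a High/Critical rating OR CVSS v3 >= 7.0.
# The data below is constructed; column names are assumptions about the export.
$scanExport = @'
Host,Severity,CVSSv3,Title
203.0.113.10,Medium,5.3,TLS 1.0 enabled
203.0.113.10,High,7.5,Outdated OpenSSH version
203.0.113.11,Low,3.1,Server banner disclosure
203.0.113.11,Critical,9.8,Remote code execution in web server
203.0.113.12,Medium,7.0,Weak cipher suite accepted
203.0.113.12,Info,,Open port 443/tcp
'@

function Test-CePlusVulnThreshold {
    param(
        [Parameter(Mandatory)] [string] $Csv,
        [double] $CvssThreshold = 7.0
    )
    foreach ($f in ($Csv | ConvertFrom-Csv)) {
        # Informational findings often carry no score at all; treat a blank as 0.
        $cvss = if ([string]::IsNullOrWhiteSpace($f.CVSSv3)) { 0.0 } else { [double] $f.CVSSv3 }
        $bySeverity = $f.Severity -in @('High', 'Critical')
        $byScore    = $cvss -ge $CvssThreshold
        # Either condition on its own is a fail: a "Medium" finding that the
        # scanner scores exactly 7.0 still breaches the scheme's threshold.
        if ($bySeverity -or $byScore) {
            $reason = if ($bySeverity -and $byScore) { 'rating and score' }
                      elseif ($bySeverity)          { 'rating' }
                      else                          { 'score' }
            [pscustomobject]@{
                Host     = $f.Host
                Severity = $f.Severity
                CVSSv3   = $cvss
                Title    = $f.Title
                Reason   = $reason
            }
        }
    }
}

$failing = @(Test-CePlusVulnThreshold -Csv $scanExport)
if ($failing.Count -gt 0) {
    Write-Output ("FAIL: {0} finding(s) breach the CE Plus threshold" -f $failing.Count)
    $failing | Format-Table -AutoSize
} else {
    Write-Output 'PASS: no High/Critical findings and nothing at CVSS v3 7.0 or above'
}
```

With the constructed data, three rows are flagged: the High (7.5) and Critical (9.8) findings on both counts, and the Medium finding at 7.0 on score alone. That last case is the one teams most often miss when they filter only on the scanner's own severity label.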

Test 2: Authenticated vulnerability scan (missing patches)

This test is performed on a sample set of EUDs, servers and IaaS instances. Its purpose is to identify missing patches and security updates that leave vulnerabilities which the threats in scope for the scheme could easily exploit.

Prerequisites

In addition to the general prerequisites above, you will need:

  1. a vulnerability scanning tool that has been approved by IASME
  2. each device to be tested scanned with that approved tool (you can pre-test devices with our vulnerability scanning service)

What devices are tested:

  • All end user devices, servers and IaaS instances within the sample set.

What we are testing for:

We are testing to confirm that no patches or service packs are missing, and that no vulnerability is rated High or Critical or carries a CVSS v3 score of 7.0 or higher.
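Before the assessor's authenticated scan, it helps to ask Windows itself what it believes is outstanding on each build in the sample. The following is an added example, not code from the Hedgehog Security page: it queries the Windows Update Agent COM API (Microsoft.Update.Session) for applicable updates that are not installed. It reports updates an administrator has hidden as well, because hidden updates are still missing from the assessor's point of view. It assumes the device can reach its update source (Windows Update or WSUS), and it only sees what that source offers; third-party software such as browsers, Office or Java is exactly what the authenticated scan is there to catch.

```powershell
# Added example (not from the page): enumerate updates that the Windows Update
# Agent reports as applicable but not installed, via the Microsoft.Update.Session
# COM API. Run on each build in the sample set before the authenticated scan.
function Get-MissingWindowsUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Software updates only (no drivers). Hidden updates are deliberately NOT
    # excluded from the search: an update hidden by an admin is still a missing
    # patch as far as the assessor's scan is concerned.
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        [pscustomobject]@{
            Title           = $u.Title
            KB              = $kbs
            MsrcSeverity    = $u.MsrcSeverity   # Critical/Important/Moderate/Low; blank for non-security updates
            Hidden          = $u.IsHidden
            Published       = $u.LastDeploymentChangeTime
            DaysOutstanding = [int] ((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
        }
    }
}

$missing = @(Get-MissingWindowsUpdate)
if ($missing.Count -eq 0) {
    Write-Output 'PASS: Windows Update reports no outstanding software updates'
} else {
    Write-Output ("FAIL: {0} update(s) outstanding" -f $missing.Count)
    $missing |
        Sort-Object DaysOutstanding -Descending |
        Format-Table Title, KB, MsrcSeverity, Hidden, DaysOutstanding -AutoSize
}
```

The search can take a minute or two on a device that has not checked in recently. DaysOutstanding is the figure to watch: the scheme expects security updates to be applied promptly, so anything with a Critical or Important MsrcSeverity that has been sitting for weeks is a near-certain finding on audit day.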

Test 3: Malware protection

This test is performed on sampled EUDs, servers and IaaS instances to check that every device in scope benefits from at least a basic level of malware protection. We need to identify which type of malware protection each device in the sample set uses: anti-virus software, application allow listing or application sandboxing.

What devices are tested:

  • All end user devices within the sample set.

What we are testing for:

We manually check each machine in the sample set to confirm that:

  1. all anti-malware definitions released within the 24 hours prior to testing have been installed.
  2. all anti-malware engine updates released within the 30 days prior to testing have been installed.
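The two age checks above are simple to pre-run on any build that uses Microsoft Defender. The following is an added example, not code from the Hedgehog Security page: it reads the Defender status the assessor inspects by hand and flags signatures older than 24 hours. It assumes the build uses Microsoft Defender; for a third-party product, or a build protected by allow listing or sandboxing, use that vendor's console instead. Defender does not expose an engine update date, so the engine version is reported for you to compare against Microsoft's current published engine release.

```powershell
# Added example (not from the page): report the Microsoft Defender update state
# that the CE Plus malware protection check inspects. Assumes Microsoft Defender
# is the anti-malware product on this build.
function Test-DefenderUpdateState {
    param([int] $MaxSignatureAgeHours = 24)
    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours    = [math]::Round($sigAge.TotalHours, 1)
        SignaturesCurrent    = ($sigAge.TotalHours -le $MaxSignatureAgeHours)
        # No "engine last updated" field exists; compare this version against
        # Microsoft's current engine release to satisfy the 30-day engine check.
        EngineVersion        = $status.AMEngineVersion
    }
}

$state = Test-DefenderUpdateState
$state | Format-List

if (-not $state.AntivirusEnabled -or -not $state.RealTimeProtection) {
    Write-Output 'FAIL: Defender is not active on this device'
} elseif (-not $state.SignaturesCurrent) {
    Write-Output 'FAIL: definitions older than 24 hours; run Update-MpSignature and re-check'
} else {
    Write-Output 'PASS: definitions installed within the last 24 hours'
}
```

A device whose definitions were installed within the last 24 hours has, by construction, also installed every definition released before that point, which is what the first check asks for. Running Update-MpSignature on the sample set the morning of the audit is cheap insurance, but a device that needs it is also telling you that its normal update path is not working.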

Test 4: Malware delivered by email

This test is performed on any sampled EUDs, servers and cloud environments where users can receive email ("user environments").

What devices are tested:

  • All end user devices within the sample set.

What we are testing for:

We manually test the protection against malware delivered via email attachments. For each user environment in the sample set, we:

  1. establish a baseline by sending a simple email with no attachment from our remote test account to the test destination; then
  2. send each test email, with its attached test file, from our remote test account to the test destination and observe the user attempting to open each attachment.

Test 5: Malware delivered by web download

This test is performed on any sampled EUDs, servers and cloud environments where users can browse the web ("user environments"). We instruct the user to browse to a specific URL, download each of the test files and attempt to open them.

What devices are tested:

  • All end user devices within the sample set.

What we are testing for:

This tests whether user environments are protected from malware delivered through a website. We are looking specifically at whether each download is blocked and, if the user can download a file, whether they can execute it. A failure is issued if any of the files can be executed without a warning.

Test 6: Multi-factor authentication on cloud services

This test is performed on all cloud services declared in scope, to confirm that they have been configured for multi-factor authentication (MFA). Users of the sampled devices attempt to log in to the organisation's cloud services using their organisation-issued accounts.

What devices are tested:

  • All cloud services listed in the CE questionnaire.

What we are testing for:

All cloud services are tested for both user and administrator access. Where multiple cloud services share an authentication service (for example a single identity provider), this test only needs to be performed once for each authentication service. We are looking to observe that multi-factor authentication is enforced for every cloud environment.

Test 7: Account separation

This test is performed on any of the sampled end user devices, servers and cloud environments where administrative processes can run. Its purpose is to confirm that day-to-day user accounts do not have administrator privileges assigned.

What devices are tested:

  • All sampled devices need to be tested.

What we are testing for:

Logged in with a standard user account, the user attempts to run a defined administrative process. A failure is issued if a standard user profile is able to run an administrative process.
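The most common way to fail this check is an everyday account that is quietly a member of the local Administrators group: under UAC it runs un-elevated, so nothing looks wrong, yet a single consent click gives it an administrative process. The following is an added example, not code from the Hedgehog Security page: run it as the standard user on a sampled device to see what the assessor will find. The probe file under System32 is an assumption standing in for whatever "defined administrative process" the assessor uses; it is created and removed immediately if the write is allowed.

```powershell
# Added example (not from the page): run as the standard user on a sampled device
# to preview the CE Plus account separation check. The System32 probe file is an
# assumed stand-in for the assessor's "defined administrative process".
function Test-StandardUserSeparation {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = 'S-1-5-32-544'   # well-known SID of the local Administrators group

    # The token role is only true inside an elevated process. A member of
    # Administrators running un-elevated still carries the group SID (marked
    # "deny only" in whoami /groups) and can elevate with a consent click,
    # which is precisely the condition the assessor is looking for.
    $elevated       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $memberOfAdmins = $identity.Groups.Value -contains $adminSid

    # Defined administrative action: create a file under System32, which a
    # standard user's token must be denied.
    $probe = Join-Path $env:SystemRoot 'System32\ce-plus-probe.txt'
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force
        $probeSucceeded = $true
    } catch {
        $probeSucceeded = $false
    }

    $result = if ($memberOfAdmins -or $probeSucceeded) { 'FAIL' } else { 'PASS' }
    [pscustomobject]@{
        User                   = $identity.Name
        ElevatedToken          = $elevated
        MemberOfAdministrators = $memberOfAdmins
        AdminActionSucceeded   = $probeSucceeded
        CePlusResult           = $result
    }
}

# Who else holds admin on this build? Orphaned SIDs can make this cmdlet throw,
# hence the try/catch.
function Get-LocalAdminMembers {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    }
}

Test-StandardUserSeparation | Format-List
Get-LocalAdminMembers | Format-Table -AutoSize
```

The decisive field is MemberOfAdministrators rather than ElevatedToken: an account can report ElevatedToken = False and still fail the audit, because the assessor will simply accept the UAC consent prompt. The second function lists every member of the group so you can remove stray day-to-day accounts before the sample is taken.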

Cost of Cyber Essentials Plus

So what exactly is the cost of Cyber Essentials Plus? Cyber Essentials Plus prices are based on the number of people in your organisation and the number of workstation builds you have.

Our Cyber Essentials Plus pricing is an annual subscription. You can cancel at any time; otherwise it simply renews your certification each year.

Purchase Cyber Essentials Plus Today
Size      1 Build    2 Builds    3 Builds
Micro     £1050      £1575       £2100
Small     £1250      £1775       £2300
Medium    £1450      £1975       £2500
Large     £1650      £2175       £2700

Talk To A Security Specialist

Book a free consultation with a security specialist to discuss your current concerns or security requirements.

Hedgehog Security needs the contact information you provide to us to contact you. You may unsubscribe from these communications at any time.  By clicking "Request Callback" below you agree for us to store and process your data.  For information on how to unsubscribe please review our Privacy Policy.


Downloads

Cyber Essentials Brochure
Scoping Sheet
Cyber Essentials Audit Guide

Frequently Asked Questions

What is CREST accredited penetration testing? (2022-07-26)

CREST accredited penetration testing (also referred to as pentesting, pen testing and the often confusing PEN testing. (No, we do not know why people capitalise the shortening of Penetration either)) is a type of ethical or white hat hacking engagement designed to identify and address security vulnerabilities in your people, processes and technology. Most often a penetration test is focused on an element of your technology, such as networks, systems and applications. Pen testing takes different forms and can cover many areas. However, not all penetration testing companies work to the same standards, so there can be an inherent risk in allowing a provider to access important assets and data.

A CREST penetration test is an assessment conducted by a CREST-accredited provider. CREST accreditation demonstrates that a company conducts and documents penetration testing in accordance with the highest legal, ethical and technical standards.

In order to perform CREST accredited testing, a testing company must have in place the following:

  • ISO9001 certification
  • ISO27001 certification
  • Cyber Essentials certification
  • Cyber Essentials Plus certification
  • Professional Liability insurance
  • Public Liability insurance
  • CREST Registered Testers on staff
  • A fully documented complaints process

This all takes time and investment which is why you will find that CREST accredited penetration testing costs more than run-of-the-mill, off-the-shelf penetration testing that can be purchased from the unregulated testing market.

What are the benefits of CREST penetration testing? (2022-07-24)

CREST accredited penetration testing offers a number of advantages, including:

1. Highly trained security professionals

CREST penetration testing is typically carried out by, or under the supervision of, CREST-registered penetration testers. CREST Registered and CREST Certified testers must pass a series of rigorous examinations to prove their skill, knowledge and competence, and must re-sit them every three years. They must also evidence substantial hands-on penetration testing experience: around 6,000 hours for CREST Registered and 10,000 hours for CREST Certified testers.

2. Greater customer assurance

Companies are often asked to demonstrate the security and safety of their data to their customers. Using a CREST accredited provider to deliver CREST accredited penetration testing lets them show that they are adhering to security best practice to protect that data. Commissioning a CREST member company may also provide a commercial advantage when bidding for contracts.

3. Supports regulatory compliance

A CREST accredited penetration testing engagement supports information security requirements such as the GDPR, ISO 27001, the Network and Information Systems Directive & Regulations (NIS Regulations) and the Payment Card Industry Data Security Standard (PCI DSS). A pentest may be specified directly by a particular regulation or indirectly by the need to assess and evaluate the effectiveness of technical and organisational controls.

4. Globally recognised accreditation

CREST accredited penetration testing is valid and recognised around the world. This provides valuable assurance for companies with a global presence or for those working with overseas customers. Using a pen testing provider which lacks accreditation or whose certification is limited to the UK may limit outcomes and credibility.

5. Up-to-date expertise

The threat landscape is constantly changing, as is the pentest world. To ensure that this knowledge is kept up to date, the organisational and individual CREST certification process is repeated periodically. Member organisations are regularly updated by CREST about the latest developments in technical information assurance and participate in member workshops and events.

Why choose a CREST-accredited provider for pen testing? (2022-07-24)

“There are many benefits in procuring penetration testing services from a trusted, certified external company who employ professional, ethical and highly technically competent individuals. CREST member companies are certified penetration testing organisations who fully meet these requirements, having been awarded the gold standard in penetration testing, building trusted relationships with their clients.” – CREST

CREST-certified pen testing services provide assurance that the entire pen testing process will be conducted to the highest legal, ethical and technical standards. The CREST accredited penetration testing process follows best practice in key areas such as preparation & scoping, assignment execution, post technical delivery and data protection.

Only a CREST member company can deliver CREST approved pen testing. It should also be kept in mind that CREST approved pen testing takes on average 20% more time to complete than a regular, unregulated penetration test.

What is a CREST-certified company? (2022-07-24)

Every CREST member company is required to submit policies, processes and procedures relating to their service provision to CREST for assessment. Gaining and maintaining CREST certification is an ongoing process rather than a one-time step – member organisations are required to submit an application annually, with a full reassessment required every three years.

Each CREST member company signs up to a binding and enforceable company code of conduct, which includes processes for resolving complaints.


Who is CREST? (2022-07-24)

The Council for Registered Ethical Security Testers (CREST) is an international not-for-profit accreditation and certification body which represents and supports the technical information security market. CREST provides internationally recognised accreditation for organisations and professional level certification for individuals who provide penetration testing and other services such as cyber incident response, threat intelligence and Security Operations Centre (SOC) services. To achieve CREST accreditation, companies must undergo a rigorous assessment of business processes, data security and security testing methodologies.

Only CREST member companies can perform CREST accredited penetration testing.

Does your Pentest satisfy 'x' Compliance Requirements? (2022-07-24)

A question we hear often is whether our testing can meet a given compliance requirement. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards including PCI DSS, HIPAA, SOC 2 and others. That said, each standard is different. For example, CREST approved pen testing requires specific tester qualifications. These requirements should be discussed before moving forward. Contact us for more details.

How much of your Penetration Testing is Automated vs. Manual? (2022-07-24)

A question not enough people ask is how much of the testing is automated vs. manual. While automated tools are a brief step early in our process, a large majority of our testing is manual. The amount of manual work varies project-to-project, but around 80% of the pentest is hands-on for large infrastructure pentests. For web application penetration tests, it is around 95% of the pentest that is hands-on. It is safe to assume that for CREST approved pen testing, the hands on level is higher still.

This isn't to say automated vulnerability scanners don't have a place; vulnerability scans are quick and simple tools that should be run on a regular basis to identify missing patches or outdated software, particularly in larger or less well understood environments.

How soon can you start on my project? (2022-07-24)

We understand that clients often have hard deadlines that they're trying to meet. Whether you're trying to satisfy client requirements which rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Unfortunately, manual penetration testing takes some planning and preparation for our assessment team, and our schedule can be booked as much as 2-6 weeks out.

With that said, if you have an urgent project feel free to contact us about timelines.  Depending on needs and timelines, we may have the ability to pull resources off of a research project & get started immediately.

Should we fix all of the vulnerabilities that are reported? (2022-07-24)

You should evaluate all of the vulnerabilities using a risk-based model first. Each vulnerability should be evaluated for business impact and probability of being exploited to ultimately assign a risk rating. Companies should have risk criteria defined in order to determine thresholds for remediation. Vulnerabilities above the threshold should be remediated or appropriately compensated for in order to bring them within tolerable risk levels. A vulnerability that is within an acceptable threshold may not require remediation and instead may simply be monitored over time in case the risk level changes. The penetration test or vulnerability scan deliverables should contribute to this process. In certain compliance situations, specific vulnerabilities may be viewed as compliance gaps; and those gaps typically are either remediated or compensating controls are put in place when remediation is not possible.

We have our website hosted with a third party. Should we test it? (2022-07-24)

Maybe – Is anyone testing the third party already? The first thing to do is to find out if the third party service provider is already having a reputable network penetration test provider review the website. If so, due diligence is needed to validate the scope is appropriate, review the methodology, and understand if any key findings were observed. An organization should confirm when it was last tested, when it will next be tested, and if there are any security vulnerabilities that were determined to be tolerable by the hosting provider.

If the third party is not testing the site, or if the testing being performed is not adequate, then yes, the site needs to be tested. Obtain the third party’s permission, as they should be involved in planning, to ensure that the site is tested safely and coordinated appropriately. If the third party won’t allow testing, one should strongly consider obtaining a “right to audit” clause in their contract or locate another hosting provider that accommodates the need for ongoing vulnerability management, including network and web penetration testing.

How do we prepare for a penetration test? (2022-07-24)

In general, there is no need for anything special to prepare for a penetration test with respect to how security controls are managed on a day-to-day basis. Remember that a penetration test is a point in time review of the environment. The test is going to assess the security posture at that particular point in time. If patches are deployed every Wednesday, for example, there is no need to change this behavior to accommodate the penetration test itself. If the results of the infrastructure penetration test determine this process requires attention, then that would be the appropriate time to adjust.

An organization should expect to participate in preparation activities related to planning the penetration test itself to ensure the test can be performed under controlled conditions. Some preparation related to positioning the tester may also be needed, specifically when testing is being performed onsite.

The hiring company should be prepared to participate in the planning and coordination activities and be ready to have documentation available that details the in-scope IP ranges for testing when pen testing is being performed. Also be ready to prepare test environments and to support test scenarios defined in the scope. During internal infrastructure penetration tests, oftentimes visitor access badges are required for the penetration testers. Otherwise, there is not much else that is needed to be done prior to the test.

How do we validate vulnerabilities have been remediated? (2022-07-24)

Validating that vulnerabilities have been remediated can be performed using a variety of methods, either in-house or through external independent verification testing. Some organizations prefer to track remediation in-house and possess the resources to independently validate successful remediation, however most seek independent validation and should have a remediation verification test performed. This is why it is critical that a penetration test and a vulnerability assessment be performed in a repeatable manner. Of equal importance is that the individual validating remediation is not the same individual that performed the remediation. Checking one’s own work is not as reliable as having an independent individual check that person’s work.

What penetration test documentation or reporting should I expect to receive when the test is complete? (2022-07-24)

Once the penetration test is complete, you should receive pen test documentation in a report or deliverable detailing all of the findings, recommendations, and supporting evidence. The deliverable should clearly document the scope and boundaries of the engagement as well as the dates the pen testing was performed. Additionally, all detailed findings should be included in their technical format as well as summarized for non-technical audiences. The report should include:

  • Detailed recommendations for improvements that clearly document observed vulnerabilities
  • A discussion of the potential business impacts from identified vulnerabilities
  • Specific instructions for remediating, including instructional references where appropriate
  • Supporting evidence and examples
  • A step-by-step and screen-by-screen walkthrough demonstrating any exploits to allow an organization to understand and reproduce the scenario
  • Executive and summary reports for non-technical audiences

Oftentimes, a separate deliverable is needed that is suitable for consumption by third parties seeking attestation that a network penetration test was performed. A qualified penetration test provider prepares these documents as part of the process when requested by an organization. All deliverables should be of high quality and reviewed with the customer to validate accuracy and ensure recommendations are well understood.

What qualifications should the penetration testing team possess? (2022-07-24)

When a penetration testing provider is hired, the hiring company should expect that every penetration test team includes a dedicated project manager, a skilled and experienced test team, resource coordinator(s), and a point of escalation. The test team should include individuals with in-depth experience across multiple technologies including client platforms, server infrastructures, web application development, and IP networking. The individuals on the team should hold valid certifications relevant to their role such as Offensive Security Certified Professional (OSCP), CREST Registered Tester (CRT), Certified Information Systems Security Professional (CISSP) or equivalent credentials.

When CREST accredited penetration testing is being performed, a CREST CRT tester is used, and any type of test can be delivered as a CREST approved engagement. When a network penetration test is being performed to comply with a regulatory requirement, additional experience or certification may be required to ensure the approach is appropriate and the results are presented in the correct context. For example, a penetration test performed to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement 11.3 is best delivered by individuals holding PCI QSA and PCI PA-QSA credentials. Many skilled penetration testers also hold other technology certifications to demonstrate their knowledge and proficiency.

What are the different options for pen testing? (2022-07-24)

The most common areas selected for pentesting scope typically include external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These are typically all performed as part of a single engagement, but differ in their testing approach.

Web Application Pentest: Based on the sensitivity or value of a web application, an in-depth review is appropriate. There are over 100 specific areas reviewed within each web application. Testing initially begins with conducting information gathering followed by testing configuration and deployment management, identity management, authentication, authorization, session management, data validation, error handling, cryptography strength, business logic, client side security, and other development language specific tests as appropriate. Hedgehog Security’s approach to assessing web applications provides a flexible framework for comprehensively identifying and evaluating technical vulnerabilities. Testing is typically performed with prior knowledge to ensure a deep understanding of the purpose of the application. Credentials are provided to facilitate a review not only from the perspective of an unauthorized user, but also to identify potential authenticated risks such as privilege escalation from an authorized user’s perspective.

External Network Pentest: External network penetration tests focus on the internet facing network as a whole. It begins with reconnaissance to identify potential targets. Any responding network, host, or service may be targeted as a potential entry point into the secured network. While web applications identified may be utilized to gain entry, network penetration testing goes much broader to explore any exposed service and the relationships between them. Vulnerabilities leveraged are pursued to exploit weaknesses and escalate privileges into the internal network.

Internal Network Pentest: Internal network penetration tests are very similar to external penetration tests with the exception of perspective. While an external penetration test is performed remotely to simulate an external attacker, an internal penetration test is performed internal to the network from behind the perimeter firewalls. The general approach is the same as an external penetration test, however the target systems and networks are very different. Performing onsite testing allows the penetration tester to target hosts not exposed externally such as file servers, user workstations, domain controllers, internal application servers, databases, and other connected devices.

Wireless Pentesting: Wireless penetration tests assess the adequacy of multiple security controls designed to protect unauthorized access to your wireless services. Testing analyzes and attempts to exploit wireless vulnerabilities to gain access to private (protected) wireless SSIDs authorized for testing. Additional test scenarios may be performed, such as when guest wireless access is provided to visitors with expectations that access is limited in some way.

Social Engineering (Human Pentesting): Remote social engineering is a remote assessment performed under controlled conditions designed to validate the effectiveness of user security awareness and incident response processes. Testing includes leveraging a carefully crafted fictitious “malicious” website, email campaigns to targeted employees, phone contact, or through other customized attack scenarios. This is commonly performed shortly after security awareness training or education campaigns to validate their effectiveness.

CREST Approved Pen Testing: CREST approved pen testing is typically needed within regulated markets such as healthcare, local government and financial services. Any type of test can be delivered as a CREST approved engagement, but it needs to be defined well beforehand so that the appropriate resources are available. All CREST accredited penetration testing engagements use CREST CRT qualified staff.

Remediation Verification: Remediation verification testing validates identified vulnerabilities have been successfully remediated, providing independent confirmation that corrective measures have been implemented in a manner that prevents exploitation.

Consider a Recurring Pentesting program to assess your safeguards throughout the year for a proactive security approach and manage your risks.

How is the scope of a penetration test defined? (2022-07-24)

Collaboratively, the scope of a penetration test should always be customized to suit the unique nature of the business and understanding of their risk profile. A variety of considerations, both internal and external to an organization, impact and guide the scope of a penetration test:

  • The nature of the business and types of products/services offered
  • Compliance requirements and deadlines
  • Geographic considerations
  • Organizational structure
  • The organization’s strategic plans
  • Customer expectations, especially when an organization acts as a custodian of that customer’s data
  • The value of the company’s assets
  • Redundancy in the environment that may impact sampling thresholds
  • Network segmentation and connectivity
  • The age of different components of the environment
  • Recent or planned changes to the environment

All of these factors need to be discussed and understood to make sure that the scope is appropriate and to ensure that the testing is focused in the areas of the environment that warrant it.

How often should we conduct a penetration test? (2022-07-24)

It depends, as a variety of factors should be thought-through when considering the frequency to conduct penetration tests. When determining what is appropriate include considerations such as:

  • How frequently the environment changes: Tests are often timed to correlate with changes as they near a production ready state.
  • How large the environment is: Larger environments are frequently tested in phases to level the testing effort, remediation activities, and load placed on the environment.
  • Budgetary factors: Testing should be scoped to focus on the most critical assets according to a timeline that is supported by the allocation of security budgets.

Remember that the frequency of the pentesting needs to be adjusted to meet the unique needs of the organization; and it’s important that those needs are understood and incorporated into the testing approach from the beginning.

Performing a Pentest too infrequently allows for a window that increases an organization’s exposure to risks. On the other hand, if testing is done too frequently, there is inadequate time to remediate before testing resumes. Therefore it is important to strike a balance.

Companies that recognize the importance of pentesting, especially CREST accredited penetration testing, will implement testing on a recurring basis. Recurring pentest programs allow the schedule to be more adaptable and are better suited to taking these factors into consideration. They also allow companies to spread the tests out over a longer horizon and increase frequency to narrow the window of exposure. Explore recurring pentesting for your organization to have ongoing verification of your safeguards and to proactively manage your risks.

Is pen testing disruptive to our environment? Will our systems go down? What is the pen testing plan? (2022-07-24T10:14:54+01:00)

If the pentest is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly and comprehensively, to identify potential risks of disruption and adjust the approach accordingly. This planning should be conducted well in advance of the start date of any pentest, to ensure adequate time for communication with project stakeholders. Communication and monitoring should continue throughout the pen testing schedule.

What should we expect from the penetration testing process? (2022-07-24T10:15:59+01:00)

Pentesting is an extremely disciplined process. A penetration testing company should keep all stakeholders well informed through every key stage of the process. As a company seeking pentesting services, you should expect the following (at a minimum):

  • A well-coordinated, planned, documented and communicated approach, so you know what is happening and when
  • A disciplined, repeatable approach
  • An approach customized to suit the unique environment of the business
  • A clearly defined initiation process, planning process, coordinated testing and a collaborative delivery process, to ensure accurate results and a clear understanding of remediation

Review the comprehensive pentest methodology and how we can streamline the process for you.

Why should we have a penetration test performed? (2022-07-24T10:17:49+01:00)

A Pentest should be performed for a variety of reasons. Some of the more common reasons why companies perform network penetration tests include:

  • Most relevant regulatory standards require that a pentest is performed.
  • Pentesting can identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration.
  • Pentesting can be integrated into the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems.
  • Organizations, especially those acting as data custodians, are being required to have testing performed by their customers. Penetration testing can demonstrate a commitment to security from a customer perspective and provide attestation that their assets or services are being managed securely.
  • Pentesting is a common requirement for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organization. Results can be used as input into an on-going Risk Management process.
  • Pentests allow companies to assess the security controls of potential acquisition targets. Most organizations preparing to acquire another organization seek insight into the vulnerabilities they may introduce in doing so, and plan for the costs they may incur to remediate them.
  • To support a breach investigation, penetration testing may tell an organization where the other vulnerabilities may exist in order to have a comprehensive response to the incident.
  • Pentests allow companies to proactively assess for emerging or newly discovered vulnerabilities that were not known or have not yet been widely published.
  • A pentest serves as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting a flaw is typically less costly the earlier in the development lifecycle it is discovered. Additional testing prior to go-live on a production-ready build can identify any remaining issues that might require attention before loading users on the application.

What are the goals of a penetration test? (2022-07-24T10:18:57+01:00)

The goals of a pentest vary greatly based on the scope of the review. Generally speaking, the goal of a pentest is to validate the effectiveness of the security controls designed to protect the systems or assets in scope.

A pentest should always document the goals of the project. Pentesting reports and deliverables outline the expectations, scope, requirements, resources and results. Samples are available upon request.

How does a penetration test differ from an automated vulnerability scan? (2022-07-24T09:35:21+01:00)

Both penetration tests and automated vulnerability scans are useful tools for managing vulnerabilities. While these are different testing methods, they are complementary and both should be performed.

A vulnerability scan is an automated, low-cost method for testing for common software, application, network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective at identifying common vulnerabilities such as missing patches, service misconfigurations and other known weaknesses, it is less reliable at confirming that a reported vulnerability is real, and it does not determine the impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those affecting web applications). Automated vulnerability scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS), as noted in requirement 11.2.

A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities; the bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities that scanners cannot, such as wireless flaws, web application vulnerabilities and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third-party service providers, or a consultancy may have unique access rights for its engineers. Each of these scenarios requires different positioning of the penetration tester within the environment and adjustments to the methodology. Penetration testing is also mandated by the PCI DSS, as noted in requirement 11.3.

What is Penetration Testing? (2022-07-24T09:31:26+01:00)

A penetration test, also known as a “pen test”, is a method for evaluating the effectiveness of an organization's security controls. Testing is performed under controlled conditions, simulating scenarios representative of what a real attacker would attempt. When gaps are identified in a security control, a penetration test goes beyond basic vulnerability scanning to determine how an attacker would escalate access to sensitive information assets: confidential information, personally identifiable information (PII), financial data, intellectual property or any other sensitive information. Penetration testing utilises pen test tools and techniques, guided by a disciplined and repeatable methodology, resulting in a report containing detailed findings and recommendations that allow an organization to implement countermeasures and improve the security posture of the environment. These improvements ultimately reduce the likelihood that an attacker could gain access.

Consider a penetration test as similar to an MOT on a car, or a financial audit of your accounts.

Vulnerability Scanning (2022-07-22T15:35:38+01:00)

CREST Approved Vulnerability Scanning

Our CREST Approved Vulnerability Scanning service is a regulated vulnerability scanning solution, designed to uncover known Cyber Security vulnerabilities, risks and weak configurations.

Vulnerability scanning is an important cybersecurity service for organisations of all sizes and should be performed on a regular basis. We can support daily, weekly, monthly and quarterly scanning, as well as one-off scans.

Each vulnerability scan is consultant-led, with support from our analyst team. Our team will review and validate the findings, removing false positives and, where necessary, enhancing the findings with more data such as improved remediation details. You can also export the findings as CSV files, integrate the portal with Jira and download PDF reports.

Penetration Testing (2022-07-26T10:07:08+01:00)

CREST Approved Penetration Testing

CREST Approved Penetration Testing is our standard. The service is built on 12 years of experience running penetration tests for many clients. The Hedgehog difference is that we provide a fully interactive penetration test.

Through our client portal, you can monitor your test in real time, see what the testers are working on, request assets to be retested, accept risks and chat online with the testers. Our Next Generation Penetration Test service puts the client directly in control of their penetration test.

From single web applications and mobile applications to full PCI-DSS internal infrastructure penetration tests, we have CREST CRT and OSCP qualified local penetration testers who can work on your penetration test projects. Follow along in real time during your test as part of our cybersecurity services.

How much is Cyber Essentials? (2022-08-06T19:55:44+01:00)

This is a question that we get asked a lot. The first thing to state is that the cost of Cyber Essentials is set by IASME and the NCSC and is based on the number of employees in your organisation. Payment for Cyber Essentials is upfront: assessment cannot take place until the payment has been received, simply because IASME must be paid prior to the assessment. The pricing is very simple and the pricing matrix is shown below.

Micro organisations (0-9 employees) £295 +VAT
Small organisations (10-49 employees) £395 +VAT
Medium organisations (50-249 employees) £425 +VAT
Large organisations (250+ employees) £495 +VAT

So the answer to the question of how much Cyber Essentials costs depends on the size of your organisation. For the majority of organisations it is just a case of purchasing the assessment: you fill out the questionnaire and get the result. However, should there be an issue with your answers, you only have 48 hours in which to rectify the issues and resubmit before an overall failure is issued. Once an overall failure is issued, you would need to purchase the assessment again and resubmit your answers.

For organisations who require a little help through the assessment, we offer assistance in the form of hourly blocks. Hourly blocks can be purchased online at the same time as your Cyber Essentials assessment. Once purchased, one of the consulting team will work with you to determine how best to use the time. It may be coaching you through the assessment, or it may be going through your answers prior to submitting them. Our consulting team works closely with our auditors every day, so they are best placed to help.

My organisation is not based in the UK. Can I still obtain Cyber Essentials certification? (2022-07-29T09:01:43+01:00)

The short answer is yes. It does not matter where in the world your business, charity or organisation is based. Regardless of your location, even if you are based overseas or you are a nomadic entity, you will be able to be assessed against the Cyber Essentials standard, and if you are assessed to be compliant then a certificate will be issued.

For nomadic entities, it is important to know which country your entity is based in. For example, if you are cruising the world on a yacht, the designated flag country would be used to establish your base country. For land-based nomadic entities, the country of registration of your company would be used.

Can we still run Windows 7? (2022-07-08T05:41:20+01:00)

No. Windows 7 went End of Life on 14/01/2020.

Where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that would otherwise be unsupported, this will be considered permissible, as technically the software is still supported.

Is Windows Server 2008 end of life? (2022-07-08T05:40:48+01:00)

Yes. Windows Server 2008 went End of Life on 14/01/2020.

Where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that would otherwise be unsupported, this will be considered permissible, as technically the software is still supported.

How is the questionnaire assessed? (2022-07-29T13:21:42+01:00)

When you finish your online questionnaire and click on the submit button, a job is raised within our audit team to assess your questionnaire. The assessment will typically take place within one business day of completion. We will review your submission and mark it against the strict criteria set out by the IASME Consortium and the NCSC. Where we feel we need more information in order to pass you on a particular question, we may set the answer to “needs more information” and send it back to you. Where this happens, all you need to do is expand on the information; the auditor will have put helpful notes on the report so you can understand exactly what they are looking for. Where the answer is a fail, we will talk to you about the issue and work out a way to move forwards.

What is the difference between Cyber Essentials and Cyber Essentials Plus? (2022-07-08T05:39:54+01:00)

Cyber Essentials is a verified self-assessment questionnaire completed by your organisation that clearly demonstrates your organisation's compliance with the Cyber Essentials scheme.

Cyber Essentials Plus is an audit of your network, and is a validation that the information provided in the Cyber Essentials questionnaire is correct and accurate.

What is a sample of our workstations? (2022-07-08T05:38:21+01:00)

When performing a Cyber Essentials Plus audit, the number of machines that we test depends on the size of the organisation. We must test a sample of each type of device on the network to ensure Cyber Essentials compliance. The goal is to test a number of devices that make up 90% of the organisation.

A type of device is a grouping of systems running the same operating system and version. For example, all devices running Windows 10 Pro Version 1903 would be classed as one type, and all devices running Windows 10 Pro Version 2004 would be classed as another type.

From each type, a certain number of devices will be required to be tested.

For example: if an organisation has 50 Microsoft Windows 10 1903 desktops, 30 MacBook Pro (Catalina) laptops and 10 Windows Server 2016 servers, we would test 4 desktops, 4 MacBooks and 3 servers.

What is required for Cyber Essentials? (2022-07-08T05:37:37+01:00)

Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government's Cyber Essentials scheme.
