Penetration Testing

We believe that we exist to secure the connected and grant the opportunity of a better online life. Penetration testing helps you achieve that.

We demonstrate this in the way we conduct our Penetration Testing. Just running a bunch of scripts from a Kali installed laptop is not penetration testing. We use experience, skill, research and human intuition to provide the best penetration testing on the market.

Penetration Testing with Hedgehog

Penetration Testing is also known as pen testing or ethical hacking. It is the systematic process of discovering security weaknesses and vulnerabilities within people, process and technology.

Penetration testing is about viewing your network, application, device, or physical security through the eyes of an attacker. Testing identifies cybersecurity vulnerabilities in people, process and technology. An experienced penetration tester can locate:

    • Where a hacker might target you
    • How they would attack
    • How your defences would fare
    • The possible magnitude of the breach

 

Pen testing seeks to identify flaws and weaknesses in people, process and technology. Most commonly, it identifies security issues in networks, systems and applications. 

It is possible to purchase cheap automated penetration testing. Such services do exist and can identify some cybersecurity issues. Proper penetration testing manually considers and confirms all of the automated results. It is also the results of real testing that can accurately determine the business’s vulnerability to attack.

In the complex cybersecurity landscape, pen testing has become a must for almost every industry. For many organisations and businesses, it is the law to conduct penetration testing at least annually. For instance:

  • Health organisations under the GDPR and DPA;
  • Financial institutions test for FCA compliance;
  • Businesses accepting or processing payment cards must comply with Payment Card Industry standards;
  • Regional and local governments under the CESG rules; and
  • All companies with personal information of individuals under the GDPR and DPA.
 

Even businesses that might think they don’t have any valuable information to protect could be at risk of someone trying to take over the network, install malware, disrupt services, and more. The rise in ransomware attacks and extortion since the COVID outbreak has been incredible. For many of the victims of these attacks, penetration testing would have identified the cybersecurity weaknesses before the attack. With so many bad actors out there, penetration testing keeps up with evolving technology.

During a penetration test, the attackers, played by our penetration testers, act on your behalf to find and test security weaknesses: the weaknesses that criminals or people with malicious intent could exploit. We do this following a methodology. The best way to think of a methodology is as a recipe book; it is the guide at the centre of everything we do on penetration tests. Our methodology is the Penetration Testing Execution Standard. We further incorporate the penetration testing methodology for web applications, the OWASP Testing Guidelines v4.

Hedgehog Security is a CREST approved member company operating in the UK, across Europe, the Middle East and Asia. Hedgehog Security is authorised to conduct Penetration Testing, Vulnerability Assessments and Cyber Security Consulting, as well as carrying out Cyber Essentials assessments through IASME.

Our Testers

Our testing team are all cyber security professionals who spend 25% of their year researching new techniques, understanding the latest attacks and keeping up their professional qualifications. A lot of time is spent going to conferences, speaking at conferences, helping teach youngsters and working within our mentoring project.

Their skills are honed over time to mimic the methods used by criminals. They do this without causing you damage. All of our testing staff have one thing in common, and that is the level of qualification they must possess prior to conducting any form of penetration testing on clients' assets.

At Hedgehog, we recognise the OSCP and the CREST CRT as the minimum level of qualification for carrying out any pentesting. This means that all staff involved in your penetration test will be very well qualified for the job at hand.

7 Steps of Penetration Testing

There are a total of seven steps in our methodology:

Our Approach

Our approach to every test follows the Penetration Testing Execution Standard and the OWASP Testing Guidelines in their current form. These methodologies are then wrapped into our CREST approved testing methodology.

Pentesting can be performed as black box tests where the tester has zero knowledge of the environment. A grey box penetration test is where the tester has minimal information. A white box test is where the tester has a starting knowledge of the environment. For the ultimate in penetration testing, we can perform a comprehensive Red Team style test.

All tests are performed by highly qualified penetration testers. All testers are OSCP, OSWE and CREST CRT qualified. We simulate real-world attacker techniques and our testing covers, comprehensively, all necessary aspects to satisfy FCA, PCI-DSS and Government requirements for a penetration test.

What does a Pentest cost?

There appears to be much secrecy in the cybersecurity and pentesting industry over the cost of penetration testing. We removed the mystery.

Types of Penetration Testing Performed

In the table below, you can see our core areas of penetration testing along with the common objectives and the benefits the testing brings to the business. Along with this, we have included an example price. The example price is based around a typical small engagement for a small business with outsourced IT systems, 2 web applications and 50 staff.

For an accurate price on your pentesting needs, simply call or email us and we will be more than happy to have a scoping call and provide you with an accurate cost and timescale.

| Our Test Type | Objective | Benefit |
|---|---|---|
| External Test | Identify and exploit vulnerabilities on systems, services and applications exposed to the internet. | Understand risks to assets exposed to the internet. Identify each vulnerability and determine the need for fixing. |
| Internal Test | Simulate a malicious insider or an attacker that has gained access to an end-user system, including escalating privileges, installing custom malware or extracting critical data. | Understand risk to business from a breach. Identify each vulnerability and determine the need for fixing. |
| Web Application Testing | Comprehensively assess web or mobile applications for vulnerabilities that can lead to unauthorised access or data exposure. | Understand the security of applications that grant access to critical data. Identify each vulnerability and determine the need for fixing. |
| Mobile Device Testing | Comprehensively assess the security of mobile devices and installed applications. | Understand risk introduced through mobile applications. Identify each vulnerability and determine the need for fixing. |
| Social Engineering | Assess the security awareness and general security controls with respect to human manipulation, including email, phone, media drops and physical access. | Understand how an organisation reacts to exploitation of human assets. |
| Wireless Testing | Assess the security of your deployed wireless solutions, including traditional 802.x networks, Bluetooth, Zigbee, Sub-1GHz, infrared and satellite networks. | Understand how secure data in transit and systems communication via wireless technology actually are. Identify each vulnerability and determine the need for fixing. |
| Embedded / IoT Device Testing | Assess the security of your device(s) by attempting to exploit the embedded firmware, control the device by passing or injecting malicious commands or modify data sent from the device. | Understand the security of devices and the ability to guarantee that the commands issued to and information received from the device are safe. |
| Industrial Control System Testing | Combine penetration testing and exploitation experience with ICS expert knowledge to prove the extent an attacker can access, exploit or otherwise interfere with critical ICS/SCADA systems. | Understand the vulnerabilities in an ICS/SCADA environment before an attacker is able to exploit them. |
| | Test your internal and external networks along with your Cardholder Data Environment against requirement 11.3 of the PCI-DSS. | Identify areas of your systems that do not meet the requirements of 11.3 of the PCI-DSS and fix them prior to your audit. |

Frequently Asked Questions

It is amazing how many different ways we see a penetration test being titled. It really does not matter if you call it a pen test, a pentest, a PEN test or a penetration test. They all mean the same thing and really they are all penetration testing.

A Penetration test should be performed for a variety of reasons. Some of the more common reasons why companies perform a penetration test include:

  1. Most relevant regulatory standards require a penetration test to be performed.
  2. A penetration test can identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration.
  3. The penetration test can be integrated into the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems.
  4. Organizations, especially those acting as data custodians, are being required to have testing performed by their customers, and by law. A penetration test can demonstrate a commitment to security from a customer perspective and provide attestation that their assets or services are being managed securely.
  5. Penetration Testing is required as part of GDPR.
  6. A penetration test is a common requirement for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organization. Results can be used as input into an on-going Risk Management process.
  7. Penetration testing allows companies to assess the security controls of potential acquisition targets. Most organizations preparing to acquire an organization seek insights into the vulnerabilities they may introduce in doing so and plan for the costs they may be incurring to remediate.
  8. Penetration testing should be conducted to support your annual data protection audit.
  9. To support a breach investigation, penetration testing may tell an organization where the other vulnerabilities may exist in order to have a comprehensive response to the incident.
  10. A regular penetration test allows companies to proactively assess for emerging or newly discovered vulnerabilities that were not known or have not yet been widely published.
  11. Penetration testing serves as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting flaws is typically less costly the earlier in the development lifecycle that they are discovered. Additional testing prior to go-live on a production-ready build can identify any remaining issues that might require attention before loading users on the application.

Penetration testing duration and costs can vary significantly depending on multiple variables.  

Scoping details such as network IP addresses, complexity (and number) of applications, and employees for social engineering are key factors to determining project size.  Accounting for these variables, our team works diligently to match the scope details with the security needs of your organization.

With that said, there are trends and ranges for projects we tend to see. Penetration tests generally start around the £8,000 range, but can grow into six figures for large, in-depth projects.

We also offer discounts for multiple-year contracts, ensuring your organization both has a consistent pentesting partner and can stretch security budgets further.

Similar to the above question on pricing, the length of a penetration test depends on multiple variables. Penetration testing is a hands-on assessment not suited for short, quick sprints. At Hedgehog we tend to see projects starting at about one week, but most projects go multiple weeks or even months. Some tests can take much longer than others, depending on the number of vulnerabilities identified and whether or not those vulnerabilities are exploitable.

Both penetration tests and automated vulnerability scans are useful tools for identifying and locating vulnerabilities and then enabling the successful management of those vulnerabilities. While penetration testing and vulnerability scanning are different, it is impossible to perform a penetration test without performing any form of vulnerability scanning. They are also complementary: while a penetration test should be performed at least yearly, if not every 6 months, a vulnerability scan should be performed monthly.

A vulnerability scan is an automated, low-cost method for testing common network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations, and other known weaknesses, it is not as accurate in validating vulnerabilities, nor does it fully determine the impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those impacting web applications). Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.

A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third party service providers, or a consultancy may have unique access rights for their engineers. Each of these scenarios would require different positioning of the penetration tester within the environment and requires adjustments to the methodology. Penetration testing is also mandated by the PCI DSS as noted in requirement 11.3.

Penetration testing and automated vulnerability scans both serve a purpose and both types of testing belong in a comprehensive vulnerability assessment program. Automated vulnerability scanning should be scheduled to run on a frequent basis, ideally at least weekly, with network penetration tests scheduled quarterly or when significant changes are planned to an environment.

If the pen test is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly, and comprehensively, to identify potential risks for disruption and adjust the approach accordingly. This planning should be conducted well in advance of any testing start date in order to ensure adequate time for communication to project stakeholders. The communication and monitoring should continue throughout the pen testing schedule.

We understand that clients often have hard deadlines that they’re trying to meet.


Whether you’re trying to meet client requirements which rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Unfortunately, manual penetration testing takes some planning & preparation for our assessment team and our schedule can be filled as much as 2-6 weeks out.

With that said, if you have an urgent project feel free to contact us about timelines.  Depending on needs and timelines, we may have the ability to pull resources off of a research project & get started immediately.  

A question not enough people ask is how much of the testing is automated vs. manual. While automated tools are a brief step early in our process, a large majority of our testing is manual. The amount of manual work varies project-to-project, but around 95% of the pentest is hands-on.

This isn’t to say automated vulnerability scanners don’t have a place; vulnerability scans are quick and simple tools that should be used on a regular basis to identify missing patches or outdated software in larger unknown environments.

Early in the process we try to familiarize ourselves with your company & the scope of work so that we’re able to create an accurate proposal. We intentionally gather this information so that we never come back requesting more testing time (and additional costs). The more information you’re willing to share, the better assessment we can provide.

With that said, some clients may be seeking a blackbox approach where little information is provided, simulating a real-world attack and response. In this scenario, we still need to grasp the size/complexity needed for testing and therefore have some basic questions to scope.

A question we hear often is can we meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards including PCI, HIPAA, SOC2, and others.  That said, each compliance standard is different and should be discussed before moving forward. Contact us for more details.

Penetration Testing News

The Spartacus Connection Attack

One of the cool things about my job is that I get to blue-sky think some crazy ideas. Today started like nothing out of the ordinary. I was working on an engagement for a client, with the express goal of joining their company.

Installing OpenVAS

Let's get down and dirty installing OpenVAS. OpenVAS is a free-to-use vulnerability scanner that was originally forked from the open source Nessus project. One of the most common complaints I receive from my students is that OpenVAS is next to impossible to install.

Installing Metasploit

Let's get down and dirty installing Metasploit. One of the most common complaints I receive from my students is that they cannot get Metasploit to install so revert to Windows. If you have been following along in my Pentest Workstation series you will have built your Ubuntu workstation.
