Hedgehog Security
Penetration Testing (2022-08-10)

CREST Approved Penetration Testing: identify your Cyber Security weaknesses

CREST Approved Penetration Testing: our testing service is approved and regulated by CREST, the Council for Ethical Security Testers, in the UK and is fully aligned with the CREST Defensible Penetration Test standard. We offer a full-scope, multi-layered attack simulation orchestrated from the perspective of a malicious threat actor. We design our penetration tests to measure how prepared your organisation is to withstand an attack from adversaries. Our end goal is to uncover risks and vulnerabilities.

What is Penetration Testing?

Penetration testing, also called pentesting or a pentest, is defined by the UK’s NCSC (National Cyber Security Centre) as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” CREST Approved pen testing is where a testing firm such as ourselves has completed a rigorous quality and technical assessment to ensure that we meet the standards set down by CREST, the UK regulator for pen testing, and deliver testing in a manner that is called Defensible Penetration Testing. We remain one of the few independent CREST accredited penetration testing companies in the UK and Europe.

Pentesting is similar to a financial audit

Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient. A well-structured and scoped pentest needs to be more than a simple point-in-time test.

Penetration Testing evolved

Our pentesting offering has evolved to a service-led offering, enabling regular repeated testing quickly and easily. There are seven stages of testing that form the backbone of our comprehensive penetration testing methodology. You can read more about our seven steps of a pentest here, and find out what to expect from your penetration test here.

In a perfect world, a pentest will highlight known issues. It will also find subtle problems that, when chained together, evolve into significant risks.

CREST Defensible Penetration Test

All of our Penetration Testing engagements are aligned and comply with the CREST Defensible Penetration Test standard. We put Cyber Security First in all things we do and we have published our penetration testing methodology here on our site.

Why CREST Approved Pen Testing?

It is actually very logical. With a CREST approved firm, you know that they are ISO27001, ISO9001 and Cyber Essentials Plus certified. You know that they hold all the required insurance to perform high risk work. And you know that their staff meet a technical training and experience level that ensures every pentest is completed to a high standard.

A CREST accredited penetration test in the UK does take longer, and it does cost more, but you are guaranteed a professional and thorough test.

What makes up a CREST Defensible Penetration Test?


We start by working with clients to define a very detailed scope. The scoping phase is essential for ensuring that the penetration test aligns with the assurance goals and objectives. This is achieved by working to as detailed a scope as possible. Sometimes this can be as high level as “do a web application penetration test against x” or it could be as detailed as going into specifics on what should be tested. The outcome, though, is a very detailed worksheet for the testers to work through as per our pentesting methodology. At the end of the day, the scoping will always be performed by one of our senior test team or our CISO, all of whom have signed the CREST Code of Conduct. This is why our CREST Defensible Penetration Test is not cheap penetration testing. A CREST Defensible penetration test is vastly more in-depth and complicated, using specific highly qualified individuals.

Delivery and Execution

The delivery phase is carried out in line with CREST Accredited methodology. All of the testers involved in your penetration test will be at least OSCP or CRT qualified and will have specialisms in particular sub-cultures of penetration testing. For example, if Wireless, OT or IoT is involved, you can be certain that Peter Bassill will be the one to carry out the testing. Regardless, all of the test team have signed the CREST Code of Conduct.

Penetration Test Signoff

The sign off phase is conducted by Peter and Leticia. Both are CISSP qualified and work on the virtual CISO side of the business managing security teams and multiple test cycles for clients. It is their job to ensure that the test has completed everything listed in the scope and more, and that the testers have deep dived into any areas of interest.

Depending on the size of the test, signoff can take between one and three days. There is test evidence to review and screencasts to watch. Once the test report is signed off, it is published as a PDF report on our testing portal and a remediation workbook is created as an Excel workbook.

Our Penetration Testing Services

Standard Penetration Testing

A standard pentest can be a one-off, whether it is a single web application or external infrastructure all the way to complex internal infrastructure testing for PCI-DSS annual compliance. Or it can be part of a series of pentests. We offer total flexibility to meet your testing needs and far beyond what you would traditionally receive in a penetration test. Our client portal provides additional services that enhance your CREST accredited penetration testing engagement to give that next generation of security testing coverage. But if you still need that single point in time, our standard penetration test, then we can still help.

A team leader leads each penetration test from within the UK. Our team leaders ensure your testers’ narrative helps you understand how we got the results. The tester uploads the description to the test portal, where customers can interact with the findings rather than reading from an extensive static report. You can also export the results as CSV files, integrate the portal into Jira and download PDF reports.

We can test multiple assets, from your people and internal business processes to web and mobile applications, brochure sites, industrial control systems, internal and external infrastructure, cloud services, and more.

Pentesting as a Service

Pentesting-as-a-Service takes our testing service to a new level. With our pentesting as a service offering, we use service tokens to allow clients to create their testing projects and mini engagements. Each token is the equivalent of a half-day test time and can be used for anything from monthly or weekly vulnerability management to red-team testing. You purchase several tokens and then use them in the test portal as you need them.

Pentesting as a Service Cost

With the service based around tokens, the service’s pricing is relatively simple. You start with 20 tokens at £9,500. Further tokens are then purchased at £400 per token. If you are looking for cheap penetration testing, then purchasing the pentest tokens is by far the lowest cost way forward.

How does it work?

Once you have purchased tokens, your assigned test team leader will be in touch. They will set you up on our test portal and arrange a short 30-minute training session for you so you know where everything is. From there you can request testing projects directly with your assigned test team.

Standards of Training for Pentesters

The standards of training, and experience, for pentesters at Hedgehog are high. All of our qualified penetration testers must hold the OSCP (Offensive Security Certified Professional) qualification and be at least a CREST Registered Tester.

Testers engaged in CREST approved pen testing will hold the CREST CPSA and CRT qualifications and will have a relevant specialism. That specialism may be in infrastructure testing, web application testing or in industrial control systems. Only these testers are ever authorised to deliver CREST accredited penetration testing for clients.

What Is the Difference Between Vulnerability Scans and Pen Tests?

Vulnerability scanners are automated tools.  Scanners examine an environment and, upon completion, create a report of uncovered vulnerabilities. These scanners often list these vulnerabilities using CVE identifiers that provide information on known weaknesses. They commonly score vulnerabilities out of 10 using the CVSS scoring system. With the CVSS system, the lower the score, the less risk.

Scanners can uncover thousands of vulnerabilities, so there may be enough severe vulnerabilities that further prioritization is needed. Additionally, these scores do not account for the circumstances of each IT environment. Penetration testing does.

While vulnerability scans provide a valuable picture of potential security weaknesses, penetration tests can add additional context by testing whether those vulnerabilities can be used to gain access to your environment. Pentests can also help prioritize remediation plans based on what poses the most risk.

Why is Pen Testing Important?

Pen testing evaluates an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls and gain unauthorized or privileged access to protected assets.

Pen tests provide detailed information on actual, exploitable security threats. By performing a penetration test, you can proactively identify which vulnerabilities are most critical, which are less significant, and which are false positives. This allows organizations to more intelligently prioritize remediation.

These days, there’s no one solution to prevent a breach. Organizations must now have a portfolio of defensive security mechanisms and tools. Even with these vital security tools, it’s difficult to find and eliminate every vulnerability in an IT environment. Pen testing takes a proactive approach, uncovering weaknesses so that organizations know what remediation is needed.

Without the proper visibility into your environment as a whole, changing your security posture may result in you eliminating something that was not actually problematic. Pen tests don’t only tell you what isn’t working. They also serve as quality assurance checks, so you’ll also find out what policies are most effective, and what tools are providing the highest ROI. With these insights an organization can also intelligently allocate security resources, ensuring that they are available when and where they are needed most.

How can you be confident in your security posture if you do not effectively test it? By regularly putting your security infrastructure and your security team through their paces, you won’t have to wonder hypothetically what an attack will look like and how you’ll respond. You’ll have safely experienced one, and will know how to prepare to ensure your organization is never caught off guard.

Penetration testing helps organizations address the general auditing and compliance aspects of regulations and industry best practices. By exploiting an organization’s infrastructure, pen testing can demonstrate exactly how an attacker could gain access to sensitive data. As attack strategies grow and evolve, periodic mandated testing makes certain that organizations can stay one step ahead by uncovering and fixing security weaknesses before they can be exploited.

Additionally, for auditors, these tests can also verify that other mandated security measures are in place or working properly. The detailed reports that pen tests generate can help organizations illustrate ongoing due diligence to maintaining required security controls.

Frequently Asked Questions (FAQ)

What is Penetration Testing? (2022-07-24)

A penetration test, also known as a “pen test”, is a method for evaluating the effectiveness of an organization’s security controls. Testing is performed under controlled conditions, simulating scenarios representative of what a real attacker would attempt. When gaps are identified in a security control, a penetration test goes beyond basic vulnerability scanning to determine how an attacker would escalate access to sensitive information assets, confidential information, personally identifiable information (PII), financial data, intellectual property or any other sensitive information. Penetration testing utilises pen test tools and techniques, guided by a disciplined and repeatable methodology, resulting in a report containing detailed findings and recommendations that allow an organization to implement countermeasures and improve the security posture of the environment. These improvements ultimately reduce the likelihood an attacker could gain access.

Consider penetration testing as similar to an MOT on a car, or a financial audit of your accounts.

What are the different options for pen testing? (2022-07-24)

The most common areas selected for pentesting scope typically include external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These are typically all performed as part of a single engagement, but differ in their testing approach.

Web Application Pentest: Based on the sensitivity or value of a web application, an in-depth review is appropriate. There are over 100 specific areas reviewed within each web application. Testing initially begins with conducting information gathering followed by testing configuration and deployment management, identity management, authentication, authorization, session management, data validation, error handling, cryptography strength, business logic, client side security, and other development language specific tests as appropriate. Hedgehog Security’s approach to assessing web applications provides a flexible framework for comprehensively identifying and evaluating technical vulnerabilities. Testing is typically performed with prior knowledge to ensure a deep understanding of the purpose of the application. Credentials are provided to facilitate a review not only from the perspective of an unauthorized user, but also to identify potential authenticated risks such as privilege escalation from an authorized user’s perspective.

External Network Pentest: External network penetration tests focus on the internet facing network as a whole. It begins with reconnaissance to identify potential targets. Any responding network, host, or service may be targeted as a potential entry point into the secured network. While web applications identified may be utilized to gain entry, network penetration testing goes much broader to explore any exposed service and the relationships between them. Vulnerabilities leveraged are pursued to exploit weaknesses and escalate privileges into the internal network.

Internal Network Pentest: Internal network penetration tests are very similar to external penetration tests with the exception of perspective. While an external penetration test is performed remotely to simulate an external attacker, an internal penetration test is performed internal to the network from behind the perimeter firewalls. The general approach is the same as an external penetration test, however the target systems and networks are very different. Performing onsite testing allows the penetration tester to target hosts not exposed externally such as file servers, user workstations, domain controllers, internal application servers, databases, and other connected devices.

Wireless Pentesting: Wireless penetration tests assess the adequacy of multiple security controls designed to protect unauthorized access to your wireless services. Testing analyzes and attempts to exploit wireless vulnerabilities to gain access to private (protected) wireless SSIDs authorized for testing. Additional test scenarios may be performed, such as when guest wireless access is provided to visitors with expectations that access is limited in some way.

Social Engineering (Human Pentesting): Remote social engineering is a remote assessment performed under controlled conditions designed to validate the effectiveness of user security awareness and incident response processes. Testing includes leveraging a carefully crafted fictitious “malicious” website, email campaigns to targeted employees, phone contact, or through other customized attack scenarios. This is commonly performed shortly after security awareness training or education campaigns to validate their effectiveness.

CREST Approved Pen Testing: CREST approved pen testing is typically needed within regulated market places such as healthcare, local government, financial services etc. Any type of test can be delivered as a CREST approved pen testing engagement, but it needs to be defined well beforehand so that the appropriate resources are available. All CREST accredited penetration testing engagements use CREST CRT qualified staff.

Remediation Verification: Remediation verification testing validates identified vulnerabilities have been successfully remediated, providing independent confirmation that corrective measures have been implemented in a manner that prevents exploitation.

Consider a Recurring Pentesting program to assess your safeguards throughout the year for a proactive security approach and manage your risks.

How often should we conduct a penetration test? (2022-07-24)

It depends, as a variety of factors should be thought through when considering how frequently to conduct penetration tests. When determining what is appropriate, include considerations such as:

  • How frequently the environment changes: Tests are often timed to correlate with changes as they near a production ready state.
  • How large the environment is: Larger environments are frequently tested in phases to level the testing effort, remediation activities, and load placed on the environment.
  • Budgetary factors: Testing should be scoped to focus on the most critical assets according to a timeline that is supported by the allocation of security budgets.

Remember that the frequency of the pentesting needs to be adjusted to meet the unique needs of the organization; and it’s important that those needs are understood and incorporated into the testing approach from the beginning.

Performing a Pentest too infrequently allows for a window that increases an organization’s exposure to risks. On the other hand, if testing is done too frequently, there is inadequate time to remediate before testing resumes. Therefore it is important to strike a balance.

Companies that recognize the importance of pentesting, especially CREST accredited penetration testing, will implement testing on a recurring basis. Recurring pentest programs allow the schedule to be more adaptable and are better suited to take these factors into consideration. Recurring pen testing programs also allow companies to spread the tests out over a longer horizon and increase frequency to narrow the window for exposure. Explore Recurring PenTesting for your organization to have ongoing verification of your safeguards and to proactively manage your risks.

Is pen testing disruptive to our environment? Will our systems go down? What is the pen testing plan? (2022-07-24)

If the pentest is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly, and comprehensively, to identify potential risks for disruption and adjust the approach accordingly. This planning should be conducted well in advance of the start date of any pentest in order to ensure adequate time for communication to project stakeholders. The communication and monitoring should continue throughout the pen testing schedule.

Does your Pentest satisfy ‘x’ Compliance Requirements? (2022-07-24)

A question we hear often is whether we can meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards including PCI, HIPAA, SOC2, and others. That said, each compliance standard is different. For example, CREST approved pen testing requires specific tester qualifications. These requirements should be discussed before moving forward. Contact us for more details.

How much of your Penetration Testing is Automated vs. Manual? (2022-07-24)

A question not enough people ask is how much of the testing is automated vs. manual. While automated tools are a brief step early in our process, a large majority of our testing is manual. The amount of manual work varies project-to-project, but around 80% of the pentest is hands-on for large infrastructure pentests. For web application penetration tests, it is around 95% of the pentest that is hands-on. It is safe to assume that for CREST approved pen testing, the hands-on level is higher still.

This isn’t to say automated vulnerability scanners don’t have a place; vulnerability scans are quick and simple tools that should be used on a regular basis to identify missing patches or outdated software in larger unknown environments.

What is CREST accredited penetration testing? (2022-07-26)

CREST accredited penetration testing (also referred to as pentesting, pen testing and the often confusing PEN testing; no, we do not know why people capitalise the shortening of Penetration either) is a type of ethical or white hat hacking engagement designed to identify and address security vulnerabilities in your people, processes and technology. Most often a penetration test is focused on an element of your technology, such as networks, systems and applications. Pen testing takes different forms and can cover many areas. However, not all penetration testing companies work to the same standards, so there can be an inherent risk in allowing a provider to access important assets and data.

A CREST penetration test is an assessment conducted by a CREST-accredited provider. CREST accreditation demonstrates that a company conducts and documents penetration testing in accordance with the highest legal, ethical and technical standards.

In order to perform CREST accredited testing, a testing company must have in place the following:

  • ISO9001 certification
  • ISO27001 certification
  • Cyber Essentials certification
  • Cyber Essentials Plus certification
  • Professional Liability insurance
  • Public Liability insurance
  • CREST Registered Testers on staff
  • A fully documented complaints process

This all takes time and investment which is why you will find that CREST accredited penetration testing costs more than run-of-the-mill, off-the-shelf penetration testing that can be purchased from the unregulated testing market.

How do we prepare for a penetration test? (2022-07-24)

In general, there is no need for anything special to prepare for a penetration test with respect to how security controls are managed on a day-to-day basis. Remember that a penetration test is a point in time review of the environment. The test is going to assess the security posture at that particular point in time. If patches are deployed every Wednesday, for example, there is no need to change this behavior to accommodate the penetration test itself. If the results of the infrastructure penetration test determine this process requires attention, then that would be the appropriate time to adjust.

An organization should expect to participate in preparation activities related to planning the penetration test itself to ensure the test can be performed under controlled conditions. Some preparation related to positioning the tester may also be needed, specifically when testing is being performed onsite.

The hiring company should be prepared to participate in the planning and coordination activities and be ready to have documentation available that details the in-scope IP ranges for testing when pen testing is being performed. Also be ready to prepare test environments and to support test scenarios defined in the scope. During internal infrastructure penetration tests, oftentimes visitor access badges are required for the penetration testers. Otherwise, there is not much else that is needed to be done prior to the test.

Should we fix all of the vulnerabilities that are reported? (2022-07-24)

You should evaluate all of the vulnerabilities using a risk-based model first. Each vulnerability should be evaluated for business impact and probability of being exploited to ultimately assign a risk rating. Companies should have risk criteria defined in order to determine thresholds for remediation. Vulnerabilities above the threshold should be remediated or appropriately compensated for in order to bring them within tolerable risk levels. A vulnerability that is within an acceptable threshold may not require remediation and instead may simply be monitored over time in case the risk level changes. The penetration test or vulnerability scan deliverables should contribute to this process. In certain compliance situations, specific vulnerabilities may be viewed as compliance gaps; and those gaps typically are either remediated or compensating controls are put in place when remediation is not possible.

How is the scope of a penetration test defined? (2022-07-24)

The scope of a penetration test should always be defined collaboratively and customized to suit the unique nature of the business and its risk profile. A variety of considerations, both internal and external to an organization, impact and guide the scope of a penetration test:

  • The nature of the business and types of products/services offered
  • Compliance requirements and deadlines
  • Geographic considerations
  • Organizational structure
  • The organization’s strategic plans
  • Customer expectations, especially when an organization acts as a custodian of that customer’s data
  • The value of the company’s assets
  • Redundancy in the environment that may impact sampling thresholds
  • Network segmentation and connectivity
  • The age of different components of the environment
  • Recent or planned changes to the environment

All of these factors need to be discussed and understood to make sure that the scope is appropriate and to ensure that the testing is focused in the areas of the environment that warrant it.
