Penetration
Testing

Penetration testing in the UK typically costs between £2,500 and £15,000+. A standard web application penetration test for a small-to-medium application averages £3,750-£6,250 for 3-5 days of testing. External network testing (1-20 IP addresses) starts from £2,500. Internal network testing for mid-sized organisations typically costs £7,500-£12,500. Complex engagements covering multiple applications, large infrastructure, or cloud environments range from £10,000-£15,000+. All engagements are fixed-price, quoted after a free scoping call with no hidden day rates.

Active testing typically takes 2-5 days depending on scope. A standard web application test runs 3-5 days. External network testing (up to 20 IPs) runs 2-3 days. Internal network testing runs 3-5 days. The full engagement including scoping, testing, and report delivery typically spans 2-3 weeks from kick-off. A 30-day retest window is included in every engagement to verify your remediation efforts.

CREST accreditation is required or strongly recommended if you are subject to FCA cyber resilience requirements, NCSC ITHC for public sector and PSN-connected environments, PCI DSS requirements, NHS DSPT obligations, or if your cyber insurance underwriter specifies accredited testing. For ISO 27001 audits and SOC 2 assessments, auditors generally accept CREST-accredited reports as credible third-party evidence. If you are unsure whether your regulatory context requires CREST, contact us and we will advise.

Yes. Precursor holds CREST company accreditation, and our reports are accepted by UK cyber insurance underwriters, FCA-regulated firms, PCI QSA assessors, NHS supply chain organisations, and ISO 27001 auditors. If your underwriter has specific scope or methodology requirements, share them during the scoping call and we will confirm alignment before work begins.

Vulnerability scanning is an automated process that identifies known vulnerabilities by matching software versions against CVE databases. It produces reports with hundreds of potential issues, many of which are false positives or low risk. Penetration testing is a manual, human-led simulation where ethical hackers actively exploit vulnerabilities, chain multiple issues together, and discover logic flaws that scanners miss entirely. Scanners might flag 100 potential issues; penetration testing confirms which 5 are actually exploitable and demonstrates the real-world business impact of successful attacks.

Three things separate Precursor from most UK penetration testing companies: (1) Closed-loop delivery: your pentest findings feed directly into your remediation workflow and, where applicable, our SOC detection rules; (2) Verifiable CREST accreditation at the company and individual tester level (we do not resell testing delivered by uncertified sub-contractors); (3) Fixed-price engagements with no hidden day rates. Your quote is your invoice. We work with mid-market financial services firms, UK legal practices, NHS supply chain organisations, and technology companies requiring reports that satisfy insurers, regulators, and enterprise customer security questionnaires.

External penetration testers provide three critical advantages: (1) Fresh perspective: internal teams develop blind spots and miss vulnerabilities due to familiarity with systems; (2) Specialist expertise: penetration testing requires dedicated skill sets (exploit development, attack chain construction) that internal teams rarely maintain while managing day-to-day security operations; (3) Independent validation: auditors, regulators, and cyber insurance providers require independent third-party testing, not internal self-assessment. Many organisations use both: internal teams for continuous security monitoring, external specialists for annual offensive testing.

Penetration testing is designed to be non-disruptive when conducted by professional testers. We coordinate testing windows with your team, avoid destructive attacks, and maintain abort codes to immediately cease testing if any critical systems are at risk. For web applications, we use test accounts and non-destructive payloads to avoid impacting real users. For critical production systems, we recommend testing in staging environments that mirror production.

Precursor Security penetration testers hold CREST certification (Registered Tester or Certified Tester), the UK's government-endorsed standard for penetration testing competency. Our testers also hold industry certifications including OSCP and OSCE. All testing is conducted under signed legal agreements defining scope and rules of engagement, findings are delivered via encrypted channels, and our testers undergo DBS checks for sensitive environments. You can verify our CREST membership independently at crest-approved.org.

Yes. Our testers work with modern application architectures including single-page applications (React, Angular, Vue), REST and GraphQL APIs, OAuth 2.0 and SAML authentication flows, microservices, and containerised environments. We test for IDOR, SSRF, business logic flaws, JWT weaknesses, and authentication bypass in addition to the OWASP Top 10. For comprehensive API coverage, we recommend combining a web application test with our dedicated API security assessment.

Yes. Unlike automated scanners that only look for syntax errors, our human testers actively look for logic flaws such as bypassing payment gateways, escalating privileges, or manipulating pricing. Logic flaws represent the most critical vulnerabilities in modern applications because they exploit intended functionality in unintended ways, and scanners cannot detect them.

For web applications, we generally recommend grey box (authenticated) testing. Providing credentials allows us to test the deeper logic of the application as a logged-in user, which is where the majority of critical vulnerabilities (such as IDOR) are found. Black box testing simulates an external attacker with no prior knowledge, while white box testing includes source code review. Grey box strikes the optimal balance between realism and thoroughness.

Yes, if the web application communicates with an API, we test the API endpoints exercised by the application. For a dedicated, comprehensive API assessment including unlinked endpoints, authentication flows, and rate limiting, we recommend our specific API security testing service.

We take extreme care with production data. We recommend testing in a staging environment that mirrors production wherever possible. If we must test in production, we use test accounts and non-destructive payloads to avoid impacting real users. All identified vulnerabilities are reported via encrypted channels, and we never exfiltrate or retain customer data.