
VULNERABILITY & TECHNICAL

Penetration testing — what it is, when you need it, and what to do with the results.

Penetration testing is frequently misunderstood — confused with vulnerability scanning, assumed to be required for Cyber Essentials, or treated as a one-time exercise. Here is what it actually is and when your organisation needs it.

What penetration testing is

A penetration test — or pen test — is a structured, authorised attempt to compromise your systems by a qualified security professional. Unlike a vulnerability scan, which identifies weaknesses automatically, a pen test involves a human assessor actively attempting to exploit those weaknesses.

A pen test answers a different question to a vulnerability scan. A scan asks: what weaknesses exist? A pen test asks: can those weaknesses be exploited, and what could an attacker actually do?

Penetration testing is not required for Cyber Essentials

This is one of the most common misconceptions. Cyber Essentials does not require a penetration test. Cyber Essentials Plus requires a vulnerability scan and hands-on verification of controls — but that is conducted by an accredited assessor as part of the CE Plus process, not by a separate penetration tester.

If a buyer has asked for "Cyber Essentials and a penetration test", those are two separate requirements. CE Plus does not include a pen test. If they need both, they need to specify both.

When penetration testing is appropriate

Penetration testing is appropriate when you need to understand the real-world exploitability of vulnerabilities, when a buyer or regulator specifically requires it, when you have made significant changes to your environment, or when you are assessing the security of a specific application or service before launch.

What to do with the results

A pen test report will include findings categorised by severity, a description of how each was exploited, and remediation recommendations. Prioritise the critical and high findings, understand the context behind each rating (what was reachable, what data or systems were affected, and whether findings were chained together), and remediate systematically. Do not file the report away: the value is in the remediation.

PENETRATION TESTING AND CYBER ESSENTIALS ARE DIFFERENT THINGS

Cyber Essentials does not require a penetration test. If a buyer has asked for both, they are separate requirements. If you are not sure whether your buyer is asking for a pen test or a vulnerability scan or CE Plus, ask them to clarify in writing.
