Network Penetration Testing UK: Cost, Types and CREST Testers
A network penetration testing engagement is a controlled, manual attack on your own systems, run by a tester you have paid and authorised, to find the holes a real attacker would use before one does. The NCSC defines it as “a method for gaining assurance in the security of an IT system by attempting to breach some, or all, of that system’s security, using the same tools and techniques as an adversary might.” This guide covers what you actually get for your money, the real 2026 UK price ranges, the difference between external and internal tests, and how to find a credible tester without paying for an automated scan dressed up as the real thing.
Penetration testing meaning: a manual attack, not a scan
The most expensive mistake UK buyers make is treating a vulnerability scan and a pen test as the same product. They are not.
A vulnerability scan is automated. A tool crawls your systems, compares what it finds against a database of known weaknesses, and prints a list. It is cheap, fast, and useful as a regular hygiene check, but it does not prove anything can actually be exploited, and it generates false positives a human has to sift.
A penetration test is a person. A qualified tester takes those findings, plus their own reconnaissance, and tries to chain weaknesses together into a working breach, the way an attacker would: gaining a foothold, escalating privileges, moving sideways, reaching the data that matters. The deliverable is not a raw scanner dump but a report that says what they got into, how, what it would let a real attacker do, and the order in which you should fix things.
That distinction is also your sharpest tool for spotting a bad supplier. If a quote is built around a scanner with a thin human review on top, you are buying a scan. The tell-tale signs and the day rate to expect are below.
How much does network penetration testing cost in the UK?
There is no single official price list for pen testing in the UK. The figures below are aggregated from UK provider pricing pages in 2026, so treat them as ranges, not quotes. The honest driver of cost is not a fixed fee: it is the number of tester-days the work needs, which comes straight from your scope.
A manual UK tester’s day rate sits at roughly £1,000 to £1,500 per tester per day, with a fair-market midpoint near £1,200. Wider quotes run from about £800 to £2,500 a day depending on the firm, the seniority of the tester, and the complexity of the target.
Typical full-engagement totals look like this:
| Engagement type | Typical length | Indicative UK range (2026) |
|---|---|---|
| External network test | 3 to 5 days | ~£3,000 to £6,000 |
| Internal network test | 5 to 8 days | ~£5,000 to £12,000 |
| Web application test | 2 to 5 days | ~£2,500 to £8,000 |
| Basic small-business external infra test | short scope | from ~£1,500 to £5,000 |
| Large or compliance-driven full assessment | 10 to 20 days | £20,000 to £25,000+ |
Most mid-market engagements land somewhere around £3,750 to £8,000.
Why is one quote £900 and another £6,000?
Because they are not the same product. A manual day costs the supplier real money in a skilled person’s time, so a day rate under about £500 almost always means the “test” is an automated scan with a report template, not hands-on exploitation. When you compare quotes, normalise them: ask how many tester-days are included, who the named tester is, and whether the exploitation is manual. A cheap number with no tester-days behind it is the expensive option once you account for the breach it misses.
External penetration testing vs internal penetration testing
These two tests answer different questions, and serious buyers usually need both.
External penetration testing simulates an attacker on the internet with no access and no inside knowledge. The tester probes only your internet-facing assets: websites, VPNs, firewalls, email servers, and your public IP ranges. The question it answers is “can someone get in from outside?” This is the test that maps most directly to the perimeter exposure insurers worry about.
Internal penetration testing assumes the perimeter has already failed. The tester works as if they are a malicious insider or a laptop that has been compromised by phishing, sitting on your LAN. From there they look for privilege escalation, lateral movement, weak network segmentation, and routes to sensitive data. The question it answers is “once someone is in, how much damage can they do?”
Running only the external test tells you how good your front door is while ignoring whether the internal doors are all propped open. The two find different classes of problem, which is why best practice is to scope both, often in the same engagement.
Cloud penetration testing services: who is even allowed to test?
Testing cloud infrastructure adds a third party to the authorisation question. With on-premises kit, it is you and your tester. In the cloud it is you, your tester, and the cloud provider's own rules, because you do not own the underlying hardware. The practical effect is that the tester must scope strictly to your own tenant or account and follow the provider's policy.
The major providers have published positions worth knowing before you commission work:
- Microsoft Azure and Microsoft 365: no pre-approval needed, but you must follow Microsoft’s published Penetration Testing Rules of Engagement. Test only your own tenant, no denial-of-service or DDoS testing, and no phishing or social engineering of Microsoft staff.
- AWS: customers may run security assessments and pen tests against a list of permitted services without prior approval, within AWS’s policy.
- Google Cloud: no prior approval or formal notification is required to test your own resources, provided you comply with Google’s Acceptable Use Policy and terms of service.
The recurring rule across all three: you can test what is yours, you cannot touch shared infrastructure or other tenants, and your tester needs to write that boundary into the scope before they start.
CREST vs CHECK: is there a “licensed” penetration tester?
People search for a “licensed penetration tester,” but there is no UK pen testing licence as such. The real signals of credibility are accreditation schemes, and the two names that matter are CREST and CHECK.
CREST (the Council of Registered Ethical Security Testers) is the international body that accredits both companies and individuals for penetration testing, incident response, and threat intelligence. For a typical private-sector UK business, CREST accreditation is the standard you should be asking for. CREST penetration testing from an accredited firm gives you a recognised baseline for methodology and tester competence.
CHECK is the NCSC's own scheme, and it is narrower than most buyers realise. It exists for testing UK public-sector and Critical National Infrastructure systems. A company cannot apply for CHECK unless it is already CREST-accredited; CHECK then layers on tester security clearance and an NCSC-aligned methodology. The NCSC recommends that government bodies use CHECK-accredited companies, as set out in its information for buyers. If you are a private SME, you almost certainly want CREST, not CHECK; asking for CHECK when you do not need it just shrinks your supplier pool and raises the price.
Individual credentials to ask for
Accrediting the firm is not the same as knowing who turns up. Ask for the named testers’ qualifications. The credentials worth seeing include the CREST Registered Penetration Tester (CRT) or Certified Tester (CCT), OSCP, and GXPN. Senior testers typically hold CRT or CCT.
How to verify a tester before you sign
- Check the CREST member directory and confirm the firm’s accreditation is current, not lapsed.
- Ask for the specific named testers on your job and their certifications.
- Request a redacted sample report so you can see the quality of the findings and remediation advice, not just a logo.
- Agree a written scope and rules of engagement before any testing starts. This is also what makes the test legal (see below).
Is penetration testing legal in the UK?
Yes, with one condition that is not optional: the asset owner’s prior written authorisation. The governing law is the Computer Misuse Act 1990, and its “authorised acts” principle is what separates a legitimate test from a criminal offence. The technique can be identical; without your written authorisation, accessing a system is potentially a crime. You can read the Act itself on legislation.gov.uk.
There is movement here. In May 2026 the government announced proposed reform of the Computer Misuse Act as part of a new National Security Bill, expected before Parliament later in 2026. It is worth being clear that this is a proposal, not enacted law, and the proposed statutory defence has been criticised as narrow: reporting suggests it would apply mainly to British nationals holding active UK Cyber Security Council chartered status, a group of only around 300 people, and largely cover scanning of internet-facing systems rather than the full range of defensive work. Whatever lands, the practical rule for a business does not change: only ever engage a reputable accredited firm under a signed scope and authorisation. That signed scope is what keeps everyone on the right side of the law.
Is penetration testing required for Cyber Essentials or my cyber insurance?
No, and pages that imply otherwise are wrong. Cyber Essentials and Cyber Essentials Plus do not require a penetration test. Cyber Essentials Plus is verified through vulnerability scanning and a hands-on assessor check, not an attacker-simulation test. If a supplier tells you that you “need a pen test for Cyber Essentials,” they have misunderstood the scheme.
The accurate framing is that pen testing is optional but valuable. Insurers anchor on Cyber Essentials as their baseline control, not on a pen test. A pen test is the next tier of assurance: it strengthens insurance applications, answers the harder questions in client security questionnaires, and demonstrates security maturity beyond the certification floor. For context on where the insurer baseline sits, our guide to the free £25,000 cyber insurance bundled with Cyber Essentials explains that the IASME-arranged cover is tied to certification, not to testing, and our piece on whether you need cyber insurance at all walks through how those controls fit a real buying decision.
Frequently asked questions
What is the difference between a penetration test and a vulnerability scan? A vulnerability scan is an automated tool that lists known weaknesses. A penetration test is a qualified person who manually tries to exploit and chain those weaknesses into a real breach, then reports what an attacker could actually do. A day rate under about £500 usually signals a scan being sold as a test.
Do I need both external and internal penetration testing? Usually, yes. External testing checks whether an outsider can get in through your internet-facing assets. Internal testing checks how far an attacker could spread once inside. They find different problems, so most serious engagements scope both, often together.
Should a private UK business look for CREST or CHECK? CREST. CHECK is the NCSC scheme for public-sector and Critical National Infrastructure systems, and a firm must already be CREST-accredited before it can hold CHECK. A typical private SME should ask for CREST accreditation and named tester certifications such as CRT, CCT or OSCP.
Is penetration testing required for Cyber Essentials Plus or for cyber insurance? No. Cyber Essentials Plus uses vulnerability scanning and assessor verification, not a pen test, and insurers anchor on Cyber Essentials as the baseline. A pen test is an optional maturity step that helps with higher insurance limits and security questionnaires.
How often should we run a pen test? The accepted answer is at least annually and after any significant change, such as a new application, a network redesign, or a major cloud migration. For cardholder data environments, PCI DSS v4.0 requires testing at least every 12 months and after major changes.
Can we legally have our AWS, Azure or Microsoft 365 environment tested? Yes, with two layers of permission. You must give your tester written authorisation under the Computer Misuse Act, and the test must stay inside the cloud provider’s rules of engagement, scoped only to your own tenant or account. Microsoft, AWS and Google all permit testing of your own resources without pre-approval, subject to their published policies.