Penetration Testing

Penetration testing (also referred to as ‘pen testing’) is an effective method of determining the security of your networks and web applications, helping your organisation identify the best way of protecting its assets.

Understanding the vulnerabilities you face allows you to focus your efforts, rather than using broad methods that may need heavy investment without a guarantee that the vulnerabilities in your systems have been addressed.


What is penetration testing?

Penetration testing is a systematic process of probing for vulnerabilities in your applications and networks. It is essentially a controlled form of hacking in which the ‘attackers’ operate on your behalf to find the sorts of weaknesses that criminals exploit.

The process of penetration testing involves assessing your chosen systems for any potential weaknesses that could result from poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

An experienced penetration tester can mimic the techniques used by criminals without causing damage. These tests are usually conducted outside business hours or when networks and applications are least used, thereby minimising the impact on everyday operations.

Why IT Governance for penetration testing?

IT Governance is a CREST-accredited provider of security penetration testing services. Our range of pen testing services enables organisations of all sizes to manage cyber security risk effectively by identifying vulnerabilities that could expose infrastructure, applications, wireless networks and people to attack.

IT Governance’s penetration testing team is able to support your organisation and develop your cyber assurance strategy as part of a mature risk management strategy.

Choose IT Governance for penetration testing:

  • CREST-certified penetration testing
  • Experienced across a diverse set of disciplines (web apps, servers, firewalls, Wi-Fi)
  • Expertise in standards such as the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 and ISO 9001
  • Testimonials from different industries and customers
  • Sample reports available



Advantages of completing a penetration test

By implementing regular penetration tests, you can continually measure and improve the security performance of your systems and networks.

  • Accurately evaluate your organisation’s ability to protect itself
  • Get detailed information on actual, exploitable security threats
  • More intelligently prioritise remediation, apply necessary security patches and allocate security resources

Businesses are exposed to a host of potential threats, and each might be able to exploit hundreds of vulnerabilities. Such vulnerabilities are open to potentially devastating attacks, such as SQL injection. Things as apparently benign as error pages can give attackers enough information to exploit a less obvious and much more harmful vulnerability.

Taken on their own, small vulnerabilities may appear negligible, but hackers often seek out these weaknesses to create intrusion sequences that pry open security gaps into much larger weaknesses. These gaps are often overlooked by the company or automated security systems, but pen testers will be able to identify such points of entry by replicating hackers’ methods.

The final step of a penetration test is reporting the vulnerabilities. Unlike automatically generated reports from tools that offer generic remediation tips, penetration test reports can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.


When should you carry out a penetration test?

  • You are concerned about security attacks on other, similar organisations.
  • You are using a greater number of outsourced services.
  • You are making significant changes to operational processes.
  • You are developing business applications or IT infrastructure.
  • You need an independent assessment to meet legal, regulatory or customer requirements.


Different types of penetration testing


Reduce costs and get accurate results with expert testing

IT Governance uses a tailored approach to ensure the engagement for security testing meets the maturity and expectations of your business. Our fixed-cost packages are ideal for small and medium-sized organisations, or those with no prior experience of security testing. For those with more complex objectives, or that require a more detailed exploration of complex or sensitive environments, our Technical Services team can provide additional expertise through calls or on-site meetings.

Level 1 Penetration Test

Our Level 1 Penetration Test identifies vulnerabilities that your systems may be exposed to. Combining a series of manual assessments with automated scans, our team can assess the true extent of your system or network’s vulnerabilities. Conducted by highly skilled ethical hackers, the Level 1 Penetration Test includes a detailed report providing recommendations for fixing any holes and addressing each of the identified issues.

Level 2 Penetration Test

A Level 2 Penetration Test is a painstakingly detailed process of identifying security holes and vulnerabilities in your software and hardware (including printers, fax machines, workstations), systems or web applications and then attempting to exploit them. Due to the extent of these tests, Level 2 Penetration Tests are usually only recommended to clients that need a complex cyber attack simulation.




Feature                                             Level 1           Level 2
Objective                                           Agreed at outset  Agreed at outset
Fixed-price package available                       Yes               No
Emulates a real-world attack                        No                Yes
Scoping                                             Available         Yes
Skill level required                                High              Advanced
Vulnerability scanning                              Yes               Yes
Can be performed on premise                         Yes               Yes
Can be performed remotely                           Yes               Yes
Exploitation of vulnerabilities                     No                Yes
Detailed report                                     Yes               Yes
Manual grading of responsibilities                  Yes               Yes
Facilitates compliance with ISO 27001/the PCI DSS   Yes               Yes

Our approach

IT Governance applies robust methodologies to provide a realistic and targeted appraisal of the current state of your security and the risks attackers pose to your business.

We will discuss the results with all relevant audiences and provide recommendations for cost-effective solutions.

1. Initial scoping

Before a test, our account management team will discuss your assessment requirements for your systems, networks or applications in order to define the scope of the test.



2. Reconnaissance

During this phase, we will attempt to gather information about your organisation and how it operates. We will use automated scanning to identify potential security holes that could lead to compromise.



3. Assessment

We will conduct manual tests (e.g. authentication bypass, brute-force attack, public exploits) in an attempt to compromise your system environment and identify attack vectors for your wider network.



4. Reporting

We will provide a detailed breakdown of all your results in an easily interpreted format based on the damage potential, reproducibility, exploitability, number of affected users, and discoverability of each finding.



5. Presentation

In some instances, we will recommend a separate briefing session with your management team, where we will explain the outcomes of the test and what this means for your security posture, and discuss any further recommendations.



6. Remediation support

We can provide access to our testers and the raw test data to support and expedite remediation. We can also retest your systems so that you can be sure all the issues have been successfully resolved.
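A worked example of the rating scheme the reporting step describes, added here as illustration rather than IT Governance's own tooling: each finding is scored 1-10 on damage potential, reproducibility, exploitability, number of affected users and discoverability (the DREAD factors), the mean gives the rating, and findings are ranked for the report. The severity bands and the sample findings are assumptions constructed for this example.

```python
"""Rank penetration-test findings with a DREAD-style rating.

The five factors named in the reporting step (damage potential,
reproducibility, exploitability, affected users, discoverability) are
each scored 1-10; the risk rating is their mean. The severity bands and
the sample findings below are constructed for this example and are not
IT Governance's own scale or data.
"""
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

@dataclass(frozen=True)
class Finding:
    title: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

def dread_score(f: Finding) -> float:
    """Mean of the five 1-10 factor scores, rounded to one decimal place."""
    scores = [getattr(f, name) for name in FACTORS]
    for s in scores:
        if not 1 <= s <= 10:
            raise ValueError(f"{f.title}: factor scores must be 1-10, got {s}")
    return round(sum(scores) / len(scores), 1)

def severity(score: float) -> str:
    """Map a rating to a band (thresholds are an assumption for this example)."""
    if score >= 8.0:
        return "Critical"
    if score >= 6.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def rank_findings(findings):
    """Return (title, score, band) tuples, highest risk first; ties keep input order."""
    rated = [(f.title, dread_score(f), severity(dread_score(f))) for f in findings]
    return sorted(rated, key=lambda r: r[1], reverse=True)

# Constructed sample findings, not taken from any real engagement.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", 9, 10, 8, 9, 7),
    Finding("Verbose error page reveals stack trace", 2, 10, 4, 3, 9),
    Finding("Outdated TLS cipher suites on mail gateway", 5, 9, 3, 6, 8),
    Finding("Default credentials on network printer", 6, 10, 9, 3, 6),
]

if __name__ == "__main__":
    for title, score, band in rank_findings(SAMPLE_FINDINGS):
        print(f"{score:4.1f}  {band:8}  {title}")
```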


Penetration testing for compliance

Our expertise in standards such as the PCI DSS, ISO 27001, the General Data Protection Regulation (GDPR) and ISO 9001 means we can offer an integrated approach, and can develop suitable solutions that will help you to reduce your risks and ensure compliance with standards, frameworks, legislation and other business requirements.

ISO 27001 control objective A12.6

Penetration testing is valuable at various stages of implementing and maintaining an ISO 27001-compliant information security management system (ISMS), from initial development through to continual improvement.

ISO 27001 control objective A12.6 (Technical vulnerability management) states that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”.

Penetration testing can make a significant contribution to your ISMS project as part of:

  • The risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats;
  • The risk treatment plan: making sure that controls actually work as designed; and
  • Ongoing continual improvement processes: making sure that controls continue to work as needed and that new and emerging threats and vulnerabilities are identified and dealt with.


Requirement 11 of the PCI DSS

PCI compliance, especially for Reports on Compliance and some self-assessment questionnaires, requires internal and external vulnerability scans, and frequent penetration tests.

PCI DSS requirement 11.3 addresses penetration testing, which should include network and application layer testing, as well as controls and processes around the networks and applications, and should be conducted from outside and inside the network. The goals of penetration testing in this case are to:

  • Determine whether and how a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and/or cardholder data; and
  • Confirm that the controls required by the PCI DSS are in place and effective.

Our accreditations

Our penetration tests are performed by CREST-accredited security testers, who can test your system defences and websites for vulnerabilities, carry out exploits in a safe manner, and advise on appropriate mitigation measures to ensure that your systems are secure. IT Governance, as a CREST-accredited penetration testing provider, assures that:

  • You are dealing with a trusted organisation;
  • A proven penetration testing methodology will be used;
  • Our processes and procedures have been subject to independent vetting;
  • Your systems and data will be handled carefully, in a professional manner;
  • The penetration testing itself will be kept confidential; and
  • You will be given advice on how to reduce the likelihood of similar vulnerabilities being exploited.

