Co-delivered and white-label penetration testing, in true partnership

Penetration Testing for MSPs

Your clients are being asked for penetration tests. By their auditors, their insurers, their customers, their boards. You can say yes without hiring and retaining a team of CREST-qualified testers. We work as a true partner alongside you: qualified, in-house, defence-grade. We deliver the testing jointly with your team, or white-label where a client needs it, and we fit your existing processes so nothing slows down. You keep the client relationship throughout.

  • A true partner, co-delivered
  • CREST and Cyber Scheme qualified testers
  • In-house, never offshored
  • NDA-backed under your agreement
  • Free retest included
The basics

Why MSPs partner for penetration testing

Penetration testing has moved from nice-to-have to contractual. Cyber insurance asks for it. ISO 27001 and Cyber Essentials Plus lean on it. Enterprise customers demand it of their suppliers. So your clients turn to you.

But credible testing needs testers who hold individual CREST and Cyber Scheme qualifications, kept current, plus tooling, methodology and indemnity. Hiring, training and retaining that in-house rarely stacks up against the volume a single MSP generates. Sending clients elsewhere risks the relationship.

Partnering closes the gap. You offer penetration testing as part of your portfolio; we deliver it with you, as a true partner, and white-label it where a client needs us out of sight. Either way your client never has to leave you to get tested.

White-label penetration testing lets a Managed Service Provider (MSP) offer penetration testing to its clients under its own brand, while a specialist partner carries out the testing. In a co-delivered model both firms work together with both names visible. In both cases the MSP keeps the client relationship; the partner supplies the qualified testers, methodology and findings.

How we work with you

The partner model

We prefer to work as a true partner, alongside your team. Where a client needs us out of sight, we white-label instead. Pick the model that fits each engagement; you can mix both across your client base.

Our preferred model

Co-delivered

We work jointly, with both names visible: a true partnership. Your client gets an independent, qualified specialist on the engagement, and your team stays close to the work and the relationship. This is how we like to partner.

Where a client needs it

White-label

We test in the background and deliver a report you present as your own. Your branding, your client relationship, our testers. We stay invisible to the end client. The right choice when a client expects everything to come from you.

Either way, you own the commercial relationship and the renewal. We never approach your client directly without your say-so, and we integrate with your existing delivery processes so nothing slows down.

Build vs partner

The honest comparison

Build in-house Partner with Layer 7
Qualified testers Build in-house Recruit, vet and retain CREST / Cyber Scheme talent Partner with Layer 7 Included, day one
Cost model Build in-house Salaries, tooling, training, indemnity, downtime Partner with Layer 7 Transparent, tailored, fixed per engagement
Utilisation risk Build in-house You carry the bench between jobs Partner with Layer 7 We carry it
Methodology & QA Build in-house You build and maintain it Partner with Layer 7 CREST-aligned, already in place
Time to offer Build in-house Months to hire and stand up Partner with Layer 7 Live as soon as the partnership is signed
Client relationship Build in-house Yours Partner with Layer 7 Stays yours

Takeaway: for most MSPs the testing volume does not justify a permanent in-house team, but the demand is real and growing. Partnering turns penetration testing into a margin line you can switch on now, without the fixed cost or the recruitment risk.

Our services

What we test

The full range, scoped per engagement: web applications, external and internal infrastructure, cloud (AWS, Azure, Google Cloud), APIs, mobile apps, and goal-based offensive security and red teaming.

For the detail of each test type, see our penetration testing service.

The deliverable

What your client gets

The same deliverable as our direct engagements, presented jointly with you or as yours alone.

  • An executive summary

    Makes the business risk clear to a non-technical client.

  • Risk-rated findings

    Evidence, impact and likelihood for each issue.

  • Practical remediation guidance

    What to fix and how, prioritised.

  • A free retest

    Of remediated findings, so your client can prove the issues are closed.

  • A report they can share

    With auditors, insurers and customers as proof of assurance, branded jointly or as yours.

The process

How we work with you

A partnership runs on a clear, repeatable process, mapped onto the way you already work, so engagements add capability without adding friction.

  1. 01

    Partner onboarding

    We agree the model, co-delivered or white-label, sign our standardised partner NDA and agreement, and set how reports are branded and delivered. We map our work to your existing delivery process, so engagements run inside your workflow, not around it.

  2. 02

    Scoping, with you or your client

    You bring us the requirement; we scope the test, agree rules of engagement and a testing window, and give you a fixed price to quote on. No surprises mid-engagement.

  3. 03

    Testing & exploitation

    Our in-house, qualified testers do the work, combining tooling with manual technique against recognised frameworks such as OWASP and NCSC guidance. Same testers throughout.

  4. 04

    Reporting

    You receive a clear, client-ready report: an executive summary plus detailed, risk-rated findings and remediation guidance, branded jointly or as yours alone.

  5. 05

    Remediation & free retest

    Once the client has fixed the issues, we retest the affected findings, included as standard, so you can hand back proof the risks are closed.

The difference

Why partner with Layer 7

In-house, not outsourced

You work with our own qualified testers from scoping to retest. No subcontractors, no hand-offs, nobody you and your client never meet. What you sell is what we deliver.

CREST and Cyber Scheme qualified testers

Our testing is delivered by testers who hold individual CREST and Cyber Scheme qualifications, independently assessed and recognised by the NCSC.

Defence and central-government grade

We deliver security to defence, public-sector and regulated clients, including work for a major UK central government department and MOD-accredited cloud, through G-Cloud 14, DOS 7 and CCS frameworks. The same rigour goes into every partner engagement, whatever the client size.

A true partner who fits your process

We integrate with your existing delivery workflow, so partner engagements add no delays. Co-delivered by preference; white-label where a client needs it.

We protect your relationship

Your renewal, your client, your call on branding. We do not approach them directly without your agreement.

A certification body too

We are a Cyber Essentials Certification Body. So when your client's pen test points to a certification need, we can support Cyber Essentials and Cyber Essentials Plus as well, all through you.

Cross-pillar

One partner for the test and the certification

Most penetration tests your clients ask for trace back to a compliance or assurance driver: Cyber Essentials Plus, ISO 27001, cyber insurance, or a customer's supply-chain requirement.

Because we are also a Cyber Essentials Certification Body, partnering with us covers both sides of that conversation, the test and the certification, under one roof and your brand. See Cyber Essentials for MSPs and our penetration testing service.

Cost & engagement

Partner pricing

Clear, transparent pricing, tailored to you. We do not hide the numbers behind a portal or a rate card you have to reverse-engineer.

Test pricing depends on scope: the type of test, the size of the environment and the depth required. Once scope is agreed we quote a fixed price per engagement with no hidden extras and a free retest included, so you can quote your client with confidence. We set partner pricing around how you work and what your clients need, not a one-size-fits-all wholesale list.

FAQ

Partner questions

Can the penetration test report carry our branding?

Yes. By preference we co-deliver, with both names on the report; or we white-label it as yours alone where a client needs us out of sight. It is your call, per engagement.

Who owns the client relationship?

You do, always. We deliver the testing with you and never approach your client directly without your agreement. The renewal stays yours.

Do you work under an NDA and our client agreement?

Yes. We sign our standardised partner NDA and agreement at onboarding and work within your client agreement and rules of engagement.

What's the difference between co-delivered and white-label?

Co-delivered, our preferred model, means we work together with both names visible, so your client gets a named independent specialist alongside your team. White-label means we stay invisible and the report is yours alone, for clients who expect everything to come from you.

What qualifications do your testers hold?

Our testers hold individual CREST and Cyber Scheme qualifications, both recognised by the NCSC. Testing is delivered in-house, never offshored or subcontracted.

Will partner engagements slow down our delivery?

No. We integrate with your existing processes, so testing runs inside the way you already work, and we agree a testing window that fits your client's deadline.

How does partner pricing work?

Clear, transparent pricing, tailored to you. Once scope is agreed we quote a fixed price per engagement with no hidden extras and a free retest included, so you can quote your client with confidence.

Can you also support our clients' Cyber Essentials Plus or ISO 27001?

Yes. We are a Cyber Essentials Certification Body and can handle Cyber Essentials and Cyber Essentials Plus directly, and our testing supports ISO 27001 and a range of assurance needs, all through you.

Offer penetration testing without building a team

Tell us about your clients and the kind of testing they need. We will set up a partnership and give you CREST and Cyber Scheme grade testing, co-delivered with your team or white-labelled where needed, that fits your existing processes, with a free retest included.