Penetration testing by CREST and Cyber Scheme qualified testers

Penetration Testing

We test the systems that matter the way a real attacker would, then give you a clear, prioritised path to fixing what we find. Defence-grade rigour, testers qualified by CREST and The Cyber Scheme, and a free retest included. Serving the North East and the wider UK.

  • CREST and Cyber Scheme qualified testers
  • Defence and central-government grade
  • Free retest included

The basics

What is penetration testing?

A penetration test is an authorised, simulated cyber attack against your systems, carried out by qualified security testers to find the weaknesses a real attacker would exploit, before they do.

Unlike an automated vulnerability scan, a penetration test combines tooling with human expertise: our testers chain together flaws, test business logic, and confirm what's genuinely exploitable rather than just flagging theoretical issues.

The output is a clear, evidence-backed report: what we found, how serious each issue is, and exactly how to fix it.

Our services

What we test

We scope each engagement to your environment and risk. Common assessments include:

Web application testing

Testing of your websites, portals and web apps against the OWASP Top 10 and beyond: authentication, access control, injection, business logic and more.

Infrastructure & network testing

External and internal testing of your networks, servers and devices to find exposed services, missing patches, weak configuration and routes an attacker could take.

Cloud security testing

Configuration and security review of your cloud platforms across AWS, Azure and Google Cloud, covering identity, access, storage and exposed services.

API testing

Assessment of your APIs for broken authentication, authorisation flaws, data exposure and abuse cases.

Offensive security & red teaming

Goal-based, real-world attack simulation that tests detection and response across people, process and technology: the offensive testing trusted by central-government clients.

Mobile application testing

Testing of iOS and Android apps and their back-end services for data leakage, insecure storage and weak controls.

Our methodology

How we test

Every engagement follows a structured, CREST-aligned methodology, so you get consistent, defensible results, and you deal with the same testers throughout.

  1. Scoping

    We agree exactly what is in scope, the rules of engagement and the testing window, so the test reflects real risk without disrupting your operations.

  2. Reconnaissance & discovery

    We map your attack surface: the systems, services and entry points exposed to an attacker.

  3. Testing & exploitation

    Our testers combine industry tooling with manual techniques to find and safely confirm vulnerabilities, drawing on recognised frameworks such as OWASP and NCSC guidance.

  4. Reporting

    You receive a clear report: an executive summary for leadership, and detailed, risk-rated findings with practical remediation guidance for your technical team.

  5. Remediation & free retest

    We talk you through the findings, and once you've fixed them we retest the affected issues, included as standard, so you can prove they're closed.

The deliverable

What you get

Every report turns technical findings into a clear, prioritised plan your team can act on, and the free retest confirms the fixes have worked.

  • An executive summary

    Makes the business risk clear to non-technical stakeholders.

  • Risk-rated findings

    Evidence, impact and likelihood for each issue.

  • Practical remediation guidance

    What to fix and how, prioritised.

  • A free retest

    Of remediated findings, to confirm they are resolved.

  • A report you can share

    With clients, auditors and insurers as proof of assurance.

The difference

Why test with Layer 7

Trusted by central government

We have been engaged by a major UK central government department to deliver offensive security testing and capability building.

Defence and government-grade rigour

We deliver security to defence, public-sector and regulated clients, including MOD-accredited cloud work, through G-Cloud 14, DOS 7 and CCS frameworks. The same rigour goes into every test, whatever your size.

CREST and Cyber Scheme qualified testers

Our testing is delivered by testers who hold individual CREST and Cyber Scheme qualifications, independently assessed and recognised by the NCSC.

In-house, not outsourced

You work with our own qualified testers from scoping to retest. No subcontractors you never meet, no hand-offs.

Free retest as standard

We don't consider the job done until your fixes are verified. Retesting of remediated findings is included.

Part of a full security lifecycle

Penetration testing sits alongside our Cyber Essentials and Cyber Essentials Plus certification and our wider assurance work, so testing connects to certification and ongoing defence, not a one-off PDF.

Cost & engagement

What a penetration test costs

The price of a penetration test depends on scope: the type of test, the size of the environment, and the depth required. We quote a fixed price once scope is agreed, with no hidden extras and a free retest included.

As a guide, a focused web application or infrastructure test typically starts from £5,000 + VAT; larger or multi-system engagements are scoped individually. Tell us what you need tested and we'll give you a clear, all-in quote.

Local & UK-wide

Penetration testing across the North East

We test for organisations throughout the North East, and across the UK. Testing is carried out remotely or on site depending on scope; for local organisations that means testers who can be with you quickly when it matters.

If you're a North East business facing a contract requirement, compliance deadline or board mandate for penetration testing, we can scope and deliver it.

  • Newcastle
  • Gateshead
  • Sunderland
  • Durham
  • Northumberland
  • Tees Valley

FAQ

Penetration testing questions

How much does a penetration test cost?

It depends on scope: the type of test and the size of the environment. We quote a fixed price once scope is agreed, with a free retest included.

What's the difference between a penetration test and a vulnerability scan?

A vulnerability scan is automated and flags potential issues. A penetration test adds human expertise, confirming what's genuinely exploitable, chaining weaknesses together, and testing business logic a scanner can't.

How often should we run a penetration test?

At least annually, and after any significant change to your systems, such as a new application, a major release or an infrastructure change. Some compliance regimes require it on a set schedule.

Will testing disrupt our systems?

No. We agree rules of engagement and a testing window during scoping to avoid operational impact.

Do you retest after we fix the issues?

Yes. Retesting of remediated findings is included as standard, so you can prove the issues are closed.

Can penetration testing support ISO 27001 or Cyber Essentials?

Yes. Testing supports a range of compliance and assurance needs. We can also handle your Cyber Essentials and Cyber Essentials Plus certification directly.

What qualifications do your penetration testers hold?

Our testers hold individual CREST and Cyber Scheme qualifications, both recognised by the NCSC.

Find your weaknesses before an attacker does

Tell us the shape of what needs testing and we'll give you a fixed-price quote and a clear scope: defence-grade testing from CREST and Cyber Scheme qualified specialists.