Penetration Testing Engagement Overview


We will work with you to understand your requirements in detail. We can typically scope a relatively simple penetration test over the phone; however, for more complex environments we will ask you to complete a scoping form.

Once the scope is understood we will generate a proposal for your review outlining our approach, effort and costs. If you are happy and financial authorisation is granted, we will agree dates to deliver the work and book it into our schedule.

Prior to testing we’ll need a Test Authorisation Form (often referred to as a Letter of Authority) to be completed and signed by a duly authorised representative of your company. This grants permission for us to conduct activities that would normally be illegal under the Computer Misuse Act.

Typically there are other prerequisites to testing such as test accounts or IP address whitelists. These will all be discussed in the lead up to the test to ensure everything is ready for us to begin.


Security assessment is both a creative process and a methodical one. Our consultants are all experienced and innovative manual security testers with a track record of finding the chink in an application’s armour. Complementing this are our rock solid security testing methodologies, aligned to the OWASP Security Testing Guide, Penetration Testing Execution Standard (PTES), OWASP ASVS and OWASP Mobile Security Guides.

A formal methodology ensures consistently high quality across engagements and across team members, while manual security testing allows our testers the creative space to truly think like an attacker and find the flaws that a vulnerability scanner just couldn’t.


During the reporting phase, we categorise all findings so it’s easy for our clients to identify the root cause and work on solving issues at their core. Often, if you find one SQL injection vulnerability in an app, you’re going to find ten, or twenty, or more. The root cause of all of these could be one single bug in an ORM layer rather than twenty individual issues. Categorising findings together supports our consultants in making more meaningful recommendations about how to address issues.
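To illustrate the "one ORM bug, many findings" point, here is an added example that is not part of the original page or the vendor's own tooling. It uses a hypothetical data-access helper (`find_by`) with three call sites, each of which would surface as a separate SQL injection finding in a report, and shows that binding the value as a parameter in that one shared helper closes all three at once. The schema, rows and the single-quote probe input are all constructed for the demonstration and run against an in-memory SQLite database.

```python
"""Added illustration (not part of the original page): one bug in a data-access
layer reproduces as many SQL injection findings, and one fix at the root closes
them all. Uses an in-memory SQLite database with constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows, purely for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user');
        CREATE TABLE orders (id INTEGER, owner TEXT, total INTEGER);
        INSERT INTO orders VALUES (10, 'alice', 50), (11, 'bob', 20);
        """
    )
    return conn


class VulnerableRepo:
    """Hypothetical ORM-style helper whose single 'find_by' builds SQL by string
    formatting. Every call site that goes through it inherits the flaw."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def find_by(self, table: str, column: str, value: str):
        sql = f"SELECT * FROM {table} WHERE {column} = '{value}'"  # root cause
        return self.conn.execute(sql).fetchall()

    # Three separate features, three separate report findings, one bug.
    def user_by_name(self, name: str):
        return self.find_by("users", "username", name)

    def users_by_role(self, role: str):
        return self.find_by("users", "role", role)

    def orders_for(self, owner: str):
        return self.find_by("orders", "owner", owner)


class FixedRepo(VulnerableRepo):
    """Same call sites, but the shared helper now binds the value as a parameter.
    Table and column names cannot be bound, so they are checked against an
    allow-list instead of being interpolated from caller input."""

    ALLOWED = {"users": {"username", "role"}, "orders": {"owner"}}

    def find_by(self, table: str, column: str, value: str):
        if column not in self.ALLOWED.get(table, set()):
            raise ValueError(f"unexpected table/column: {table}.{column}")
        sql = f"SELECT * FROM {table} WHERE {column} = ?"
        return self.conn.execute(sql, (value,)).fetchall()


def count_affected_call_sites(repo_cls) -> int:
    """Return how many of the three features return every row in their table
    when given a constructed input that breaks out of the string literal.
    A correct helper should match nothing for this input."""
    conn = make_db()
    repo = repo_cls(conn)
    probe = "x' OR '1'='1"  # constructed test input for the demonstration
    probes = (
        (repo.user_by_name, 2),   # 2 rows in users
        (repo.users_by_role, 2),
        (repo.orders_for, 2),     # 2 rows in orders
    )
    affected = 0
    for fn, total_rows in probes:
        if len(fn(probe)) == total_rows:
            affected += 1
    conn.close()
    return affected


if __name__ == "__main__":
    print("vulnerable helper, affected call sites:", count_affected_call_sites(VulnerableRepo))
    print("fixed helper, affected call sites:", count_affected_call_sites(FixedRepo))
```

Run as a script it reports three affected call sites for `VulnerableRepo` and none for `FixedRepo`. In a report, the three features would be grouped under a single root-cause finding against the helper, with the recommendation targeting that one function rather than each feature separately; the allow-list on table and column names is there because identifiers cannot be bound as parameters and would otherwise remain a second injection route through the same helper.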

Following an internal QA process our report is delivered to you as a PDF by encrypted email. If you would like your report in a different format, please ask. Many organisations copy and paste penetration testing reports into a spreadsheet or bug tracking system; we can save you that hassle and deliver the report in a more workable format if required.


Once you have had an opportunity to review the report, you can arrange an optional wash-up call (free of charge) with our consultants to discuss the findings and go over any questions you may have. We can also discuss whether you would like to schedule a retest of any issues once the relevant fixes have been applied.

Clients on a Managed Security Testing contract benefit from complimentary retesting.

Next Steps

Ready to discuss your requirements? Give us a call or complete the form below and we’ll get right back to you.

  • Confirmation of scope
  • Escalation process agreed
  • Test Authorisation
  • Communication requirements agreed
  • Enumeration
  • Vulnerability Identification
  • Exploitation
  • Post-Exploitation
  • Regular Testing Updates As Agreed
  • Report Completed By Lead Tester
  • Issues Rated By Impact & Exploitability
  • Root Cause Analysis
  • Internal QA Prior To Issue
  • Optional Wash-up Call
  • Post-Test Support For Recommendations
  • Arrange Re-testing If Required