Penetration Testing Services

Every attack surface, tested from an attacker's perspective.

Consultant-led penetration testing across applications, APIs, networks, and infrastructure. UK-based consultants, fixed pricing, and reports delivered within 2 business days.
CREST Pathway | UK Cyber Security Council member | Cyber Essentials certified

Pentest Requirements

Which type of penetration test do you need?

Not every organisation has the same requirements. Here are the most common situations we see, and the testing we’d typically recommend.

Not sure what's right for you?

Book a free scoping call and we’ll help you identify the right type of assessment for your environment, compliance requirements, and budget.


You're preparing for ISO 27001 certification or renewal

Your ISMS audit will expect evidence of independent security testing. We’d typically recommend an external network penetration test as a starting point, combined with web application testing if you have customer-facing systems in scope.

You're working towards PCI DSS compliance

Requirement 11.4 mandates penetration testing of your cardholder data environment at least annually and after significant change. We scope CDE-focused engagements to meet PCI DSS requirements and provide evidence-ready reporting for your QSA.

You're launching or significantly updating a web application or API

Pre-launch is the right time to test. Application penetration testing identifies authentication flaws, data exposure risks, and business logic vulnerabilities before they reach production - using the same techniques a real attacker would apply.

You're building or shipping a mobile or desktop application

Client-side products introduce a different category of risk: reverse engineering, insecure local storage, weak cryptography, and backend API vulnerabilities that standard web testing alone won’t surface.

Your development team ships frequently and point-in-time testing isn't keeping up

When teams deploy weekly or continuously, annual testing creates blind spots. PTaaS provides ongoing offensive coverage, on-demand consultant access, and unlimited retesting without repeated re-scoping.

You've never had a penetration test before or aren't sure what you need

That’s what scoping calls are for. Tell us about your environment, compliance obligations, and specific concerns. We’ll recommend an assessment that fits your risk profile and budget, and provide a fixed quote within 24 hours.

Application Security Testing

Offensive security testing for your applications and APIs

Web Application Testing

Manual offensive testing that goes well beyond automated scanning. We approach your application the way a real attacker would - chaining weaknesses across authentication, authorisation, and business logic to identify what’s genuinely exploitable.

Covers the OWASP Top 10 and beyond, across all user privilege levels.

OWASP Top 10 | Authenticated Testing | API Testing Included

Recommended for:

  • SaaS companies
  • E-commerce platforms
  • Customer portals
  • Startups with newly deployed MVPs

Website Security Testing

A focused, practical security assessment for public-facing business websites, corporate sites, and CMS-driven platforms. Covers the external attack surface: CMS and plugin exposure, TLS configuration, security headers, admin panel exposure, and common misconfigurations.

The right starting point for organisations that need assurance their website is not presenting unnecessary risk.

CMS & WordPress | Security Headers | Misconfigurations

Recommended for:

  • Corporate and brochureware websites
  • CMS-based and WordPress sites
  • Marketing and agency-managed sites
  • Organisations new to security testing

API Security Testing

Secure your REST, GraphQL, and SOAP APIs against data exposure and unauthorised access.

OWASP API aligned testing covering broken authorisation, excessive data exposure, rate limiting issues, and parameter tampering vulnerabilities in your microservices, public APIs, and mobile backends.

REST APIs | GraphQL | SOAP

Recommended for:

  • Public API services
  • Microservices architectures
  • Mobile app backends
  • Third-party API integrations

Mobile Application Security

iOS and Android penetration testing covering insecure data storage, weak cryptography, improper platform usage, and API security. We perform reverse engineering, runtime manipulation, and backend API testing to assess the full attack surface.
iOS & Android | OWASP MASVS | Backend API Testing

Recommended for:

  • Consumer mobile apps
  • Fintech and banking apps
  • Healthcare mobile applications
  • Apps handling sensitive user data

Desktop Application Testing

Identify critical vulnerabilities in Windows and macOS applications including privilege escalation, insecure data storage, and code injection flaws - tested through both source code review and black-box techniques.
Windows & macOS | Black-box & White-box | Privilege Escalation

Recommended for:

  • Enterprise desktop software
  • Client-installed tools handling sensitive data
  • Electron and cross-platform applications
  • Internal tooling and admin portals

Network & Infrastructure Testing

Test your network perimeter and internal trust boundaries

External Network Penetration Testing

Map and exploit your external attack surface from an attacker’s perspective. We perform OSINT reconnaissance, identify exposed services, and test firewalls, VPNs, and remote access infrastructure for exploitable weaknesses.
Black-box Testing | OSINT Recon | Free Retesting

Recommended for:

  • Organisations with internet-facing services
  • Pre-audit compliance testing
  • Businesses undergoing ISO 27001 or PCI DSS
  • Teams preparing for a red team engagement

Internal Network Penetration Testing

Simulate insider threats and assumed-compromise scenarios. We assess Active Directory security, lateral movement opportunities, privilege escalation paths, and access to critical systems from an attacker already inside your network.
Active Directory | Lateral Movement | Assumed Breach

Recommended for:

  • Organisations with on-premise infrastructure
  • Businesses with hybrid AD environments
  • Post-breach validation and hardening
  • Compliance-driven internal security reviews

Wi-Fi Security Assessment

Wireless penetration testing covering corporate and guest networks. We test encryption strength, identify rogue access points, assess network isolation, and evaluate captive portal security.
WPA2/WPA3 | Rogue AP Detection | Network Segmentation

Recommended for:

  • Office-based organisations with wireless infrastructure
  • Businesses with guest Wi-Fi networks
  • Retail and hospitality environments
  • Organisations with BYOD policies

Vulnerability Assessment

Automated vulnerability scanning with manual validation and prioritisation. We identify known vulnerabilities, misconfigurations, and missing patches and provide actionable remediation guidance - a useful foundation before a full penetration test.
Authenticated Scanning | False Positive Removal | Remediation Guidance

Recommended for:

  • Organisations new to security testing
  • Teams needing rapid vulnerability insight
  • Compliance-driven periodic assessments
  • Pre-pentest hygiene reviews

Specialist & Continuous Offensive Security

Go further with testing that keeps pace with your environment

Pentest as a Service (PTaaS)

Continuous offensive security testing with unlimited retesting, on-demand consultant access, and real-time vulnerability tracking. Your security posture keeps pace with your release velocity, without traditional testing delays.
Continuous Testing | Unlimited Retesting | On-demand Access

Recommended for:

  • Teams shipping weekly or continuously
  • SaaS companies with fast release cycles
  • DevSecOps-driven organisations

OSINT Reconnaissance

Understand your attack surface from the outside in. We identify publicly available information across your infrastructure, personnel, and online footprint - the same reconnaissance an attacker would perform before a targeted engagement.
Passive Recon | Breach Data | Attack Surface Mapping

Recommended for:

  • Pre-assessment reconnaissance
  • Organisations assessing their exposure
  • Executive and personnel threat profiling

Embedded Device & IoT Testing

Full-stack offensive security testing of hardware products and IoT devices - hardware interfaces, firmware analysis, wireless protocols, and the complete ecosystem including mobile apps, web dashboards, and cloud backends.
Firmware Analysis | Hardware Interfaces | Full Ecosystem

Recommended for:

  • IoT product manufacturers
  • Connected device companies
  • Smart home and industrial hardware

Not sure which assessment you need?

Book a free scoping call and we’ll help you identify the right type of offensive security assessment for your environment, compliance requirements, and budget.

Key Deliverables

What's included in every engagement?

Our offensive security engagements are designed to support both technical remediation and executive-level decision-making. Every Exploitr assessment includes the following as standard.

Executive Report

A non-technical summary of findings with risk ratings and recommendations suitable for board and senior management stakeholders.

Technical Report

A detailed report for your technical team covering each vulnerability, reproduction steps, severity scoring, remediation guidance, and mappings to CVE, CVSS, and MITRE ATT&CK where applicable.

Debrief Session

A debrief call to walk through findings, discuss remediation priorities, and answer questions from both technical and executive stakeholders.

Retesting

Free focused retesting of any remediated vulnerabilities for externally-based assessments - including web application, API, and external network penetration testing.

Attack Surface Center Access

Complimentary access to our Attack Surface Center ASM platform to review, track, and collaboratively remediate findings in real time throughout and beyond the engagement.

Consultant-led From Start to Finish

All testing is performed by in-house consultants. Your assigned consultant works with you from scoping through to debrief. Nothing is outsourced or subcontracted.

Our Approach

Offensive security led by consultants, not scanners

Every engagement is scoped individually, priced transparently, and delivered directly by the consultant assigned to you from the very beginning. Our offensive security methodology draws from OWASP WSTG and NIST SP 800-115, with adversary-informed techniques aligned to the MITRE ATT&CK framework and NCSC guidance.

Whether your goal is meeting a compliance requirement, validating a pre-launch application, or understanding your real-world attack exposure, we focus on finding vulnerabilities that matter to your business, not padding a report.

How It Works

Our Penetration Testing Process

Our process is designed to replicate realistic attacker behaviour while remaining safe, transparent, and aligned with your business context from initial scoping through to final reporting.

01

Scope & Objectives

Every engagement starts with a scoping session where we work with you to define the targets, rules of engagement, and testing objectives, ensuring the assessment is threat-led and relevant to your specific risk profile.

The agreed scope is documented as part of our working agreement and reflected in the final report deliverables.

We balance depth with safety, ensuring testing delivers meaningful offensive insight without unnecessary disruption to your production systems.

Each scope of work is tailored to your business requirements, security maturity, and risk appetite, and outlines:

  • Exact systems and applications in scope
  • Offensive methodology and approach
  • Rules of engagement and constraints
  • Success criteria and deliverables
  • Fixed pricing with no surprises

02

Reconnaissance & Attack Surface Mapping

We identify exposed assets, technology stacks, trust relationships, and likely entry points - building an attacker-realistic picture of your environment before exploitation begins.

Reconnaissance is adapted to the engagement type. For external network testing, we profile exposed services and perimeter infrastructure to understand what an attacker would target first.

For application and API testing, we map authentication models, privilege boundaries, and business logic paths from both unauthenticated and authenticated attacker perspectives.

This approach gives broad, accurate coverage while avoiding the false positives common in scanner-only workflows.

  • Asset discovery and service identification
  • Technology stack fingerprinting
  • Attack surface mapping
  • Vulnerability and misconfiguration identification
  • Initial access path analysis

03

Exploitation & Attack Chaining

We validate exploitability and chain weaknesses where possible to demonstrate realistic attacker objectives - privilege escalation, lateral movement, and unauthorised data access - not just a list of theoretical findings.

Where initial access is achieved, we perform scoped post-exploitation to understand blast radius and downstream risk. Chained attack paths often reveal compounding weaknesses that point-in-time vulnerability scanning misses entirely.

All offensive activity is coordinated with your team, and we do not take disruptive actions without explicit approval.

  • Privilege escalation attempts
  • Data access validation
  • Lateral movement testing (for internal assessments)
  • Authentication bypass validation
  • Business logic exploitation

04

Reporting, Debrief & Retest

Findings are made available in Attack Surface Center throughout testing so your team can begin remediation before the engagement closes. Final reports are delivered within 2 business days of testing completion.

Every engagement includes a detailed report and a debrief session tailored to both technical and executive stakeholders. We walk through exploit paths, business impact, and a prioritised remediation roadmap.

Free retesting of remediated findings is included for externally-based assessments.

  • Detailed technical report with evidence and reproduction steps
  • Executive summary with risk ratings and business impact
  • Remediation guidance with specific recommendations
  • Severity scoring and prioritisation framework
  • Debriefing call with technical and executive stakeholders

Common Questions

Penetration testing & offensive security - frequently asked questions

Everything you need to know about how our offensive security assessments are scoped, priced, and delivered before you request a quote.

All testing is carried out by our in-house consultants, and nothing is outsourced or subcontracted. You’ll be assigned a named consultant before testing begins, and they’ll remain your point of contact from scoping through to debrief.

Our consultants hold industry-recognised OffSec certifications including OSCP (Offensive Security Certified Professional) and OSCE (Offensive Security Certified Expert).

Pricing is based on scope, complexity, and your organisation’s context. We publish realistic price ranges so you can quickly assess fit before requesting a quote.

For bespoke engagements, we tailor methodology and consultant time to your objectives. Each quote factors in:

  • Scope of testing (e.g., number of IPs, applications, or cloud resources)
  • Technical and architectural complexity
  • Testing methodology (black box, grey box, white box, or blended)
  • Depth of exploitation, reporting, and retest support required

To price accurately and avoid over- or under-scoping an assessment, we aim to learn as much about your business and the target(s) as possible.

A scoping call reduces back-and-forth over email, allows for quick walkthroughs of applications or infrastructure, and gives us the context we need to tailor an offensive assessment to your specific risk concerns.

We’re able to support scoping discussions via email if preferred.

Most engagements range from 3-5 days depending on the type of assessment and the complexity of your environment. To get accurate timelines, speak with us to scope out a project with no obligation.

Retesting is available and can be bundled or quoted separately. For certain assessments, including external network, web application, and API penetration testing, we include free spot-check retesting of remediated findings at no additional charge.

Yes, we can provide a discount for multi-service engagements and repeat, long-term engagements. If you are a charity, start-up, or public services organisation, let us know and we can discuss how we can work together within your budget.

Our methodology is based on your objectives, environment, and threat model, not a one-size-fits-all approach.

As an example, a public B2C SaaS platform may be assessed black-box to emulate an untrusted external attacker, while authenticated workflows are tested grey-box to validate deeper privilege abuse paths.

We also support blended engagements that apply different offensive approaches across reconnaissance, exploitation, and post-exploitation to give a more realistic perspective.

Yes, Exploitr is VAT registered under GB VAT 476701277. Prices displayed or provided within a quote exclude VAT unless otherwise noted.

Yes, Exploitr is fully insured for public and products liability, professional indemnity, cyber, and more.

Ready to test your defences from an attacker's perspective?

Our team are on hand to discuss your security requirements and provide a tailored, fixed-price proposal within 24 hours.