Cybercrime is one of the world’s biggest threats. According to Verizon’s Business 2020 Data Breach Investigations report, there was a 100% increase in web app breaches, and in this, stolen credentials were used in over 80% of these cases. These statistics highlight the risk for businesses.
The risk should encourage companies to run regular tests to determine weak spots in their network and software, exposing security loopholes. One way of doing this is through penetration testing, commonly known as pen-testing, helping to safeguard important data from the attackers out there.
We have put together our top 10 penetration testing companies in the UK, as well as some additional, great penetration testing companies in London, the UK and USA as well as Europe, helping you to compare their services.
Number 1 – ThreatSpike Labs
- Founded: 2011
- Location: London- UK
- Number of employees: 11-50
- Clients: RAC, Claridges, Inchcape Shipping Services, HSS Hire, Hg Capital
ThreatSpike (https://www.threatspike.com/offensive) offers the most cost effective and highest quality penetration testing service in the UK. Rather than variable priced, one-off testing engagements, ThreatSpike is the first company to offer an all year round, fixed price penetration testing service. This subscription based service provides customers with unlimited testing of web applications, on-premise infrastructure, cloud services, mobile applications and IoT devices, all carried out by its expert team of offensive security testers.
ThreatSpike’s service also includes red team assessments, something which is rarely undertaken by companies due to the high prices charged by other testing firms. In red team assessments, the ThreatSpike team emulates an advanced persistent threat actor who wants to gain access to a company’s network and data.
They review any Internet facing infrastructure and applications, attempting to exploit their vulnerabilities whilst targeting the company’s staff through social engineering. They also review the physical security of offices, attempting to slip in undetected. If ThreatSpike manages to gain access, they then move within the environment to high value assets to see what damage could be caused. The output of these assessments are comprehensive reports with recommendations for improvement.
Most impressively, ThreatSpike’s service is competitively priced and offers year round testing for the same amount that most testing firms would typically charge for a one-off assessment.
Features of ThreatSpike:
- Unlimited penetration tests and red team exercises
- Internal and external infrastructure testing
- OWASP aligned web application testing
- Mobile application, IoT device and cloud service testing
- Engagements led by certified specialists
- Detailed finding reports
- Manual and automated testing
- ISO 27001, SOC 2, PCI-DSS and Cyber Essentials aligned tests
- Vulnerability scanning
- Physical on-site testing
- Monthly account meetings
Number 2 – JUMPSEC
- Founded: 2012
- Location: London, UK
- Number of employees: 11-50
- Clients: AA, Corestream, Greggs, Playtech, QIC Global and more!
JUMPSEC has a unique UK based team of expert ethical hackers and security analysts. Since 2012, JUMPSEC has been helping businesses to overcome the continuously evolving cyber threat landscape through penetration testing and other services.. JUMPSEC does this by offering a suite of services catering to different needs and risk profile. By working in partnership with an organisation, JUMPSEC is able to help defend against cyber threats, tailoring their services to different organisation’s needs, budgets and desired security posture.
The company does this via their assurance services, where they assist organisations who are testing their IT infrastructure – while their Managed Security Services help to protect organisations continuously around the clock. As well as this, JUMPSEC offers Cyber Strategy and Transform Consultancy Services to help organisations improve their overall cybersecurity position and knowledge.
Why JUMPSEC is a Top Penetration Testing Company:
- They are dedicated expert ethical hackers
- They have a UK based team of ethical hackers and security analysts and JUMPSEC invests in them to ensure that they can develop personally and professionally.
- They understand the hacker mindset
- By understanding the hacker mindset, objectives, capabilities and techniques, JUMPSEC is able to interpret threat events more effectively and simulate real-world attacks that exploit vulnerabilities.
- They have industry-leading tools and technology
- In addition to using industry-leading tools and technology, they actively develop their own in-house toolsets so that their Security Operation Centre (SOC) and services are states of the art.
- They have a global threat intelligence network
- They have created their own global threat intelligence network to collect data to expand their knowledge base. This helps improve their understanding of the cyber risk landscape in order to help companies defend against real-world cyberattacks.
Get in Touch with JUMPSEC >>
Number 3 – Intruder
- Founded: 2015
- Location: London, UK
- Number of employees: 2-10
- Clients: DataTiger, Litmus, Marvel, Ometria, Ravelin and more!
Intruder was founded in 2015 to help solve the information overload crisis in vulnerability management. Founder Chris Wallis worked both as an ethical hacker for tier one companies, and for blue teams defending critical national infrastructure, Chris noticed that while vulnerability management tools were great at finding issues, they were less useful when it came to prioritising them, tracking them, and timely alerting when problems arose.
Intruder’s mission is to focus on what matters, making penetration testing easy. Intruder is an online vulnerability scanner that finds cybersecurity weaknesses in business’s digital infrastructure, to avoid costly data breaches. Intruder’s powerful scanning tool is uniquely designed to deliver highly actionable results. Their specific features include:
- Enterprise-grade scanning technology with over 9,000 automated checks.
- Infrastructure and web-layer checks, such as SQL injection and cross-site scripting.
- Automatically scans your systems when new threats are discovered.
- Multiple integrations: AWS, Azure, Google Cloud, API, Jira, Teams, and more.
Get in Touch with Intruder >>
Number 4 – Mitigate Cyber
- Founded: 2012
- Location: Lancaster, UK
- Number of employees: 11-50
- Clients: BT, EY, Manchester City Council, NHS, Totalmobile and more!
Mitigate Cyber was founded in 2012 by a team of specialists in cybersecurity, consultancy and information security. The company was founded to provide dynamic cybersecurity services and training that extends beyond technology to encompass people, culture, processes and even the physical environment. Mitigate Cyber aims to make all their clients as resilient as possible to prevent or mitigate cyber-attacks in the ever-changing digital world.
By constantly learning and adapting their skills, Mitigate Cyber is able to deliver services that respond to market developments. Mitigate’s technical knowledge is supported by experts who have first-hand experience of the key drivers at play in specific market sectors.
Number 5 – Dhound
- Founded: 2015
- Location: Leeds, UK
- Number of employees: 11-50
- Clients: 12Go Asia, Operware, UXPressia and more!
Dhound is a cybersecurity company providing web application penetration testing, focused on manual approach and comprehensive delivery, helping IT companies be secure and compliant. Since 2015, Dhound has been pen testing their own systems as well as other companies helping to keep data safe.
By staying up to date, Dhound is helping companies with pen test techniques including Open Web Application Security Project (OWASP), Testing Guide Double-blind testing Penetration, Testing Execution Standard (PTES), and more!
By having a security assessment with Dhound you are able to assess your risks, take certain security measures, allow your business to stay on track. This enables your system health to be on guard to new threats by identifying security cracks, spots security threats to sensitive data, assess business risks of discovered vulnerabilities, and offer potential solutions and recommendations.
Number 6 – Acunetix
- Founded: 2004
- Location: London, UK
- Number of employees: 50-200
- Clients: American Express, AVG, Coca-Cola, HSBC, NASA and more!
In 2005, not many people saw the need to secure their web and focused on protecting the network. Acunetix were the pioneers, realising this was not enough and companies were still vulnerable. Their solution was to develop an automated tool to scan web applications to identify and resolve security issues.
Since then, Acunetix grew both the company and the product. In 2014, Acunetix launched an online (cloud) solution, in 2018 – a Linux version, and in 2019 – Acunetix 360 for enterprises. In 2018, the company was acquired by Turn/River Capital.
Today, Acunetix is a global web security leader, carrying unparalleled experience in the field. Acunetix mission is to provide their clients with a trustworthy web security solution that protects all your assets, aligns with all your policies, and fits perfectly into your development lifecycle.
More specifically, Acunetix is a fully automated tool that frees up security team resources. Acunetix reports very few false positives so your team does not waste time trying to find nonexistent issues. Additionally, Acunetix can detect vulnerabilities that other technologies would miss because it combines the best of dynamic and static scanning technologies and uses a separate monitoring agent.
Number 7 – CyberQ Group
- Founded: 2016
- Location: Birmingham, UK
- Number of employees: 11-50
- Clients: BHSF, Citizen, DPD, Logicalis, Social Work England and more!
Established in 2016, CyberQ Group’s international team of cyber experts and business professionals have decades of combined experience within the cyber and technology sectors. CyberQ Group helps keep businesses protected 24/7, 365 days a year.
With cyberattacks increasing rapidly, CyberQ Group’s offers different services to keep businesses safe. Today, CyberQ Group continues to monitor the surface of the web to identify data to prevent a breach. More specifically, CyberQ Group specialities include:
- Advanced Threat Protection (APT)
- Behavioral Analytics
- Big Data Security
- Data Audit
- Data Breach Prevention
- Mobile Security
- Network Security
- Penetration Testing, and more!
Number 8 – Cyber Tec Security
- Founded: 2018
- Location: Bristol, UK
- Number of employees: 11-50
- Clients: Bland Group, Qwil Messenger, Vvast and more!
Since 2018, Cyber Tec is aiming to help small to medium enterprises (SME) in the UK to become cyber safe and secure. Before 2018, SME’s did not have a reliable and trustworthy solution to knowing they are safe on the web. To reduce the risk of breach, Cyber Tec Security offers different plans from just £299 annually. Through these plans, SME’s are able to have free cyber insurance, 80% risk reduction, 12 month certification, and more!
More specifically, Cyber Tech specialises in antivirus, compliance, bata breach prevention, data protection, data security, firewall, incident and breach response, network security, penetration testing, and more!
Number 9 – Logically Secure
- Founded: 2006
- Location: Cheltenham, UK
- Number of employees: 11-50
- Clients: Medical Retailed, Software Development, and more!
Logically Secure was founded in 2006 to provide penetration testing services to the music industry, computer game organisations and technical advice to HMG departments. Since 2006, the company has grown to offer consultancy, digital forensics, training, incident response, CTFs, Red Teaming and any other cyber support their customers require.
The team at Logically Secure are passionate about what they do, and want to keep their customers as secure as possible. Whilst the company is small, they are large and experience in what they do. Logically Secure’s expert team have extensive experience and knowledge, understanding client’s needs, exceeding expectations.
Logically Secure’s technical services include bespoke IT Security penetration testing of networks, web applications, mobile apps and wireless infrastructure; carefully scoping each individual’s requirements to recommend and deliver testing that is most appropriate for their customers. Locally Secure can support and assess businesses wanting to achieve certification and recognition in their first or continued steps in effective cybersecurity.
Their services are available to customers both in the UK or overseas, with many of their services available for remote delivery.
Number 10 – Protection Group International (PGI)
- Founded: 2013
- Location: Bristol, UK
- Number of employees: 51-200
- Clients: Unknown
Since 2013, PGI have been demystifying cybersecurity and intelligence, making it accessible to organisations of all types and sizes. With a team of talented and passionate people, they are helping to reduce the risks to organisations’ finances, physical assets and, most of all, people.
Their clients are some of the most well-known global brands, as well as innovative growing businesses, meaning their projects are varied. PGI is constantly helping to tackle the threats of the 21st century, managing digital risk. From cybersecurity services to business intelligence, their team of world-class experts help companies reduce the risks to your finances, reputation, physical assets and people.
More specifically, PGI builds nation and corporate security resilience, turn information into intelligence and help organisations under the risk they face.
Other Penetration Companies in London, UK and US to Consider
Netsparker
- Founded: 2009
- Location: London, UK
- Number of employees: 50-200
- Clients: Cisco, Ford, NFL, Starbucks, Verizon and more!
Back in 2006, Ferruh Mavituna became frustrated spending hours and days manually verifying the results of automated web security scans, weeding out false positives and managing vulnerability assessments. This fueled his ambition to create an end to end security solution, one that integrates into the SDLC and greatly reduces the number of reported false positives, allowing teams to scale their efforts without expanding their head count.
Netsparker, today, is a young and enthusiastic UK based company focused on developing automated web security products, mainly the false positive web application security scanners Netsparker Desktop and Netsparker Cloud. The company specialises in application security, data breach prevention, data security, penetration testing, website security and more!
What is Penetration Testing?
Penetration Testing or Pen Test, also known as ethical hacking, is the authorised attempt to break into networks or software programs to prevent the risk of cyber criminals hacking it. Once the system is explored, vulnerabilities are detected and are then evaluated and improved, inhaling the security of the system. The network professionals have a large understanding of cybersecurity, illustrating clear links between penetration testing and network defence and then fixing any security issues.
Through this planned “attack” on a computer system, companies use the same process a hacker would use to hack into a business network or website. Once the vulnerability is found, it is used to exploit the system to gain access to the featured data.
How does Penetration Testing work?
Penetration testing differs depending on the unique needs of different organisations. Although IT specialists of a specific company could perform penetration testing, the test should be carried out by someone who thinks like a hacker but has the clients best interests at heart. To ensure this, well-trained testers will follow a checklist to ensure that the test is carried out at full and no vulnerabilities are left.
Many companies are now providing customers with penetration testing, and with this there are two distinct types of penetration testing available. These include:
- Blackbox Testing – This requires testers to attempt to enter the network from an external location from the one of the network, with no previous knowledge of the network, and this is typically used.
- Whitebox Testing – This involves having insider knowledge and is typically used following blackbox testing.
Most companies will perform both Blackbox and Whitebox Testing to ensure a highly secure network. During the process there are four different phases of penetration testing:
- Network Enumeration / Discovery – Testers will gather information about the network in this phase which will help during the next couple of phases.
- Vulnerability Assessment – This phase identifies any common and uncommon breach points.
- Exploitation – After gaining understanding about the network and identifying the vulnerabilities, the person testing will exploit the identified vulnerabilities, hacking into the network.
- Reporting and Repair – This phase highlights the results of the different phases showing the vulnerabilities found, and how they can be resolved to prevent future exploitations.
How much does Penetration Testing cost?
Penetration testing protects companies from being hacked and are carried out by highly trained professionals with credentials behind their name, meaning you would want it carried out with the highest quality. This means that prices vary depending on the company and what needs to be done and different variables, including:
- Complexity: the size and complexity of your environment and network, with larger and complex environments requiring more labour.
- Methodology: every companies methods vary, with some using more expensive tools than others, however this could reduce the time of the test and produce higher quality results.
- Experience: pen testers with more experience are more expensive.
- Onsite: with large and complex environments, onsite visits may be needed especially if you request a physical security or social engineering penetration test.
- Remediation: Some pen testers offer resetting in their price.
