Certification to prove the basics. Testing to prove the rest.
Every engagement is led end-to-end by a Cyber Scheme Team Leader (CSTL) qualified tester, scoped to a fixed price, and reported in plain English your whole team can act on.
Cyber Essentials & Cyber Essentials Plus
The UK government-backed scheme covering the five technical controls that stop the large majority of common internet-based attacks. It's the credential customers, insurers and public-sector tenders increasingly expect.
We don't just hand you a questionnaire. We review where you stand against the current scheme, help you close the gaps, and take you through to certification — including the hands-on technical audit required for the Plus level.
What's assessed
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Security update management
Cyber Essentials is a self-assessment verified by us; Cyber Essentials Plus adds an independent hands-on test of those same controls.
External infrastructure
Everything an attacker can reach from the internet, tested the way a real adversary works — not just scanned.
We enumerate your internet-facing footprint, hunt for the exposures automated tools miss, and safely demonstrate real impact where we find a way in. You get a clear picture of your perimeter and a prioritised list of what to fix first.
Covered by the infrastructure specialism of the CSTL qualification (CSTL-INF).
What we look at
- Public IP ranges and exposed services
- Web, mail and VPN gateways
- Cloud edges and forgotten assets
- Patch levels and misconfigurations
- Credential exposure and weak authentication
Internal infrastructure
If an attacker got a foothold — a phished laptop, a rogue insider — how far could they go? Internal testing answers that.
Working from inside your network, we map what's reachable and methodically escalate: lateral movement, privilege escalation, and the Active Directory weaknesses that turn one compromised machine into domain-wide control. The report shows the chain step by step, so the fixes are obvious.
Covered by the infrastructure specialism of the CSTL qualification (CSTL-INF).
What we look at
- Network segmentation and reachable services
- Active Directory and identity weaknesses
- Privilege escalation paths
- Lateral movement and credential reuse
- Server, workstation and patch hygiene
Web application
Authenticated, role-aware testing of your apps and APIs — including the logic flaws a scanner will never understand.
We test as different user roles to find broken access controls, probe your business logic, and chain issues into real-world attack scenarios. Findings come with reproduction steps your developers can follow and fixes mapped to your stack.
Hands-on, methodology-led testing aligned to the OWASP standards — not just an automated scan.
What we look at
- OWASP Top 10 and beyond
- Authentication, sessions and access control
- Business-logic and authorisation flaws
- APIs and integrations
- Injection, SSRF, and data exposure
Many teams combine all three.
External, internal and web app testing answer different questions — and together they give the fullest picture. Tell us your environment and we'll recommend the right scope, not the biggest one.