Security Assessments & Pen Testing
Attacker-perspective security assessments. Understand your real exposure before attackers do.
Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026
Security Reviews Written by People Who Break In for a Living
Most security assessments tell you what controls you have. Ours show you what an attacker targeting your sector would do with the access they can get.
Our assessors come from incident response. They've seen what attackers do after they get in — and they build assessments around those real-world attack patterns.
Assessment Types
- External attack surface review — enumerate your internet-exposed assets, identify misconfigurations, exposed credentials, and vulnerable services an attacker would find before your team does
- Internal network assessment — assume-breach review of your internal environment; lateral movement paths, Active Directory weaknesses, and privilege escalation routes
- Cloud security review — M365, Azure, AWS, and GWS configuration review; identity, storage, logging, and access control gaps
- Email security assessment — SPF, DKIM, DMARC configuration; phishing simulation; M365 anti-phishing and safe links evaluation
- IR readiness assessment — evaluate your detection, response, and recovery capabilities against a defined threat profile; identify gaps before an incident finds them
- Cyber Essentials / Essentials Plus — assessment and preparation support for NCSC certification
Our Approach
We scope every assessment against your actual threat profile — the specific threat actors likely to target your sector, your size, and your data. We prioritise findings by real-world exploitability, not theoretical severity scores.
We work with your team, not against them. We brief findings before the final report so nothing in the written output is a surprise.
Report Standards
Every finding includes confirmed evidence of exploitability, business impact in plain language, and a clear remediation path. No padding with low-value theoretical findings. Executives get a dashboard summary; your technical team gets the detail they need to act.
Frequently Asked Questions
What's the difference between a vulnerability scan and a security assessment?
A vulnerability scan identifies known software vulnerabilities using automated tools. A security assessment combines automated tooling with human analysis — we look at configuration, logic flaws, access control design, and attack chaining that automated scanners can't detect.
Do you do penetration testing?
Yes — internal and external penetration testing is part of our assessment capability. We scope the engagement type based on your objectives: a scoped pentest has clearly defined rules of engagement; a red team exercise is more open-ended and simulates a realistic targeted attack.
How long does an assessment take?
External attack surface reviews are typically completed in 3–5 days. Internal assessments and cloud reviews typically take 5–10 days, depending on scope. We scope timing at engagement start and keep you informed throughout.
Can you help us achieve Cyber Essentials certification?
Yes. We can assess your current state against the five Cyber Essentials controls, identify gaps, support remediation, and prepare you for the formal certification assessment.
Do you provide remediation support?
We provide detailed remediation guidance in every report. For organisations that want hands-on remediation support, we can provide that as a follow-on engagement or refer you to appropriate specialists.