A small external engagement (1-20 IPs, ≤10 subdomains) typically takes 2-3 working days. Mid-market (20-100 IPs, cloud edge) takes 5-7 days. Enterprise (100+ IPs, multi-region, hybrid cloud) takes 8-12 days. Test duration is determined during scoping based on attack-surface size.

Small engagements range £4,000-£6,500. Mid-market (most commonly commissioned) £6,500-£14,000. Enterprise £14,000+. All quotes are fixed-price after scoping. Day rate equivalent is £1,000-£1,500 per CREST-certified tester per day.

We follow PTES (Penetration Testing Execution Standard), NIST SP 800-115, and the OWASP Testing Guide. Each engagement starts with passive OSINT before any active testing. We test exactly what’s reachable from the public internet — what an external attacker would actually see. Combined with internal network penetration testing, you get full attack-path coverage.

Yes. Shodan, Censys, FOFA, theHarvester, and certificate transparency log mining are core to our recon phase. We also perform dark-web credential exposure checks for your domain and key personnel. OSINT is included in every external engagement at no additional cost.

Yes — every external engagement checks for dangling DNS records pointing to deprovisioned cloud resources. Subdomain takeover is a common high-impact finding (e.g., GitHub Pages / Heroku / S3 / Azure CDN). We provide safe proof-of-takeover evidence without claiming the resource.

Yes — external testing covers cloud edge surface: load balancers, public S3 / Blob containers, exposed CloudFront origins, lambda function URLs, VPC peering misconfiguration. For full configuration review of cloud control planes we recommend our dedicated AWS, Azure, or GCP cloud security review.

External network penetration testing simulates an attacker with no access — they only see your public-facing services. Internal testing simulates an attacker who’s already on your network (compromised laptop, malicious insider, post-phish foothold). They’re complementary; CREST and NCSC recommend both annually for high-assurance organisations.

Yes — external pen testing maps directly to Cyber Essentials Plus boundary firewall and external scanning scope. We provide the test report, attestation letter, and remediation evidence in the format IASME assessors require. We are an IASME Cyber Essentials Certifying Body ourselves.

External network penetration testing is largely passive at first (banner-grabbing, version detection, OSINT). Active exploitation phases use safe-by-default checks. Any potentially disruptive test (exploit attempts on rare services) is paused for explicit client approval before execution. We do not run DoS attacks against production.

Testing originates from controlled test infrastructure in the UK or EU by default. We can rotate source addresses for scenarios where an attacker would use specific geo origins (Russia, China, etc.) — but only when this matches your real threat model and has been explicitly authorised.

All external infrastructure testers are vetted UK or international engineers. Relevant certifications across the team include CREST CRT and CCT INF (infrastructure), OSCP, OSCE, and protocol-specific specialisms. SC-cleared testers are available for public-sector and regulated-financial engagements.

Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.