CREST-Certified Vulnerability Assessment and Penetration Testing (VAPT) for UK Businesses
VAPT combines automated vulnerability scanning with manual penetration testing — broad coverage from automation, depth from human exploitation. CREST-certified, fixed-price, sector-aligned. Suitable for ISO 27001, SOC 2 Type I/II, PCI DSS, and Cyber Essentials Plus compliance evidence.
Vulnerability scans give you breadth. Pen tests give you depth. VAPT combines both.
A pure vulnerability assessment runs Nessus / Qualys / Tenable / OpenVAS across your environment and surfaces hundreds of CVEs. The problem: 50-60% are false positives, context-dependent, or unexploitable. Engineers waste days triaging. Auditors see a hopeless pile of “Critical” findings.
VAPT (Vulnerability Assessment and Penetration Testing) flips the model: automated scanning for breadth (every IP, every endpoint, every service), then manual exploitation for depth (which findings are actually exploitable, what attack chains they enable, what business impact they have). The result is an audit-acceptable evidence pack for ISO 27001, SOC 2, PCI DSS, and Cyber Essentials Plus — not a noise dump.
COMBINED METHODOLOGY
What VAPT Includes
Six layers of coverage spanning automated scan + manual exploitation. Network, application, cloud, and human attack surfaces.
External Vulnerability Assessment
Authenticated and unauthenticated scans of every public-facing IP and subdomain. CVE matching, version fingerprinting, configuration drift.
Internal Vulnerability Assessment
Internal network scan against patch level, weak service configuration, exposed admin panels, and credentialed misconfigurations.
Web Application Scan
Automated DAST against web applications — SQL injection, XSS, broken auth, insecure deserialization, dependency CVEs.
API & Cloud Configuration
Automated checks against API endpoints + cloud configuration baseline (CIS AWS / Azure / GCP Foundations Benchmark).
Manual Penetration Testing
Human-validated exploitation of the highest-priority findings. Attack chains built across multiple findings.
Business Logic Testing
Human-only attacks: authorisation flaws, business-logic abuse, race conditions, OAuth misconfigurations, payment-flow attacks.
Network & AD Exploitation
Active Directory attacks (Kerberoasting, AS-REP roasting, BloodHound path analysis), lateral movement, privilege escalation chains.
Compliance Evidence
PCI DSS Req 11.3 evidence, ISO 27001 Annex A.12.6.1, SOC 2 CC7.1, Cyber Essentials Plus boundary firewall.
Remediation Validation
Free retest of every remediated finding within 30 days — automated AND manual validation included.
Email Domain Posture
SPF / DKIM / DMARC validation, BIMI / MTA-STS posture, anti-phishing readiness.
Subdomain Takeover Sweep
Comprehensive dangling DNS check across the registered domain space. Safe proof-of-takeover where applicable.
Dark Web Credential Sweep
Cross-reference of company and employee email addresses against dark-web breach corpora.
FOUR-PHASE METHODOLOGY
VAPT — From Discovery to Audit-Ready Evidence
Automated scan first for breadth. Manual exploitation for depth. Combined report for audit-grade compliance evidence.
Discovery + Scoping
Automated Vulnerability Assessment
Manual Penetration Testing
Report & Remediation
Verified Accreditations Auditors Accept
Every accreditation is independently issued by a recognised UK certification body.
COMPLIANCE READY
VAPT Reports Mapped to Every Framework
Findings tagged to specific control IDs in your compliance framework. Audit teams submit directly without translation.
ISO 27001 (Annex A)
A.12.6.1 vulnerability management, A.13 network security, A.14 secure development — control evidence ISO auditors accept.
SOC 2 Type I & II
CC7.1 vulnerability identification, CC6.6 logical access, CC7.2 monitoring evidence. Trust Services Criteria coverage.
PCI DSS
Req 11.3 application-layer testing, Req 11.2 vulnerability scanning evidence, Req 6.5 secure development assurance.
Cyber Essentials Plus
Boundary firewall + external scanning + internal client testing scope. IASME audit-grade evidence.
NHS DSPT
Asset 9 standard 7 evidence, vulnerability management workflow, patient-data perimeter.
FCA / PRA / DORA
Operational Resilience evidence, vulnerability management as an Important Business Service control.
TRANSPARENT PRICING
Transparent VAPT Pricing
All tiers include the same depth — automated VA + manual PT + audit-grade evidence. Price varies by environment size and compliance scope.
Small (price depends on environment size)
≤30 IPs external + ≤30 internal, single web app, basic compliance scope. Typically 5-7 day engagement.
Mid-market (price depends on environment size)
30-100 IPs external + 30-100 internal, 2-5 web apps + APIs, ISO 27001 + SOC 2 evidence. Typically 8-12 day engagement.
Enterprise (price depends on environment size)
100+ IPs, multi-app, Active Directory, cloud configuration, multi-framework compliance evidence. Typically 12-15 day engagement.
Every tier includes:
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
VAPT for Your Sector
Compliance evidence requirements vary by sector. We map VAPT findings to the controls your regulators specifically demand.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
Five things that distinguish our service from automated scans and box-tick competitors.
What You Get From VAPT
Automated for Breadth, Manual for Depth
Audit-Grade Evidence Pack
Free Retests Within 30 Days
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
What does VAPT stand for?
VAPT stands for Vulnerability Assessment and Penetration Testing. It combines automated vulnerability scanning (broad coverage of CVEs and configurations) with manual penetration testing (deep exploitation and business-logic attacks). VAPT delivers audit-grade compliance evidence efficiently.
How is VAPT different from a pure penetration test?
A pure penetration test focuses on manual exploitation. VAPT adds automated vulnerability assessment for breadth — every IP, every endpoint, every service is scanned, then high-priority findings are validated manually. This is faster and more cost-effective for compliance audits where evidence breadth matters.
How long does VAPT take?
Small engagements (≤30 IPs, single app) typically take 5-7 working days. Mid-market (30-100 IPs, multi-app) takes 8-12 days. Enterprise (100+ IPs, AD + cloud) takes 12-15 days. Test duration is determined during scoping.
How much does VAPT cost in the UK?
Small engagements £5,000-£10,000. Mid-market (most commonly commissioned) £10,000-£18,000. Enterprise £18,000-£25,000. All quotes are fixed-price after scoping. UK day rates for CREST-certified VAPT consultants are £1,000-£1,500 per day.
What scanning tools do you use?
Industry-standard tools including Nessus, Qualys, Tenable.io, OpenVAS, Burp Suite Pro, and Acunetix. We tailor tool selection to environment type — Nessus for traditional infrastructure, Burp for web apps, Tenable for cloud configuration. We never rely on a single tool.
Is VAPT acceptable for ISO 27001 audit?
Yes. VAPT directly addresses ISO 27001 Annex A.12.6.1 (technical vulnerability management) requirements. Our reports include a control-mapping summary that ISO auditors accept as evidence — without your team having to translate findings into ISO language.
Is VAPT acceptable for PCI DSS?
Yes. VAPT addresses PCI DSS Req 11.3 (application and network penetration testing) and Req 11.2 (vulnerability scanning). Our PCI DSS engagements specifically follow Req 11.3.x methodology with the additional rigour PCI auditors demand.
Is VAPT acceptable for SOC 2?
Yes. VAPT provides evidence for SOC 2 Trust Services Criteria CC7.1 (vulnerability identification), CC6.6 (logical access controls), and CC7.2 (monitoring of system components). Reports are submitted directly to your SOC 2 auditor.
Is VAPT enough for Cyber Essentials Plus?
VAPT supports the boundary firewall, external scanning, and client device testing scopes of Cyber Essentials Plus. We are an IASME Cyber Essentials Certifying Body — we can issue Cyber Essentials Plus certification directly following VAPT. Combined engagements (VAPT + CE+ certification) are available.
Do you provide remediation guidance?
Yes. Every finding ships with prioritised remediation guidance, CVSS scoring, business-impact context, and where applicable, configuration patches. For high-severity findings we include direct engineer access via our portal during remediation.
Are your testers UK-based and what certifications do they hold?
All VAPT testers are vetted UK or international engineers. Relevant certifications include CREST CRT and CCT (App and Inf), OSCP, OSCE, OSWE, and platform-specific specialisms. SC-cleared testers are available for public-sector and regulated-financial engagements.
Do you sign NDAs?
Yes. Standard NDA before any technical detail is shared. We operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
Book a VAPT Scoping Call
30 minutes with a CREST-certified VAPT consultant. Fixed-price quote within 24 hours. No sales pipeline.