Cyber Essentials & Penetration Testing | UK Certification Body | EJN Labs

Cyber Essentials & Penetration Testing

EJN Labs is an IASME-approved Cyber Essentials certification body and a CREST-certified penetration testing company. Get baseline certification and deep security testing from one vendor.

EJN Labs is one of the few UK companies that delivers both Cyber Essentials and Cyber Essentials Plus certification (as an IASME-approved certification body) and full CREST-certified penetration testing. This means we can advise honestly on what your business actually needs — and deliver both under a single engagement.

Cyber Essentials Penetration Testing Services

The relationship between Cyber Essentials and penetration testing is widely misunderstood. Cyber Essentials Plus is not a penetration test, and a penetration test is not a substitute for Cyber Essentials. They serve different purposes, target different threats, and are often required together for UK businesses.

We offer three coordinated services to cover the full spectrum:

1. Cyber Essentials Self-Assessment Certification

The entry-level certification. We provide guidance through the IASME assessment portal and certify your submission. Suitable for small businesses establishing baseline cybersecurity hygiene, businesses entering the UK government supply chain, and organisations starting their security maturity journey.

2. Cyber Essentials Plus Hands-On Verification

The audited version of Cyber Essentials. As a certifying body, EJN Labs conducts the technical assessment ourselves: external vulnerability scanning, internal device sampling, configuration verification, and patch management evidence review. The result is a verified pass certification you can submit to your auditors, customers, or insurers.

3. CREST Penetration Testing

Where Cyber Essentials Plus stops, penetration testing begins. We offer the full range of CREST-certified penetration testing: web applications, mobile applications, APIs, internal and external infrastructure, cloud environments, and red team exercises. This is what surfaces the application-layer, business-logic, and lateral-movement vulnerabilities that baseline certification cannot find.

Why Choose EJN Labs for Both

  • One vendor, coordinated delivery — Single point of contact, single procurement process, aligned scoping. We schedule both engagements so they don’t conflict and so the findings reinforce each other.
  • Honest advice on scope — Because we deliver both services, we have no incentive to over-sell either. We’ll tell you when Cyber Essentials Plus alone is sufficient, and when targeted penetration testing is essential.
  • UK team, UK data — All work is performed by our in-house UK team. No offshore delivery. Important for data sovereignty, NDA enforceability, and the practical ability to have a discovery call at a reasonable hour.
  • Aligned reporting — Cyber Essentials Plus certification and penetration testing reports are structured to satisfy the same audit and procurement requirements where they overlap.
  • Faster procurement — One supplier onboarding, one set of NDAs, one project manager. Saves weeks for businesses navigating procurement bureaucracy.

Which Do You Need?

Your Situation | Recommended Approach
Small business, no regulatory pressure | Cyber Essentials self-assessment
Bidding for UK government contracts | Cyber Essentials Plus (often required as procurement minimum)
SaaS / web app handling user data | Cyber Essentials Plus + Web Application Penetration Test
FCA-regulated firm | Cyber Essentials Plus + Full CREST Pen Test (CBEST/TIBER alignment)
Pursuing SOC 2 or ISO 27001 | Penetration Testing required; Cyber Essentials Plus complementary for UK procurement
Cyber insurance renewal | Both; many policies require Cyber Essentials Plus + penetration testing for full coverage
Post-incident hardening | Penetration Testing first, then Cyber Essentials Plus to verify baseline

Cyber Essentials Penetration Testing: Process

For coordinated Cyber Essentials Plus + penetration testing engagements, the typical timeline is:

  1. Week 0 — Scoping: Joint scoping call covering both engagements. Confirm Cyber Essentials boundary, identify in-scope assets for penetration testing, define rules of engagement.
  2. Week 1–2 — Cyber Essentials Plus: Hands-on technical assessment, vulnerability scanning, configuration review, evidence collection.
  3. Week 3–4 — Penetration Testing: Active testing of in-scope applications and infrastructure with daily portal updates and critical-finding alerts.
  4. Week 5 — Reporting: Cyber Essentials Plus certification (pass or remediate), penetration testing report with executive summary and technical findings.
  5. Week 6+ — Remediation & Retest: Address the findings; a retest is conducted at an agreed point to validate that the fixes are effective.

Pricing

Cyber Essentials self-assessment certification typically costs £300–£500. Cyber Essentials Plus typically costs £1,500–£3,000 depending on the size of your environment. Penetration testing pricing depends on scope — see our UK penetration testing cost guide for detailed ranges.

For coordinated Cyber Essentials Plus + penetration testing engagements, we typically offer a 10–15% discount compared to procuring separately. Tell us what you need at the scoping stage and we’ll provide a combined quote.

Frequently Asked Questions

Is Cyber Essentials Plus the same as a penetration test?
No. Cyber Essentials Plus is a baseline cybersecurity certification covering five core controls. It includes vulnerability scanning but not full penetration testing. A penetration test goes deeper, manually exploiting application and infrastructure vulnerabilities. Read our full comparison.

Can EJN Labs certify my business for Cyber Essentials?
Yes. EJN Labs is an IASME-approved Cyber Essentials certification body. We can deliver both Cyber Essentials and Cyber Essentials Plus directly.

Do I need penetration testing if I have Cyber Essentials Plus?
It depends on what you’re trying to achieve. If you’re meeting a UK government procurement requirement and have no other obligations, Cyber Essentials Plus may be sufficient. If you handle customer data, process payments, are pursuing SOC 2/ISO 27001, are FCA-regulated, or have specific cyber insurance requirements, you typically need both.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment questionnaire reviewed by a certifying body. Cyber Essentials Plus adds a hands-on technical verification by the certifying body, including vulnerability scanning of internet-facing systems and a sample of internal devices.

Get Started

30-minute scoping call. We’ll confirm what you need (Cyber Essentials, Cyber Essentials Plus, penetration testing, or a combination) and provide a fixed-price quote for the right scope.