By EJN Labs · 14 Jun 2026 · 9 min read
A DTAC penetration test report is a CREST-delivered report your NHS buyer’s assessors will accept as technical-security evidence. It pairs a plain-English executive summary with technical detail, maps every finding to the OWASP Top 10, scores it with CVSS, and gives remediation advice plus a retest that confirms fixes. It is built to drop straight into a DTAC submission.
What makes a DTAC penetration test report different
If you sell software to the NHS, sooner or later a buyer asks for a DTAC penetration test report. The request usually arrives during procurement or information governance due diligence: a Trust, an Integrated Care Board or a GP practice has applied the Digital Technology Assessment Criteria to your product, reached the technical security section, and wants proof that you have tested it. We field this exact inbound request from digital health suppliers, and the common thread is that an ordinary scan will not clear the gate.
DTAC is the baseline framework NHS organisations use to assess a digital health product before they buy or deploy it, and DTAC version 2 became mandatory across NHS assessments on 6 April 2026. It is not legislation: it is required in practice to sell to the NHS rather than legally mandatory, but in procurement it behaves as a threshold you have to clear. Its technical security section is where penetration testing lives, alongside Cyber Essentials and vulnerability management. The original form numbered the pen-testing requirement C3.2, asking for evidence that testing has been carried out on your product, and how often. The v2 form re-flows and shortens the questions, so the exact label may differ, but the expectation is unchanged.
This guide focuses on what makes a report DTAC-compatible. To learn how to interpret a report you already hold, read our guide on how to read a pen test report, and review a redacted example on our sample penetration test report page.
The seven things a DTAC-compatible report must have
A report passes DTAC due diligence when it answers the assessor’s underlying question: has an independent, credible tester examined the live product, and can the supplier show it fixed what was found? In practice that means seven things.
- An executive summary in plain English. A non-technical risk picture for the procurement lead or information governance reviewer, stating the overall posture and the issues needing urgent attention.
- Technical detail for engineers. Each finding written so a developer can reproduce and fix it, with affected endpoints, a description and proof of concept.
- OWASP Top 10 mapping. Findings benchmarked against a recognised methodology rather than an in-house checklist, which makes them defensible to an assessor.
- CVSS scoring. Every issue scored with the Common Vulnerability Scoring System, so severity is consistent and comparable rather than a subjective label.
- Clear remediation advice. Specific, actionable fixes for each finding so your team knows exactly what to change.
- A retest that confirms closure. A follow-up verifying Critical and High issues are resolved is what turns a list of problems into evidence.
- A credible, accredited tester. CREST membership is the quality signal NHS buyers and assessors recognise, so an uncredentialed report carries less weight.
Scope matters as much as structure. The norm assessors expect is an annual external test covering the whole solution architecture, which for most digital health products means the web application, its APIs and the supporting infrastructure, with mobile added where the product has an app. A scan with no manual validation, or a test of a single component chosen for convenience rather than risk, leaves gaps an assessor will spot. Because DTAC asks how often you test, a one-off report is also weaker evidence than a documented annual cadence.
What we test, and why it maps to NHS due diligence
A DTAC engagement almost always involves a patient-facing application or a clinical SaaS platform that handles identifiable health data, so we test by hand against the risks NHS buyers care about most. From our own engagements, the findings that recur on health-tech products are broken object-level authorisation, where one logged-in user reaches another patient’s records by changing an identifier in an API call, and weak multi-tenant isolation, where data from one care organisation leaks into another’s view. Both are access-control failures a scanner rarely surfaces, because they need a human to understand the data model and try to step across it.
We run a grey-box assessment, testing with valid credentials rather than from the outside only. A black-box test never reaches the authorisation flaws above, and a report that omits them is not a clean bill of health; it is an untested one. We focus on authentication, access control, multi-tenant isolation, data exposure and the injection classes in the OWASP Top 10, then score each finding with CVSS and adjust the rating for real-world risk in your product's context, and explain that reasoning so your buyer can see the judgement behind each rating.
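The two access-control failures described above are easiest to see side by side. The following is an added example, not code from EJN Labs or from any tested product: a deliberately minimal model of a records API with a vulnerable lookup next to a hardened one, plus the identifier walk a grey-box tester performs with a valid login. The organisations, users, record identifiers and the patient/clinician role model are constructed for illustration.

```python
"""Broken object-level authorisation (BOLA) and weak tenant isolation,
shown as a vulnerable record lookup beside a hardened one.
Added example; data and role model are constructed, not from any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str   # care organisation (tenant) the user belongs to
    role: str     # "patient" or "clinician"


@dataclass(frozen=True)
class Record:
    record_id: int
    org_id: str
    patient_id: str
    body: str


# Constructed sample data: two care organisations sharing one platform.
RECORDS = {
    101: Record(101, "org-a", "pat-a1", "A1 blood results"),
    102: Record(102, "org-a", "pat-a2", "A2 discharge summary"),
    201: Record(201, "org-b", "pat-b1", "B1 referral letter"),
}
USERS = {
    "pat-a1": User("pat-a1", "org-a", "patient"),
    "clin-a": User("clin-a", "org-a", "clinician"),
    "clin-b": User("clin-b", "org-b", "clinician"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_record_vulnerable(user: User, record_id: int) -> Record:
    """Authenticated but not authorised. The only check is that a logged-in
    user made the call, so changing the identifier reads any patient's record
    (BOLA), and a clinician at org-b reads org-a's data (no tenant scoping)."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def get_record_hardened(user: User, record_id: int) -> Record:
    """Scope the lookup to the caller's tenant first, then apply the
    object-level rule: patients read only their own records, clinicians
    read records within their own organisation."""
    rec = RECORDS.get(record_id)
    # Cross-tenant hits are answered exactly like missing records, so an
    # attacker cannot use the difference to enumerate another tenant's ids.
    if rec is None or rec.org_id != user.org_id:
        raise NotFound(record_id)
    if user.role == "clinician":
        return rec
    if user.role == "patient" and rec.patient_id == user.user_id:
        return rec
    # Deny by default: unknown roles and other patients' records.
    raise Forbidden(record_id)


def readable_ids(fetch, user: User, candidate_ids) -> set[int]:
    """The manual check a tester performs with one valid login: walk
    neighbouring identifiers and return those the caller can actually read.
    Compare the result with what the caller should be allowed to see."""
    seen = set()
    for rid in candidate_ids:
        try:
            fetch(user, rid)
        except (NotFound, Forbidden):
            continue
        seen.add(rid)
    return seen


if __name__ == "__main__":
    for name, fetch in (("vulnerable", get_record_vulnerable),
                        ("hardened", get_record_hardened)):
        for uid in ("pat-a1", "clin-b"):
            print(name, uid, sorted(readable_ids(fetch, USERS[uid], RECORDS)))
```

With the vulnerable lookup, patient pat-a1 reads all three records and org-b's clinician reads org-a's data; with the hardened lookup, pat-a1 reads only record 101 and clin-b only 201. The point a scanner misses is that every one of these responses is a valid, authenticated 200; only a tester who understands the data model and tries to step across it sees the leak.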
This is the technical security evidence DTAC asks for. Our companion guide on DTAC technical security covers when you need Cyber Essentials, Cyber Essentials Plus and a penetration test, and our selling software to the NHS security checklist walks the whole assurance pack a buyer expects, from DPIA to DSPT.
How the report fits your DTAC submission and IG due diligence
The report does not work in isolation. DTAC’s technical security section also expects a current Cyber Essentials certificate validated against the IASME database, and Cyber Essentials Plus for higher-risk systems that process patient data. Reviewing your submission, an assessor wants a recent report (within twelve months) against the live product, evidence that vulnerabilities were remediated, and certificates that genuinely scope the NHS data-processing environment rather than a head-office-only footprint.
For GP-practice and smaller-Trust due diligence, the executive summary often does the heavy lifting, because the reviewer is an information governance lead rather than a security engineer, so we lead with a plain-English summary and keep the remediation status visible. For larger procurements with a security team in the loop, the technical detail and the OWASP and CVSS mapping carry the assessment. A DTAC-compatible report serves both readers from one document.
What a DTAC penetration test costs and how long it takes
Pricing is driven by your scope in tester days at a flat UK day rate, with every tester senior or principal. A focused DTAC engagement covering a single web application and its API typically runs to four to six days, which works out at roughly £4,800 to £7,200, with the report and retest following shortly after. A larger platform with several APIs, cloud infrastructure and an internal network needs more days and costs more accordingly. The table below is indicative; your exact figure is confirmed in a fixed quote.
| DTAC scope | Typical tester days | Indicative cost (2026, ex VAT) |
|---|---|---|
| Single web application + API | 4 to 6 days | £4,800 to £7,200 |
| Web app + API + external infrastructure | 6 to 9 days | £7,200 to £10,800 |
| Multi-app platform + cloud + internal network | 9 to 14 days | £10,800 to £16,800 |
Cost is set by what is in scope, not by tester seniority, because every engagement is delivered by senior and principal testers. For an exact, scoped price, use our quote form and we return a fixed quote within 24 hours.
Why EJN Labs for your DTAC penetration test report
A DTAC-compatible report has to satisfy two halves of the technical security section at once, and most suppliers end up coordinating two vendors to produce it. We cover both from one engagement. EJN Labs is a CREST member for penetration testing, the accreditation NHS buyers and assessors recognise, and we are a Cyber Essentials and Cyber Essentials Plus certification body through our IASME relationship, so we can certify you directly. That means the pen-test report and the certificates your assessor wants to see beside it come from the same team, scoped together, with no gap between them.
We are also ISO 27001 and ISO 9001 certified, and every report is produced by the senior and principal testers who carried out the work, so the findings, proof and remediation advice come from the people who actually performed the assessment. We are a UK firm fluent in NHS and health-tech supplier assurance: we understand DTAC’s technical security section, how it connects to the DSPT and information governance due diligence, and what a GP-practice or Trust reviewer needs to see to sign off. On scope, we deliver the technical-security evidence (penetration testing, Cyber Essentials and Cyber Essentials Plus, vulnerability management). We do not deliver clinical-safety work such as DCB0129 or DCB0160, and we do not hold NCSC CHECK, so we describe ITHC work neutrally rather than offering it. For the money-page view of this offer, see our NHS DTAC penetration testing service.
Frequently Asked Questions
What is a DTAC-compatible penetration test report?
It is a report built to clear DTAC’s technical security section. It pairs a plain-English executive summary with technical detail, maps each finding to the OWASP Top 10, scores it with CVSS, gives clear remediation advice, and confirms that Critical and High findings were retested and closed. It is delivered by a CREST tester and written to drop straight into your DTAC submission and your NHS buyer’s information governance due diligence.
Is penetration testing mandatory for DTAC?
DTAC’s technical security section asks for evidence of penetration testing and how often it is carried out. It is required in practice rather than legally mandatory, but NHS buyers expect an independent test against recognised standards such as the OWASP Top 10 before they progress procurement. The established norm is an annual external test covering the full solution architecture.
Who delivers the report, and does CREST matter?
CREST membership is the quality signal NHS buyers and assessors recognise, so a report from a CREST-accredited provider carries more weight in due diligence than one from an uncredentialed tester. At EJN Labs every report is produced by the senior and principal testers who performed the work, so the findings and remediation advice come directly from the people who ran the assessment.
How much does a DTAC penetration test cost?
Cost is driven by your scope in tester days at a flat UK day rate, with every tester senior or principal. A focused test of a single web application and its API typically runs to four to six days, which is roughly £4,800 to £7,200. A larger platform with cloud and internal network in scope costs more. For an exact, scoped price rather than a range, request a fixed quote and we return it within 24 hours.
Do I also need Cyber Essentials or Cyber Essentials Plus for DTAC?
Yes. DTAC’s technical security section expects a current, valid Cyber Essentials certificate as a baseline, and Cyber Essentials Plus for business-critical or higher-risk systems that handle patient data. We are a certification body for both through our IASME relationship, so the certificates sit alongside your penetration test as one evidence pack.
Get a DTAC-compatible penetration test report
If your NHS buyer has asked for security evidence, we will scope a CREST-delivered test, produce a report your assessors will accept, and pair it with the Cyber Essentials certificate that completes your DTAC technical security section. Request a CREST penetration testing quote and we return a fixed price within 24 hours.