CREST-Certified External Penetration Testing for UK Businesses
External network and infrastructure penetration testing aligned to PTES, NIST SP 800-115, the OWASP Testing Guide, and OSSTMM / SANS methodologies. Manual exploitation of exposed services, weak SSL/TLS, leaked credentials, subdomain takeover, and patch-level RCE. Fixed-price quotes within 24 hours.
- Unlimited retesting
- Unlimited pre-retesting
- No hidden fees
“I would highly recommend EJN Labs to any organisation seeking reliable, detailed, and well-managed penetration testing services, particularly for government or enterprise-level projects.”
“There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.”
is how long it takes an attacker to find your exposed RDP server on Shodan. External infrastructure pen testing finds it first.
Your attack surface is bigger than you think.
Modern UK businesses run a sprawling attack surface, and effective attack-surface management requires more than passive scanning. Public IP ranges, forgotten subdomains, third-party hosting, leaked credentials on paste sites, exposed admin panels with default credentials, and dev / staging environments left routable. External attackers don’t ask for an asset list; they enumerate it.
Our external infrastructure penetration testing combines OSINT (Shodan, Censys, theHarvester, dark-web credential scanning) with manual exploitation against every reachable service, mapped to PTES, NIST SP 800-115, the OWASP Testing Guide, and OSSTMM.
Reports satisfy ISO 27001 Annex A.13.1, PCI DSS Req 11.3, NCSC vulnerability-management guidance, and Cyber Essentials boundary firewalls, without translation work.
12 EXTERNAL ATTACK CATEGORIES
What We Test in External Penetration Testing
Aligned to PTES, NIST SP 800-115, and the OWASP Testing Guide. Each category is exploited manually with industry-standard tooling: Nmap, Burp Suite Pro, custom scripts, and OSINT platforms.
Exposed Services & Open Ports
Discovery and verification of every reachable port, banner-grabbing service identification, and version fingerprinting across the public IP range.
Outdated Software / Unpatched CVEs
Manual exploitation of unpatched services. Validated proof-of-concept rather than scanner false positives.
Weak SSL/TLS Configuration
Cipher-suite analysis, certificate validation, downgrade attacks, expired certificates, weak DH parameters, deprecated protocol versions.
Credential Leakage & Defaults
Dark-web credential scans, paste-site hits, and default-credential testing on every reachable management interface.
Subdomain Takeover
Dangling DNS records pointing to deprovisioned cloud resources. Identification plus safe proof-of-takeover via a test record.
Email Security (SPF / DKIM / DMARC)
Domain-spoofing exposure, SPF / DKIM / DMARC validation, BIMI / MTA-STS posture, and anti-phishing posture review.
VPN / RDP / SSH Exposure
Brute-force resilience, MFA enforcement, version exploits (for example CVE-2019-19781 Citrix), and credential-stuffing tolerance.
Cloud Edge Misconfiguration
Exposed S3 / Blob containers, leaked CloudFront origins, misconfigured WAFs, and SaaS edge endpoints with weak authentication.
Web Admin Panels Exposed
phpMyAdmin, Jenkins, Kibana, GitLab, Grafana, and Prometheus discovered through hostname enumeration and tested for default or weak credentials.
Information Disclosure
Verbose error messages, exposed git repositories, .DS_Store files, server-status pages, /metrics endpoints, and robots.txt secrets.
Forgotten Dev / Staging
Discovery of dev, staging, test, qa, and uat subdomains routable from the public internet, typically with weaker controls than production.
Bypass of WAF / DDoS Edge
Origin-IP exposure via SSL certificate logs, historical DNS, and mail-server identification: bypass of CloudFlare / AWS Shield / Akamai protection.
FOUR-PHASE METHODOLOGY
External Penetration Testing: From OSINT to Attestation
Discovery before exploitation. External network penetration testing starts where attackers start: open-source recon. We never test what we don’t know, and we never miss what is reachable.
OSINT & Recon
Passive footprinting via Shodan, Censys, and FOFA. Subdomain enumeration, certificate-transparency log mining, dark-web credential scan, and theHarvester for exposed addresses.
Active Discovery
Port scanning across the IP range, service identification, version fingerprinting, CVE matching, SSL/TLS configuration assessment, and subdomain DNS validation.
Manual Exploitation
CVE proof-of-exploit, default-credential testing, subdomain-takeover validation, information-disclosure exploitation, origin-IP bypass testing, and configuration-weakness chains.
Report & Retest
CVSS-scored findings, attack-path narrative, executive plus technical reports, free retest within 30 days, and direct engineer access via portal.
CREDENTIALS
Verified Accreditations Auditors Accept
Every credential below is independently verifiable. UK procurement teams, FCA supervisors, ISO 27001 / SOC 2 auditors, and cyber insurance underwriters all recognise these standards.
GET YOUR QUOTE
Get a fixed External Penetration Testing quote in 24 hours
A fixed-price quote back in one business day, from a named CREST assessor. No sales pipeline, no chasing.
- CREST and IASME accredited. Testing your auditors and clients already recognise.
- Fast-track testing within 24 hours where required. Free retest of every fix included.
- Live findings via your client portal, not a four-week PDF.
- Fixed price from £3,500 for a single-role, single-app scope, agreed up front. Most engagements run £5,000 and up. No day-rate surprises.
Under NDA Further named references available on a scoping call.
- We reply within one business day with a fixed-price quote from a named CREST assessor.
- You approve the scope and we book a start date, usually within 24 hours.
- Live findings land in your client portal as we test, with a free retest of every fix.
Get your fixed pen test quote in 24 hours
Quote request received
We will reply within one business day with your fixed-price quote from a named CREST assessor.
Your data stays with us. No newsletter signup.
or book a 20-min scoping call first
We reply within one business day. Your data stays with us. No newsletter signup.
COMPLIANCE READY
External Reports Mapped to Every Framework
Findings tagged to specific control IDs in your compliance framework. Audit teams submit directly without translation.
ISO 27001 (Annex A)
A.13.1 network security, A.13.2 information transfer, and A.12.6.1 vulnerability-management evidence.
SOC 2 Type I & II
CC7.1 vulnerability identification and CC6.6 logical-access controls evidence for SOC 2 audits.
PCI DSS
Req 11.3.1 / 11.3.2 external network testing, required for all PCI-scoped environments processing payment data.
NCSC Vulnerability Management
External-facing assets validated against NCSC vulnerability-management guidance, public-sector aligned.
NHS DSPT & UK GDPR Art 32
External attack-surface evidence for NHS supply-chain partners and any regulated processor of UK personal data.
Cyber Essentials Plus
Boundary firewall and external testing scope, aligned with IASME audit-grade evidence requirements.
PRICING
Transparent External Penetration Testing Pricing
All tiers include the same depth of testing. Price varies by attack-surface complexity: number of public IPs, subdomain count, cloud-edge breadth, and exposed services.
Depends on app complexity
1-20 public IPs, single subnet, up to 10 subdomains. Standard external posture review. Typically 2-3 day engagement.
Get a fixed quoteDepends on app complexity
20-100 IPs, multi-subnet, cloud edge, up to 50 subdomains, mixed VPN / RDP / SaaS exposure. Typically 5-7 day engagement.
Get a fixed quoteDepends on app complexity
100+ IPs, hybrid cloud, multi-region, 50+ subdomains, regulated workloads, Cyber Essentials Plus scope. Typically 8-12 day engagement.
Get a fixed quoteBY SECTOR
External Penetration Testing for Your Sector
External attack-surface risk varies by sector. We test the controls your regulators and auditors specifically require.
Fintech & FCA-Regulated
Open Banking edge, FCA SYSC exposure, payment-platform DNS, Cloudflare-protected origin scrutiny, PCI scoping.
Fintech sector pageSaaS Companies
Multi-tenant cloud edge, SSO endpoints, customer subdomain takeover, exposed admin / metrics endpoints, SOC 2 evidence.
SaaS sector pageLaw Firms
Privileged-data perimeter, partner-portal exposure, document-management edge, SRA Cyber Standard alignment.
Law firm sector pageHealthcare
NHS supply-chain perimeter, telehealth edge, EHR integrations, DSP Toolkit external evidence.
Healthcare sector pageInsurance
Claims-portal exposure, broker-VPN scrutiny, cyber-underwriter evidence, FCA / PRA Operational Resilience.
Insurance sector pagePublic Sector
Citizen-facing edge, GOV.UK integrations, NCSC-aligned, SC-cleared testers available, CCS / G-Cloud evidence.
Public sector pageWHY EJN LABS
What You Actually Get
What distinguishes our external testing from automated scans and box-tick competitors.
What You Get From External Penetration Testing
OSINT-driven attack-surface discovery, manual exploitation of every reachable service, and free retests until validated.
Discovery-First Methodology
We start with passive recon: Shodan, Censys, and certificate-transparency mining. We test what attackers actually find, not your asset list.
No Scanner-Only Reports
Every CVE flagged on automated scanners is manually validated. False positives are eliminated before reporting. You get real risk, not noise.
Boundary Firewall + Cyber Essentials Aligned
External pen testing maps directly to Cyber Essentials Plus boundary scope and IASME audit-grade evidence.
Free Retests Within 30 Days
Verify remediation of every external finding before close-out. Attestation letter for audit submission included as standard, no per-retest charge.
UK CREST + IASME + ISO 27001 + ISO 9001
Independently accredited and verifiable on the CREST marketplace. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers.
FAQ
Frequently Asked
How long does an external penetration test take?
A small external engagement (1-20 IPs, up to 10 subdomains) typically takes 2-3 working days. Mid-market (20-100 IPs, cloud edge) takes 5-7 days. Enterprise (100+ IPs, multi-region, hybrid cloud) takes 8-12 days. Test duration is determined during scoping based on attack-surface size.
How much does external infrastructure penetration testing cost in the UK?
Small engagements range £3,500-£6,500. Mid-market (most commonly commissioned) £6,500-£12,000. Enterprise £12,000-£22,000. All quotes are fixed-price after scoping. Day rate for CREST-certified testers is £1,100-£1,400 per day.
What methodology do you follow?
We follow PTES (Penetration Testing Execution Standard), NIST SP 800-115, and the OWASP Testing Guide. Each engagement starts with passive OSINT before any active testing. We test exactly what is reachable from the public internet: what an external attacker would actually see. Combined with internal network penetration testing, you get full attack-path coverage.
Do you use Shodan, Censys, and OSINT tools?
Yes. Shodan, Censys, FOFA, theHarvester, and certificate-transparency log mining are core to our recon phase. We also perform dark-web credential-exposure checks for your domain and key personnel. OSINT is included in every external engagement at no additional cost.
Do you check for subdomain takeover?
Yes: every external engagement checks for dangling DNS records pointing to deprovisioned cloud resources. Subdomain takeover is a common high-impact finding (for example GitHub Pages, Heroku, S3, or Azure CDN). We provide safe proof-of-takeover evidence without claiming the resource.
Can you test our cloud edge (AWS / Azure / GCP)?
Yes: external testing covers the cloud-edge surface: load balancers, public S3 / Blob containers, exposed CloudFront origins, lambda function URLs, and VPC peering misconfiguration. For full configuration review of cloud control planes we recommend our dedicated AWS, Azure, or GCP cloud security review.
What is the difference between external and internal pen testing?
External network penetration testing simulates an attacker with no access; they only see your public-facing services. Internal testing simulates an attacker already on your network (a compromised laptop, malicious insider, or post-phish foothold). They are complementary; CREST and NCSC recommend both annually for high-assurance organisations.
Do you provide evidence for Cyber Essentials Plus?
Yes: external pen testing maps directly to Cyber Essentials Plus boundary firewall and external scanning scope. We provide the test report, attestation letter, and remediation evidence in the format IASME assessors require. We are an IASME Cyber Essentials Certifying Body ourselves.
Will testing impact production?
External network penetration testing is largely passive at first (banner-grabbing, version detection, OSINT). Active exploitation phases use safe-by-default checks. Any potentially disruptive test (exploit attempts on rare services) is paused for explicit client approval before execution. We do not run denial-of-service attacks against production.
Do you test from the UK or internationally?
Testing originates from controlled test infrastructure in the UK or EU by default. We can rotate source addresses for scenarios where an attacker would use specific geographic origins, but only when this matches your real threat model and has been explicitly authorised.
Are your testers UK-based and what certifications do they hold?
All external infrastructure testers are vetted UK or international engineers. Relevant certifications across the team include CREST CRT and CCT INF (infrastructure), OSCP, OSCE, and protocol-specific specialisms. SC-cleared testers are available for public-sector and regulated-financial engagements.
Do you sign NDAs?
Yes. We sign a standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach-notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
20+ CREST-certified testing services in one place
Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.
Get a fixed External Penetration Testing quote in 24 hours
A CREST-certified infrastructure tester will contact you within one business day with a fixed price, a realistic timeline, and the named consultant. No sales pipeline.



