Financial Services Penetration Testing for FCA-Regulated Firms

PS21/3 requires regulated firms to identify their Important Business Services, set Impact Tolerances, and demonstrate they can stay within them through severe-but-plausible disruption. Penetration testing is the evidence step: it validates whether the controls protecting those Important Business Services actually hold up under realistic attack scenarios. We scope engagements explicitly around your IBS mapping, deliver findings tagged to the operational-resilience controls they affect, and write executive summaries the operational resilience committee can take to the board.

Article 32 UK GDPR requires “regular testing, assessing and evaluating the effectiveness” of security measures. The ICO has repeatedly cited penetration testing as the canonical evidence of this for personal-data systems. We map every finding to the personal data it could expose, the lawful basis for processing affected, and the breach-notification threshold under Article 33. Reports are structured so your DPO can cite them in the Article 30 record of processing without rewriting anything.

CREST is the UK’s gold-standard penetration testing accreditation. CREST member firms undergo rigorous independent assessment of methodology, governance, technical capability, and individual tester competence. CREST-tested reports are accepted by NCSC, FCA, ISO auditors, and cyber insurers.

Our CREST membership is verifiable directly at marketplace.crest.org/supplier/ejn-labs-ltd. Auditors typically check this URL during compliance reviews.

CREST is for the broader UK private sector and accepted by NCSC. CHECK is specifically NCSC-accredited testing for UK government work. The two have similar methodology rigor; CHECK is required for HMG contracts, CREST is the industry-standard for everything else.

CREST has growing international recognition. CREST is the dominant standard in UK, Australia, Singapore, and the Middle East. In the US, customers more often request OSCP / OSCE individual certifications. Our team holds both: CREST firm membership and CREST/OSCP/OSCE individual certifications.

Small engagements £3,500–£8,000. Mid-market combined engagements (most commonly commissioned) £8,000-£18,000. Enterprise full-stack engagements £18,000+. UK day rates for CREST-certified testers are £1,000-£1,500 per day.

All service types: web app, mobile, API, external infrastructure, internal infrastructure, AWS / Azure / GCP cloud, red teaming, threat intelligence, attack surface monitoring, VAPT, code review, social engineering. Same CREST accreditation standard across every service.

Yes. CREST-aligned testing methodology satisfies PCI DSS Req 11.3 (application and network penetration testing) requirements. Our PCI DSS engagements specifically follow Req 11.3.x methodology.

Yes. CREST-aligned testing satisfies ISO 27001 Annex A.12.6.1 (technical vulnerability management). Our reports include a control-mapping summary that ISO auditors accept as evidence.

UK cyber-insurance underwriters increasingly require CREST-attested annual testing for renewal, particularly above £100k premium tier. While we cannot guarantee a premium reduction, demonstrable CREST testing is now a near-mandatory baseline for many insurance products.

Single-target engagements typically 3-5 working days. Multi-target combined engagements 7-10 days. Enterprise full-stack 12-15+ days. Test duration is determined during scoping based on scope complexity.

Yes. Every consultant working on CREST engagements holds at minimum CREST CRT (Registered Tester) qualifications. Senior consultants hold CREST CCT (Certified Tester) in their specialism: App, Inf, Cloud, Red Team. Many also hold OSCP, OSCE, OSWE for additional rigour.

Yes. Standard NDA before any technical detail is shared. We operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.