SECTOR — PUBLIC SECTOR
CREST-certified penetration testing for UK public sector and government suppliers. Crown Commercial Service supplier, G-Cloud framework, central and local government, NHS supply chain, MOD partners. UK-cleared testers available.
CCS G-Cloud Supplier | CREST Approved Provider | IASME Cyber Essentials Body | UK-cleared Testers Available
REGULATORY CONTEXT
What UK Government & NCSC Expect
NCSC Guidance
NCSC's published penetration testing guidance sets the expectations for UK government-related testing. Our methodology aligns to that guidance for in-scope public sector engagements. Note that for HMG systems, and for PSN Code of Connection IT Health Checks in particular, NCSC points to its own CHECK scheme rather than CREST membership alone; which scheme your engagement must satisfy is confirmed at scoping.
Cyber Essentials Plus
Cyber Essentials Plus is mandatory at many UK public sector procurement gates and in central government supplier requirements. Because EJN is an IASME-licensed certification body, the Cyber Essentials Plus assessment and the penetration test can be delivered by a single vendor.
CCS Framework Procurement
Crown Commercial Service supplier status allows public-sector customers to engage EJN through G-Cloud and Digital Outcomes frameworks without separate procurement processes.
SCOPE
What We Test for UK Public Sector & Government Suppliers
CITIZEN-FACING
Web Applications
Citizen-facing service portals, gov.uk-style services, digital identity flows. Accessibility (WCAG) plus security; OWASP Top 10 manual exploitation, IDOR, business-logic flaws.
SERVICE INTEGRATION
API Testing
Cross-government API integration (DWP, HMRC, GOV.UK One Login as the GOV.UK Verify successor). REST and GraphQL, with scrutiny of where public sector data flows between departments and suppliers.
INFRASTRUCTURE
PSN / Internal Network
Public Services Network connectivity scrutiny, internal segregation, Active Directory attack paths. PSN compliance evidence and boundary testing between security domains where applicable (the legacy IL0-IL4 impact levels were replaced by the OFFICIAL / SECRET / TOP SECRET tiers of the Government Security Classifications Policy, so boundaries are scoped in those terms).
CLOUD
AWS / Azure / GCP
Government-cloud configuration review (UK-region only options scrutinised). IAM, encryption, audit-logging, data-residency compliance.
SOCIAL
Phishing Assessments
Targeted phishing simulation against public sector staff, using government-aware pretexts: gov.uk impersonation, supplier-payment redirection fraud, and department-style scenarios (MoJ, DfE, DWP).
ADVANCED
IT Health Check
PSN-pattern IT Health Checks for organisations with PSN connectivity requirements, including remediation action plan scoping and segregation evidence for the Code of Connection submission.
OUR ACCREDITATIONS
Verified Credentials That Matter to UK Public Sector & Government Suppliers
Public sector procurement and supplier-management functions expect penetration testing evidence to come from accredited, UK-based providers. Each credential below is individually verifiable, supports Cyber Essentials Plus procurement gates, and shortens G-Cloud / Digital Outcomes onboarding.
CREST Member
CREST membership is the accreditation that central government supplier-management functions and public sector procurement teams most often cite as the baseline for penetration testing rigour. NCSC's own guidance recommends CREST-member companies for non-government organisations; for HMG systems and PSN CoCo IT Health Checks it specifies the NCSC CHECK scheme, so confirm at scoping which requirement applies to you.
IASME Cyber Essentials Body
Cyber Essentials is mandatory for many UK central government contracts (PPN 09/14) and for MOD suppliers under DEFCON 658, with Cyber Essentials Plus required where the risk profile demands it. Our IASME-licensed certification body status means we can deliver the Cyber Essentials Plus assessment and the penetration test in a single engagement.
ISO 27001 (BSI)
ISO 27001 (BSI-audited) is referenced in many public sector supplier requirements. Our certificate provides evidence for the supplier cyber-control verification clauses in central government contracts, which shortens onboarding.
ISO 9001 (BSI)
ISO 9001 (BSI-audited) covers our delivery quality management system. UK public sector procurement teams ask for ISO 9001 evidence in supplier-quality assessments and in Crown Commercial Service framework re-applications.
UK Cyber Security Council
Corporate membership of the UK Cyber Security Council, the government-backed professional body for the sector. Chartered and registered status under the Council's scheme is held by individual practitioners, not companies, so where a CDDO / Cabinet Office engagement asks for chartered-professional evidence, tester-level evidence is agreed at scoping.
Crown Commercial Service
We are a Crown Commercial Service supplier (G-Cloud framework). Public sector customers can engage EJN through G-Cloud purchasing routes, avoiding separate procurement processes and accelerating delivery start.
OUR PROCESS
From Scope to Attestation in 4-6 Weeks
Scoping Call
30-minute technical scoping call. Define attack surface, methodology, rules of engagement, and timeline. Fixed-price quote within 24 hours.
Active Testing
3-15 days of hands-on testing by CREST-certified pen testers. Daily status updates and live findings delivered to your client portal.
Reporting
Executive summary plus full technical report with CVSS scores, reproduction steps, screenshots, and specific remediation. 60-minute walkthrough call.
Free Retest
After remediation, we retest at no extra charge. Letter of attestation provided for audit, regulator submission, or insurance underwriting.
COMPLIANCE READY
Reports Aligned to Every Framework
Findings map to specific control references in each framework, so your audit team submits the report directly without translation work.
NCSC Guidance
Penetration testing guidance alignment for in-scope public-sector engagements.
Cyber Essentials Plus
Mandatory for many central government procurement gates.
PSN Compliance
PSN connectivity and segregation evidence where applicable.
UK GDPR
Article 32 security of processing, with handling protocols for the Article 9 special-category data (health, ethnicity, religion) and Article 10 criminal-offence data that citizen-facing services commonly hold.
ISO 27001
Annex A.8.8 (management of technical vulnerabilities) and the A.5.31 / A.5.36 compliance controls in ISO 27001:2022; A.12.6.1 and A.18 in the 2013 numbering still used by some public sector supplier questionnaires.
NHS DTAC / DSPT
Where public-sector suppliers also serve NHS partners.
PRICING
Indicative Engagement Pricing
Fixed-price quotes confirmed during scoping. Free retest, executive summary, walkthrough call, and letter of attestation included.
Single citizen-facing service
£5,000 – £18,000 depending on data sensitivity and integration complexity.
Network + AD + Phishing
£10,000 – £30,000 covering internal infrastructure plus staff-targeted phishing campaign.
Full IT Health Check
£20,000 – £55,000 across applications, network, cloud, citizen data flows, supplier risk.
FAQ
Frequently Asked
Are EJN testers SC-cleared?
Yes. EJN has SC-cleared testers available where engagement scope requires it. Cleared-tester engagements are scoped during the initial scoping call, with vetting status verified pre-engagement.
Can we engage you through G-Cloud?
Yes. EJN is a Crown Commercial Service supplier on the G-Cloud framework. Public sector customers can engage EJN through G-Cloud purchasing routes, avoiding separate procurement processes.
Do you test PSN-connected services?
Yes. EJN delivers PSN-pattern IT Health Checks for organisations with PSN connectivity. Engagement covers PSN connectivity scrutiny, internal segregation, and IL0-IL4 boundary testing where applicable.
How do you handle citizen data during testing?
Citizen data held by public sector services frequently includes Article 9 special-category data (health, ethnicity, religion) or Article 10 criminal-offence data under UK GDPR, so we treat it as high-risk by default. We test in non-production environments with synthetic citizen data. Production testing requires explicit Information Governance approval and a DPIA; Article 36 prior consultation with the ICO applies only where the DPIA identifies a high residual risk that cannot be mitigated.
Can you test our gov.uk Pattern Library service?
Yes. Services built on the GOV.UK Design System (govuk-frontend) are tested with specific awareness of common patterns: form-handler vulnerabilities across multi-page journeys, address-lookup integration, GOV.UK One Login authentication (the GOV.UK Verify successor), and the points where accessibility and security requirements pull against each other.
MOD / Defence-tier engagements?
EJN delivers engagements for defence suppliers at the List X / Def Stan 05-138 level. Direct MOD engagements that involve material above OFFICIAL, compartmented (STRAP) handling, or specific Industry Security Notice requirements need pre-engagement vetting; please scope those directly.
Do you provide CDDO / Cabinet Office reporting formats?
Yes. Our reports can be delivered in Cabinet Office / CDDO-aligned reporting formats for central government engagements, including GovAssure-relevant evidence packaging.
Book a Public Sector Scoping Call
30 minutes with a CREST-certified pen tester. Fixed-price quote within 24 hours.