Penetration testing for UK small businesses: costs, process, and what to expect

9 min read

Written by Daniel J Glover

Published 17 May 2026

Penetration testing is one of the most misunderstood services in the UK cyber security market. Some SME owners assume it is only for large enterprises with dedicated security teams. Others buy the cheapest automated scan they can find and call it done. Neither approach serves you well. This guide explains what penetration testing actually involves for a business your size, what it costs, how to choose a provider you can trust, and what to do when you get the report back.

What is penetration testing?

Penetration testing -- often called pen testing -- is a structured, authorised attempt to attack your systems, applications, or people using the same techniques a real attacker would use. The goal is to find exploitable weaknesses before someone with malicious intent does.

The key word is "authorised." A pen test is a controlled exercise conducted under a formal agreement that defines the scope, timing, and limits of the test. Unlike a vulnerability scan -- which identifies potential issues based on known signatures -- a pen test involves a human tester actively attempting to exploit those vulnerabilities to understand the real-world impact of a successful attack.

For UK small businesses, pen testing is typically commissioned for one of three reasons: to satisfy a contractual or regulatory requirement, to validate that security controls actually work before handling sensitive data, or to provide an independent assessment after a significant change to infrastructure or applications.

Types of penetration test

Not all pen tests are the same. The scope and methodology depend on what you are trying to assess.

External network penetration test

This tests the security of your internet-facing systems -- your public IP addresses, firewalls, remote access portals, and any services exposed to the internet. The tester starts with no access, simulating an external attacker. This is the most common starting point for SMEs and covers the attack surface that directly faces the public internet.

Internal network penetration test

This tests what an attacker could do once inside your network -- either via a compromised employee device, a phishing attack that yields credentials, or physical access to an office network port. The tester starts with a foothold on the internal network and attempts to escalate privileges, move laterally, and access sensitive systems or data. This type of test is increasingly relevant for businesses using flat networks or relying heavily on perimeter-only controls.

Web application penetration test

This specifically targets a web application -- a customer portal, e-commerce site, SaaS product, or internal management system. The tester attempts to exploit application-layer vulnerabilities including authentication weaknesses, injection flaws, insecure direct object references, broken access controls, and business logic issues. Web application tests follow established methodologies such as the OWASP Testing Guide and are scoped per application rather than per network.

Social engineering

Social engineering tests target your people rather than your technology. The most common form is phishing simulation -- the tester sends realistic phishing emails to staff and measures how many click links, submit credentials, or download attachments. More advanced exercises include telephone pretexting (calling staff impersonating suppliers, IT support, or management) and physical access attempts. Social engineering tests are a valuable complement to technical testing because people remain one of the most reliable attack vectors regardless of how well your systems are secured.

Cyber Essentials Plus versus a standalone pen test

If you are pursuing Cyber Essentials certification at the Plus level, you will undergo an independent technical audit. It is worth understanding what this does and does not cover.

Cyber Essentials Plus verifies that the five Cyber Essentials controls are correctly implemented: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. The auditor runs scans and checks configurations to confirm these controls are in place and functioning. It is controls-based verification, not active exploitation.

A penetration test goes further. A tester will attempt to chain together multiple weaknesses -- a misconfigured service combined with a default credential, for example -- to achieve something the automated scan would not flag as critical. Cyber Essentials Plus and penetration testing are complementary rather than alternatives: Cyber Essentials Plus gives you a recognised certification baseline; pen testing gives you a deeper, more adversarial view of real exploitability. You can read more about how the two compare in our guide to ISO 27001 versus Cyber Essentials.

What does penetration testing cost for a UK SME?

Pricing varies based on scope, complexity, and the standing of the provider. The ranges below are based on typical market rates for reputable CREST-accredited providers working with UK SMEs:

External network penetration test: £1,500 to £5,000 for a typical small business environment with a modest number of public-facing IP addresses. A simple environment with one or two internet-facing servers will sit at the lower end. Larger external attack surfaces with multiple applications and services will cost more.

Internal network penetration test: £2,000 to £6,000 depending on network size and segmentation. Testing a flat network is straightforward; a more complex environment with multiple VLANs, Active Directory, and cloud integration will take longer.

Web application penetration test: £2,000 to £10,000 or more, depending on the size and complexity of the application. A simple marketing website is different from a customer-facing portal with authentication, payment processing, and back-end API integrations. Applications with a large number of functions and input fields require proportionally more testing time.

Social engineering (phishing simulation): £500 to £2,500 for a basic phishing campaign. More sophisticated multi-vector exercises cost more.

Be cautious of quotes that seem significantly below these ranges. Competent penetration testing takes time -- it is not something that can be done properly in a few hours. Very cheap options typically involve automated scanning repackaged as a pen test, which gives you false confidence without real security benefit.

How to choose a CREST-accredited provider

CREST is the UK's primary professional body for technical cyber security services. CREST-accredited companies have demonstrated that they have the methodologies, processes, and technical competence to conduct penetration testing to a professional standard. Their testers have typically passed rigorous examinations and hold individual certifications such as CREST Registered Tester (CRT) or CREST Certified Infrastructure Tester (CCT INF).

For UK government work and many regulated sectors, CREST accreditation is a minimum requirement. For SMEs, it is the clearest signal that the provider is operating to an established professional standard rather than relying on unverified claims.

When evaluating providers, ask:

  • Are you CREST-accredited for this type of test?
  • What certifications do the individual testers hold?
  • Can you provide a sample report from a previous engagement (anonymised)?
  • What is included in scope and what is excluded?
  • What does your retesting process look like after remediation?
  • What happens if you discover a critical vulnerability during the test?

A reputable provider will answer these questions readily. They should also conduct a scoping call before quoting -- a fixed price without understanding your environment is a warning sign.

What happens during a pen test?

A typical engagement follows a defined methodology:

Scoping and planning. You agree the scope with the provider: what systems are in scope, what timing is acceptable (some tests are conducted out of hours to minimise business impact), what constitutes an emergency stop condition, and what the rules of engagement are.

Reconnaissance. The tester gathers information about your environment -- publicly available information, domain registrations, exposed services, technologies in use. This mirrors what an attacker would do before launching an attack.

Testing and exploitation. The tester actively attempts to identify and exploit vulnerabilities within the agreed scope. This may involve scanning, manual testing, attempting to authenticate with weak or default credentials, exploiting known software vulnerabilities, or chaining together multiple low-severity issues to achieve a higher-impact result.

Reporting. You receive a written report covering: an executive summary for non-technical stakeholders, a technical finding for each identified vulnerability with its severity, evidence, and recommended remediation, and an overall risk rating for the engagement.

Debrief. A good provider will walk you through the findings and answer questions. This is worth making time for -- it helps your team understand the context and prioritise the remediation list.

What to do with the report

A pen test report that sits in a folder is money wasted. The purpose of the exercise is to drive remediation.

Triage by severity. Most reports use a severity rating (critical, high, medium, low, informational). Address critical and high findings first -- these represent exploitable weaknesses with significant potential impact. Do not wait until you have fixed everything before starting.

Set remediation owners. Each finding should have a named owner and a target date. If findings span multiple teams or suppliers, someone needs to coordinate the overall remediation plan.

Verify fixes before retest. Confirm internally that each fix has been applied correctly before inviting the provider back for retesting. Retests are usually cheaper than the original engagement but they are wasted if the fix has not actually been implemented.

Treat it as a baseline. Your first pen test establishes a baseline. Running tests annually (or after significant changes to your environment) lets you track progress and demonstrate to clients and insurers that your security posture is actively managed.
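As an added example that is not part of the original post, the small Python tracker below applies these steps to a constructed list of findings: it orders them by severity, gives each an owner (or flags it as unassigned) and a target date from an assumed remediation policy, lists what is overdue, and separates fixes that are verified and ready for the provider's retest from those that would waste it. The SLA_DAYS policy, the Finding fields and the sample findings are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation policy: target days per severity rating. Tune to your own risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "informational": 365}
RANK = {sev: i for i, sev in enumerate(SLA_DAYS)}  # lower index = fix first


@dataclass
class Finding:
    ref: str                 # finding id as printed in the report
    title: str
    severity: str            # critical / high / medium / low / informational
    owner: str = ""          # named person accountable for the fix
    fixed: bool = False      # owner reports the fix as applied
    verified: bool = False   # fix confirmed internally before paying for a retest


def _due(f, report_date):
    sev = f.severity.lower()
    if sev not in SLA_DAYS:
        raise ValueError(f"{f.ref}: unknown severity {f.severity!r}")
    return report_date + timedelta(days=SLA_DAYS[sev])


def triage(findings, report_date):
    """Order findings critical-first; each row is (ref, severity, owner, target date)."""
    ordered = sorted(findings, key=lambda f: RANK[f.severity.lower()])
    return [(f.ref, f.severity.lower(), f.owner or "UNASSIGNED", _due(f, report_date))
            for f in ordered]


def overdue(findings, report_date, today):
    """Refs still open after their target date, for chasing owners before the retest."""
    return [f.ref for f in findings if not f.fixed and _due(f, report_date) < today]


def retest_scope(findings):
    """Split fixed findings into those ready for retest and those not yet verified internally."""
    ready = [f.ref for f in findings if f.fixed and f.verified]
    unverified = [f.ref for f in findings if f.fixed and not f.verified]
    return ready, unverified


# Constructed sample findings, shaped like a report's finding list (not from any real engagement).
SAMPLE = [
    Finding("F-03", "Outdated VPN appliance firmware", "High", "Net Ops", fixed=True, verified=True),
    Finding("F-01", "Default credentials on admin portal", "Critical", "Web Team", fixed=True),
    Finding("F-07", "Verbose server banners", "Informational"),
    Finding("F-05", "Missing rate limiting on login", "Medium", "Web Team"),
]

if __name__ == "__main__":
    report = date(2026, 5, 17)
    for row in triage(SAMPLE, report):
        print(row)
    print("overdue:", overdue(SAMPLE, report, date(2026, 9, 1)))
    print("ready / unverified:", retest_scope(SAMPLE))
```

The unverified list is the one to clear before booking the retest: a fix that has been reported but never confirmed is exactly the case the text warns about.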

For ongoing security oversight, a managed security service provider can help you manage remediation, track your vulnerability position between tests, and respond to incidents when they occur.

Getting started

If you have never commissioned a penetration test before, the most practical starting point for most SMEs is an external network test. It covers the attack surface that faces the public internet, it is typically the most cost-effective scope, and it addresses the threats most likely to affect you first.

If you handle customer data, process payments, or operate web-facing applications, adding a web application test is strongly advisable. If you are concerned about insider risk or phishing, add social engineering to your scope.

If you would like to discuss the right scope for your business or get an introduction to CREST-accredited providers we work with, get in touch to book a consultation.

Frequently Asked Questions

How much does penetration testing cost for a small business in the UK?

A straightforward external network penetration test for a UK SME typically costs between £1,500 and £5,000. Web application pen tests range from £2,000 to £10,000+ depending on complexity. Social engineering exercises and internal network tests add further cost. A reputable CREST-accredited provider should give you a clear scope and fixed-price quote before work begins.

Do small businesses need penetration testing?

Most small businesses are not legally required to conduct pen tests, but it is strongly advisable if you process sensitive customer data, hold financial information, or operate in regulated sectors such as healthcare or financial services. Cyber Essentials Plus certification requires an independent technical audit, and many enterprise contracts now ask for evidence of regular pen testing.

What is the difference between Cyber Essentials Plus and a penetration test?

Cyber Essentials Plus involves an independent technical audit of the five Cyber Essentials controls. It is not a full penetration test -- it verifies configuration rather than actively attempting to exploit weaknesses. A penetration test goes further, using real attack techniques to identify exploitable vulnerabilities that controls-based audits may miss.


About the author

DG

Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
