CREST-accredited · UK team

Penetration testing with named testers, not a black box

CREST-accredited penetration testing delivered by the same UK consultants from scoping call to retest. Daily updates, one-hour critical escalation, and a retest included.

Test types we cover

External network

Black-box and grey-box testing of your internet-facing perimeter — firewalls, VPNs, remote services, and exposed APIs.

Web application

OWASP Top 10 coverage with authenticated role-based testing, business logic abuse, and client-side attack chains.

Internal network

Simulated insider and assumed-breach scenarios across Active Directory, cloud workloads, and flat network segments.

Cloud configuration

IAM, network, and workload review across AWS, Azure, and GCP, mapped to CIS Benchmarks and provider guidance.

API & mobile

REST/GraphQL API fuzzing, token and session abuse, plus iOS and Android app testing including runtime inspection.

Red team & phishing

Objective-led engagements against detection and response, with optional social engineering and phishing payloads.

CREST credentials

  • CREST-accredited company (CREST Pen Test)
  • All testers hold CREST CRT or OSCP (minimum)
  • Lead testers hold CCT INF or OSCE
  • UK-based team — DBS checked and SC-cleared on request
  • Cyber Essentials Plus certified

Sanitized sample report

See exactly what your report will look like. We send a redacted external-network and web-application report — CVSS scoring, reproduction steps, and remediation guidance included — in exchange for a work email.

Request the sample report

Our methodology

  1. Scoping

    We run a 30-minute scoping call, issue a fixed-fee proposal, and sign an MSA + rules of engagement.

  2. Kick-off

    Named lead tester introduces themselves, confirms scope, targets, and comms channels, and agrees testing windows.

  3. Testing

    Daily stand-ups, a live findings channel, and critical-issue escalation inside one hour of discovery.

  4. Reporting

    Draft report within five working days of test end, including executive summary, CVSS-scored findings, and reproduction steps.

  5. Retest

    Free retest of all High and Critical findings within 90 days, with an updated attestation letter.

Frequently asked questions

Are your pen tests CREST accredited?

Yes. Cyvex is a CREST-accredited company for CREST Pen Test. Every lead tester holds CREST CRT or OSCP, and most hold CCT INF or OSCE.

Can I see a sample pen test report before I buy?

Yes. Request a sanitized sample report using the form below — we will share a redacted external-network and web-application report so you can see our writing, CVSS scoring, and remediation detail before committing.

How long does a penetration test take?

A typical SME external + web-app test runs 5–10 working days end-to-end, with a further 5 working days for reporting. Larger or red team engagements run 3–6 weeks.

How much does a penetration test cost?

Most UK SME engagements land between £6,000 and £18,000 depending on scope and test type. We issue a fixed-fee proposal after a 30-minute scoping call.

What happens if a critical issue is found mid-test?

We escalate Critical and High findings through an agreed comms channel within one hour of discovery, with enough detail for your team to triage immediately — you do not have to wait for the report.

Do you offer a retest?

Yes. A retest of all High and Critical findings is included within 90 days of the final report, with an updated attestation letter for customers, auditors, and insurers.

Book a 30-minute scoping call

Fixed-fee proposal within 48 hours. Named lead tester, CREST-accredited methodology, and a free retest of High and Critical findings within 90 days.

Book a scoping call