Frequently asked questions

Answers to common questions about Pentiq's services, solutions, and delivery approach.

What's the difference between a penetration test and a vulnerability scan?

A vulnerability scan is automated. A scanner checks your assets against a database of known weaknesses and produces a list. A penetration test is manual: a human consultant attempts to actually exploit weaknesses, chains them together, and reports what an attacker could realistically achieve. Vulnerability scanning is necessary; penetration testing is what tells you whether the scanner's findings actually matter.

Related: Pentiq vulnerability scanning · Penetration testing services

Are Pentiq's testers in-house?

Yes. Penetration testing is delivered in-house by Pentiq consultants based across the UK and Canada. We don't offshore delivery to lower-cost regions.

Related: About Pentiq

How is a penetration test scoped?

Scope depends on the number of IPs, applications, complexity, and depth required. We don't publish a list rate for one-off engagements because honest scoping varies too much. What we do commit to: a quote within two working days of a scoping conversation, transparent scoping, and no surprise scope creep mid-engagement. Continuous Security Assurance (CSAS) and Vulnerability Scanning are subscription products with published tiers - see those pages for what's included.

Related: Get a quote · Vulnerability Scanning · Continuous Security Assurance

How is CSAS different from a one-off pen test?

A one-off pen test is a point-in-time engagement scoped specifically to your environment, delivered manually by a Pentiq consultant. Continuous Security Assurance (CSAS) is a managed service running on a monthly cadence across three tiers - Visibility, Resilience, and Assurance - combining autonomous platform-driven testing with progressively more Pentiq consultant involvement at higher tiers. CSAS fills the gap between annual pen tests; at the Assurance tier the four included manual pen tests usually replace your annual engagement, and at Visibility and Resilience CSAS sits alongside it.

Related: Continuous Security Assurance

When does Pentiq actually look at my CSAS findings?

The honest answer depends on the tier. Visibility: Pentiq sets you up at onboarding with the right configuration and risk-appetite settings, then the platform runs autonomously each month - there is no ongoing human review of findings. Resilience: onboarding plus one Review Credit per month, a contiguous four-hour Pentiq consultant block used to review findings, prioritise remediation, and provide guidance. Assurance: everything in Resilience, plus four manual penetration tests per year, monthly operation reviews, and quarterly executive reviews.

Related: Compare CSAS tiers

How long does a penetration test take?

A typical mid-market external infrastructure penetration test runs 3–5 working days of testing plus reporting; web application tests vary more depending on scope. We'll tell you the realistic duration during scoping, not after you've signed.

Related: Penetration testing services

What's actually in the report?

Three things: a technical report your IT team can act on (with reproduction steps and remediation guidance), an executive summary for leadership and the board, and a sanitised customer-facing summary you can share with a customer's procurement team, an auditor, or an insurer. The customer-facing summary is included by default - not an add-on.

Do you re-test after we've fixed issues?

Yes. Retests are typically scoped within the original engagement so you can validate fixes and update your evidence. We'd rather you close findings properly than leave a report half-actioned.

Do you sign NDAs?

Yes, both ways. Pentiq signs client NDAs, and we'll provide our standard Authorisation to Test alongside. Both can be signed in days, not weeks.

Can Pentiq certify us for Cyber Essentials Plus?

Yes. We deliver Cyber Essentials Plus certification through our partnership with CyberSmart, an IASME-appointed Certification Body. A single Pentiq engagement covers the pre-assessment pentest, the IASME-aligned audit, and any remediation between them - one point of contact, one timeline.

Related: Cyber Essentials Plus certification and pre-assessment testing