Penetration testing

We find the gaps before attackers do.

A penetration test is a controlled, authorised attempt to break into your systems using the same tools and techniques real attackers use. Our testers think like adversaries, not auditors — and they document every finding in a prioritised report your team can act on. Findings are mapped to NIST CSF 2.0 Identify and Protect functions, and a pen test report is a common requirement for ISO 27001 certification and enterprise procurement.

What's included

Scoping call to define targets, rules, and objectives
External network and web application testing
Internal network testing (where scoped)
Social engineering and phishing simulation (optional)
Full technical report with proof-of-concept evidence
Executive summary for board or management review
Findings mapped to NIST CSF 2.0 and ISO 27001 Annex A controls
Re-test of critical findings included

On methodology: We conduct pen tests to CREST-equivalent standards following OWASP, PTES, and NIST methodologies. We're always transparent about our testers' credentials before you engage.

Book a penetration test →

How a pen test works

01

Scoping & authorisation

We agree what's in scope and you give written authorisation. Nothing happens without it.

02

Reconnaissance

We gather intelligence on your environment — the same way an attacker would, with your knowledge.

03

Exploitation

We attempt to exploit vulnerabilities and document every step with evidence.

04

Reporting & debrief

A clear, prioritised report — technical for your IT team, executive summary for leadership. Mapped to NIST CSF 2.0 and ISO 27001.

05

Re-test

Once critical issues are fixed, we verify the fixes worked. Included for critical findings.

Common questions

What businesses ask us before booking.

How long does a pen test take?

Most SMB engagements run 3–5 business days of active testing, followed by 2–3 days for report preparation. Larger environments take longer — we scope this clearly before starting.

Will it disrupt our operations?

Rarely. External testing has no impact on your operations. Internal testing is carefully managed — we discuss any potentially disruptive tests before running them.

Do we need a risk assessment first?

If you've never done either, start with a risk assessment. If a client or insurer has specifically requested a pen test, go straight to that.

Is a pen test required for ISO 27001?

ISO 27001 Annex A control 8.8 strongly implies it. Most auditors and enterprise procurement teams expect to see evidence of penetration testing.

Risk Assessment

Not ready for a pen test yet? Start here to understand your full security posture.

Microsoft 365

Many pen test findings originate in M365 misconfigurations — assess both together.

Compliance

A pen test report is often required for ISO 27001, NIST CSF 2.0 alignment, and SOC 2.

Our Workflow…

Free conversation
We talk about your business, your concerns, and your goals. No sales pitch.
We scope and quote
A clear proposal arrives within two business days. Exact scope, fixed price — no surprises.
We get to work
We handle the heavy lifting. We’ll only contact you when we need something or have something to show you.
We debrief clearly
Every engagement ends with a plain-English walkthrough of findings, recommendations, and next steps.

What you need to provide…

About an hour of your time
For the initial conversation and the final debrief. We do the rest.
Access to the right people
Usually your IT contact (or you, if that’s the same person) and whoever owns the systems in scope.
Read-only access where needed
For most assessments, we only ever need read access — never admin credentials or the ability to make changes.
An honest picture of where you are
The more candid you are about your current setup, the more useful our findings will be. There’s no judgement here.

That’s genuinely it. You don’t need a dedicated IT team, a security background, or any preparation beyond booking the first call.

Not sure which service you need?

Start here.

A free 30-minute conversation. We’ll tell you honestly what your business needs — and what it doesn’t.

Book a free conversation

What others say about us…

We’d always had a family member looking after our IT, and while we trusted them completely, we hadn’t realised how much risk we were quietly carrying. KIS came in and overhauled our entire security setup, got us properly configured with multi-factor authentication, and went through our Microsoft 365 environment to make sure the right people had the right access and licensing. It wasn’t just a technical fix, it was genuine peace of mind. We now know our systems are actually secure, not just looked after by someone who means well.

Jeremy T.Owner, Auto Services

As a financial services firm, protecting client data isn’t optional. We had no formal security management framework in place and knew we needed to get serious. KIS assessed where we stood and mapped out a practical path toward NIST and ISO 27001 compliance, grounded in what was realistic for our size and structure. Their advice was prioritised and clear, and we came away with a credible roadmap and the confidence that we’re taking the right steps in the right order.

Pam K.CIO, Financial Services Firm

We were rolling out AI across the organisation and our internal IT team is great, but this was new territory. We needed someone to close the gaps fast and set us up to manage things ourselves going forward. KIS delivered on all of it. They implemented data loss prevention, a document classification scheme, and Microsoft Purview, and the uplift in our security and compliance posture has been significant. The best part? They didn’t just fix things and leave. We came out of it actually understanding the system and capable of running it ourselves.

Abby S.Compliance Officer, Telecommunications Company

We’re a small non-profit focused on young people, and like many organisations like ours, we were running largely on goodwill and volunteers. We had a website collecting significant personal information and, honestly, we hadn’t fully grasped the risk we were sitting on. KIS conducted a penetration test, walked us through every finding, and worked through remediation of all critical vulnerabilities with our budget in mind the whole time. They treated our mission as if it mattered to them too, and that made all the difference.

Elizabeth C.Senior Leader, Youth Organisation