Penetration Testing Practice
Run web app + network pen tests for SMEs needing CREST / CHECK assurance
In a typical day, you'll conduct penetration tests on client web applications and networks, identifying vulnerabilities and suggesting mitigations. You'll also spend time preparing reports that detail your findings, which are essential for demonstrating compliance with CREST or CHECK standards. Interacting with clients, particularly their Chief Information Security Officers (CISOs), to discuss findings and recommendations will also form a key part of your work, alongside continuous learning to stay updated on the latest cyber threats.
The increasing number of cyber threats and the rise in data breaches have made penetration testing a critical need for SMEs. Many are now seeking CREST or CHECK certifications to assure clients and stakeholders of their security posture. The UK government’s focus on cybersecurity and the introduction of stricter data protection regulations further amplify the demand for these services, making this a timely business opportunity.
As a founder, you’ll need a solid understanding of cybersecurity principles and experience with penetration testing methodologies. Realistically, you should be prepared to invest around 20-30 hours a week in the initial stages, balancing between obtaining your CREST certification and building client relationships. You’ll also need to be adaptable and willing to learn, as the cybersecurity landscape is ever-evolving.
With effective marketing and strong service delivery, you could see revenues of £36,000 to £120,000 within 12 to 24 months. Building a solid client base and possibly expanding services can lead to consistent repeat business and referrals. As your reputation grows, you might also consider hiring additional testers to scale your operations.
- Security
- Code
£3k–£15k per engagement
You can expect a gross margin of around 60-70% on your services, depending on your operational efficiency.
The UK’s growing focus on cybersecurity due to increasing cyber threats and data protection regulations creates a ripe environment for penetration testing services. SMEs are prioritising security assurances, making this an opportune time to enter the market.
Your primary customers are small to medium-sized enterprises (SMEs) across various sectors needing to demonstrate compliance with CREST or CHECK standards. These businesses typically have limited internal cybersecurity resources, making outsourced services highly valuable.
The UK cybersecurity market is projected to grow significantly, with a reported 40% increase in demand for cybersecurity services over the last two years. With over 5.5 million SMEs in the UK, the potential client base for penetration testing services is substantial.
Revenue & pricing
You will charge clients on a project basis, with fees ranging from £3,000 to £15,000 per engagement depending on the size and complexity of the tests. Recurring contracts or retainer agreements can provide additional revenue stability.
- Basic web application penetration test: £3,000
- Network penetration test for small businesses: £5,000
- Full security assessment package: £10,000
- Annual retainer for ongoing testing and support: £15,000
Costs
- CREST certification fees: £1,000
- Basic penetration testing tools: £500
- Marketing materials and website: £300
- Insurance (professional indemnity): £500
- Company registration with Companies House: £100
- Website hosting and maintenance: £30
- Professional indemnity insurance: £50
- Marketing campaigns (ads and outreach): £200
- Software subscriptions (tools): £70
First steps
1. Get CREST cert
2. Build tooling
3. Pitch via CISOs
Your first 90 days
- Register your business with Companies House.
- Apply for your CREST certification.
- Research and select your penetration testing tools.
- Develop your marketing plan, including a website.
- Network with local SMEs and cybersecurity professionals.
- Complete your CREST certification.
- Launch your website and social media channels.
- Begin outreach to potential clients and schedule meetings.
- Conduct your first penetration tests and gather client feedback.
- Refine your service offerings based on initial experiences.
How to get customers
Network with CISOs and promote your services.
- Local business networking events: attend and present your services to SMEs.
- Content marketing: publish articles on cybersecurity issues relevant to SMEs.
- Email campaigns: reach out to SMEs with tailored offers and insights.
Tools you'll actually use
| Tool | Cost | Why |
|---|---|---|
| Tide | £0 | For business banking with no monthly fees. |
| Xero | £30/month | For accounting and invoicing management. |
| Notion | £8/month | For project management and documentation. |
| Calendly | £8/month | To schedule client meetings easily. |
| Stripe | 2.9% + 20p per transaction | For handling payments securely. |
Common mistakes to avoid
- Neglecting to build a robust portfolio before pitching.
- Underestimating the time required for certification.
- Failing to keep up with the latest cybersecurity trends.
- Not adequately marketing services to potential clients.
- Overlooking the importance of client follow-up and feedback.
How to scale this
1. Start as a solo practitioner providing basic penetration testing.
2. Expand your services to include security training and consulting.
3. Hire additional certified testers to increase capacity.
4. Develop a comprehensive suite of cybersecurity services over time.
Risks & mitigations
- Risk: high competition in the cybersecurity market. Mitigation: focus on niche sectors or specific compliance certifications.
- Risk: potential client data breaches during testing. Mitigation: ensure thorough client agreements and insurance coverage.
- Risk: staying current with evolving cyber threats. Mitigation: invest in ongoing training and industry certifications.
- Risk: initial cash flow challenges. Mitigation: secure a small line of credit for early operational costs.
UK legal & compliance
- Register your business with Companies House and adhere to UK regulations.
- Obtain professional indemnity insurance to protect against claims.
- Ensure compliance with GDPR when handling client data.
- Follow best practices for data security in your testing processes.
FAQ
What qualifications do I need to start?
You should ideally have experience in cybersecurity and obtain relevant certifications.
How long does it take to become CREST certified?
Typically, it takes 3-6 months depending on your preparation.
Can I work remotely?
Yes, most of the testing can be done remotely with proper tools.
What type of clients should I target?
Focus on SMEs that require compliance with CREST or CHECK standards.
How do I manage client relationships?
Regular communication and follow-up are key; consider using CRM tools.