Manual, CREST-quality penetration testing
See what an attacker could really do — before they do it.
We run controlled, ethical penetration tests to show real-world impact, not just a long list of issues. You get clear scenarios, evidence and next steps your team can act on.
- In-house CREST-certified penetration tester.
- External, internal and web application testing options.
- Clear, risk-based reporting for technical and non-technical stakeholders.
- Collaborative approach with your IT / security team — no “gotcha” testing.
Short form, then we come back with a sensible scope and quote based on your environment.
Mitchell Munday
CREST-certified Penetration Tester
In-house lead on all penetration testing engagements.
Real tester, not a black box. You work directly with the person doing the testing — someone who can talk to both engineers and the board.
What a pen test actually does.
Penetration testing is a controlled, ethical attempt to find and exploit weaknesses in your systems — in the same way an attacker might, but with guardrails.
Instead of just listing vulnerabilities, a pen test looks at how those issues can be chained together, what data or access they lead to, and how far someone could realistically get.
The result is a small number of clear scenarios that help you prioritise fixes, justify investment and give stakeholders confidence.
Evidence for boards, customers and insurers that testing is actually happening.
Realistic attack paths instead of theoretical risks.
Validation that your controls work the way you think they do.
Concrete scenarios that drive focused remediation work.
Types of penetration testing we can provide.
Scope is always agreed with you in advance, but most engagements fall into one or more of these areas.
External network
Tests your internet-facing services (firewalls, VPNs, portals, etc.) to see what an external attacker can reach and exploit.
Internal / assumed breach
Looks at what happens if an attacker gets a foothold inside — for example via phishing or a compromised account.
Web application
Manual testing of key web apps and portals, going beyond automated scanners to look for logic flaws and chained issues.
Remote access / VPN & more
Focused tests on remote access paths, VPNs or specific components that are high-risk for your organisation.
Meet your lead penetration tester.
Every engagement is led by an in-house, CREST-certified penetration tester — not a rotating cast of anonymous offshore contractors.
You work directly with the person doing the testing. That means clear reasoning, real-world attack paths and explanations that land with both engineers and board members.
Mitchell Munday
CREST-certified Penetration Tester & lead for all Cyber Trust pen tests
Mitchell leads our penetration testing work at Cyber Trust. He combines a rigorous, CREST-aligned methodology with a pragmatic, attacker's mindset — focusing on how real attackers chain issues together to reach systems, data and business impact.
The result is not just a list of vulnerabilities, but a small number of clear attack scenarios, with exactly what was done, what it means and what to fix first. Technical teams get enough depth to act; leadership teams get concise, confidence-building clarity.
Relentlessly focused on real risk
Prioritises realistic attack paths and “fix first” items, not noise from scanners or checklists.
Clear with engineers & the board
Walkthroughs tailored to your audience — from deep technical detail to board-ready summaries.
Actionable, pragmatic reporting
Clear remediation steps, sensible priorities and context your team can actually implement.
Collaborative, not “gotcha” testing
Works alongside your team to strengthen your environment — no blame, just clear, calm assurance.
How a typical engagement works.
Controlled, agreed and communication-heavy — so there are no surprises for you or your team.
Scoping
We agree objectives, targets, rules of engagement and any constraints.
Preparation
Accounts or access (if needed) are set up, with clear contacts and safe testing windows.
Testing
Manual testing is carried out within scope, with updates if anything critical is found.
Report & debrief
You receive a written report plus a walkthrough call to explain findings and next steps.
All testing is pre-agreed and carefully coordinated to minimise disruption while still representing realistic attack behaviour.
Ready to scope a penetration test?
Tell us what you're worried about and roughly what's in scope. We'll come back with a sensible test approach and clear pricing — no hard sell, no jargon.
- Short, focused enquiry — takes a couple of minutes.
- We suggest scope, timings and an estimated budget.
- Initial conversation is exploratory, not a sales pitch.
Opens a short popup form. We'll review it and get back to you with options and next steps, usually within one working day.
Who should be thinking about pen testing.
If any of these sound familiar, a focused penetration test is usually a good next step.
- Organisations handling sensitive data, payments or critical processes.
- Teams under customer or regulatory pressure to demonstrate regular testing.
- Businesses that already run vulnerability scanning and want deeper assurance.
- Firms launching new or significantly changed systems (web apps, remote access, infra changes).
- Organisations that want to understand “worst plausible case” rather than guess.
- Leadership teams who want clearer answers than “the tools say we're fine”.
Want to know what an attacker could really do?
Tell us what you're worried about, and we'll help you design the right penetration test for your organisation.
We'll come back with options, timelines and a clear view of what's involved — no obligation.