Ayisha Bari
This blog was updated on 26th January 2024
CHECK and CREST are two separate penetration testing accreditations, from the National Cyber Security Centre (NCSC), and the Council of Registered Ethical Security Testers (CREST), respectively. Using a CHECK or CREST certified company for penetration testing services ensures that you are using a competent, legitimate vendor that adheres to industry best practice. For this reason both CHECK and CREST are valuable certifications for penetration testing companies to hold.
CHECK is more formally called an ‘IT Health Check Service’, and is an NCSC initiative for protecting government and public sector systems in line with government policy. CREST, on the other hand, is from the Council of Registered Ethical Security Testers, and its accreditation has been developed to ensure the very highest standards of security testing.
But first, let’s recap the basics of penetration testing so we’re all on the same page.
Penetration testing is the practice of gaining access to organisational computer systems and security infrastructure. Its purpose is to identify and enumerate access points and weaknesses within the software that could leave a business open to a data breach.
Penetration tests, or “pen tests,” as they are commonly referred to within the cybersecurity and IT communities, are used to find potential vulnerabilities within a company computer system. Penetration testing is carried out by experienced professional security testers, aka ethical hackers, hired to run the necessary checks on IT systems. It is important to note that penetration tests are usually conducted by external companies (like us) for the simple reason that IT specialists within the company are too close to the process of building its systems to take an objective look at the infrastructure and identify weak points.
External cybersecurity specialists or agencies, such as Bulletproof, pride themselves on providing accurate and detailed penetration testing, with the main vulnerabilities usually outlined in a final report that prioritises results and gives remediation advice and suggestions for improvements. Penetration testing should be well resourced by every business, with many types of penetration test available for all types of technology: cloud, web apps, mobile apps, networks, IoT/OT and more. All too often penetration testing is pushed along the pipeline until a security breach has been identified – by which point systems have inevitably been compromised. We take a closer look at why it is so crucial to carry out regular pen tests with trusted third-party providers.
Pen testing is one of the best ways for a company to protect itself from hackers, from the prying eyes of the competition, and from other cybersecurity threats. This is because the process of penetration testing is designed to methodically uncover security flaws that a real cybercriminal would try to use to break into systems. The only difference is that in the case of penetration testing, nothing really gets stolen, and no data is left exposed – all vulnerability exploits are carried out with the sole purpose of patching them up after the test is finished. That said, penetration testing is not the same as modelling a real-world attack. For that there’s another service you need: red teaming.
Penetration testing helps businesses to identify their greatest areas of risk and where their systems are vulnerable. It can also serve to test an organisation’s existing security controls and determine its current cyber resilience. Another key reason is that penetration testing supports compliance. GDPR, ISO 27001, PCI DSS, FTC and SOC 2 are just some of the certification and compliance standards that request or require regular penetration testing.
So we’ve seen that carrying out regular penetration tests on your business’s IT infrastructure is necessary if you want to keep your and your customers’ data safe and secure. However, this does not mean that you can just hire any coding freelancer or IT whiz with a computer science degree to test the security of your systems. Aside from the obvious pitfall of running into a real-life hacker, you also run the risk of hiring someone with subpar skills or lacking due diligence processes.
Thankfully, there are accreditation schemes that grant cybersecurity companies the legitimacy they need for potential clients to weed out the professionals from the amateurs and bad actors. CHECK and CREST are two of the most popular pen test accreditation schemes in the UK.
Created by the National Cyber Security Centre (NCSC), CHECK is an accreditation scheme directly endorsed by the UK government. It is used primarily to certify the cybersecurity experts working for government departments, public sector bodies, and other organisations that can be considered part of the UK’s CNI (Critical National Infrastructure). Penetration tests conducted by CHECK-approved members use NCSC-recognised methods.
CREST (Council of Registered Ethical Security Testers) is an internationally recognised non-profit organisation devoted to providing top-tier accreditation to cybersecurity service companies providing penetration tests, threat intelligence, cyber incident response, and SOC (Security Operations Centre) services. Their stamps of approval are acknowledged globally and not so easy to come by: to gain CREST certification, cybersecurity agencies need to get their data security, testing methodologies, and business processes thoroughly vetted by a CREST representative.
CHECK-certified agencies are required for government departments and associated organisations, and advised for public sector bodies. If an organisation is not public sector, then it does not require a CHECK-certified service provider to conduct penetration testing. In any other instance, the CREST certification is what you should look for in your penetration testing providers, as it is the best measure of a cybersecurity company’s legitimacy and competence that is also internationally recognised.
There are merits to both CHECK and CREST depending on which sector of business you are in. Companies who provide CHECK services will be required for organisations which make up the UK’s national infrastructure, whereas CREST-approved agencies are suitable for organisations across all other sectors. What is important is that penetration testing forms a critical part of assessing the cyber resilience of an organisation.
The government-backed nature of CHECK means that it is typically more expensive than a CREST certified penetration test, whilst not providing any meaningful improvement in assurance or outcome. It’s for this reason that Bulletproof recommends CREST penetration testing for all organisations, unless you are strictly required by regulation or legislation to procure a CHECK test.
Penetration testing is crucial for identifying vulnerabilities in your networks, systems and apps, and for meeting compliance requirements. The end goal of a penetration test is to help businesses secure their user and business-critical data, which should be a top priority for every organisation, regardless of type and size. CREST accreditation is the go-to scheme for identifying professional cybersecurity vendors and telling them apart from the amateurs, ensuring that you have access to industry-approved penetration tests conducted by the experts.
Jordan is a Bulletproof Penetration Testing Manager, with several years' experience of Red Team testing and managing complex projects. He still gets involved in regular penetration tests and has a particular flair for Red and Black teaming.