Over the past few years there’s been an explosion in demand for penetration testing services. What was once seen as a service only needed by larger enterprises is now more affordable than ever and is used by SMEs and startups. This increase in adoption is partly down to pen testing being an all-round useful cyber control, but it’s also driven by compliance.
Many compliance standards recommend or require penetration testing, and pen testing is an essential part of PCI DSS, ISO 27001, Cyber Essentials, SOC 2 and FTC to name but a few. Some are less explicit, not calling out penetration tests by name, but word their requirements so that they can only really be met with a pen test.
Businesses can use a pen test to meet compliance requirements in three ways:
Before we look at the top compliance standards that need penetration testing, let’s quickly cover what it is. A penetration test is a simulated, ethical cyber attack that aims to uncover and identify security vulnerabilities in your network, systems and applications. Occasionally there’s some confusion about the difference between penetration testing and vulnerability scanning, so I made this quick video to demystify the two terms:
When the driver for a penetration test comes from a compliance need, there are a few things businesses need to bear in mind:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of stringent security requirements for businesses that store, process, or transmit credit card data. If your business handles credit card data, PCI DSS compliance is not optional, it’s a hard requirement. PCI DSS Penetration testing is mandated by Requirement 11.3 of the PCI DSS standard.
PCI DSS penetration testing should focus on the following areas
Types of tests needed for PCI DSS penetration testing
ISO 27001 is an international standard for information security management. It provides a framework for businesses to identify, assess, and manage their information security risks. Penetration testing is required according to section A.12.6.1 – management of technical vulnerabilities. In fact, section 13 of Annex A is devoted entirely to penetration testing. Other clauses that require pen testing are 6.1.4 “assess the risks to information security” and 8.2.4 “implement technical measures to mitigate risks to information”. If you’re going to do these in any meaningful way, you need a penetration test.
ISO 27001 penetration testing should focus on the following areas
Types of tests needed for ISO 27001 penetration testing
Cyber Essentials is a UK Government-backed security standard that sets a great foundational level of cyber security. It covers 5 areas of security and is widely accepted as the universal ‘minimum requirement’ for every company, regardless of size (it’s also required for Government and public sector contracts). The type of security assessment you need depends on the scope of your certification and whether you’re getting Cyber Essentials or Cyber Essentials Plus.
Types of tests needed for Cyber Essentials penetration testing
SOC 2 is a US framework from the AICPA that requires certain businesses to meet security and privacy standards. There are many criteria that organisations must meet in order to obtain SOC 2 certification, the core of which are the Trust Services Criteria. Penetration testing is needed to meet various compliance criteria, including CC1.4 Auditing Controls and CC4.0 Monitoring of controls.
SOC 2 is a complex standard, so we recommend a consultative approach to SOC 2 penetration testing. Find a provider who’s willing to roll their sleeves up and take the time to understand your unique SOC 2 penetration testing requirements, not just sell you a generic pen test. As our friendly SOC 2 consultants will attest, getting the right help at the right time can really speed up your SOC 2 compliance.
The General Data Protection Regulation (GDPR) is an EU and UK regulation that protects the privacy of individuals’ personal data. GDPR penetration testing is not specifically required by name, but if you’re serious about GDPR compliance and not just box ticking, a pen test is the way to go. It’s also a good way to demonstrate various parts of your compliance activities. And in the world of GDPR, if you can’t demonstrate something, you may as well not be doing it (...don’t tell the Data Protection Officers I said that). Article 32’s “appropriate technical measures” cover all sorts of technical demands for keeping personal data secure when stored electronically.
GDPR penetration testing should focus on the following areas:
Types of tests needed for GDPR penetration testing
The Federal Trade Commission (FTC) is a US Government agency that enforces consumer protection laws. Penetration testing is needed for compliance with the Gramm-Leach-Bliley Act (GLBA) and the agency’s own FTC Safeguards Rule. The GLBA is a law that requires financial institutions to protect the privacy of their customers’ personal financial information. The FTC Safeguards Rule was updated in 2022 to reflect the evolving threat landscape – which is another sign that penetration testing is essential.
Similarly to PCI DSS, the FTC says that financial institutions must conduct penetration testing at least annually and after any significant changes to their systems. The testing should be conducted by a qualified penetration testing firm – so again, look out for a CREST certified pen test provider.
“Whatever your compliance standard, if it intersects with security, it’s going to be quicker and easier to reach compliance if you get a penetration test.”
As we’ve seen, penetration testing is important for compliance with many industry standards. Though there are myriad more compliance standards I haven’t talked about (such as IT Health Check (ITHC) and HIPAA), if a standard intersects even slightly with security, the bottom line is that a pen test is a really good idea. It’ll speed up your compliance efforts and make you more secure. Win-win.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.