Security Testing
CREST-accredited, expert-led testing with findings in real time through Sentry — and free retesting of critical and high findings on internet-facing assets.
Every system you expose to the internet — and plenty you don't — is being probed right now. Our penetration testing services give you an evidence-based answer to the question your board keeps asking: could an attacker actually get in, and what would it cost you if they did?
Blackfoot is a CREST-accredited testing company. Our consultants deliver expert-led manual testing using recognised methodologies including OWASP, NIST and PTES — because automated scanners only find what they already know about. Real attackers chain weaknesses together, abuse business logic and exploit the gaps between systems, so that is exactly what our testers do, with exploitation to demonstrate real-world impact wherever it is safe and agreed.
Whether you need an annual test of a customer-facing platform, assurance over a new build before go-live, or evidence for a contract, tender or insurance renewal, each test type has its own methodology and its own scoping questionnaire — so you are never paying for a generic exercise. Engagements are shaped around what you are protecting, who would attack it, and what a breach would actually mean for your business.
Every engagement runs through Sentry, our security delivery platform. You are scoped through a tailored questionnaire and scoping call, findings are uploaded in real time as they are discovered, and you are alerted to critical and high-severity issues during the test — not in a PDF weeks later. Your consultant is available through Sentry messaging for the whole engagement.
You finish with a board-ready executive summary and detailed technical findings with evidence, CVSS scores and clear remediation guidance, delivered as a branded report with a debrief session. Findings stay in Sentry afterwards so you can track remediation, compare results across engagements and evidence progress to auditors, insurers and customers. Project owners keep platform access throughout the engagement and for ninety days after delivery, with findings retained well beyond that under our retention policy.
Then we go one step further: free retesting of critical and high-severity findings on internet-facing assets is included as standard, so you can prove the issues that mattered most are actually fixed. Test types span external and internal infrastructure, web applications and APIs, mobile applications, Wi-Fi, PCI DSS segmentation and red teaming — plus capabilities such as OSINT reconnaissance and breakout (VM and container escape) testing — and can be combined into a single engagement. The results support PCI DSS, ISO 27001 and Cyber Essentials Plus evidence, and the requirements cyber insurers increasingly set at renewal.
Engagements delivered by a CREST-accredited company using OWASP, NIST and PTES methodologies.
Results appear in Sentry as they are discovered, with immediate alerts for critical and high-severity issues during testing.
Critical and high findings on internet-facing assets are retested at no extra cost once you have fixed them.
Skilled consultants chain vulnerabilities and probe business logic in ways automated scanners cannot.
An executive summary for leadership plus detailed technical findings with evidence, CVSS scores and remediation guidance.
Message your tester directly through Sentry throughout the engagement — no ticket queues, no middlemen.
Complete a short questionnaire tailored to the test type, then join a scoping call with a consultant. You receive a clear proposal and Statement of Work, and your project is created in Sentry. Typically one to two weeks.
Your consultant is assigned and logistics are arranged: IP whitelisting, credentials, access and rules of engagement. The testing window is scheduled around your business. Typically one week.
Expert-led manual testing begins. Findings appear in Sentry in real time as they are discovered, you are alerted immediately to critical and high-severity issues, and you can message your consultant throughout. From two days for a small web application to fifteen or more for enterprise estates.
After quality assurance you receive a board-ready executive summary and detailed technical findings with evidence, CVSS scores and remediation guidance, followed by a debrief session. Findings remain in Sentry for remediation tracking and comparison with future tests.
Straight answers to what prospective clients ask us most.
Vulnerability scanning is automated and identifies known weaknesses; penetration testing is a manual, expert-led exercise that actively exploits weaknesses — often chaining several together — to show what an attacker could really achieve. Security standards treat them as separate requirements because they do different jobs. Our Sentry CVM service covers the continuous scanning side; penetration testing provides the depth.
Base the frequency on your risk profile. Testing key systems at least annually, and after significant change such as new systems or major updates, is a sensible baseline; higher-risk environments and some compliance regimes require more.
It depends on scope: a small web application might take two days of testing, while a large enterprise environment can take fifteen days or more. Scoping typically takes one to two weeks and reporting around a week, and we agree the timeline with you up front.
You receive an executive summary and a detailed technical report with prioritised findings and remediation guidance, followed by a debrief with your tester. Findings remain in Sentry so you can track fixes, and free retesting of critical and high findings on internet-facing assets confirms your remediation worked.
Critical and high-severity findings on internet-facing assets — such as web applications and external infrastructure — that were in your original scope. Request the retest through Sentry within two calendar months of your report being released and we will verify your fixes at no additional cost.
Get a fixed-scope quote, usually the same working day.