Penetration Testing for Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is a UK government-backed cybersecurity certification scheme designed to help organisations protect themselves against common cyber threats. It comes in two levels: Cyber Essentials (a self-assessment questionnaire) and Cyber Essentials Plus (which requires hands-on technical verification by an accredited assessor). If you are bidding on UK government contracts or working with organisations that handle sensitive data, one or both certifications are likely required. Here is how penetration testing fits into the picture, what the technical requirements actually involve, and how to meet them cost-effectively.
Cyber Essentials vs Cyber Essentials Plus
The basic Cyber Essentials certification is a self-assessment. You complete a questionnaire through an IASME-accredited certification body, answering questions about your implementation of five technical controls. A senior member of your organisation signs off that the answers are accurate, and the certification body reviews the responses. There is no technical testing involved. The assessment costs between £300 and £600 depending on your organisation's size.
Cyber Essentials Plus adds a critical layer: hands-on technical verification. An accredited assessor physically or remotely tests your systems to verify that the controls you claimed in the self-assessment are actually implemented and functioning. This includes vulnerability scanning of external-facing IP addresses, internal vulnerability assessments, and targeted tests of the five technical control areas. The assessor produces a report documenting their findings, and certification is only granted if your systems pass.
This is where penetration testing becomes directly relevant. While the CE Plus assessment is not a full penetration test in the traditional sense, it involves many of the same techniques: external scanning, service enumeration, vulnerability identification, and verification of security controls. Organisations that maintain a regular penetration testing programme find CE Plus assessments significantly easier to pass, because the issues the assessor would find have already been identified and remediated.
The Five Technical Controls
Both Cyber Essentials levels assess five technical control areas. For CE Plus, these are verified through technical testing rather than self-declaration.
1. Firewalls and internet gateways. Your boundary devices must be configured to prevent unauthorised access. The assessor verifies that default firewall rules deny inbound traffic unless explicitly permitted, that administrative interfaces are not exposed to the internet, and that firewall configurations follow the principle of least privilege. Penetration testing validates these controls by attempting to access services that should be blocked, identifying misconfigured rules, and testing whether boundary controls can be bypassed.
2. Secure configuration. Systems must be configured to reduce vulnerabilities. This means removing unnecessary software and services, changing default passwords, and disabling auto-run features. The CE Plus assessor checks for default credentials on accessible services, unnecessary open ports, and insecure default configurations. A penetration test covers all of these checks and goes further, testing whether apparently secure configurations can be circumvented through less obvious attack vectors.
3. Access control. User accounts must follow the principle of least privilege, with administrative accounts used only for administrative tasks. The assessor verifies that user accounts have appropriate permissions, that administrative access is controlled, and that authentication mechanisms are robust. Penetration testing validates access controls by attempting privilege escalation, testing for insecure direct object references, and verifying that role boundaries hold under adversarial conditions.
4. Malware protection. Systems must be protected against malware through anti-malware software, application whitelisting, or sandboxing. The CE Plus assessor verifies that protection mechanisms are active, up to date, and configured to scan automatically. While penetration testing does not typically deploy actual malware, it tests whether the controls that protect against malware are functioning, for example, by attempting to upload executable files through web applications or testing whether content filtering blocks known malicious payloads.
5. Patch management. Software must be kept up to date, with security patches applied within 14 days of release for critical and high-severity vulnerabilities. The assessor checks for outdated software on sampled devices and externally accessible services. Penetration testing identifies vulnerable software versions across your entire attack surface, not just sampled devices, providing comprehensive coverage that exceeds the CE Plus sampling methodology.
What the IASME Assessor Looks For
IASME-accredited assessors follow a defined testing methodology for CE Plus. They conduct an external vulnerability scan of all internet-facing IP addresses and services within scope. They perform an internal assessment on a representative sample of devices, typically including workstations, laptops, and mobile devices. They test email and web browsing controls by sending test emails with attachments and attempting to access known malicious URLs. They verify that sampled devices are running supported and patched operating systems and applications.
The assessor produces a findings report. Any high-severity or critical vulnerabilities identified during testing must be remediated before certification can be granted. Medium and low findings are noted but do not necessarily block certification, depending on the context and compensating controls.
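As an added example (not part of the original article and not Revelion's own code), here is a small Python triage of scanner findings against the two assessor rules described above: critical and high findings block certification, and critical/high patches are due within 14 days of release. The CVSS severity bands, host names and findings are constructed assumptions, not values from the page.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14  # CE requirement: critical/high patches applied within 14 days of release
SEVERITY_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))  # assumed CVSS v3 bands; the page does not state the thresholds

@dataclass
class Finding:
    host: str
    control: str                   # which of the five CE control areas the finding maps to
    title: str
    cvss: float                    # base score reported by the scanner
    patch_released: "date | None"  # None when no vendor patch applies (e.g. a misconfiguration)

def severity(cvss: float) -> str:
    return next(label for floor, label in SEVERITY_BANDS if cvss >= floor)

def blocks_certification(f: Finding) -> bool:
    """Critical and high findings must be remediated before CE Plus is granted."""
    return severity(f.cvss) in ("critical", "high")

def days_over_window(f: Finding, today: date) -> int:
    """Days beyond the 14-day patch deadline; 0 if inside it, unpatchable, or not critical/high."""
    if f.patch_released is None or not blocks_certification(f):
        return 0
    return max(0, (today - f.patch_released).days - PATCH_WINDOW_DAYS)

def triage(findings, today):
    """Split findings into blockers, noted items and patch-window breaches, as the assessor would."""
    report = {"blocking": [], "noted": [], "patch_window_breaches": []}
    for f in findings:
        report["blocking" if blocks_certification(f) else "noted"].append(f)
        if days_over_window(f, today) > 0:
            report["patch_window_breaches"].append(f)
    return report

def blockers_by_control(report):
    """Count certification-blocking findings per control area, for the remediation plan."""
    return Counter(f.control for f in report["blocking"])

# Constructed sample findings (not real scan output); 'today' is fixed so the date arithmetic is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("web-01", "Patch management", "Outdated OpenSSH build", 8.1, date(2024, 4, 20)),
    Finding("fw-01", "Firewalls and internet gateways", "Admin UI reachable from internet", 9.8, None),
    Finding("ws-07", "Secure configuration", "Default credentials on printer web UI", 5.3, None),
    Finding("ws-03", "Patch management", "Browser security update missing", 8.8, date(2024, 5, 25)),
]
```

Running `triage(SAMPLE, TODAY)` on the constructed data yields three blockers, one noted medium finding, and one patch-window breach (web-01, 28 days past the deadline).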
Organisations that fail the CE Plus assessment must remediate the identified issues and undergo re-testing, which incurs additional cost and delay. This is why pre-assessment testing is so valuable. Running your own penetration tests before the assessor arrives means you discover and fix issues on your own schedule, rather than having them surface during the formal assessment. Learning about autonomous AI pentesting can help you understand how to build continuous pre-assessment testing into your security operations.
How AI Pentesting Covers CE Plus Requirements
Revelion's AI pentesting platform covers the technical testing areas that CE Plus assessors evaluate. External vulnerability scanning identifies open ports, exposed services, and vulnerable software versions across your internet-facing infrastructure. Application-layer testing goes beyond what a typical CE Plus assessment covers, identifying business logic flaws, authentication weaknesses, and injection vulnerabilities in your web applications.
For each of the five control areas, Revelion generates specific evidence. Firewall testing produces a map of accessible services and identifies any that should be blocked. Secure configuration testing identifies default credentials, unnecessary services, and insecure settings. Access control testing verifies privilege boundaries and identifies escalation paths. Patch management testing identifies outdated software versions with CVE references and severity scores.
The reports include CVSS scoring, remediation guidance specific to each finding, and proof-of-concept evidence where applicable. This gives you a clear picture of exactly what needs to be fixed before your formal CE Plus assessment, prioritised by severity and mapped to the relevant technical control area.
The UK Angle
Revelion is built in the UK, which matters for Cyber Essentials in several practical ways. The platform understands the UK regulatory landscape, including the specific requirements of Cyber Essentials, the NCSC's guidance on security testing, and the expectations of UK-based IASME assessors. Reports are formatted to align with what UK certification bodies expect to see, reducing the translation effort between your testing evidence and your assessment submission.
For UK organisations subject to data residency requirements, this is also relevant. Your testing data is handled by a UK-based platform, and reports are generated with UK compliance frameworks in mind. This is particularly important for organisations working with UK government departments, NHS trusts, or Ministry of Defence supply chains, where both Cyber Essentials certification and data handling practices are scrutinised.
Cost Comparison: Traditional vs Continuous Testing
| Cost Element | Traditional Approach | AI Pentesting (Revelion) |
|---|---|---|
| CE Plus assessment fee | £1,500 - £5,000+ | £1,500 - £5,000+ (still required) |
| Pre-assessment pentest | £5,000 - £15,000 | From £10 |
| Re-test after remediation | £2,000 - £5,000 | Included |
| Failed assessment re-test | £1,000 - £3,000 | Near-zero (issues caught beforehand) |
| Ongoing testing between certifications | Not typically done | Continuous, from £10 per test |
| Wait time for results | 2-4 weeks | Hours |
| Total annual cost (typical SME) | £8,500 - £23,000+ | £1,500 - £5,500+ |
The key insight is that the formal CE Plus assessment fee remains the same regardless of your approach. What changes dramatically is the cost of preparation. Traditional pre-assessment pentesting from a consultancy adds thousands of pounds to the process, and any re-testing adds more. With AI pentesting, you can run unlimited pre-assessment tests, fix issues iteratively, and arrive at your formal assessment with confidence that you will pass first time.
The risk reduction is significant. Failing a CE Plus assessment is not just a financial cost. It delays your certification, which can delay contract awards, damage client relationships, and create compliance gaps. Organisations that pre-test thoroughly with modern AI pentesting platforms rather than relying on traditional tools alone virtually eliminate the risk of assessment failure.
Beyond the annual certification cycle, continuous testing maintains your security posture between assessments. Cyber Essentials certifications are valid for 12 months. During that period, your systems change: new software is deployed, configurations drift, new vulnerabilities are discovered. Running regular AI-driven tests ensures that your security posture remains certification-ready throughout the year, not just at assessment time.
Getting Started
Whether you are preparing for your first Cyber Essentials Plus assessment or looking to reduce the cost and stress of annual recertification, AI-driven pentesting provides a practical, cost-effective path. Run your first test before your assessor arrives, fix what needs fixing, and walk into your assessment with confidence.