Ethical hacking

Would your business survive a real world cyber attack? Identify critical vulnerabilities in your defences and provide key risk insights to stakeholders.

The growing digitalisation of business operations creates numerous entry points for cyber attackers to compromise critical systems and expose assets, data and customer information. Organisations are also facing relentless pressure from regulators and stakeholders to quantify the effectiveness of their security controls across their systems and platforms and provide a clear roadmap of remediation.

Ethical hacking exercises are an effective way to test an organisation's prevention and detection capabilities with real world cyber attack scenarios. However, to get the most value from these exercises, they should be approached as programmatic, strategic exercises that deliver intelligence driven insight into new or emerging weaknesses in a business.

How can we help?

We aim to replicate the techniques used by real world attackers by delivering bespoke intelligence driven simulated attack exercises that assess the full suite of defence in depth controls, including the often overlooked areas of people and processes. We further focus our approach based on the risk profile for each client to make our ethical hacking services as realistic and tailored as possible.

Our ethical hacking services are particularly relevant for organisations:
  • seeking assurances that their security operations and processes meet industry and compliance standards
  • needing to demonstrate the need for security investment from the board
  • going through an IT transformation or implementing new technology, or
  • assessing their preparedness as part of a cyber incident response or crisis strategy.

Key benefits

Clearly understand and communicate the security vulnerabilities within your business to key stakeholders. 

Develop a remediation plan that seeks to address the root cause issues and reduce risk exposure across the whole organisation. 

Inform your compliance efforts to meet regulatory requirements and standards such as CHECK, ISO 27001, NIST CSF and PCI DSS.

Assess your ability to detect and respond to real world cyber attacks rather than theoretical scenarios. 

Evaluate the effectiveness of your security tools, technology and processes. 

Our services

Assess your ability to detect and respond to real world cyber attacks

Red teaming helps organisations to understand how they can defend themselves against a cyber attack with a particular goal in mind, such as gaining access to a critical application or stealing privileged credentials. The way in which the attack is carried out could involve multiple vectors to achieve this goal.

We have a proprietary and industry approved methodology for delivering real world and intelligence led red team exercises. Our Red Team, consisting of penetration testing, threat intelligence and incident response experts, work collaboratively to deliver a holistic approach to simulated attacks. This allows us to adopt the latest tactics used by attackers and provide a realistic assessment of your organisation’s resilience to cyber threats.

Find the critical vulnerabilities within your IT estate

Our penetration testing services apply tailored testing methodologies to identify security vulnerabilities that could be exploited by real world threat actors. We offer a number of different penetration testing services depending on the technology under test and the attack scenario being emulated:

  • Web application penetration testing - combines automated security testing and manual analysis of vulnerabilities at all stages of the software lifecycle, covering the Open Worldwide Application Security Project (OWASP) top 10 most critical web application security risks.
  • Internal infrastructure testing - covering all technologies and operating systems that are likely to be located on an internal network. We are capable of conducting white box penetration tests, limited to defined systems, through to black box penetration tests, that explores the impact of an attacker with logical access to an internal network.
  • External infrastructure testing - simulating tactics used by attackers to probe external systems as well as testing internal network for scenarios where attackers have already accessed the internal network threat actors already already in the network
  • Network device security - methodology combines the use of automated tools, manual verification and interviews with technical stakeholders (such as firewall administrators) to assess the security of each network device. This includes assessing the device/s for misconfigurations, deviation from good practice, outdated software and missing security patches.

Identify critical security vulnerabilities within OT and IoT environments

We offer advanced penetration testing services tailored for identifying business critical security vulnerabilities in OT and IoT environments. This includes:

  • automotive and vehicle penetration testing and forensics,
  • IoT security evaluations, and
  • destructive and non-destructive hardware security testing services.

We have a dedicated lab equipped with the latest technology, as well as a dedicated team with experience conducting security reviews of physical hardware, OT and IoT environments such as connected and autonomous vehicles (CAV), industrial control systems (ICS) and connected devices.

Our hardware security testing methodology covers a full physical analysis of hardware devices, as well as individual components (such as flash memory and processors).

Why choose us?

  • We have a dedicated R&D centre where we research the latest hacking techniques and develop our own tools to stay ahead of the curve.
  • As well as a depth of technical knowledge, we understand the business, legal and regulatory context that underpins your operations.
  • The way we have structured our Cyber Security practice around the world means that you can benefit from all of our global expertise, depth of technical excellence, industry expertise, cutting edge technology and scale – all accessed through a local UK team.
  • Our experts are recognised by leading industry accreditations:
    • We are part of the Bank of England's CBEST scheme. CBEST is the most rigorous banking security testing framework and is designed to deliver controlled, bespoke, and intelligence-led cyber security tests.
    • CBEST differs from other security testing frameworks since it is threat intelligence based, is less constrained, and focuses more on sophisticated and persistent attacks against critical systems, which are systemic to the UK financial market.
    • We are assured by the UK National Cyber Security Centre (NCSC) to conduct penetration testing under the CHECK scheme. Our team of ethical hackers are regularly put through rigorous practical examinations and measured against the highest technical standards set by the NCSC. The NCSC is the national authority responsible for cyber security. The IT Health Check Service, or CHECK, was initially developed by CESG (now NCSC) to enhance the availability and quality of the penetration testing services provided to UK Government bodies. Companies belonging to CHECK are measured against the high standards set by the NCSC
  • We are members of CREST’s Simulated Targeted Attack & Response (STAR) scheme. This demonstrates our proven experience and ability to deliver threat intelligence led simulated attack and red team exercises.


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

Contact us

Stuart Criddle

Stuart Criddle

Ethical Hacking Lead, PwC United Kingdom

Tel: +44 (0)7483 416716

Rhodri Evans

Rhodri Evans

Wales & Western England - Cyber Security Director, PwC United Kingdom

Tel: +44 (0)7843 333819

Gavan Kingdon

Ethical Hacking Director, PwC United Kingdom

Follow us