Pen Test Partners
About
Pen Test Partners (PTP) has been providing cyber security expertise to a huge variety of industries and businesses since 2010. We are the largest independent security testing and consultancy business in the UK with over 100 UK based employees. We also have offices in Europe and the US and sit on the board of CREST in the US.
PTP tests the security of all computer and internet connected devices, applications, software, hardware and cloud services, as well as providing essential Cyber Security consultancy and Digital Forensic Incident Response (DFIR).
In addition to CREST, we are certified by other bodies to deliver best-in-class cyber security services to our clients. These include CHECK, CBEST, TIBER, PCI QSA, Cyber Essentials Plus, and ASSURE. We are also ISO 27001 certified across our entire business operations.
Our Services:
Penetration Testing
-API
-Web based Applications testing
-Application Code Reviews
-Vulnerability Assessments
-Mobile Application testing
-IT Health Check, Build reviews
-Firewall rulebase Audit
-Infrastructure and Architecture Security Reviews
-Scenario-based Penetration Testing
-Client Security (kiosks, workstations, laptops, mobile devices)
-Physical penetration testing and Social engineering audits
-Wireless Testing
-CREST OVS accredited
Red Team Testing
Consultancy
-ISO27001
-PCI DSS
-Cyber Essentials, Cyber Essentials Plus
-Cloud Security reviews
Cybersecurity Focus
Partner Assured Services
Pen Test Partners is a partnership of high-end penetration testers, cherry-picked for their wealth of knowledge. Pen Test Partners LLP is focused on delivering innovative and meaningful penetration testing and Cyber Audit Services. It's a simple mandate, and one that we have built our business and reputation with.
ASSURE Membership No: 20S002005
Other 3rd Party Assured Services
Accreditations
As a CREST-Approved Computer Security Incident Response Team, PTP has a wealth of experience in helping organisations respond to and recover from real world cyber security incidents from attackers of varying levels of sophistication, including against Advanced Persistent Threat (APT) groups.
We use a variety of cutting-edge tools and technology to conduct DFIR services, including proprietary tooling and third-party recognised best-in-class tools such as CrowdStrike, Autopsy, Cyber Triage and Axiom.
Compromise Assessments
Incident Response Services
Incident Response Retainer Services (includes Compromise and Maturity Assessments)
IR maturity Assessment
First Responder Training
Digital Forensics Services
24/7 hotline
Preferential day rates for retained service
Market-leading Service Level Agreement (SLA) response times for retained service
Telephone assistance 4 hours
Remote access into environment 16 hours
UK Onsite response 24 hours
Partner Assured Services
Accreditations
Pen Test Partners can offer a tailored approach to vulnerability assessment, ranging from daily delta port scans to detailed vulnerability assessment of hosts and services.
PTP’s Penetration Testing service assesses the security posture of your digital assets. We identify risks and security issues and provide recommendations on how to address them, hardening the assets to make them resilient to compromise. We have proprietary methodologies based on various security best practice frameworks.
PTP’s highly experienced penetration testers have a wealth of experience and understanding of a huge variety of environments.
We’ve tested in large corporate infrastructure, government departments, education establishments, retail giants, banks and airports. We’ve tested ships and rigs (while at sea!), planes, trains, and connected and electric vehicles, the power grids and stations that keep countries running, as well as the payment, transport, and fulfilment systems on which everybody is reliant.
Assessment Services
Bespoke & Web-based Application Testing
Web Application Architecture Reviews
Application Code Reviews
Testing of mobile devices
Enterprise Application Security Testing
Enterprise Database Security Audits
SCADA Process Control Audits
VoIP Assessments and Security Consultancy
Mail Server Deployments
Infrastructure and Architecture Security Reviews
Scenario-based Penetration Testing
Automated Infrastructure & Application Perimeter Scanning
IT Health Check
Wireless 802.11x Assessments & Rogue Access Point Identification
Operating System, Network Device & COTS Application Build Review
Firewall Rulebase Audit
Client Security (kiosks, workstations, laptops, mobile devices)
Specialisms
Other 3rd Party Assured Services
Specialisms
Pen Test Partners delivers STAR-FS Red Teaming to assess the Prevention, Detection and Response capabilities of financial institutions, so that they maintain resilience against attack from sophisticated threat actors.
Simulated Targeted Attack and Response – Financial Services (STAR-FS)
What is STAR-FS?
STAR-FS is a framework for providing Threat Intelligence-led simulated attacks against financial institutions in the UK, overseen by the Bank of England and Prudential Regulation Authority (PRA). STAR-FS has less regulatory oversight in comparison to CBEST, and is conducted upon more organisations than CBEST.
Using intelligence gathering sources, this service aims to test real world attack scenarios that are being successfully exploited in the wild. This is used to identify potential weaknesses in the client’s attack surfaces and in turn gain an understanding of the real risk to their high value systems.
How we operate
Security evaluations rarely take the user into account. Hence, one can have an apparently secure environment that can be compromised with ‘real world’ hacking skills, taking advantage of people’s curiosity and willingness to help.
Our targets are usually data sources such as internal financial systems, employee HR records, high value customer databases such as the CRM, customer credit card data, intellectual property, board meeting minutes, anything that could be of value to a third party.
We sidestep technology, focusing instead on critical data, just as a motivated hacker would. This also helps the business understand the risk associated with these events, rather than getting lost in a list of overly technical vulnerabilities.
What makes us a STAR-FS vendor?
As mandated by the Bank of England and PRA, to deliver the Red Team aspect of a STAR-FS, the engagement must be led by a CCSAM (CREST Certified Simulated Attack Manager) and a CCSAS (CREST Certified Simulated Attack Specialist). Both the CCSAM and CCSAS must also have 14,000 hours of pene
STAR (Simulated Target Attack and Response) is threat intelligence-led Red Teaming
PTP have extensive experience performing STAR engagements, as well as other threat intelligence-led exercises under frameworks such as GBEST, GCASE and CBEST.
STAR is a framework for non-financial organisations, using the same methodology as CBEST assessments, to conduct a structured and professional intelligence-led penetration test by accredited providers.
Partner Assured Services
Pen Test Partners provides CBEST Red Teaming to assess the Prevention, Detection, and Response capabilities of financial institutions. It means that those institutions maintain resilience and are able to withstand attack from sophisticated threat actors.
What is CBEST?
CBEST is a framework for providing threat intelligence-led simulated attacks against financial institutions in the UK, overseen by the Bank of England and Prudential Regulation Authority (PRA). Pen Test Partners has a history of delivering CBEST Red Teams in concert with Security Alliance, our Cyber Threat Intelligence (CTI) partner.
How does CBEST work?
In most instances, the Bank of England and PRA will notify a financial institution that they must undergo a CBEST. That financial institution is then responsible for procuring the service.
Once CTI and Red Team suppliers have been chosen and procured, the CTI supplier will conduct a detailed analysis of the target’s threat landscape and most relevant threat actors, and create threat scenarios. They will also perform reconnaissance from the perspective of a threat actor. These are combined to deliver a report to the institution and the regulator that contains the threat scenarios and objectives used to guide the Red Team Simulated Attack.
Pen Test Partners then conduct the Red Team Simulated Attack against the target institution.
Once we have achieved the objectives as laid out in the threat intelligence report, Pen Test Partners compose the final Red Team Simulated Attack report that is delivered to the target institution and the regulator. The report details the security posture of the organisation, the attacks conducted during the engagement, the security deficiencies revealed, and recommendations to address the deficiencies and improve the resilience of the institution.
The regulator then has sight of how the recommendations are implemented.
Other 3rd Party Aligned Services
GBEST is the government equivalent of CBEST in that the consultants require the same qualification, and that the Red Team Simulated Attacks are led by threat intelligence and involve 3 scenarios. Regulated by the Cabinet Office and with input from NCSC, GBEST ensures that our government departments meet a level of resilience to maintain the Confidentiality, Integrity and Availability of all of our data, all the way up to data that is protectively marked as TOP SECRET.
G-Cloud:
https://www.digitalmarketplace.service.gov.uk/g-cloud/services/129062132087617