Penetration testing
Understand your vulnerabilities, reduce risk and achieve compliance fast with an expert-led penetration test.
Our penetration testing delivers a precision, intelligence-led approach tailored to your organisation, so you get clear, actionable insights that strengthen your defences, fast.
Our NCSC and CREST-accredited experts partner with you every step of the way—scoping what matters most, uncovering critical vulnerabilities, and helping you remediate them quickly and effectively.
With us, you can achieve a more resilient cyber posture and stay ahead of evolving threats.
CREST-accredited
Jisc is a CREST-accredited provider of penetration testing.
CREST membership is an internationally-recognised badge of excellence in information security.
How the penetration testing service helps
Evaluate your readiness against real-world attacks
During penetration testing, our experts mimic real-world attacks by looking for ways to circumvent your security systems and data using common tools and techniques.
We then provide a comprehensive report, helping you to determine:
- Where your vulnerabilities lie – including how well your systems tolerate real-world attacks, and how successfully you detect and respond to them
- What impact these vulnerabilities may have – and how likely they are to be exploited
- What actions you can take to improve your security posture
How the service works
The penetration testing service process involves the following steps:
- Performing reconnaissance
- Identifying vulnerabilities, exploring vulnerabilities, escalating privileges, gathering information, creating pivot points
- Cleaning up
- Reporting
Conduct varying tests according to your needs and budget
Because this is a flexible service, we offer varying scope and depth of penetration testing, making the service cost-effective for you. Our service could range from a straightforward evaluation of your external networks, to many hours of involved on-site manual testing.
Alternatively, you may simply be looking to have the security of an individual system or application tested before it is deployed, or you may be interested in the wider security of your network.
Either way, we can adapt our testing schedules to suit you.
Before testing begins, we can advise you on the level of service you are likely to need.
Why use Jisc?
- One of only 25 UK organisations with NCSC CIR Level 2 accreditation: proven expertise to identify and resolve the most complex vulnerabilities
- CREST-accredited: globally recognised capability to tackle today’s international cyber threats
- Education and research specialists: powered by unique Janet Network intelligence to pinpoint risks faster
- Transparent, day-rate pricing: our easy-to-understand charges and competitive rates help you maximise efficiency and reduce costs
- Supports compliance: we can ensure you comply with GDPR, Cyber Essentials, PCI-DSS, and more
- We don’t just find vulnerabilities—we help you fix them: our experts work alongside your team to remediate issues quickly and confidently, while building your in-house capability for the future
Jisc were very good at helping me understand what the threats were and how they manifest themselves. As far as I can tell, the service is exceptional. It gave me the grounding to improve our security position.
What information would you need to provide?
Different forms of penetration testing mean you need to provide different levels of information about your systems. These include:
- White box testing – where you provide full network information
- Grey box testing – where you allow the attacker user-level privileges
- Black box testing – where you provide no privileged information
Typically you will be required to provide information such as IP ranges, domains, URLs of applications, key systems and applications, and IP addresses and systems that should be avoided.
Further information
To find out more about the penetration testing service, contact your relationship manager or email professional.cyberservices@jisc.ac.uk.
Eligibility
Our penetration testing service is open to all UK education, research and public sector organisations.
Our penetration testing service is open to all UK education, research and public sector organisations.
How to buy
Jisc is an approved supplier on the Government Commercial Agency G-Cloud framework and Cyber Security 3 dynamic purchasing system (DPS).
Visit the Government Commercial Agency website for more information and guidance on how to purchase G-Cloud 14 and Cyber Security Services 3.
Jisc is an approved supplier on the Government Commercial Agency G-Cloud framework and Cyber Security 3 dynamic purchasing system (DPS).
Visit the Government Commercial Agency website for more information and guidance on how to purchase G-Cloud 14 and Cyber Security Services 3.
Service level description
Security
Please ensure your organisation understands and adheres to the security policy.
Hours of service
The service is available during the business day.
The business day is defined as Monday to Friday. It excludes 24-31 December, all English public holidays and also the Tuesday following the August public holiday.
Service description
A service providing organisations with manual penetration testing and consultancy.
Your responsibilities
You are responsible on an ongoing basis for:
- Ensuring that Jisc has up to date contact details of a suitable representative from within your organisation and any changes in responsibility promptly notified
- Ensuring the list of authorised users is maintained where automated testing is employed.
Charges
Charges will be determined during the discussions of the requirements between you and Jisc.
Request for service
Request this service by contacting your relationship manager. New to Jisc? Make a customer enquiry.
Service delivery time
You will be contacted to discuss requirements within three business days of receipt of a request for assistance.
Terms and conditions
Please ensure your organisation understands and adheres to the terms and conditions (.docx).
Escalation
If you are experiencing an issue with the service, and wish to escalate the issue please contact us via the service desk on tel: 0300 300 2212 or via email: professional.cyberservices@jisc.ac.uk.
Security
Please ensure your organisation understands and adheres to the security policy.
Hours of service
The service is available during the business day.
The business day is defined as Monday to Friday. It excludes 24-31 December, all English public holidays and also the Tuesday following the August public holiday.
Service description
A service providing organisations with manual penetration testing and consultancy.
Your responsibilities
You are responsible on an ongoing basis for:
- Ensuring that Jisc has up to date contact details of a suitable representative from within your organisation and any changes in responsibility promptly notified
- Ensuring the list of authorised users is maintained where automated testing is employed.
Charges
Charges will be determined during the discussions of the requirements between you and Jisc.
Request for service
Request this service by contacting your relationship manager. New to Jisc? Make a customer enquiry.
Service delivery time
You will be contacted to discuss requirements within three business days of receipt of a request for assistance.
Terms and conditions
Please ensure your organisation understands and adheres to the terms and conditions (.docx).
Escalation
If you are experiencing an issue with the service, and wish to escalate the issue please contact us via the service desk on tel: 0300 300 2212 or via email: professional.cyberservices@jisc.ac.uk.
ISO certification
This service is included within the scope of our ISO9001 and ISO27001 certificates.
Cyber essentials
This service is certified by Cyber Essentials and Cyber Essentials Plus for its internet-facing infrastructure, including firewalls and routers, located in the UK. Read more about certifications and view Jisc certificates.
