UK Pen Test Companies List: Q1 2026 Ranking
This is the Q1 2026 retrospective ranking of UK penetration testing companies. The Q2 2026 update is published separately as the UK market continues to consolidate around accredited providers. Q1 was shaped by three factors: the December 2025 entry into force of the BSI Act in Germany (which pulled UK suppliers into supply-chain remediation work for DAX customers), the first full procurement cycle under DORA for UK financial entities operating in the EU, and the ongoing maturation of PCI DSS 4.0 testing one year after its mandatory date.
This is not a pay-to-play list. Providers cannot pay to appear or rank higher. The tiering below is based on accreditation depth, methodology evidence, and editorial review.
Methodology
UK providers were evaluated on four axes: organisational accreditations (CREST, CHECK, CBEST, NCSC Assured, ISO 27001), individual tester certifications held by staff (CRT, CCT, OSCP, GIAC, SANS), evidence of methodology adherence and reporting quality (OWASP, PTES, OSSTMM mapped findings, sample reports made available), and observable market signal (named UK clients in financial services, government, or critical national infrastructure where disclosable). Providers without a UK delivery presence were excluded even where they hold UK accreditations through a parent group.
Tier 1, Full UK accreditation set with government and financial sector scope
NCC Group remains the largest UK pen testing organisation by headcount and geographic spread. Q1 saw continued strong delivery against CHECK government contracts and CBEST work for systemically important financial institutions. The breadth of its accreditation set (CREST, CHECK, CBEST, NCSC Assured, ISO 27001) and the depth of named individual certifications across the team kept NCC at the top of the comprehensive-coverage tier.
Nettitude continued to deliver CBEST and threat-led testing for financial services clients in Q1, leveraging its position within the Lloyd's Register Group. CHECK and CREST coverage support the broader UK government and enterprise base.
Bulletproof Cyber maintained CREST and CHECK accreditation alongside ISO 27001 work, with notable Q1 delivery in UK retail and mid-market financial services.
Pen Test Partners is an outlier in this tier because of its depth across several verticals (marine, aviation, automotive, IoT) alongside conventional UK enterprise pen testing. The published research output, particularly around connected vehicle and EV charging, is the strongest in the UK market.
Tier 2, Specialist UK consultancies with deep methodology focus
This tier covers UK firms that hold the main accreditations and have a defined specialist edge, whether that is adversary simulation, red teaming, financial services, or a particular industry focus.
MDSec is a Manchester and Buckinghamshire-based consultancy whose technical reputation is built on offensive tooling and adversary simulation work. CBEST, STAR, and TIBER assessment delivery anchor the practice. Strong for clients prioritising depth over breadth.
SECFORCE delivers CREST-accredited penetration testing from Canary Wharf, with a focus on adversary simulation and CBEST-aligned work for UK financial services. Q1 delivery included a steady book of regulated financial services work alongside the broader UK enterprise base.
CovertSwarm offers a subscription-based continuous offensive security model that differentiates the firm from project-based competitors. UK delivery base alongside a US footprint. Particularly relevant for buyers wanting an ongoing adversary simulation programme rather than annual point-in-time tests.
JUMPSEC has CREST and CHECK accreditation and a Manchester delivery centre. Q1 saw growth in UK regional government and financial services testing.
Secarma is a Manchester-based consultancy with CREST accreditation and a small-to-mid-market focus.
Claranet Cyber Security inherits Sec-1 heritage with CREST and CHECK coverage and a UK-wide consulting practice.
Sencode is a Manchester boutique with CREST registration and a tight focus on web application and infrastructure work.
Tier 3, Mid-market and SME-focused UK providers
This tier covers UK firms whose typical engagement size, accreditation set, or service breadth makes them better suited to SME and mid-market work than to government or systemic-financial engagements.
Onsecurity is a London-based pen testing provider with a productised mid-market offering, CREST accreditation, and a strong focus on SME-accessible delivery models.
Equilibrium Security delivers CREST-accredited testing from Birmingham. Q1 work concentrated in regional financial services and professional services clients.
Aardwolf Security, Salus Cyber, and Cyberis each operate in the UK mid-market with established CREST or CHECK relationships and consistent regional client bases.
Evalian is a UK-based consultancy that offers broader information governance work alongside pen testing.
Stripe OLT (no relation to Stripe, the payments company) provides CREST-accredited pen testing alongside managed IT and security services to UK SMEs.
CyberLab serves UK mid-market clients with CREST and CHECK accreditation alongside broader Chess ICT group services.
ThreatSpike Red brings a different model: continuous monitoring plus a periodic red team service, combined with a Managed XDR offering.
Q1 2026 Regulatory Drivers That Shaped Procurement
Pen testing under DORA, the EU Digital Operational Resilience Act, entered its first full procurement cycle. UK financial firms with EU subsidiaries pulled TIBER-EU aligned providers into longer engagement windows than were typical pre-DORA. CBEST remained the parallel UK framework. Buyers responded to DORA by extending engagement windows from the 6 to 8 weeks typical of a conventional red team to 12 to 20 weeks for a TIBER-EU programme.
BSI Act entry into force in Germany in December 2025 created cross-border supply chain testing demand for UK firms whose clients have German subsidiaries or German enterprise customers. The April 2026 registration deadline for in-scope German entities meant Q1 was the practical window for supplier audits and pen tests aligned to the new requirements.
PCI DSS 4.0 entered its second year of mandatory enforcement. The customised approach option saw more uptake among Q1 buyers, leading to wider scope variation in PCI-aligned tests than in previous years.
UK Cyber Essentials Plus saw continued growth as a baseline procurement requirement for UK public sector suppliers. Most Tier 2 and Tier 3 UK providers added Cyber Essentials Plus to their accreditation set during Q1 if they did not already hold it.
How To Use This Ranking
Tier 1 providers are typically the right fit for systemic financial institutions, government engagements, and critical national infrastructure. The breadth of accreditation set and the depth of programme management capability are necessary for the scope and stakeholder load of those engagements.
Tier 2 specialist consultancies are usually the right fit when a specific testing capability matters more than full programme breadth. CBEST work, advanced adversary simulation, or vertical-specific testing (connected vehicles, marine, aviation) drives clients toward this tier even when Tier 1 firms could deliver the same nominal scope.
Tier 3 mid-market firms typically deliver faster turnarounds, more flexible engagement models, and lower fixed costs. The trade-off is narrower service catalogues and smaller team sizes, which can constrain programmes that require multi-discipline delivery.
Q1 to Q2 2026: What Changed
The Q2 2026 ranking captures movements in the directory between March and May 2026. The Q1 view above is preserved as a historical snapshot of where the UK market stood at the end of the first quarter. Both pages remain available so buyers can see how providers moved between rankings rather than only the latest position.
For the current ranking, see the Q2 2026 UK Pen Test Companies List at /blog/uk-pen-test-companies-list-q2-2026. For the full directory of pen testing companies serving the UK, see /location/uk.