SECFORCE

Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.

Featured in: Best CREST Pen Testing Companies

Founded: 2006
Team Size: 11-50
Geography: Global
Last verified: Jun 2026

Key facts

  • CBEST-approved provider staffed by certified CCRTM and CCRTS consultants.
  • Has delivered over 15 CBEST engagements for UK high street banks, major financial institutions, and other regulated entities.
  • Works with a network of trusted, CBEST-approved threat intelligence partners, and can also work alongside any threat intelligence provider selected by the client or regulator.
  • Independently audited against both ISO 27001 and SOC 2 for information security, data handling, and operational integrity.
  • Runs a manual-first methodology: findings are validated and exploited by hand, not reported from scanner output.
  • Specialises in CBEST and TIBER-EU threat-led testing for UK financial services.
  • Engagements align to OWASP, OSSTMM, NIST, CREST, and CBEST frameworks.
  • Team members speak at DEF CON, Black Hat, and 44CON.
  • Founded in 2006.
  • Headquartered in London, United Kingdom.
  • Team of 11-50 security professionals.
  • Holds CREST, CBEST, ISO 27001, SOC 2, and Cyber Essentials accreditation.
  • Delivers 13 penetration testing services.
  • Typical response time: 1-3 days.
  • Operates globally, with delivery across the UK, Europe, APAC, and the Middle East.
  • Compliance expertise across ISO 27001, SOC 2, PCI DSS, GDPR, and NIS 2.

About

SECFORCE is a Canary Wharf-headquartered offensive security consultancy founded in 2006, specialising in adversary simulation and CBEST-aligned testing for UK financial services and other large organisations with the most stringent and mature security appetites. Major enterprises trust SECFORCE to test their systems, upgrade their security programmes, and comply with their regulations.

SECFORCE holds CREST accreditation for penetration testing services alongside ISO 27001 and ISO 9001 certifications, demonstrating both technical excellence and robust quality management. Their testing capabilities span the full spectrum of offensive security: web application testing, API penetration testing, mobile application assessments, source code review, external and internal infrastructure testing, wireless assessments, cloud and firewall configuration reviews, VDI breakout evaluations, thick client testing, and embedded device and IoT security. SECFORCE's methodology aligns with established frameworks including OWASP, OSSTMM, NIST, and CBEST standards, though their team is known for deviating from standard approaches when strategically beneficial for clients.

Driven by a passion for security research and a hacker-focused culture, SECFORCE consistently operates at the cutting edge of the security industry. Their approach combines deep technical expertise with actionable, result-oriented reporting that gives clients clear next steps for improving resilience. SECFORCE is widely recognised as one of the strongest penetration testing providers in both the UK and Europe.

SECFORCE in Depth

Overview

SECFORCE is a Canary Wharf-headquartered offensive security consultancy founded in 2006, specialising in adversary simulation and CBEST-aligned testing for UK financial services and other large organisations with mature security programmes. The firm works with major enterprises that need testing depth beyond a conventional point-in-time penetration test.

The consultancy holds CREST accreditation for penetration testing alongside ISO 27001, SOC 2, and ISO 9001 certification, evidencing both technical capability and the quality-management discipline that regulated financial clients expect. SECFORCE's engagement book spans regulated financial services work, enterprise infrastructure and application testing, and threat-led assessments aligned to CBEST and TIBER-EU.

SECFORCE is a research-driven firm with a hacker-focused culture. The team is known for going beyond standard methodology when it materially improves the outcome for a client, and for reporting that translates technical findings into clear, prioritised remediation steps a security leader can act on.

Approach

SECFORCE runs a manual-first methodology. Automated tooling is used for coverage and triage, but findings are validated, chained, and exploited by hand so that reports reflect real attacker capability rather than scanner output. Engagements align to OWASP, OSSTMM, NIST, CREST, and CBEST frameworks, with the team adapting scope and technique to the specific threat model of each client. For threat-led work, scoping is driven by current threat intelligence about the actors most likely to target the client's sector, and engagements are deliberately paced to test detection and response over time rather than to race to a single objective.

What They Test

  • Adversary simulation and red teaming: Threat-intelligence-led, objective-driven engagements aligned to CBEST and TIBER-EU, testing detection and response end to end.
  • Web application and API testing: Manual testing against OWASP ASVS depth, including business-logic and authorisation flaws automated tools miss.
  • Infrastructure testing: External and internal network testing, Active Directory attack paths, and lateral-movement assessment.
  • Cloud and configuration review: AWS, Azure, and GCP assessment, firewall and platform configuration review, and VDI breakout testing.
  • Specialist assessments: Thick-client testing, embedded device and IoT security, mobile application testing, and source code review.
  • AI and LLM penetration testing: Testing of LLM-backed applications against prompt injection, insecure output handling, and excessive-agency risks.

Working with SECFORCE

What makes SECFORCE suited to financial services testing?
SECFORCE has a long track record of CBEST-aligned and TIBER-EU-aligned threat-led testing for UK financial institutions. The team understands the regulatory context, the stakeholder load of a regulated engagement, and the reporting standards that financial regulators expect to see.
Does SECFORCE do conventional penetration testing as well as red teaming?
Yes. Alongside adversary simulation, SECFORCE delivers the full range of conventional testing: web application, API, infrastructure, cloud, mobile, wireless, and source code review. The same manual-first methodology applies across all of it.
Where is SECFORCE based and where do they deliver?
SECFORCE is headquartered in Canary Wharf, London. The team delivers across the UK and into Europe, with particular depth in the UK regulated financial services market.
How quickly can SECFORCE start an engagement?
SECFORCE typically responds to new enquiries within 1 to 3 days. Threat-led programmes aligned to CBEST or TIBER-EU require a longer scoping and threat-intelligence phase before active testing begins.

Methodologies

OWASP, OSSTMM, NIST, CREST, CBEST

Team Activity

Active in CTF competitions
Speaker: DEF CON
Speaker: Black Hat
Speaker: 44CON
