Configuration Review Providers
Configuration review is a detailed assessment of system, network, and application configurations against security best practices and industry benchmarks such as CIS Benchmarks, NIST guidelines, and vendor hardening guides. Reviewers examine operating system configurations, network device settings, firewall rules, database configurations, web server setups, cloud service configurations, and Active Directory policies to identify misconfigurations that could be exploited by attackers.
Common findings include default credentials, unnecessary services, overly permissive access controls, weak encryption settings, missing security patches, and inadequate logging configurations. Configuration review is a proactive approach that helps organisations reduce their attack surface and ensure that systems are deployed securely. It is often performed as part of a broader security assessment programme alongside penetration testing and vulnerability assessment.
Configuration reviews are required or recommended by compliance frameworks including PCI DSS, ISO 27001, SOC 2, CIS Controls, Cyber Essentials, and NIST CSF. Regular configuration reviews help maintain a secure baseline as systems are updated, new services are deployed, and configurations drift over time.
Aardwolf Security
Boutique UK penetration testing consultancy in Milton Keynes specialising in manual, expert-led security assessments across web applications, APIs, cloud, and mobile platforms.
Aristi
CHECK and CREST-accredited Birmingham-based cyber security consultancy with over 15 years of experience delivering penetration testing, red teaming, and OT security assessments for government and private sector clients.
Bishop Fox
Premier US-based offensive security firm known for elite penetration testers, cutting-edge research, and the Cosmos continuous attack surface management platform.
Claranet
CREST and CHECK-accredited European managed services provider delivering penetration testing with deep infrastructure and cloud hosting expertise.
Coalfire
Compliance-focused cybersecurity advisory firm and FedRAMP 3PAO specializing in penetration testing that meets stringent regulatory requirements.
Cure53
Berlin-based specialists in web security, browser security, and cryptographic auditing, trusted by the world's leading VPN providers and privacy tools.
Cyberis
CREST and CHECK-accredited UK penetration testing consultancy with CBEST approval, specialising in infrastructure, application, and simulated attack assessments across the public and private sectors.
CyberLab
Cardiff-based CREST and CHECK-accredited cyber security company delivering penetration testing, red teaming, and OT security assessments as part of the Chess Group.
Dionach
Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.
Evalian
CREST-accredited UK cyber security and data protection consultancy offering penetration testing, ISO consultancy, and managed SOC services from offices across the UK and Ireland.
IT Governance
Established Ely-based compliance and cybersecurity consultancy offering CREST-approved penetration testing as part of a comprehensive governance, risk management, and compliance portfolio.
JUMPSEC
Full-service London-based cybersecurity consultancy with CREST, CHECK, and NCSC accreditations delivering offensive testing, managed detection, and strategic advisory services.
LRQA
The only organisation worldwide with a full suite of CREST accreditations. 250+ cybersecurity specialists operating in 55+ countries across pen testing, red teaming, and incident response.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
NetSPI
Leading penetration testing firm with the Resolve platform for continuous attack surface management, trusted by nine of the top ten US banks.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
Pentest People
CREST and CHECK-accredited UK penetration testing firm with an innovative SecurePortal platform and transparent pricing for mid-market organizations.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
Rapid7
Creators of Metasploit offering enterprise penetration testing integrated with their comprehensive vulnerability management and security operations platform.
Salus Cyber
Award-winning Cheltenham-based cybersecurity consultancy with NCSC CHECK Green Light status and CREST approval, specialising in defence, government, and critical national infrastructure security.
Secarma
Manchester-based independent cybersecurity consultancy with over 20 years of experience delivering CREST and CHECK-accredited penetration testing, red teaming, and compliance certification services.
SECFORCE
Leading UK offensive security consultancy based in Canary Wharf, delivering CREST-accredited penetration testing and adversary simulation to organisations with the most demanding security requirements.
ThreatSpike Red
London-based cybersecurity firm offering unlimited, fixed-price penetration testing and red teaming services with ISO 27001 certification and a unique subscription model.
Trail of Bits
Elite security research firm specializing in source code review, blockchain auditing, and building industry-standard open-source security tools.
TrustedSec
Elite offensive security firm founded by a former NSA operator, delivering CREST-accredited penetration testing, red teaming, and adversary simulation to Fortune 500 and government clients.
Configuration Review FAQs
What systems can be reviewed?
Configuration reviews cover Windows and Linux servers, network devices (routers, switches, firewalls), databases, web servers, cloud platforms (AWS, Azure, GCP), Active Directory, and application servers.
What benchmarks are used?
Common benchmarks include CIS Benchmarks, NIST 800-123, vendor hardening guides (Microsoft, Red Hat, Cisco), DISA STIGs for government systems, and PCI DSS requirements for payment card environments.
How often should configuration reviews be performed?
Configuration reviews should be performed at least annually, after significant infrastructure changes, and when deploying new systems. Automated configuration monitoring can supplement periodic manual reviews.