Configuration Review Providers
Configuration review is a detailed assessment of system, network, and application configurations against security best practices and industry benchmarks such as CIS Benchmarks, NIST guidelines, and vendor hardening guides. Reviewers examine operating system configurations, network device settings, firewall rules, database configurations, web server setups, cloud service configurations, and Active Directory policies to identify misconfigurations that could be exploited by attackers.
Common findings include default credentials, unnecessary services, overly permissive access controls, weak encryption settings, missing security patches, and inadequate logging configurations. Configuration review is a proactive approach that helps organisations reduce their attack surface and ensure that systems are deployed securely. It is often performed as part of a broader security assessment programme alongside penetration testing and vulnerability assessment.
Configuration reviews are required or recommended by compliance frameworks including PCI DSS, ISO 27001, SOC 2, CIS Controls, Cyber Essentials, and NIST CSF. Regular configuration reviews help maintain a secure baseline as systems are updated, new services are deployed, and configurations drift over time.
Related Rankings
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
SECFORCE
Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
Dionach
Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.
NetSPI
Penetration testing firm trusted by nine of the top ten US banks, with the Resolve platform for continuous attack surface management.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
Secarma
Manchester-based independent cybersecurity consultancy with over 20 years of experience delivering CREST and CHECK-accredited penetration testing, red teaming, and compliance certification services.
Cyberis
CREST and CHECK-accredited UK penetration testing consultancy with CBEST approval, specialising in infrastructure, application, and simulated attack assessments across the public and private sectors.
Trustwave
Global managed security provider with the elite SpiderLabs penetration testing team and deep PCI DSS compliance expertise.
Aristi
CHECK and CREST-accredited Birmingham-based cyber security consultancy with over 15 years of experience delivering penetration testing, red teaming, and OT security assessments for government and private sector clients.
Configuration Review FAQs
What systems can be reviewed?+
Configuration reviews cover Windows and Linux servers, network devices (routers, switches, firewalls), databases, web servers, cloud platforms (AWS, Azure, GCP), Active Directory, and application servers.
What benchmarks are used?+
Common benchmarks include CIS Benchmarks, NIST 800-123, vendor hardening guides (Microsoft, Red Hat, Cisco), DISA STIGs for government systems, and PCI DSS requirements for payment card environments.
How often should configuration reviews be performed?+
Configuration reviews should be performed at least annually, after significant infrastructure changes, and when deploying new systems. Automated configuration monitoring can supplement periodic manual reviews.