IT Health Check
We offer full, CREST and CHECK approved, IT Health Checks (also known as an ITHC, ICT Health Check or a penetration test) services for internal and external networks. We are NCSC (National Cyber Security Centre) approved to conduct CHECK accredited penetration testing and IT Health Checks for government systems.
An IT Health Check (also known as a ITHC or pentest) is an authorised simulated attack on a computer system, network or web application to identify vulnerabilities that could be exploited. Testing should be conducted from outside the organisation (external testing) and from inside the organisation.
The vulnerabilities identified are reported back to the system owner along with mitigation recommendations.
An ITHC can also be used to test an organisation's compliance with security policies, the security awareness of its staff and how effectively it can respond to security threats.
An IT Health Check can provide assurance that the systems and security controls tested have been configured in accordance with best security practice and that there are no common or publicly known vulnerabilities in the target system at the time of the test. If vulnerabilities are found these can be rectified before an attack or security breach occurs.
An IT Health Check will enable you to:
- Manage vulnerabilities
- Avoid extra cost and reputation damage from a security breach
- Provide evidence of compliance with regulatory and certification standards
- Provide assurance to customers and suppliers that their data is secure
IT Health Checks can be CHECK approved (government approved testing) or non CHECK approved, but still conducted to the same standard on any aspects of the network, infrastructure or application.
- Some common examples are listed below:
- Internal penetration test
- External penetration test
- Server build reviews
- Network and firewall configuration reviews
- Application testing
Why Choose Armadillo?
Armadillo Sec are a CREST certified testing body and we are accredited to operate as a CHECK service provider. All of our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT Level. Our testers are also CHECK Team Leaders (CTL’s) or CHECK Team Members (CTM’s) and are approved to conduct government CHECK testing.
Our team have many years experience conducting a broad range of government and commercial tests and always aim to go the extra mile for our customers.
Easy To Understand Reports
If your team can’t understand the report, you may not fully be able to remediate the issues found. We offer a full report walk through with your team so they can plan remediation steps and understand the risk and impact to assets to ensure any findings are properly understood and can be resolved.
We are very proud of our report and we can provide you with a sample pentest report upon request.
No Cancellation Fees
We understand project deadlines can slip. If you do have to cancel at short notice we will not penalise you and instead work with you to adjust project timelines accordingly. If cancelled with 2 weeks’ notice, there is no charge at all. If cancelled with less than 1 week’s notice we will charge you the cost of the proposed activity, but this will be stored as testing credit for you for you to use when you are ready.
Frequently Asked Questions
Typically there is no difference between an ITHC and a penetration test, these are both terms for the same thing. The only difference is when there is a requirement for a CHECK ITHC, as all CHECK reports are then submitted to the NCSC (National Cyber Security Centre) and normally an official auditor is involved.
CHECK approved ITHC's can only be conducted by a CHECK green light company and CHECK certified testers. All CHECK reports are submitted to the NCSC (National Cyber Security Centre) and normally an official auditor is involved. Typically what makes the test a CHECK test is the nature or sensitivity of the data being held or transmitted on the system i.e OFFICIAL SENSITIVE or SECRET. Armadillo Sec are a CHECK green light company authorised by the NCSC to conduct CHECK testing.
A non CHECK approved ITHC typically involves the same standard of testing, but there is no requirement for the official CHECK approval. An example may be for a Council PSN network, where the data is not sensitive to the level requiring a CHECK test.
All our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT level.
|CREST Certifications||Certified Testers|
|Practitioner Security Analysts||Yes|
|Registered Penetration Testers||Yes|
|Certified Web Application Testers||Yes|
|Certified Infrastructure Testers||Yes|
|Certified Simulated Attack Specialist||Yes|
|Certified Simulated Attack Manager||Yes|
Our CREST member status can be viewed, along with the certified tester types we have on the below link:
Our testers are also CHECK Team Leaders (CTL's) or CHECK Team Members (CTM's) and are approved to conduct government CHECK testing.
|CHECK Status||Certified Testers|
|CHECK Team Member (CTM)||Yes|
|CHECK Team Leader (CTL) - Infrastructure||Yes|
|CHECK Team Leader (CTL) - Applications||Yes|
Our CHECK status can be viewed on the below link:
It is recommended that external and internal penetration testing should be conducted annually as cyber threats are constantly evolving.
If major changes are made to the infrastructure or new applications are developed, then it is recommended that additional testing is conducted. This ensures that any recent changes are not introducing new vulnerabilities into the environment.
Some certifications such as ISO 27001 or PCI DSS, require a certain frequency of testing to remain compliant.
IT Health Checks are bespoke depending on the goal or outcome you wish to achieve, therefore there is not an off-the-shelf price for an ITHC.
For each project we will technically scope your requirements and establish the time needed to complete the work. We will then provide a detailed proposal and breakdown of costs and options.
We supply a full IT Health Check report, which covers the following:
- Executive management summary - Non technical overview of issues for management board level
- Detailed technical findings - A complete list of all issues identified
- Affected Hosts - A list of all hosts affected, including the associated network port
- Risk Level - Impact, likelihood and overall risk ratings are listed for each issue
- Examples - Output or screenshots to demonstrate the issue
- Recommendations - Recommendations of how to remediate the issues, including any reference to documents that can assist
A sample report can be supplied upon request.
We have a full methodology for all testing services we provide, which is supplied with each project proposal. This outlines the testing steps and all the requirements in order to deliver the test.
All of our application testing methodology aligns to the OWASP top 10 standard, which is the industry standard for application security.