Security Audit

CHECK Penetration Testing: What Is It and Why Your Company Needs It

Updated on: September 13, 2023

CHECK Penetration Testing: What Is It and Why Your Company Needs It

Over the months between 2021-2022, nearly 39% of UK businesses have identified a cyberattack with the most common threats being, phishing attacks, denial of service, malware, and or ransom attack. 

If your organization belongs to the public or government sector, then one surefire and necessary way of keeping it safe from such attacks is by carrying out CHECK penetration testing. 

What Is CHECK?

CHECK (IT Health Check Service) is the umbrella term for penetration testing companies that have been approved by United Kingdom’s National Cyber Security Centre (NCSC) for conducting authorized pentests for public and government sectors that form UK’s critical national infrastructure (CNI). 

CHECK also helps in the identification of pentest companies that follow NCSC-approved methodologies for testing.


NCSC defines CHECK penetration testing as the process of conducting authorized exploitation of computer and network systems to identify publicly known vulnerabilities using the same techniques and tools as an attacker would.

CHECK certified penetration testing with authorization from NCSC can help organizations in the public and government domains assess their CNI (Critical National Infrastructure)  (carrier network infrastructure) systems for security weaknesses. 

CHECK penetration testing is needed for multiple reasons including 

  • Maintaining data security
  • Deploying NCSC-recommended methodologies for a standardized testing experience
  • Making use of a CHECK certified penetration testing provider that is approved by the NCSC. 

Who Needs CHECK Accreditation? 

CHECK is an accreditation provided to pentesting companies by the National CyberSecurity Centre of the UK. This accreditation enables CHECK-approved penetration testing providers to carry out authorized exploits on public and government organization assets to find flaws and provide extensive reports and remediation assistance.

The staff of such companies will have NCSC-approved qualifications, and experience, and moreover, will conduct the pentests using NCSC-approved methodologies.

 Who Needs CHECK Penetration Testing?

CHECK penetration testing is required to be conducted without fail by the following sectors: 

  • Government departments, public sectors, and bodies – It is recommended by the NCSC that all systems be analyzed thoroughly by a CHECK vendor unless explicitly mentioned not to by the system’s risk owner. 
  • Central departments and their associated agencies- All systems that process data marked OFFICIAL have to be assessed through CHECK-approved penetration testing providers. 

If networks or computer systems process data that is marked SECRET or TOP SECRET they have to be tested with the aid of 2 CHECK team leaders who should have the appropriate clearances and access. 

  • If your organization doesn’t belong to either sector and is privately owned, then penetration testing can also be conducted by companies that are not under CHECK. 

Make your Website / Web Application the safest place on the Internet.

With our detailed and specially curated SaaS security checklist.

4 Reasons Why CHECK Penetration Testing Is Needed

  • NCSC Recommended

CHECK penetration testing is recommended by the National CyberSecurity Centre for non-private sector organizations in order to run standardized penetration tests with the aid of verified, trustworthy CHECK pentest providers. 

  • Sensitive Data Security 

CHECK penetration tests ensure that sensitive data stored and transmitted within the public and governmental sectors are secured with the highest possible security devoid of any vulnerabilities. 

  • Verified Service Provider

Organizations in the public sector can choose among the verified CHECK service providers available to conduct CHECK penetration tests. Verified CHECK providers are accredited by the NCSC to provide services that ensure the safety and security of the system even if exploited through the identification of vulnerabilities. 

  • NCSC Approved Pentest Methodology

NCSC-verified CHECK penetration testing services make use of the CHECK penetration testing methodology that is standardized and approved by the NCSC. This ensures that the test finds all vulnerabilities and is provided with ample remediation measures. 

Read more on NIST Penetration Testing

Differences Between CHECK and CREST Penetration Testing

Given below are the differences between CHECK and CREST penetration testing

CHECK Penetration TestingCREST Penetration Testing
Accreditation by National CyberSecurity CentreAccreditation by the Council of Registered Ethical Security Testers (CREST)
For public and government organizationsFor private organizations but also collaborate with NCSC. 
Endorsed by the UKInternationally recognized. 
Uses NCSC-recognized pentesting methodologiesUses CREST pentesting methodologies
Mainly aimed at cybersecurity expertsMainly aimed at cybersecurity companies

Read more on Penetration Testing Compliance

Steps in CHECK Penetration Testing

1. Scoping

This is the initial phase where a scope is agreed upon by the pentesters and the customer which details the number of assets to be audited, the rules of attack, and the understanding of the needs of the client.

Proper scoping is required for a thorough CHECK penetration test, to avoid scope creep and legal troubles in the future. 

2. Scanning

This is the second phase of the CHECK penetration testing where the assets are scanned and audited for any vulnerabilities or areas of non-compliance that endanger data safety by the CHECK pentest provider. 

3. Exploitation

The vulnerabilities discovered during the pentest are exploited, evaluated, and categorized based on the threat’s severity. This is done according to CVSS (Common Vulnerability Scoring System) scores in which 8-10 represents critical vulnerabilities, 5-7 medium-level vulnerabilities, and 1- 4 low-level vulnerabilities.

4. Reporting

Once the CHECK penetration testing is complete, a detailed report is generated for the customers to help them understand the measures taken, vulnerabilities found, remediation measures that can be opted for, and help with good documentation of security. 

5. Remediation

The report will contain remediation measures for the vulnerabilities found on them. These vulnerabilities are to be remediated and patched based on criticality, the ones with high criticality should be patched immediately. 

6. Rescanning

Once the patches are made the assets are scanned again to verify the airtightness of the fixes made and to make sure there are no further vulnerabilities. 


Confidential, susceptible data is always on the move or is stored digitally by most public and government agencies. This makes  CHECK penetration testing a much-needed safety measure to ensure their systems are safe from any vulnerabilities that could threaten data safety. 

It is prudent to regularly conduct CHECK penetration tests with the aid of NCSC-approved tools that make the job of security easier for you. 

What are the three types of penetration testing?

The three most common penetration testing types are white-box, black-box, and grey-box penetration testing.
1. White box: Testers are aware of the details regarding the system they are going to exploit.
2. Black box: This is a penetration test where pentester does not know anything regarding the target to be exploited.
3. Grey-box: Here pentesters have partial relevant information regarding the targets.

What are the steps in a penetration test?

A penetration test usually starts off by defining the scope, which is followed by scanning the determined assets for vulnerabilities, exploiting them, and reporting the learnings found.

What is CHECK?

CHECK or IT Health Check Service is an accreditation provided by NCSC to pentesting companies. Accredited pentesting companies can provide pentesting services to government and public sector organizations.

Nivedita James Palatty

Nivedita is a technical writer with Astra who has a deep love for knowledge and all things curious in nature. An avid reader at heart she found her calling writing about SEO, robotics, and currently cybersecurity.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany