LONDON HQ · WORLDWIDE DELIVERY — © 2026 HP/SEC

We find the breach before it finds you.

HP/SEC is a cyber security consultancy based in London, serving organisations across the United Kingdom, Europe, the Middle East and Asia. Our consultants identify exploitable weaknesses, prepare organisations for certification, and stand beside clients when incidents occur — combining enterprise-grade methodology with the responsiveness of a dedicated partner.

The threat landscape, by the numbers

0%
of UK businesses identified a cyber breach or attack in the last twelve months — approximately 612,000 organisations.
UK Gov Cyber Security Breaches Survey 2025/26
$0M
global average cost of a data breach, including detection, response, lost business and regulatory exposure.
IBM Cost of a Data Breach Report
0M
estimated cybercrime incidents against UK organisations in a single year — phishing remains the dominant vector.
UK Gov Cyber Security Breaches Survey 2025/26
<0h
our commitment: every enquiry receives a substantive response within one working day, anywhere in the world.
HP/SEC service standard
Services

A complete security capability, on demand.

Every engagement is scoped and priced in advance. Fixed fees apply wherever the scope permits; bespoke work is quoted before commencement. All deliverables include an executive summary for leadership and a technical report with prioritised remediation.

FLAGSHIP
01 / OFFENSIVE SECURITY

Penetration Testing

Authorised, methodology-led testing of external infrastructure, internal networks and cloud environments. Our consultants replicate genuine attacker behaviour to determine what could be exploited — and precisely how to close it. Reporting includes proof of exploitation, business impact analysis and remediation guidance tailored to your environment.

From £999 / engagement
02 / OFFENSIVE SECURITY

Red Team Engagement

Objective-driven adversary simulation testing your organisation's detection and response capability across technical, physical and human attack surfaces.

Quoted on scope
03 / OFFENSIVE SECURITY

Web Application Assessment

In-depth assessment against the OWASP Top 10 and beyond — authentication, access control, injection, session management and business-logic flaws.

From £949
04 / DEFENSIVE

Email Security

Hardening of the most attacked channel in your business: DMARC, SPF and DKIM implementation, Microsoft 365 and Google Workspace configuration review, and anti-phishing controls.

From £449
05 / ASSESSMENT

Vulnerability Assessment

Authenticated scanning and verified analysis of infrastructure, endpoints and cloud estates, prioritised by genuine business risk rather than raw scanner output.

From £599
06 / ASSESSMENT

Security Health Check

A concise, risk-ranked review of email, identity, devices, backups and cloud configuration — delivered within one week.

Fixed £495
07 / CERTIFICATION

Cyber Essentials & Plus

Gap assessment, remediation planning and submission support across the five controls — through to the hands-on Plus audit.

From £749
08 / GOVERNANCE

ISO 27001 & Compliance

Gap analysis, control mapping, policy development and evidence preparation for ISO 27001, NIST-aligned frameworks, regulatory requirements and supplier security questionnaires — wherever your clients and regulators are.

From £79 / hour
09 / PEOPLE

Phishing Simulation & Awareness Training

Controlled phishing campaigns measuring genuine staff susceptibility, paired with targeted training built on the results. Available as a quarterly programme to embed lasting reporting behaviour.

From £349 / campaign
10 / RETAINER

Managed Security

An ongoing security function for organisations without in-house expertise: monthly reviews, supplier assessments, policy maintenance, certification renewals and priority advisory access.

From £599 / month
11 / RESPONSE

Incident Response Support

Rapid containment, investigation and recovery for suspected compromise, malware events or account takeover — remote first response available across time zones.

From £95 / hour
Packages

Enterprise-grade security, priced for real businesses.

Big consultancies price small and mid-sized companies out of proper security — then those companies get breached. HP/SEC exists to close that gap: the same testing and rigour the large firms sell, bundled into clear fixed-price packages a growing business can actually afford. No day-rate surprises, no enterprise minimums.

Essentials

Foundation

// startups & small teams (1–25 staff)
£999 one-off
Bought separately: ~£1,390 — save ~£390
  • External vulnerability assessment of your internet-facing systems
  • Email security setup — SPF, DKIM, DMARC done properly
  • Security health check across identity, devices & backups
  • Executive summary plus prioritised technical fix list
  • 30-minute findings walkthrough call
Ongoing

Partner

// security without a hire
£599 / month
Your outsourced security function
  • Monthly vulnerability scanning & review
  • Quarterly phishing campaigns & reporting
  • Annual penetration test included
  • Supplier & questionnaire support
  • Certification renewal management
  • Priority incident response access

// All packages are fixed-price and scoped in advance. Prefer to pick individual services? See the full menu above. Not sure what you need? Run a free scan or ask us — we'll point you to the right starting point, honestly.

Engagement process

Clear scope. Clear price. Clear outcomes.

Every engagement follows the same structured, transparent process — whether the client is in London, Dubai or Singapore. No open-ended retainers, no scope creep, no reporting that requires translation.

PHASE_01

Initial consultation

A complimentary thirty-minute discussion to understand your organisation, current security posture and objectives. We use this conversation to establish whether HP/SEC is the right partner for your requirements before any commitment is made.

PHASE_02

Proposal & quotation

A concise proposal defining scope, deliverables, methodology, timeline and fee — agreed in writing before any work begins. For offensive engagements, signed authorisation and rules of engagement are established at this stage.

PHASE_03

Delivery

Work is conducted to the agreed schedule by our consulting team, with a structured midpoint check-in to confirm direction. Findings that present immediate risk are escalated to you the day they are identified, not held for the final report.

PHASE_04

Reporting & handover

Findings are delivered as an executive summary for decision-makers and a technical report with complete evidence and remediation guidance. A thirty-day follow-up window is included with every engagement as standard.

Why HP/SEC

Enterprise methodology. Partner-level attention.

Large consultancies bring methodology but treat smaller clients as overflow work. HP/SEC brings the same standards — OWASP, MITRE ATT&CK, NIST — with direct access to the consultants doing the work.

Accountable delivery

Every engagement is led and quality-assured from London, with named points of contact throughout. You always know who is responsible for your work.

Global reach, follow-the-sun delivery

Our distributed consulting team operates across time zones, enabling overnight assessment windows, rapid turnaround and incident support whenever it is needed.

Reporting that lands

Findings are written for the audience: a board-ready executive summary, and a technical report your engineers can act on the same day it arrives.

Frequently asked

Questions, answered.

If your question is not covered below, submit an enquiry — every message receives a substantive response within one working day.

Do you work with clients outside the United Kingdom?

Yes. HP/SEC is based in London and delivers remotely to clients worldwide. The substantial majority of our services — penetration testing, web application assessments, email security, compliance support and incident response — are delivered remotely as standard, and our team operates across time zones.

Do you work with small and medium-sized businesses?

Yes — organisations of between five and five hundred staff are our core client base, and our pricing is structured accordingly. We also support larger organisations with defined, project-based requirements.

How is a penetration test or red team engagement authorised?

Every offensive engagement begins with a written scoping document defining targets, methodology, testing windows and rules of engagement. No testing activity takes place until signed authorisation is in place from a person with authority over the systems concerned. We provide the authorisation paperwork as part of the proposal stage.

What is the difference between a penetration test and a red team engagement?

A penetration test aims to identify as many exploitable weaknesses as possible within a defined scope. A red team engagement is objective-driven: it simulates a genuine adversary pursuing a specific goal — such as accessing a critical system — to test whether your organisation can detect and respond. Most organisations benefit from penetration testing first, and red teaming once defensive capability has matured.

Can you help us achieve certification?

Yes. We provide readiness services for Cyber Essentials, Cyber Essentials Plus and ISO 27001, taking organisations from initial gap assessment through to submission or audit. Certification readiness engagements are fixed-fee and typically complete within two to four weeks.

What does incident response support look like?

Incident support is engaged hourly with a two-hour minimum. We provide remote first response focused on containment and evidence preservation, before moving into investigation, recovery and post-incident hardening. Our distributed team enables a rapid response regardless of your time zone.

Free tool

What does the internet know about your domain?

Run a free passive external attack surface scan. We check your email security, exposed services, security headers, TLS and public footprint — the same first look an attacker takes. No login, no scanning of your servers, results in seconds.

// Passive reconnaissance only — we read public records. No intrusive scanning is performed against your systems.


HP/SEC's free scan performs passive reconnaissance using publicly available data sources (certificate transparency logs, public DNS, and existing third-party scan data). It does not perform port scanning or intrusive testing against the target. Results are indicative and time-limited; absence of a finding is not a guarantee of security. Only scan domains you own or are authorised to assess.

Blog · Security insights

Field notes from the front line.

Practical guidance on penetration testing, certification and security operations for organisations in the United Kingdom, North America, Australia, New Zealand, Europe and the Middle East. Written by our consultants — no fluff, no fear-mongering.

How often should your organisation run a penetration test?

The honest answer is: at least annually, and after any significant change. A penetration test is a snapshot — the moment you migrate to a new cloud platform, launch a customer-facing application, complete a merger or restructure your network, the previous report stops describing your environment.

Regulated organisations often have the cadence set for them: PCI DSS requires testing at least annually and after significant changes, while frameworks such as SOC 2, ISO 27001 and the UK's Cyber Essentials Plus expect evidence of regular technical assessment. For most small and medium-sized businesses in the UK, US, Canada and Australia, an annual external penetration test combined with quarterly vulnerability scanning strikes the right balance between assurance and budget.

If you have never tested at all, start with an external infrastructure test and a web application assessment of your most critical system — these cover the attack surface a real adversary sees first.

Cyber Essentials explained: the UK certification your contracts may already require

Cyber Essentials is the UK Government-backed certification covering five technical controls: firewalls, secure configuration, access control, malware protection and security update management. It is mandatory for many UK public-sector contracts and increasingly requested in private-sector supply chains.

Most organisations fail their first self-assessment on the same handful of issues: unsupported operating systems still in use, missing multi-factor authentication on cloud services, local administrator rights granted too broadly, and patching that exceeds the 14-day window for critical updates.

Cyber Essentials Plus adds an independent technical audit of the same controls. For organisations bidding on UK contracts from overseas — including suppliers in Europe, North America and the Middle East — certification is achievable remotely and demonstrates a credible security baseline to UK buyers. A structured readiness assessment typically takes an organisation from gap analysis to submission within two to three weeks.

The Essential Eight: Australia's maturity model, and why it travels well

The Australian Cyber Security Centre's Essential Eight is one of the most pragmatic security frameworks in circulation: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

Australian government entities are required to meet defined maturity levels, and the model is spreading through Australian and New Zealand supply chains as a procurement expectation. But its value is not limited to Australasia — the Essential Eight maps cleanly onto the controls that stop the majority of real-world intrusions anywhere in the world.

If your organisation operates in Australia or New Zealand, an Essential Eight maturity assessment is the fastest way to understand your standing before a customer or regulator asks. If you operate elsewhere, it remains an excellent prioritisation tool for limited security budgets.

NIS2: what the EU's expanded security directive means for your business

The NIS2 Directive significantly widens the scope of EU cyber security regulation, bringing medium and large organisations across sectors such as manufacturing, food, digital services, waste management and postal services into scope alongside traditional critical infrastructure.

In-scope entities face concrete obligations: risk management measures, incident reporting within tight timeframes, supply chain security requirements, and management accountability — with penalties that can reach significant percentages of global turnover. Member states have transposed the directive into national law, so the precise requirements vary by country.

Two practical points are frequently missed. First, non-EU companies providing services into the EU can fall within scope. Second, the supply chain provisions mean that even out-of-scope smaller suppliers are now being asked by their in-scope customers to evidence security controls. A gap assessment against NIS2's risk management measures is the sensible starting point for any organisation selling into Europe.

SOC 2 vs ISO 27001: which does your organisation actually need?

If your customers are primarily in the United States or Canada, the answer is usually SOC 2 — a reporting framework built around the AICPA Trust Services Criteria, delivered as an independent auditor's report rather than a certificate. If your customers are in the UK, Europe, Australia or the Middle East, ISO 27001 — the international standard for information security management systems — generally carries more weight.

Many scaling SaaS and services companies ultimately need both, and the good news is the overlap is substantial: a well-built ISO 27001 management system covers the majority of SOC 2's common criteria. The efficient route is to build the control set once and evidence it twice.

Whichever path you take, begin with a gap analysis before engaging auditors. Audit time is expensive; remediation time is not. Arriving at the audit with known gaps closed is the difference between a clean report and a qualified one.

DMARC, SPF and DKIM: the email security controls most businesses still get wrong

Email remains the most attacked channel in business, and yet a large share of organisations worldwide still run with incomplete email authentication. SPF defines which servers may send on your domain's behalf; DKIM cryptographically signs your outbound mail; DMARC tells receiving servers what to do when checks fail — and gives you reporting on who is spoofing your domain.

The most common failure we see is a DMARC policy of p=none left in place indefinitely: monitoring mode, enforcing nothing. Attackers can still impersonate your domain to your customers and suppliers. Major mailbox providers now require authentication from bulk senders, so weak configuration also harms deliverability of legitimate mail.

The path to enforcement — none, quarantine, reject — should be walked deliberately over a few weeks using DMARC reports to catch legitimate senders before they are blocked. Combined with a hardened Microsoft 365 or Google Workspace configuration, this is some of the highest-value security work available at modest cost.
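As an added example (not HP/SEC's scanner or any code from this page), the Python below checks SPF and DMARC TXT records for exactly the weaknesses this post describes: p=none left in monitoring mode, partial pct, a missing rua= reporting address, weak subdomain policy, and permissive or over-long SPF. All domains and records are constructed; in practice the strings would come from a DNS resolver.

```python
"""Assess SPF and DMARC TXT records for common misconfigurations.

Added example, not HP/SEC tooling. Records are constructed sample
strings so the check runs offline; fetch real ones with a resolver.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

# Constructed sample records for a fictional domain (not real DNS data).
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.test ip4:203.0.113.0/24 ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test; pct=100",
}

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208's limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    message: str


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[Finding]:
    """Flag a DMARC record that does not actually enforce anything."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [Finding("high", "no valid DMARC record: receivers enforce nothing")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine: spoofed mail is filed as spam, not rejected"))
    elif policy != "reject":
        findings.append(Finding("high", f"unrecognised policy p={policy!r}"))
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address: no aggregate reports to find legitimate senders"))
    # sp= defaults to p=; an explicit sp=none undoes an enforcing organisational policy.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("medium", "sp=none: subdomains remain spoofable"))
    return findings


def assess_spf(record: str) -> List[Finding]:
    """Flag permissive 'all' qualifiers and records that exceed the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "no valid SPF record")]
    findings: List[Finding] = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append(Finding("medium", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_term[0] not in "-~":          # bare 'all' means '+all'
        qualifier = all_term[0] if all_term[0] in "+?" else "+"
        level = "high" if qualifier == "+" else "medium"
        findings.append(Finding(level, f"{qualifier}all: SPF provides effectively no protection"))
    lookups = sum(
        1 for t in terms[1:]
        if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(Finding("high", f"too many DNS lookups ({lookups} > 10): SPF permerror"))
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        checker = assess_spf if name == "spf" else assess_dmarc
        for f in checker(record):
            print(f"[{f.severity.upper()}] {name}: {f.message}")
```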

Phishing in 2026: why AI-written lures changed the economics of attack

The tell-tale signs organisations trained their staff to spot — clumsy grammar, generic greetings, implausible scenarios — are gone. Generative AI lets attackers produce fluent, contextually convincing emails in any language at near-zero cost, and voice cloning has put convincing phone-based pretexts within reach of low-skilled actors.

This does not make awareness training obsolete; it changes what good training looks like. The emphasis must shift from spotting linguistic errors to verifying requests through independent channels: any instruction involving payment, credentials or data deserves confirmation via a known phone number or in-person check, regardless of how legitimate the message appears.

Realistic phishing simulation remains the most effective way to build this reflex — not to catch employees out, but to give them safe practice at pausing before they click. Organisations that run quarterly simulations with targeted follow-up training consistently show measurable reductions in click-through and faster reporting of genuine attacks.

Penetration test or red team engagement: choosing the right assessment

A penetration test answers the question "what weaknesses exist in this scope?" A red team engagement answers "can an adversary achieve a specific objective without being detected?" They are different instruments, and buying the wrong one wastes money.

Penetration testing is the right choice when you want broad coverage of a defined environment: an external perimeter, a web application, a cloud tenancy. The deliverable is a prioritised list of exploitable findings with remediation guidance.

Red teaming is the right choice once your defensive capability has matured: you have monitoring, an incident response process, and you want to know whether they actually work under pressure. The deliverable is a narrative of what an attacker achieved, what your defenders saw, and where detection and response broke down. Most organisations should test before they red team — there is little value in stealth-testing an environment whose basic weaknesses have never been assessed.

Why small and medium-sized businesses are now the primary target

The persistent myth in SME leadership is "we are too small to be worth attacking." The data says otherwise: a large share of cyber attacks target small and medium-sized organisations, precisely because attackers know defences are thinner while the data — customer records, payment details, supplier credentials — is just as monetisable.

SMEs also serve as stepping stones. Supply chain compromise, where attackers breach a small supplier to reach a large customer, has become a standard technique, which is why enterprise procurement teams across the UK, US, Canada, Australia and Europe now demand security evidence from even their smallest vendors.

The encouraging news: the controls that stop most opportunistic attacks are neither exotic nor expensive. Multi-factor authentication everywhere, disciplined patching, tested backups, email authentication and a basic incident plan put an SME ahead of the majority of its peers — and a focused security health check can identify which of these gaps exist in days, not months.

Cyber security compliance in the Middle East: UAE and Saudi Arabia in focus

The Gulf has moved rapidly from guidance to enforcement. In Saudi Arabia, the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) set mandatory requirements for government entities and organisations connected to them, with sector regulators such as SAMA imposing further obligations on financial institutions. In the UAE, federal and emirate-level frameworks — including the UAE Information Assurance Regulation and DIFC and ADGM data protection regimes — create overlapping obligations for organisations operating across free zones.

For international companies entering these markets, the recurring challenges are data residency requirements, mandatory incident reporting timelines, and evidencing controls in the structured formats regulators expect.

Organisations with mature ISO 27001-aligned programmes typically find they already meet a substantial portion of regional requirements — the work lies in mapping, localisation and closing specific gaps such as residency and reporting. A structured gap assessment against the relevant framework is the pragmatic first step before bidding on government or financial-sector work in the region.

The first 24 hours of a security incident: what to do and what to avoid

The decisions made in the first day of an incident determine whether it becomes a contained event or a prolonged crisis. The priorities, in order: contain the spread (isolate affected systems from the network — do not power them off, as memory evidence is lost), preserve evidence (logs, disk images, mailbox audit records), establish out-of-band communications if email may be compromised, and engage your insurer early, as many cyber policies require notification before costs are incurred.

The most damaging early mistakes are predictable: wiping and rebuilding systems before understanding the intrusion (destroying the evidence needed to confirm what was taken), communicating about the incident over potentially compromised channels, and public statements that outrun the facts.

Regulatory clocks also start immediately — UK and EU GDPR's 72-hour breach notification, and equivalent obligations in Canada, Australia and across the Gulf. Even without in-house security staff, a pre-agreed incident response contact and a one-page plan transform the quality of those first hours.

Vulnerability scanning is not vulnerability management

Many organisations buy a scanner, schedule it monthly, and consider the problem solved. The result is usually a growing PDF of thousands of findings that nobody reads — scanning without management is reporting, not security.

Vulnerability management is the cycle around the scan: asset discovery (you cannot patch what you do not know you own), prioritisation by genuine exploitability and business impact rather than raw CVSS score, assigned remediation with deadlines, and verification that fixes landed. A critical-rated vulnerability on an isolated test box may matter less than a medium-rated one on your internet-facing VPN.

The maturity marker we look for in assessments is simple: can the organisation state its median time to remediate a critical, internet-facing vulnerability? If the answer is unknown, the programme is producing data, not risk reduction. For resource-constrained teams, a quarterly verified assessment with ruthless prioritisation outperforms a monthly scan nobody actions.
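The post's two points, exposure-aware prioritisation instead of raw CVSS and the median-time-to-remediate metric, as an added example (not HP/SEC's methodology or code). The weighting factors, asset criticality scale and every finding, host name and date below are constructed for illustration.

```python
"""Risk-based prioritisation and the median-time-to-remediate metric.

Added example, not HP/SEC's assessment tooling. Weights and sample
findings are constructed; the hosts and dates are not real data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Callable, List, Optional


@dataclass
class Finding:
    host: str
    title: str
    cvss: float               # scanner's base score, as reported
    internet_facing: bool
    known_exploited: bool     # e.g. listed in a known-exploited catalogue
    asset_criticality: int    # constructed scale: 1 lab/test .. 3 business critical
    found: date
    fixed: Optional[date] = None


# Constructed sample: the page's "critical on an isolated test box" beside a
# "medium on the internet-facing VPN", plus a few more for the metrics.
SAMPLE: List[Finding] = [
    Finding("test-box-01", "RCE in lab service", 9.8, False, False, 1, date(2026, 1, 5), date(2026, 2, 20)),
    Finding("vpn-gw-01", "Outdated VPN firmware", 6.5, True, True, 3, date(2026, 1, 5), date(2026, 1, 9)),
    Finding("web-01", "TLS 1.0 enabled", 5.3, True, False, 2, date(2026, 1, 12), None),
    Finding("dc-01", "SMB signing not required", 5.9, False, False, 3, date(2026, 1, 12), date(2026, 2, 1)),
    Finding("edge-fw-01", "Auth bypass in edge appliance", 9.8, True, True, 3, date(2026, 1, 20), date(2026, 1, 23)),
]


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to the usual scanner band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Weight the scanner score by exposure, exploitation evidence and asset value.

    Constructed weights: an isolated asset is discounted, an internet-facing
    one or a known-exploited flaw is uplifted, and asset criticality scales
    the result. The point is the ordering, not the absolute number.
    """
    score = f.cvss
    score *= 1.5 if f.internet_facing else 0.7
    score *= 1.5 if f.known_exploited else 1.0
    score *= {1: 0.5, 2: 1.0, 3: 1.3}[f.asset_criticality]
    return round(score, 1)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Remediation queue: highest business risk first, regardless of CVSS band."""
    return sorted(findings, key=risk_score, reverse=True)


def median_days_to_remediate(findings: List[Finding],
                             select: Callable[[Finding], bool]) -> Optional[float]:
    """The maturity metric from the post, over fixed findings matching `select`.

    Returns None when nothing matching has been fixed, i.e. the answer is
    genuinely 'unknown' and the programme is producing data, not risk reduction.
    """
    days = [(f.fixed - f.found).days for f in findings if f.fixed and select(f)]
    return median(days) if days else None


def open_past_sla(findings: List[Finding], as_of: date, sla_days: int) -> List[str]:
    """Hosts with unfixed findings older than the SLA (verification step of the cycle)."""
    return [f.host for f in findings if f.fixed is None and (as_of - f.found).days > sla_days]


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):5}  {severity_band(f.cvss):8}  {f.host:12}  {f.title}")
    crit_ext = lambda f: f.internet_facing and severity_band(f.cvss) == "critical"
    print("median days to fix critical internet-facing:", median_days_to_remediate(SAMPLE, crit_ext))
    print("open past 14-day SLA:", open_past_sla(SAMPLE, date(2026, 3, 1), 14))
```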

How to choose a penetration testing provider: ten questions that separate professionals from scanner resellers

The penetration testing market ranges from rigorous consultancies to operations that run an automated scanner and rebrand the output. Before engaging any provider — in the UK, North America, Australia or anywhere else — ask: Will testing be performed manually by a named consultant, or is it primarily automated? What methodology do you follow (OWASP, PTES, MITRE ATT&CK)? Can I see a sanitised sample report? How do you handle findings of critical severity mid-engagement? What insurance do you carry?

Further: How is scope and authorisation documented? Do you retest after remediation, and is that included? Who actually performs the work — employees or undisclosed subcontractors? How is my data protected during and after the engagement? What does the debrief include for non-technical stakeholders?

A professional firm answers all ten without hesitation and puts the answers in writing. Evasiveness on methodology, sample reporting or insurance is a reliable signal to look elsewhere — the cheapest quote is rarely cheap once a missed vulnerability is exploited.

Remote penetration testing across borders: how global delivery actually works

A question we hear from clients in Canada, Australia, New Zealand and the Gulf: can a London-based consultancy genuinely test our environment remotely? For the substantial majority of modern engagements, yes — external infrastructure, web applications, cloud configurations, email security and phishing simulation are all delivered remotely as standard practice across the industry.

What matters is the operational discipline around it. Testing windows agreed in your time zone, so any disruption risk falls in your quiet hours. Written authorisation that satisfies the legal requirements of your jurisdiction. Secure handling of findings and evidence, with data residency respected where regulation requires it. And a debrief scheduled when your team is awake, not ours.

A distributed delivery model turns time zones into an asset: overnight testing windows for you are working hours for part of the team, and incident response does not wait for London to wake up. Geography stopped being a constraint on assessment quality some years ago — what varies between providers is process, not postcode.

Enquiries

Tell us what you are trying to solve.

A supplier deadline, a contract demanding certification, a finding from an audit, or a concern that has been quietly nagging at you — outline it below and we will reply within one working day with a clear next step.

Coverage: based in London · delivering to clients worldwide
Response time: within one working day, in any time zone
Contact: via the enquiry form — as a security practice, we do not publish email addresses

Your details are used solely to respond to this enquiry and are never shared with third parties.