
CHECK Penetration Testing (ITHC)

CHECK was developed for government departments, public sector bodies, and the organisations forming the UK’s critical national infrastructure (CNI) to gain external, independent assurance. However, many private-sector organisations within these supply chains elect to perform CHECK testing to demonstrate adherence to good practice and meet contractual obligations.

CHECK is the scheme under which NCSC-approved companies can conduct authorised penetration tests of public sector and CNI systems and networks. Companies providing CHECK services use staff with NCSC-approved qualifications and suitable experience.

A CHECK ITHC should ensure that your organisation’s scoped assessment has a realistic threat scenario, and it should not be treated as a box-ticking exercise. Adding this threat modelling helps you design testing whose outcomes help prove whether your scoped element is vulnerable to the threats you identified. Air-gapped networks are a good example: many organisations request a simple penetration test, whereas scoping the ITHC as a malicious insider or rogue administrator scenario can prove far more helpful in identifying risks and attack vectors that may be unknown.

Penetration tests will be conducted using NCSC-recognised methods. The subsequent report and its recommendations are meticulously crafted to a recognised standard. They are reviewed by the NCSC, ensuring the highest level of quality.

CHECK Penetration Testing (ITHC) Services

Salus CHECK Green Light Service

What do I get from an ITHC provider?

  • Security vetted testers who have been evaluated against stringent trust and integrity requirements.
  • Defined point of contact for quality assurance and management of your commissioned task.
  • Testing methodologies approved by the NCSC, which specify:
    • Any testing undertaken must not cause damage to the systems being tested.
    • Quality audit controls are applied to a defined standard.
    • No residual artefacts created because of the test remain in the client environment. Additionally, in case any of these get overlooked, a full breakdown of the indicators of compromise that might occur in the logs and monitoring systems is provided to the company.
    • Any residual changes which cannot be reversed are notified to enable post-testing recovery.
    • Systems under test are returned to their original state.
    • Testing assignments are conducted impartially and deliver technical results, including recommendations which have regard to value for money.
    • Any conflicts of interest are managed effectively and disclosed with full transparency.
    • Any recommendations associated with additional products or services where we have a commercial interest are objective and reflect the full range of options in the market.
    • Testing proposals focus on efficiency and value for money.
    • Reporting quality is of an assured standard, independently audited by the National Technical Authority, so that you can trust its accuracy.
    • You have direct access to the NCSC, as the national authority, should you have concerns about our service quality.

Our Approach

Whatever you're protecting, we apply defence-grade cyber security skills whilst taking into consideration the realities of day-to-day business operations. We help our customers to address their known - and their unknown - cyber risks.
