The £10,000 Challenge

Is this challenge really free to enter?
Yes, there is no cost to apply for or participate in the challenge. If we succeed in finding vulnerabilities in your systems, you get a detailed report and recommendations at no cost. If we fail to breach your security, we pay you £10,000. It's a win-win scenario designed to demonstrate our confidence in finding security issues.
What's the catch? This sounds too good to be true.
There's no catch. We're so confident in our ability to find vulnerabilities that we're willing to back it with real money. The reality is that most businesses have security gaps they're unaware of. Our business model works because we typically find issues, and businesses then choose to work with us to fix those issues. But if your security truly is bulletproof, we're happy to acknowledge that with our £10,000 reward.
What qualifies as a successful hack for the challenge?
A successful hack is clearly defined in our challenge agreement, but generally includes any of the following: unauthorized access to sensitive data, ability to execute commands on servers or workstations, privilege escalation to administrator level, successful social engineering attacks resulting in credential disclosure, or any other security breach as defined in your specific agreement. All specific success criteria are agreed upon before the challenge begins.
What kind of businesses qualify for the challenge?
The challenge is open to registered businesses with at least 10 employees and a functioning IT infrastructure. We work with businesses across various sectors, though certain regulatory restrictions may apply in highly regulated industries. During the application process, we'll evaluate whether your business is a good fit for the challenge.

Legal & Compliance

Is what you're doing legal?
Absolutely. All our testing is conducted with proper authorization and within agreed boundaries. Before any testing begins, we establish a legally binding agreement that outlines the scope, methodology, and limitations of the assessment. This agreement provides us with the legal authorization to conduct testing activities. Without such authorization, attempting to breach a system would indeed be illegal. We operate within all relevant UK and international laws.
How do you handle our sensitive data during testing?
Protecting your data is our top priority. We maintain strict confidentiality for all information encountered during testing. Our team follows a comprehensive data handling policy that includes: not extracting sensitive data unless explicitly authorized, documenting only the minimum necessary to demonstrate vulnerabilities, securely storing all testing data, and permanently deleting all client data after the engagement concludes. Our team members sign NDAs and are bound by strict ethical guidelines.
Are you insured in case something goes wrong?
Yes, we carry comprehensive professional indemnity and cyber liability insurance. While our testing methodology is designed to be non-destructive and minimize any risk of disruption, we maintain insurance coverage to protect both our clients and our business in the unlikely event that something unexpected occurs. We're happy to provide proof of insurance upon request.
How does this help with our compliance requirements?
Many compliance frameworks require regular security testing. Our challenge and services can help satisfy requirements for standards such as ISO 27001, Cyber Essentials Plus, GDPR, and PCI DSS. We provide detailed documentation that can be used as evidence during audits. Additionally, our team can help interpret compliance requirements and develop strategies to address any gaps identified during testing.

Technical Process

What techniques do you use to test our security?
We use a comprehensive range of ethical hacking techniques similar to those used by malicious actors. These may include network scanning, vulnerability assessment, web application testing, API security analysis, social engineering (if agreed upon), password cracking, and exploitation of found vulnerabilities. Our methodology follows industry standards such as the OWASP Testing Guide and NIST guidelines. All techniques are agreed upon in advance and conducted within the defined scope.
Will your testing disrupt our operations?
Our testing is designed to minimize disruption to your business operations. We employ non-destructive testing methods and can schedule intensive testing during off-hours if needed. We also maintain constant communication channels during testing, so you can ask us to pause if any issues arise. In our experience, most testing proceeds without any noticeable impact on day-to-day operations.
Will you steal or destroy our data?
Absolutely not. Our testing is ethical and non-destructive. We never delete, modify, or exfiltrate your data unless explicitly authorized to do so as part of the testing scope. If we need to demonstrate a vulnerability that might involve accessing sensitive data, we will always seek explicit permission first and will only access the minimum necessary to prove the vulnerability exists. Our goal is to help improve your security, not compromise it further.
How long does the testing process take?
The duration of testing depends on the size and complexity of your IT infrastructure. Typically, our challenge testing ranges from 1-4 weeks. We'll provide a specific timeframe estimate during the scoping phase based on the agreed scope of testing. This includes initial reconnaissance, active testing, and the preparation of detailed reports. We work efficiently to deliver results as quickly as possible without compromising the thoroughness of our assessment.

Business Questions

What happens after the challenge is complete?
After the challenge, we provide a comprehensive report detailing our findings, regardless of the outcome. If we succeed in finding vulnerabilities, we'll explain each issue, its potential impact, and provide actionable recommendations for remediation. We'll also present options for ongoing security services if you'd like assistance in addressing the issues. If we fail to breach your security, we'll pay you £10,000 and can still provide insights into areas where your security is particularly strong.
How quickly will I receive payment if you fail the challenge?
If we fail to breach your security within the agreed timeframe, we will process the £10,000 payment within 30 business days of the conclusion of the challenge. The payment method will be specified in the challenge agreement, typically via bank transfer. We proudly stand by our commitment and have never failed to honor a payout.
What makes CyberProofed different from other security companies?
Our £10,000 challenge is the most visible difference, but our approach is unique in several ways. We focus on real-world security testing rather than checkbox compliance. Our team consists of ethical hackers with extensive experience in offensive security. We provide actionable reports written in plain English that explain both technical details and business impact. Most importantly, we're outcomes-focused: our success is measured by how effectively we help you improve your security posture, not by how many vulnerabilities we find.
Can you help us fix the issues you find?
Absolutely. While the challenge itself includes detailed recommendations for remediation, we offer additional services to help implement those fixes. Our team can provide hands-on assistance with vulnerability remediation, security architecture improvements, policy development, and staff training. We also offer ongoing managed security services to help maintain your improved security posture over time. Our goal is to be a long-term security partner, not just a one-time testing provider.

Still Have Questions?

If you couldn't find the answer you were looking for, our team is happy to help. Contact us directly and we'll respond to your inquiry as soon as possible.
