People often mix up cyber security consultants and penetration testers. The titles sound similar. Both work in security. But they do very different things.

Understanding the difference helps you get the right help. Hire the wrong one and you waste money on work you didn't need.

The Simple Difference

A cyber security consultant advises on all aspects of security. Strategy. Policies. Training. Compliance. The big picture.

A penetration tester focuses on one thing: breaking into your systems to find weak spots. They think like a hacker.

One is a strategic advisor. The other is an offensive specialist.

Quick Summary: Consultants tell you what to protect and how. Penetration testers show you where you're vulnerable by trying to break in.

What Does Each Role Do?

Cyber Security Consultant

A consultant looks at your whole security picture. Their typical work includes:

  • Assessing your overall security posture
  • Creating security policies and procedures
  • Helping meet compliance requirements
  • Training your staff on security awareness
  • Planning how to respond to incidents
  • Advising on security investments
  • Managing ongoing security programmes

They think strategically. They connect security to business goals. They help you make smart decisions about where to invest.

Penetration Tester

A penetration tester (or "pen tester") tries to hack you. With written permission and an agreed scope, of course.

Their work includes:

  • Scanning networks for vulnerabilities
  • Trying to break into your systems
  • Testing web applications for flaws
  • Attempting to exploit weaknesses
  • Reporting what they found, how they got in, and how to fix it

They think tactically. They use the same tools and techniques that real attackers use. But instead of stealing your data, they write a report.

I've written more about what to expect from penetration testing.

Key Differences at a Glance

Aspect     Consultant                                  Penetration Tester
Focus      Broad security advice                       Finding specific vulnerabilities
Approach   Strategic and advisory                      Technical and offensive
Output     Policies, plans, recommendations            List of vulnerabilities found
Skills     Risk management, compliance, communication  Hacking tools, exploit development
Scope      Entire security programme                   Specific systems or applications

Different Tools, Different Mindsets

Consultant's Toolkit

Consultants use:

  • Risk assessment frameworks
  • Policy templates
  • Compliance checklists
  • Security awareness training materials
  • Project management tools

Their main tool is knowledge. They understand regulations, standards, and best practices. They translate that into advice you can use.

Pen Tester's Toolkit

Testers use:

  • Kali Linux (a Linux distribution bundled with penetration-testing tools)
  • Metasploit (exploitation framework)
  • Burp Suite (web application testing proxy)
  • Nmap (network scanning and service enumeration)
  • Custom scripts and exploits

Their main tool is technical skill. They know how systems work and how to break them.

Quick Tip: Think of it like medicine. A consultant is like a GP who advises on your overall health. A penetration tester is like a specialist who runs specific tests.

Which Do You Need?

It depends on where you are with security.

You Need a Consultant If:

  • You're starting from scratch with security
  • You need to meet compliance requirements
  • You want a security strategy
  • You need policies and procedures written
  • Your staff need training
  • You're not sure what you need

You Need a Penetration Tester If:

  • You have security in place and want it tested
  • You're launching a new web application
  • Compliance requires regular testing
  • You want to know if attackers could get in
  • You've made changes and need them validated

You Might Need Both If:

  • You want comprehensive security improvement
  • A consultant recommends testing
  • You're building a full security programme

Warning: Don't skip straight to pen testing. Without basic security in place, a pen test just confirms you're vulnerable. It's expensive proof of what you already know. Start with consultancy to build foundations.

How They Work Together

The best results come when they complement each other.

A typical sequence:

  1. Consultant assesses your current security
  2. You implement their recommendations
  3. Penetration tester validates the improvements
  4. Consultant helps fix issues the test found
  5. Repeat periodically

Some people do both roles. Many consultants can do basic testing. Many testers can give strategic advice. But specialists are usually better at their speciality.

Phase           Who Helps          What They Do
Assessment      Consultant         Understands your risks and gaps
Planning        Consultant         Creates security roadmap
Implementation  You + Consultant   Puts controls in place
Validation      Pen Tester         Tests whether controls work
Improvement     Consultant         Fixes gaps found in testing

Costs Compared

Both charge similar rates. The difference is how long work takes.

A basic penetration test might take 2-5 days. Focused work with clear scope.

Consultant work varies more. An initial assessment might take a few days. Building a full security programme could take months of ongoing work.

Work Type                       Typical Duration   Typical UK Cost
Basic pen test (small network)  2-3 days           £2,000 - £4,000
Web app pen test                3-5 days           £3,000 - £6,000
Security assessment             2-5 days           £1,500 - £4,000
Security programme (ongoing)    Monthly retainer   £1,000 - £5,000/month

For more on costs, see my guide on Cyber Essentials pricing as a benchmark for basic security work.

Certifications to Look For

For Consultants

  • CISSP (all-round senior certification)
  • CISM (security management)
  • ISO 27001 Lead Auditor

For Penetration Testers

  • CREST (UK accreditation body; look for CRT or CCT certified testers)
  • OSCP (offensive security)
  • CEH (ethical hacking)

Learn more about qualifications that matter.

Common Questions

Can one person do both roles?

Yes, some people do. But specialists usually do better work in their area. Jack of all trades often means master of none. For important work, consider specialists in each role.

Which should I hire first?

Usually a consultant. They help you understand your risks and build foundations. A pen test is most valuable when you have security in place and want it validated. Testing a system with no security just confirms it's insecure.

Do I need both for Cyber Essentials?

Basic Cyber Essentials is a self-assessment and doesn't require pen testing. A consultant can help you get ready. Cyber Essentials Plus adds a technical audit, including vulnerability scanning of sample devices and your external services, but it's carried out by an assessor from the certification body, not by a separate pen tester, and it isn't a full penetration test.

How often should I get a pen test?

Annually is common. More often if you make significant changes to systems. Some regulations require specific frequencies; PCI DSS, for example, requires testing at least annually and after significant changes. A consultant can advise on what's right for your situation.

What's the difference in reports?

Consultant reports are broader: risk assessments, policy recommendations, strategic plans. Pen test reports are technical: specific vulnerabilities found, how they were exploited, and exact steps to fix them. Both should open with a summary clear enough for non-technical readers.

Can a pen tester help with staff training?

Not usually. Training is consultant territory. Some pen testers can run phishing simulations as part of their testing, which helps training. But building a full awareness programme needs a consultant.

Not Sure What You Need?

I help UK businesses figure out their security priorities. Happy to chat about where to start.

View Cyber Security Services