Penetration tests, pentests for short, sound like a topic for banks and huge corporations. In practice ordinary SMEs reach for them more and more often, because it is the most honest way to check whether your defences really work. Instead of assuming everything is fine, you hire someone to try to break into your company in a controlled way and write down what they managed to do. I will explain what a pentest is and is not, and when it is really worth doing.
What a penetration test is
A penetration test is a controlled, planned attempt to break through defences, carried out with the company’s consent and within an agreed scope. A specialist, called an ethical hacker, plays the role of the attacker and looks for a real path to your data or systems.
The most important word is real. A pentest does not end at a list of theoretical gaps. It shows which of those gaps can actually be exploited and where that leads. The difference is like between knowing the door has a weak lock and showing that with that lock you can get inside and reach all the way to the safe.
Pentest versus vulnerability scan
These are two different things, easy to confuse, yet very different in price and value.
- A vulnerability scan is an automated tool that reviews systems and lists known weaknesses. It is cheap, fast and worth doing regularly, but it generates a long list without context.
- A penetration test is the work of a human who tries to exploit those weaknesses, combines them and checks the real effect. It is more expensive and rarer, but it tells you what really threatens you.
The most common mistake I see is confusing a scanner report with a pentest. The scanner will say you have a hundred vulnerabilities. A good pentester will say that three of them combined are enough to take over the accounting data. That second piece of information lets you make a decision.
Types of tests
Depending on how much knowledge the tester is given, we speak of three approaches.
- Black box. The tester knows nothing, just like a real attacker from outside. Closest to a real attack, but takes more time.
- Grey box. The tester gets some information, for example an ordinary user account. It checks how far someone who already has a foot in the door will get.
- White box. The tester has full knowledge of the system. Most effective at finding the maximum number of problems in a short time.
Separately, there is the scope: tests of a web application, the internal network, internet-facing infrastructure or social engineering, that is attempts to fool employees.
When it is worth running a pentest
The point is not to do it every month. There are, however, moments when it makes particular sense.
- Before launching a new application or service available from the internet.
- After larger changes in the infrastructure, a migration to the cloud or a network rebuild.
- Once a year as a standing element of caring for security, especially when you process sensitive data.
- On a client’s or a standard’s requirement. Increasingly, large contractors or ISO 27001 expect proof that tests take place.
- After an incident, to check whether the gap has actually been closed and not just patched on paper.
It is worth planning penetration testing as part of broader care for security, not a one-off action for peace of mind.
What you get at the end
The value of a pentest is in the report, not in the mere fact of carrying it out. A good report contains a few things.
- A summary for management without jargon, saying outright what the risk to the company is.
- A list of findings with priorities, from critical to minor, not an alphabetical list.
- Proof of exploitation, that is a demonstration of how exactly they managed to get in.
- Concrete remediation recommendations, which can be handed to the team to carry out.
The report itself, however, is only half the way. The value is created when the recommendations are implemented, and after some time it is worth doing a retest to confirm that the gaps have really disappeared.
Pentest versus a security audit
These terms are sometimes confused. A pentest answers the question of whether you can break in here and how. An IT security audit looks wider: at processes, policies, configurations and organisation, that is whether the company is built to limit risk. They work best together. The audit shows where the systemic gaps are, and the pentest verifies in practice what can be done through them.
Where to start
If you have never done tests, do not start with the most expensive, full black box. Start by defining what is most valuable to the company and what is exposed to the internet. That sets a sensible scope for the first test. The rest is choosing the approach and the date so as not to disrupt work.
If you want to check whether your defences hold up in practice, and not just on paper, we will help match the scope of the test to your company’s real risk. Start with a conversation about what you would most like to protect.