A penetration test — often shortened to "pen test" — is a controlled, authorised simulation of a real cyber attack against your systems, applications, or people. The objective is simple: find the weaknesses before a genuine attacker does, and give you a clear, prioritised roadmap to fix them.
Unlike a checkbox compliance exercise, a pen test involves a skilled human actively trying to break in. The tester uses the same tools, techniques, and creative thinking that a real adversary would — the difference is that at the end, you get a report instead of a ransom note.
The concept has military roots. Before you defend a position, you send scouts to probe it and find the blind spots. Penetration testing applies the same logic to digital infrastructure: assume the attacker is competent, simulate their approach, and use the findings to harden your defences.
Think of a penetration test as hiring a professional locksmith to try to break into your building — with your permission — so you can find out which doors are weak before a burglar does. The locksmith doesn't just rattle the handles; they pick the locks, test the windows, and check whether the alarm actually works.
The term "penetration testing" is one of the most misused phrases in cyber security. It gets applied to everything from a 10-minute automated scan to a multi-week red team operation. This lack of precision causes real problems: organisations think they've been tested when they haven't, and they make risk decisions based on incomplete information.
Let's be explicit about what a pen test is not.
| A pen test is NOT... | Why this matters |
|---|---|
| A vulnerability scan | A scan runs automated tools against your systems and produces a list of potential issues. It doesn't verify whether those issues are actually exploitable, doesn't chain findings together, and doesn't demonstrate business impact. It's a useful starting point — but it's not a pen test. |
| A compliance tick-box | If your pen test report looks like it was generated by a tool with a logo slapped on the front, you didn't get a pen test. You got an expensive vulnerability scan. A real pen test involves manual investigation, creative thinking, and expert analysis. |
| A guarantee of security | A pen test is a point-in-time assessment conducted within a defined scope. It tells you what we found during the testing window. It doesn't — and can't — guarantee that no vulnerabilities exist. New vulnerabilities are disclosed daily. The goal is risk reduction, not risk elimination. |
| An adversarial exercise against your team | We're not trying to embarrass anyone. Pen testing is collaborative — we work with your team to improve security, not against them. Findings are shared constructively, and remediation guidance is always practical and prioritised. |
| Something you do once and forget about | Your infrastructure changes. New applications are deployed, configurations drift, and new vulnerabilities emerge. A pen test from 18 months ago tells you very little about your security posture today. Regular testing is essential. |
This is the single most important distinction in offensive security services, and it's the one most frequently blurred — sometimes through ignorance, sometimes deliberately by providers who want to charge pen test prices for vulnerability scan effort.
Both have value. Both have their place. But they are fundamentally different activities that answer different questions.
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Performed by | Automated tools (Nessus, Qualys, OpenVAS, etc.) | A skilled human tester, supported by tools |
| Depth | Broad but shallow — checks for known signatures and misconfigurations | Deep and targeted — manual investigation, creative exploitation, chained attack paths |
| Exploitation | Does not attempt to exploit findings. Reports potential vulnerabilities based on version numbers and configuration checks. | Actively attempts exploitation. Proves whether a vulnerability is real and demonstrates the actual impact. |
| Business logic | Cannot test business logic flaws (e.g. "can user A access user B's data?") | Specifically tests for logic flaws, authorisation bypasses, and workflow abuse |
| False positives | High — tools frequently flag issues that aren't actually exploitable in context | Low — findings are manually verified before being reported |
| Chained attacks | Cannot chain findings. Reports each issue in isolation. | Chains low-severity findings together to demonstrate high-impact attack paths (e.g. info disclosure + IDOR + privilege escalation = full compromise) |
| Output | Automated report — often hundreds of pages, sorted by CVSS score, with generic remediation advice | Bespoke narrative report — each finding explained with evidence, context, actual impact, and tailored remediation guidance |
| Cost | Lower — can be run frequently as part of continuous monitoring | Higher — reflects the skilled human time involved. Run periodically (annually, after major changes, etc.) |
| Analogy | A spell checker — catches known errors quickly and broadly | A professional editor — understands context, finds structural issues, and improves the whole piece |
The ideal security programme uses both. Vulnerability scanning provides continuous, broad-spectrum monitoring — catching the easy wins and newly disclosed CVEs as they emerge. Penetration testing provides periodic, deep-dive assurance — finding the complex, context-dependent vulnerabilities that no scanner will ever catch.
If vulnerability scanners were sufficient, penetration testing as a profession wouldn't exist. But they aren't — and here's why.
Modern systems are complex. A typical web application sits on top of a stack that includes a web server, an application framework, a database, an operating system, a network, a cloud provider, an identity system, and often dozens of third-party integrations. Vulnerabilities don't just exist in individual components — they exist in the interactions between them.
A scanner can tell you that your web server is running an outdated version of Apache. It cannot tell you that a combination of a minor information disclosure, a misconfigured CORS policy, and a predictable session token structure allows an unauthenticated attacker to hijack any user's session — including the administrator's. That's the kind of finding that requires a human brain, an attacker's mindset, and a methodical approach.
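As an added, defender-side illustration (not part of the original post), the Python below audits the three conditions from the scenario above, each a low finding in isolation, and reports the combination that a scanner never draws. The header values, the `https://untrusted.example` origin and the token strings are constructed samples, not data from any real system.

```python
import math
import re
from collections import Counter

# Constructed sample response headers, as if the service had been sent a request
# carrying "Origin: https://untrusted.example" (hypothetical name, not a real site).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}
# Constructed sample of session tokens issued by four consecutive logins.
SAMPLE_TOKENS = ["sess-1000231", "sess-1000232", "sess-1000233", "sess-1000234"]

def server_version_disclosed(headers):
    """Information disclosure: a Server header that carries a version number."""
    return re.search(r"/\d+\.\d+", headers.get("Server", "")) is not None

def cors_reflects_origin(headers, request_origin):
    """CORS misconfiguration: the caller's Origin is echoed back and credentials are
    allowed, so any site a logged-in user visits can read authenticated responses."""
    echoed = headers.get("Access-Control-Allow-Origin") == request_origin
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return echoed and creds

def tokens_look_predictable(tokens, min_bits=64):
    """Heuristic over a sample of issued tokens. Returns (predictable, est_bits): a
    sequential numeric suffix, or too little estimated entropy, both mean guessable."""
    suffixes = [re.search(r"\d+$", t) for t in tokens]
    sequential = False
    if len(tokens) > 1 and all(suffixes):
        nums = [int(m.group()) for m in suffixes]
        sequential = all(b - a == 1 for a, b in zip(nums, nums[1:]))
    joined = "".join(tokens)
    probs = [c / len(joined) for c in Counter(joined).values()]
    bits_per_char = -sum(p * math.log2(p) for p in probs)
    est_bits = round(bits_per_char * min(len(t) for t in tokens), 1)
    return sequential or est_bits < min_bits, est_bits

def assess_chain(headers, request_origin, tokens):
    """List each finding on its own, then the conclusion a scanner never draws: all
    three together form an unauthenticated session-hijack path worth fixing as one."""
    findings = []
    if server_version_disclosed(headers):
        findings.append("info disclosure (Server version)")
    if cors_reflects_origin(headers, request_origin):
        findings.append("CORS reflects arbitrary origin with credentials")
    predictable, bits = tokens_look_predictable(tokens)
    if predictable:
        findings.append(f"predictable session token (~{bits} bits)")
    return findings, len(findings) == 3
```

Run `assess_chain(SAMPLE_HEADERS, "https://untrusted.example", SAMPLE_TOKENS)` to see the individual findings and the combined verdict; a strong token sample or a fixed allow-list origin clears the chain flag.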
Penetration testing exists because real attackers don't use just one tool. They combine reconnaissance, social engineering, technical exploitation, and patience. They chain low-severity issues into high-impact attack paths. They exploit the gap between what a system is supposed to do and what it actually does. The only way to defend against that is to simulate it.
Defenders have to protect everything. Attackers only need to find one way in. Penetration testing helps level the playing field by showing you which "one way in" is the most likely — before someone with less friendly intentions finds it first.
A professional penetration test follows a structured methodology — it's not just someone "hacking away" at your systems. The process is deliberate, documented, and repeatable.
Penetration testing isn't a monolithic service — it's a family of specialised assessments, each targeting a different layer of your environment.
| Type | What's Tested | Common Findings |
|---|---|---|
| External Infrastructure | Internet-facing servers, firewalls, VPNs, DNS, mail servers, remote access portals | Unpatched services, default credentials, exposed admin panels, SSL/TLS misconfigurations |
| Internal Infrastructure | Internal network from the perspective of a compromised workstation or rogue insider | Active Directory weaknesses, Kerberoasting, lateral movement paths, lack of segmentation |
| Web Applications | Websites, portals, APIs, single-page applications | SQL injection, XSS, IDOR, broken authentication, business logic flaws, API abuse |
| Mobile Applications | iOS and Android apps, including local storage and API communication | Insecure data storage, certificate pinning bypass, API key leakage, reverse engineering |
| Cloud Configuration | AWS, Azure, GCP environments | Over-permissive IAM, public S3 buckets, insecure serverless functions, missing logging |
| Social Engineering | Your people — via phishing, vishing, or physical pretexting | Credential harvesting, payload delivery, physical access to secure areas, tailgating |
The short answer: if you have systems connected to the internet, process customer data, or operate in a regulated industry — yes.
The longer answer: penetration testing isn't just for banks and government agencies. Any organisation that would suffer financial, operational, or reputational damage from a cyber attack benefits from understanding how an attacker would approach their environment.
| If you... | Pen testing helps you... |
|---|---|
| Handle customer personal data (GDPR) | Demonstrate "appropriate technical measures" under Article 32 and identify weaknesses before they become breaches |
| Process card payments (PCI DSS) | Meet Requirement 11.3 for regular penetration testing and validate your segmentation controls |
| Bid on government contracts | Meet or exceed Cyber Essentials Plus requirements and satisfy supplier security questionnaires |
| Operate in financial services | Satisfy FCA expectations around operational resilience and CBEST/TIBER-style threat-led testing |
| Run a SaaS or technology platform | Give your customers confidence that their data is protected, and validate your SDLC security controls |
| Are a small business that thinks "we're too small to be targeted" | Discover that size doesn't equal safety — 43% of cyber attacks target small businesses, often because their defences are weaker |
Penetration testing is a skilled, manual, creative discipline that simulates real-world cyber attacks to find vulnerabilities that automated tools miss. It exists because modern systems are complex, attackers are resourceful, and the consequences of a breach are severe.
It is not a vulnerability scan. It is not a compliance checkbox. It is not a one-time exercise. It is an essential, recurring component of any serious security programme — and when done properly, it provides a level of assurance that no amount of automated scanning can match.
If you've never had a penetration test, or if your last one was more than 12 months ago, now is a good time to start the conversation.
Every engagement starts with a free, no-obligation scoping call. We'll listen, advise honestly, and only recommend what you actually need.