Everything you need to know before commissioning a penetration test — what to look for in a provider, what to ask during scoping, and how to turn the results into a security improvement programme.
A penetration test is a controlled, authorised simulation of a real cyber attack. A skilled security professional uses the same tools and techniques that genuine attackers employ — not to cause harm, but to identify vulnerabilities, exploit weaknesses, and demonstrate how far an attacker could progress through your environment.
Unlike automated vulnerability scanning, penetration testing is manual and creative. The tester chains findings together, tests business logic, evades detection, and demonstrates real-world attack paths. The result is evidence of what an attacker could actually achieve — not just a list of potential issues.
A vulnerability scan is automated — it runs a tool, produces a list, and stops. A penetration test is manual — a skilled human actively attempts to exploit weaknesses, chain findings together, and demonstrate real business impact. One identifies potential issues. The other proves what an attacker can do with them.
Active Directory, network services, lateral movement, privilege escalation. The foundational test for most organisations — and typically where the most critical chains are found.
Internet-facing services, firewalls, VPNs, mail servers, DNS. Tests the perimeter that real attackers probe first.
Authentication, authorisation, input validation, session management, and business logic. OWASP Top 10 and beyond — testing the applications your customers interact with.
IAM policies, storage permissions, network controls, serverless functions, and container security in AWS, Azure, and GCP.
Phishing, pretexting, and vishing — testing the human layer of security with realistic scenarios, not recycled simulation templates.
Client-side security, API communication, data storage, and authentication in iOS and Android applications.
The pen test market ranges from automated vulnerability scans repackaged at commodity prices to genuine adversarial assessments by experienced practitioners. Both are called "penetration tests." Only one improves your security. Here's how to tell the difference.
Ask the provider to describe their methodology. 70–80% of the engagement should be manual testing. Automated tools are used for initial discovery — not as the primary assessment method. Look for recognised frameworks: the OWASP Web Security Testing Guide for web applications, OSSTMM or PTES for infrastructure. Note that the OWASP Top 10 is an awareness list of risk categories, not a testing methodology, so a proposal that cites only the Top 10 tells you little about how the work will be done.
Request a redacted sample report — the single most informative artefact in the evaluation. Look for an attack narrative (not just a finding list), contextualised remediation (not just "apply patches"), scope limitations honestly stated, and effective controls acknowledged alongside the failures.
Ask who will conduct the test — by name. Review certifications (OSCP, OSCE, OSEP, CREST CRT/CCT demonstrate practical skill), years of experience, and specialisation match. A company's reputation is built on its best work — your engagement is delivered by a specific individual.
Agree protocols before the engagement: daily status updates, critical finding notification, scope boundary escalation, and a post-engagement debrief. A provider who tests in silence for ten days and delivers a PDF is missing the communication that makes findings actionable.
The provider is quoting a standard package — not an engagement tailored to your environment.
Likely automated scanning presented as penetration testing — the engagement will be too shallow to find real issues.
You're buying blind. A provider who produces high-quality reports will share one confidently.
They may be subcontracting to parties you haven't vetted, or staffing with whoever is available.
If the proposal describes the engagement entirely in terms of automated tools, the engagement may not include genuine penetration testing.
"We guarantee critical findings" or "guaranteed clean report" — legitimate providers can't guarantee what they'll find.
These three assessment types serve different purposes at different maturity levels. Understanding the distinction prevents buying the wrong assessment for your organisation's current needs.
| Dimension | Pen Test | Red Team | Purple Team |
|---|---|---|---|
| Objective | Find vulnerabilities | Test detection & response | Improve detection collaboratively |
| Blue team aware? | Typically yes | No — must be genuine | Yes — fully participating |
| Duration | 5–15 days | 2–6 weeks | 1–5 days per session |
| When appropriate | First — establish baseline | After core remediation | Mature detection capability |
| Typical cost | £8k–£30k | £25k–£80k+ | £8k–£20k per session |
The full 12-chapter guide as a professionally formatted PDF — including the pre-engagement checklist, provider evaluation framework, and roadmap template.
Every engagement starts with a free, no-obligation scoping conversation. We'll discuss your objectives, your environment, and your concerns — then design an engagement that produces genuine improvement.