Pentest FAQ

What is a penetration test?

A penetration test, often called a pentest, is a simulated cyberattack performed by security professionals. The purpose is to identify and exploit weaknesses in your IT systems, applications, or infrastructure before malicious attackers can do so. The ultimate goal is not only to reveal these weaknesses but also to give you clear guidance on how to fix them and implement measures that strengthen your security in the long term.

Why should my company do a pentest?

A pentest helps uncover vulnerabilities before criminals exploit them. It verifies whether your defenses, such as firewalls, policies, monitoring systems, and patch management, are working effectively. In practice, we often discover weaknesses that customers had never thought about, as well as forgotten systems or infrastructure they did not even know was still accessible. Many companies also perform pentests to meet compliance requirements such as ISO 27001, PCI DSS, or GDPR. Most importantly, a pentest protects your data, your reputation, and your customers.

What types of pentests are there?

There are different approaches depending on your needs. A web application pentest focuses on websites, portals, and APIs. An external pentest simulates an attacker from the internet trying to access your company. An internal pentest is conducted from within your network, sometimes with access credentials, sometimes without. Mobile app pentests are performed on iOS and Android applications. Infrastructure or cloud pentests assess servers, networks, and hosted environments.

Pentests can also be carried out with different levels of information. In a black box test, the tester starts with no prior knowledge, just like a real attacker on the internet. In a white box test, the customer provides detailed information such as architecture diagrams, source code, or user accounts, which allows a deep and comprehensive assessment. A gray box test is the middle ground, where the tester receives limited information or credentials to simulate an insider threat or a semi-informed attacker.

How is a pentest different from a vulnerability scan?

A vulnerability scan is an automated process that identifies potential weaknesses, typically focusing on obvious issues such as low-hanging fruit, misconfigurations, or outdated software. While useful as a first step, it cannot reveal more subtle or complex vulnerabilities. A manual penetration test goes much deeper: security experts actively investigate, verify, and exploit weaknesses, demonstrating their real-world impact.

We have a firewall and antivirus software. Isn't that enough?

Firewalls and antivirus software are important defenses, but they only address a subset of potential threats. Many vulnerabilities exist in applications, misconfigured systems, legacy infrastructure, or human processes that these tools cannot detect. A pentest evaluates your entire security posture, uncovering weaknesses that preventative tools alone would miss, and provides actionable guidance to fix them.

Can't my internal IT team just do this?

While internal IT teams know your systems well, they may overlook vulnerabilities due to familiarity, time constraints, or lack of offensive security experience. Professional penetration testers bring specialized skills, real-world attacker perspectives, and knowledge of the latest exploitation techniques. They can uncover hidden weaknesses, forgotten infrastructure, and complex attack paths that internal teams are unlikely to find.

Will a pentest disrupt my business operations?

Pentests are carefully planned and coordinated to minimize any risk to business operations. When we test vulnerabilities, we only create proof-of-concept (PoC) exploits, where the goal is not to cause harm but simply to demonstrate the existence of a weakness. Any potentially intrusive or risky tests are scheduled in consultation with you.

How long does a pentest take?

The duration of a pentest depends on the scope, complexity, and testing approach. A typical pentest ranges between 4 and 15 days.

What do I get at the end of the test?

After a pentest, you receive a detailed report. It includes an executive summary for management, a technical section describing each vulnerability with proof-of-concept examples, and practical recommendations for remediation. Additionally, we offer the option for follow-up assessments to verify that vulnerabilities have been properly addressed. For clients who want a more interactive experience, we can also provide live hacking demonstrations to show how vulnerabilities were exploited in a controlled and safe environment.

How often should I do a pentest?

Most companies perform a pentest at least once a year, and after significant changes to applications, infrastructure, or processes. Certain industries, such as finance, healthcare, and critical infrastructure, require more frequent testing.

Who performs the pentest?

Certified ethical hackers and penetration testers conduct the test. They use the same techniques as real attackers but within a legal framework, clear rules of engagement, and with your explicit permission.

Is a pentest required for compliance?

Yes. Several regulations require penetration testing or equivalent security assessments. PCI DSS mandates at least one pentest per year. ISO 27001 requires regular risk assessments, often covered by pentests. New regulations such as NIS2, DORA, and the Cyber Resilience Act also include stricter testing requirements for critical industries and services.

Can a pentest guarantee that my company is secure?

No. Security can never be guaranteed one hundred percent. A pentest gives you a snapshot of your security posture at a given time. It significantly reduces risk but must be combined with continuous patching, monitoring, employee awareness, and regular testing.

How much does a pentest cost?

The cost depends on scope, size, and complexity. After an initial scoping call, we provide a transparent and tailored offer.

What information do you need from us to get started?

The information required depends on the type of test and the approach chosen. For a black box test, minimal information is needed, as the tester will simulate an external attacker with no prior knowledge. For gray or white box tests, providing details such as network diagrams, architecture documentation, credentials, or application source code allows a more thorough and efficient assessment. We also ask about business-critical systems, maintenance windows, and any systems that should not be tested to ensure testing is safe and aligned with your operational requirements.

How do you rank the severity of the vulnerabilities you find?

We use a risk-based approach to rank vulnerabilities, typically with a risk matrix that considers both the likelihood of exploitation and the potential impact on your business. Vulnerabilities are categorized as low, medium, high, or critical, helping you prioritize remediation efforts. This approach ensures that the most dangerous weaknesses, such as those that could lead to data breaches or system takeover, are addressed first, while lower-risk issues are still documented and managed appropriately.

We can optionally provide CVSS (Common Vulnerability Scoring System) scores for each finding, which gives a standardized numerical rating to further clarify severity and facilitate comparison with other vulnerabilities or industry benchmarks.

Do you help us fix the vulnerabilities you find?

Yes. While the primary goal of a pentest is to identify and demonstrate vulnerabilities, we also provide detailed remediation guidance for each finding. This includes step-by-step recommendations tailored to your environment. Additionally, we can offer follow-up support to verify that fixes have been correctly implemented and, if requested, conduct workshops or live sessions to guide your IT team through the mitigation process.