What is a penetration test?
A penetration test (or pentest) shows you what your systems look like from a hacker’s perspective. It’s a controlled security assessment carried out by security consultants (pentesters), who use the same methods and tools real attackers would use to hack into your systems, networks, and applications.
Penetration testing reveals not only how strong your defences are, but also what the potential consequences could be if a malicious actor actually succeeded in breaching your infrastructure. The simulated attacks help identify vulnerabilities and misconfigurations, which you can then fix quickly to reduce the chances of an (often costly) breach.
Pentesting vs Vulnerability Scanning
Pentesting and vulnerability scanning are both valuable security practices. While they’re often used interchangeably, they each serve different purposes:
- Vulnerability scanning uses automated tools to check your systems against a large database of known vulnerabilities. It’s fast, systematic, and useful for continuous monitoring.
- Penetration testing involves actual human security experts who explore your network, chain vulnerabilities together, and try to break in using creative, real-world techniques. It’s deeper, more thorough, and catches issues that automated scanners alone often miss.
For more details on the differences, check out our guide on penetration testing vs vulnerability scanning.
Why Do I Need a Penetration Test?
The main purpose of a penetration test is to expose the weaknesses in your security before a real attacker can exploit them.
A good pentest enables you to:
- Find exploitable vulnerabilities: Discover which weaknesses attackers could use, beyond theoretical risks
- Understand real impact: See what data or systems could be compromised in a breach
- Prioritise your fixes: Get ranked findings so you can focus on the most critical issues first
- Validate your defences: Check that your security controls work under attack
- Meet compliance requirements: Fulfil mandatory testing for PCI DSS, ISO 27001, SOC 2, NHS DSPT, and more
- Avoid breach costs: Prevent incidents that could cost you serious money in remediation, fines, and reputational damage
- Build trust: Show clients, partners, and investors you’re serious about security
Understanding how cyberattacks happen
To understand why you need a penetration test, it’s also helpful to know how cyberattacks happen.
There’s a common misconception that they work like this:
- Your company is targeted
- Hacker finds a vulnerability
- Cyber criminal infiltrates your company
This sometimes happens with big-name brands, but it’s usually much more opportunistic than that.
In reality, attackers are constantly mass-scanning the internet for known vulnerabilities – missing patches (the Microsoft Exchange Server data breach is a well-known example), weak passwords, misconfigurations, etc. If your organisation has a vulnerability, you become a target.
This is exactly why pentesting is important. Because pentesters use the same tools and methodologies as these opportunistic attackers, you get a realistic picture of whether the typical hacker could breach your network – and if they did, how much damage they could do.
What are The Types of Penetration Testing?
Penetration testing isn’t one-size-fits-all. There are different penetration testing types depending on what you need to secure:
- External network penetration testing: Tests your perimeter defences from an outside attacker’s view
- Internal network penetration testing: Simulates what an insider or someone who’s already breached your perimeter could do
- Web application penetration testing: Hunts for vulnerabilities in your web apps, like SQL injection and authentication flaws
- Mobile application penetration testing: Tests the security of your iOS and Android apps
- API penetration testing: Assesses the security of your application programming interfaces
- Cloud penetration testing: Examines your cloud infrastructure and configurations
- Wireless network penetration testing: Tests WiFi security and wireless controls
- Social engineering testing: Assesses vulnerabilities in your human defences through phishing and other tactics
- Physical penetration testing: Tests physical security controls and access restrictions
The right type depends on your infrastructure, what you’re trying to protect, and your compliance requirements. See our guide for a full breakdown of the types of penetration testing for your business needs.
Penetration testing for compliance
Most compliance frameworks don’t just recommend penetration testing – they require it.
- PCI DSS: If you handle payment card data, you need annual penetration testing, plus testing after significant infrastructure changes.
- ISO 27001: Regular security testing is part of demonstrating continual improvement in your Information Security Management System (ISMS)
- SOC 2: Penetration testing helps prove your security controls are effective, which auditors and clients want to see
- NHS Data Security and Protection Toolkit: Mandatory annual penetration testing if you’re handling NHS data
- GDPR: While not explicitly required, penetration testing is strong evidence that you’re taking “appropriate security measures” seriously
Beyond ticking compliance boxes, a professional pentest report gives auditors concrete evidence of your security posture. It shows you’re proactively managing risk rather than just reacting to problems.
Finding and fixing vulnerabilities before they’re exploited saves you from the massive costs of a real breach – incident response, regulatory fines, legal fees, and the long-term hit to your reputation.
How Often Should Penetration Testing Be Done?
Penetration testing should be carried out annually for most organisations.
However, you should test more frequently if:
- You make significant changes to your infrastructure or applications
- You deploy new systems or services
- Your compliance framework demands it (some PCI DSS scenarios require quarterly testing)
- You’re in a high-risk sector like finance or healthcare
- You’ve had a security incident
- Your risk assessment shows elevated threats
For organisations with agile development cycles, consider building security testing into your release process, i.e., pentesting new features before they go live.
How to scope a penetration test
Solid penetration test scoping ensures you get comprehensive testing without blowing your budget.
Here’s what you need to do:
- Define your objectives: Are you doing this for compliance, pre-deployment validation, or a general security health check?
- Identify what’s in scope: Be specific about which systems, applications, networks, or IP ranges should be tested
- Choose your testing approach: Black box, grey box, or white box?
- Set clear boundaries: Establish rules of engagement, including testing windows, acceptable methods, and any off-limits systems
- Consider timing: Schedule testing to minimise business disruption while still allowing realistic attack simulation
- Discuss aggression levels: How far should testers go – just identification, or full exploitation and privilege escalation?
Your provider will estimate how long thorough testing and reporting will take based on these factors. Clear scoping prevents surprises and ensures you get results that meet your needs.
How To Conduct a Penetration Test
Testing Approaches
A pentest can be carried out in three main ways:
Black box testing
Your tester gets no information about the target and no login credentials. This simulates an external attacker with no inside knowledge, and focuses heavily on perimeter security – how easy is it to get in?
Grey box testing
Limited information is shared, usually login credentials or basic architecture details. This represents someone who’s gained initial access or has insider knowledge.
White box testing
Your pentester gets the full picture – credentials, architecture diagrams, even source code if relevant. This is the most detailed approach, examining your entire security posture rather than just the perimeter.
The Testing Process
Reconnaissance and information gathering
Your consultant starts by mapping the attack surface – identifying assets, services, and potential entry points. For a web application, for example, this means unpacking the app and its environment to understand what they’re dealing with.
Vulnerability analysis
Next, they look for weaknesses. Have you left something unpatched? Are there misconfigurations? Insecure coding practices? This phase identifies what could potentially be exploited.
Exploitation
This is where your testers actually attempt to breach your systems using the vulnerabilities they’ve found. It’s one thing to know a vulnerability exists – another to prove it can be exploited.
Post-exploitation
Once they’re in, pentesters try to escalate their privileges and see just how much functionality and data they can access. This shows you the impact of a successful breach – not just that someone got in, but what they could do once inside.
Documentation
Throughout the penetration test, your consultant tracks everything they do and the results of everything they try. Ideally, this happens in real-time, meaning you’re alerted to critical issues as soon as they’re found, not weeks later when the report arrives.
How much does a penetration test cost?
The cost of a penetration test largely depends on what you need.
Factors affecting the cost include:
- Scope and complexity – larger environments or complex applications take more time
- Testing type – a web app test typically costs less than a comprehensive network assessment, for instance
- Provider expertise – CREST-accredited consultants charge premium rates
- Timeframe – rush jobs may cost extra
- Depth of testing – white box testing generally costs more due to increased thoroughness
How do I choose a pentest provider?
Despite penetration testing being a highly skilled activity, there’s actually nothing to stop anyone with a laptop from setting themselves up as a vendor (terrifying, right?).
That’s why choosing the right provider matters. Here’s what to look for:
- Verify accreditation: Look for CREST or equivalent certifications to ensure independently validated processes.
- Check consultant expertise: Confirm testers hold relevant certifications (e.g., OSCP, OSCE, CREST CRT)
- Review methodologies: Ensure they follow recognised frameworks like OWASP, PTES, or OSSTMM
- Assess reporting quality: Ask for sample reports that are clear, detailed, and actionable
- Consider communication: Choose providers who communicate clearly throughout the engagement
- Check insurance: Verify they have appropriate professional indemnity and cyber liability coverage
- Understand what’s included: Clarify deliverables such as reports, retests, remediation, and ongoing advice
How do I book a pentest with OnSecurity?
OnSecurity makes booking a pentest straightforward – it shouldn’t be any longer or more complicated than it needs to be.
- Get quotes in 60 seconds: Book your pentest online in just a few clicks – no lengthy scoping calls required
- Built for agile: We’re designed to work with fast-moving organisations that need responsive, efficient testing
- Hourly pricing: Pay for actual testing time, not padded daily rates
- Real-time reporting: No waiting days or weeks for a report – see findings as your tester discovers them, so you can start fixing issues immediately
- Free retesting: Fix issues quickly? We’ll verify your fixes at no extra cost within one week of test completion
- CREST accredited: Independently verified expertise and methodologies you can trust
Ready to see your infrastructure from an attacker’s perspective? Get an instant penetration test quote and book your pentest with OnSecurity.