The Accessible Guide to Penetration Testing

For years, penetration testing was viewed primarily as an activity for large and complex companies. Now that it is significantly more accessible, smart businesses, including small and less sophisticated ones, are baking it into their business-as-usual activities, sometimes from the point of their creation.

First Published 7th September 2022


One of our professional penetration testers, exploiting CVE-2021-44228, 2022. Colourized.

4 min read  |  Reflare Research Team

Pen testing for all

These days, it is hard to attend any tech event without people talking about their start-up. While it is always great to hear about their entrepreneurship journey and success stories, we often get security-related questions directed to us by these budding entrepreneurs. As many of these companies are in highly regulated industries, some of the most common questions (and misconceptions) thrown at us are related to penetration testing.

For many years, smaller organisations believed penetration testing was a) beyond their reach, and b) beyond their requirements. However, with the significant surge in 'digital transformation initiatives' at incumbent firms, and the seemingly unstoppable momentum of highly disruptive tech start-ups being launched, smart companies are implementing such testing earlier in their journeys.

Yet there are still many organisations that haven't given enough consideration to what it would look like if they brought penetration testing into their fold.

So we decided to put together a list of the most frequent penetration testing questions we get. Though the list is not exhaustive, we hope it will answer the questions that some of our readers (that's you) may have.

What is penetration testing?

Penetration testing, also known as pen testing, is an authorised, simulated cyber attack against your computer systems to find vulnerabilities that an attacker could actually exploit. Pen tests help identify what data and systems could be reached in a real attack, and they show you how to protect your systems against the types of attack that worked.

Why does my company need penetration testing?

There are many reasons why a company might need penetration testing. Some of the more common reasons include:

   -  to find and fix vulnerabilities in the system before an attacker can exploit them,

   -  to assess the effectiveness of the current security measures, or

   -  to test the security team's response in the event of an attack.

What is ISO 27001, and what does it have to do with penetration testing?

ISO 27001 is an international standard that describes best practices for an information security management system (ISMS), a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes, and technology. Penetration testing is often performed as part of an ISO 27001 compliance programme, as evidence that the technical controls the ISMS relies on actually work.

What are the differences between penetration testing and vulnerability assessment?

There are a few critical differences between penetration testing and vulnerability assessment.

Firstly, vulnerability assessment is typically carried out using automated scanning tools, whereas penetration testing is led by experienced security testers who use tools as a starting point but rely on manual analysis and judgement.

Secondly, vulnerability assessment focuses on identifying vulnerabilities within a system, whereas penetration testing also includes exploiting these vulnerabilities to assess the system's security.

Finally, penetration testing is generally more expensive and time-consuming than vulnerability assessment.

You should perform both a vulnerability assessment and penetration testing to ensure the security of your system. A vulnerability assessment will identify potential security risks and vulnerabilities, while a penetration test will attempt to exploit those vulnerabilities to determine which of them are genuinely exploitable, and what an attacker could reach through them.

Should we get our engineers to perform the penetration testing or hire a third party?

There are pros and cons to both internal and third-party penetration testing. Internal penetration testing may be less expensive, but it may also be less effective. Internal testers are familiar with the organisation's systems and procedures, which can lead them to share the same blind spots as the engineers who built them, and they may not be as objective as third-party testers.

Third-party penetration testing may be more expensive, but it may also be more effective. Third-party testers are more likely to be objective and to have deeper penetration testing expertise than internal engineers, and an independent report is generally what auditors and customers expect to see.

We keep hearing about penetration testing scope, but what do people mean by that, and why is it important?

A penetration testing scope is the range of systems and applications that will be tested for vulnerabilities. The scope is typically defined by the organisation requesting the penetration test, and it should state not only what is in scope (IP ranges, hostnames, applications, accounts) but also what is explicitly excluded, when testing may take place, and which techniques (such as denial of service) are off limits.

Having a scope is necessary to define the test's parameters and ensure that all stakeholders know what is being tested. Without a scope, it would be difficult to determine which systems and applications are in scope for testing and which are out of scope.

This could lead to vulnerabilities being missed during the penetration test, or to systems and applications outside the scope being tested, which could disrupt business operations or, where those systems belong to a third party, leave the tester without authorisation.

Can we perform penetration testing against our AWS infrastructure?

Yes, you can perform penetration testing against your AWS infrastructure. However, it is worth reviewing AWS's customer support policy for penetration testing before doing so. It lists the services you may test without prior approval and the activities (denial-of-service simulation, for example) that are prohibited, so that AWS's own systems and other customers are not adversely affected, and you (and your tester) must abide by it.

What do we need to consider before hiring a third party?

There are a few things you should consider before hiring a third-party penetration tester:

   -  Make sure the tester has liability insurance. This will protect you in case something goes wrong during the testing process.

   -  Make sure the tester has a good understanding of the technologies in your network and systems, and ask for a sample report so you know the detail and quality of findings you will receive.

   -  Ensure the tester is willing to sign a non-disclosure agreement (NDA). This will protect your company's confidential information.

What does a penetration testing process typically look like?

The process of penetration testing typically includes four steps:

Information gathering.

Here, the tester attempts to gather as much information as possible about the target system. This may include active reconnaissance (e.g., port scanning) or passive reconnaissance (e.g., reviewing public information about the target system).

Vulnerability identification.

In this step, the tester identifies potential vulnerabilities in the target system. This may be done manually or by using automated tools.

Exploitation.

This is where the tester exploits the identified vulnerabilities to gain access to the target system.

Reporting.

In this step, the tester provides a detailed report of the findings, including any vulnerabilities exploited and any sensitive data accessed.
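To show how the scope question above and the active reconnaissance in the information-gathering step fit together in practice, here is an added example (our illustration, not code from any particular engagement or tool) of a small TCP connect scanner that refuses to touch any address outside the agreed scope. The scope lists are constructed assumptions: the loopback range 127.0.0.0/8 stands in for the client's ranges, with 127.0.0.2 carved out as an excluded host, and the example starts its own listener on a free loopback port so that it runs offline.

```python
# Scope-enforced TCP reconnaissance: an added example, not tooling from the article.
# The scope and exclusion lists below are constructed assumptions.
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed example scope, as it might appear in the engagement agreement.
IN_SCOPE = ["127.0.0.0/8"]      # assumption: loopback stands in for the client's ranges
EXCLUDED = ["127.0.0.2/32"]     # assumption: one host the client explicitly carved out


def build_scope(in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Parse the agreed CIDR lists once; a typo here fails before any packet is sent."""
    return ([ipaddress.ip_network(n) for n in in_scope],
            [ipaddress.ip_network(n) for n in excluded])


def resolve(target):
    """Return the IP address for a target. Hostnames are resolved so that the
    scope check runs on the address actually contacted, not on the name."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return ipaddress.ip_address(socket.gethostbyname(target))


def is_in_scope(target, scope):
    """True only if the resolved address is inside an allowed range and not in an excluded one."""
    allowed, denied = scope
    addr = resolve(target)
    if any(addr in net for net in denied):
        return False
    return any(addr in net for net in allowed)


def tcp_connect(host, port, timeout=0.5):
    """Full TCP connect: noisy, but unprivileged and unambiguous. True if the port accepts."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(target, ports, scope, timeout=0.5, workers=32):
    """Refuse anything outside the agreed scope; otherwise return the open ports, sorted."""
    if not is_in_scope(target, scope):
        raise PermissionError(f"{target} is outside the agreed scope; refusing to scan")
    host = str(resolve(target))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_demo_listener():
    """Constructed target: an in-process TCP listener on a free loopback port so the
    example runs offline. Returns the port number it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    scope = build_scope()
    port = start_demo_listener()
    print("open on 127.0.0.1:", scan("127.0.0.1", range(port - 5, port + 5), scope))
    for off_limits in ("127.0.0.2", "10.0.0.1"):
        try:
            scan(off_limits, [80], scope)
        except PermissionError as exc:
            print("blocked:", exc)
```

The check is deliberately done on the resolved address rather than the hostname, because a name on the client's scope list can point at infrastructure the client does not own (a CDN, a SaaS provider, a cloud provider's shared edge), and that is exactly the case where testing without authorisation causes trouble. In a real engagement the scope lists would come from the signed agreement, and the tester would keep the scanner's output as part of the evidence for the report.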

What should we include in our penetration testing contract agreement?

In your penetration testing contract agreement, you should include:

The scope of the engagement.

This should include what systems will be tested, the types of tests that will be performed, and the time frame for the engagement.

The level of access.

Work with your team to establish the penetration tester's level of access to the systems under the test scope. This should be clearly defined to avoid any misunderstanding.

The expectation for deliverables.

Spend time predefining the specific deliverables you want the penetration tester to provide. This should include a report of the findings and any recommendations for remediation.

The confidentiality agreement.

This should stipulate that the penetration tester will not disclose any information about the systems under test without prior written consent.

The terms and conditions of the engagement.

Ensure you consult your governance and compliance departments for their input. This should include the payment terms and any other relevant legal agreements.

What should we expect to be included in a penetration testing report?

A penetration testing report should include an executive summary, a list of findings, and a list of recommendations. The executive summary should provide an overview of the findings and recommendations. The list of findings should detail the vulnerabilities found, and the list of recommendations should guide how to remediate the vulnerabilities.

However, don't lose sight of the fact that your penetration test report only describes your weaknesses at a single point in time. New code, new infrastructure and newly published vulnerabilities change the picture, so you are also responsible for proactively staying up to speed on emerging trends and analysis in cybersecurity.

Consider subscribing to our research newsletter to have our latest insights delivered lovingly to your inbox. 
