Penetration Testing: What to Expect
A penetration test (pentest) is an authorised, simulated cyberattack on your systems conducted by security professionals. The goal is to find vulnerabilities before malicious attackers do. This article explains how penetration testing works and what to expect.
Types of Penetration Test
- Black box: The tester has no prior knowledge of the system — simulates an external attacker
- Grey box: The tester has partial knowledge (e.g. a user account, some documentation) — simulates an insider threat or attacker with some reconnaissance
- White box: The tester has full access to source code, architecture documentation, and credentials — most thorough, finds the most vulnerabilities
What Gets Tested
- Web application security (OWASP Top 10 and beyond)
- API security
- Infrastructure and network security
- Authentication and session management
- Access control and privilege escalation
Scoping
Before any pentest, a scope document defines exactly what systems are in scope, what is out of scope, what testing methods are permitted, and the testing window (dates/times). Testing outside the agreed scope is not permitted — unauthorised access is illegal regardless of intent.
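Scope documents are only useful if tooling actually enforces them. The following added example (not from the original article) is a small scope guard that checks a candidate target and timestamp against a constructed, hypothetical scope: explicit exclusions win over inclusions, and anything outside the agreed window is refused. The scope entries, hosts and dates are all made up for illustration.

```python
"""Scope guard: check a target and time against an engagement's scope document."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample scope for a hypothetical engagement (not a real client).
SCOPE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10", "app.example.test"],
    "out_of_scope": ["203.0.113.250", "203.0.113.251"],  # e.g. hosts the client carved out
    "window_utc": ("2024-06-03T08:00:00+00:00", "2024-06-07T18:00:00+00:00"),
}


def _matches(target: str, entry: str) -> bool:
    """True if target (IP or hostname) matches a scope entry (CIDR, single IP or hostname)."""
    try:
        # IP entries: CIDR containment (a bare IP becomes a /32 or /128 network).
        return ip_address(target) in ip_network(entry, strict=False)
    except ValueError:
        # Either side is not an IP literal: fall back to case-insensitive hostname match.
        return target.lower() == entry.lower()


def in_scope(target: str, when: datetime, scope: dict = SCOPE) -> tuple[bool, str]:
    """Return (allowed, reason). Exclusions override inclusions; the window is inclusive."""
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    start = datetime.fromisoformat(scope["window_utc"][0])
    end = datetime.fromisoformat(scope["window_utc"][1])
    if not (start <= when <= end):
        return False, "outside agreed testing window"
    if any(_matches(target, e) for e in scope["out_of_scope"]):
        return False, "explicitly excluded"
    if any(_matches(target, e) for e in scope["in_scope"]):
        return True, "in scope"
    return False, "not listed in scope"


if __name__ == "__main__":
    now = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)
    for host in ["203.0.113.5", "203.0.113.250", "APP.example.test", "192.0.2.1"]:
        print(host, in_scope(host, now))
```

A tester's tooling would call in_scope() before every probe and log refusals, so an out-of-scope host or an early start is caught by the tool rather than discovered in the report.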
The Report
After testing, you receive a report with: an executive summary (suitable for non-technical stakeholders), a technical findings section (each vulnerability with description, severity, evidence, and remediation guidance), and a risk-rated prioritised remediation plan.
After the Test
Critical and high-severity findings should be remediated within agreed SLAs. We recommend a retest after remediation to confirm vulnerabilities are resolved.