A client’s automated vulnerability scanner reported zero critical findings. Clean bill of health. Two weeks later, a penetration tester chained three medium-severity findings together — a misconfigured API endpoint, an overly permissive CORS policy, and a predictable session token pattern — to gain full administrative access to their production environment. The scanner looked at each issue in isolation and rated them medium. The human looked at them together and saw an open door.

This is why penetration tests exist. Automated tools find known vulnerabilities. Humans find the creative attack paths that turn minor issues into major breaches.

What a Penetration Test Actually Is

A penetration test is a controlled, authorized attempt to exploit vulnerabilities in your systems. A team of security professionals — ethical hackers — uses the same techniques, tools, and creativity that real attackers use, but within a defined scope and with your permission.

What it tests: Web applications (authentication, authorization, injection flaws, business logic), APIs (authentication, rate limiting, data exposure), infrastructure (network configuration, cloud permissions, server hardening), and sometimes social engineering (phishing, physical access — though this is usually a separate engagement).

What it’s not: A vulnerability scan. Scanners run automated checks against databases of known vulnerabilities. They’re useful but limited. A pentest includes automated scanning as one step, then goes further with manual testing, creative exploitation, and attack chaining.

The types:

Black box: The tester has no prior knowledge of your systems. They start from the outside, like a real attacker would. This tests your external attack surface, but much of the testing window goes to reconnaissance, so authenticated and internal functionality may never be reached.

Gray box: The tester has some knowledge — perhaps user-level credentials, API documentation, or architecture diagrams. This is the most common and most efficient approach. It simulates a realistic attacker who has done some reconnaissance.

White box: The tester has full access — source code, architecture diagrams, admin credentials. This is the most thorough approach and is essentially a security-focused code and architecture review combined with active exploitation testing.

When You Need One

Before SOC 2 or other compliance certifications. SOC 2 Type II doesn’t explicitly require a penetration test, but auditors expect to see one as evidence for the vulnerability management controls. PCI DSS requires it outright, at least annually and after significant infrastructure or application changes (Requirement 11.4 in v4.0); ISO 27001 and HITRUST require technical vulnerability management, which auditors in practice expect to be evidenced with penetration test results. For practical purposes, annual pentests are a compliance requirement.

Before launching a customer-facing product. If your application will be exposed to the internet and will handle customer data, a pentest before launch catches vulnerabilities when they’re cheapest to fix — before they’re in production with real user data.

After major architecture changes. Migrating to a new cloud provider, redesigning your authentication system, adding a new API — these changes introduce new attack surfaces. A targeted pentest of the changed components is more efficient than a full-scope test.

After a security incident. If you’ve been breached or had a near-miss, a pentest validates that the remediation was effective and identifies any related vulnerabilities the incident response may have missed.

Annually, at minimum. Even without a specific trigger, annual pentests are baseline security hygiene. Your attack surface changes as you add features, dependencies, and infrastructure. Annual testing keeps your risk profile current.

What to Expect

Scoping (1-2 weeks before). The pentest firm works with you to define scope: which systems, applications, and networks are in scope; testing window; rules of engagement (what they’re allowed to do and what’s off-limits, such as denial-of-service testing against production); communication channels for critical findings; and a signed authorization letter naming the targets, since testing without one is indistinguishable from an attack. If the targets run on a cloud provider, check that provider’s penetration testing policy as well; some prohibit specific test types or require advance notification.

Testing (1-3 weeks). The testers work through the defined scope, attempting to find and exploit vulnerabilities. For critical findings — anything that could allow immediate unauthorized access to sensitive data — they’ll notify you immediately rather than waiting for the final report.

Reporting (1-2 weeks after). The deliverable is a detailed report that includes an executive summary (for non-technical stakeholders), a list of vulnerabilities ranked by severity (critical, high, medium, low, informational), detailed descriptions of each finding including how it was exploited, specific remediation recommendations for each finding, and evidence (screenshots, request/response logs) proving the vulnerability.

Remediation and retest (2-4 weeks). Fix the critical and high findings. The pentest firm typically includes a retest of remediated findings in their engagement — they verify that your fixes actually work.

How to Choose a Pentest Firm

Look for CREST, OSCP, OSWE, or OSCE3 (the successor to the retired OSCE) certifications on the individual testers, not just the company; CREST accredits both. These demonstrate hands-on exploitation skills, not just theoretical knowledge.

Ask for sample reports. A good pentest report is specific, actionable, and readable by both engineers and executives. If the sample report is vague (“improve security configurations”) rather than specific (“disable TLS 1.0 on load balancer X, reconfigure CORS to restrict origins to app.example.com”), find a different firm.
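To make the CORS item concrete, here is an added example, not code from this article or from any vendor, written in Node.js. It models the three policies a tester typically encounters on a cookie-authenticated API: the reflect-any-origin misconfiguration from the opening story, a partial fix that matches a domain suffix and is still exploitable, and the exact allow-list fix named above. `https://app.example.com` is the origin from the text; the attacker-controlled origins and the helper names are assumed for illustration.

```javascript
// Added example, not code from the article: three CORS policies for a cookie-authenticated API,
// plus the check a browser applies before letting a cross-origin page read a credentialed response.
// Origins other than https://app.example.com (from the text) are assumed for illustration.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Weak policy: reflect whatever Origin header arrived and allow credentials.
// Any page the victim visits can make a cookie-authenticated request and read the body.
function permissiveCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Common partial fix: accept any origin whose string ends with the company domain.
// Still exploitable: an attacker can register notexample.com, which ends with "example.com".
function suffixMatchCorsHeaders(requestOrigin) {
  if (!requestOrigin.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected policy: exact match against an allow list; every other origin gets no CORS headers,
// so the browser blocks the cross-origin read. "Vary: Origin" stops a cache from serving one
// origin's headers to another.
function restrictedCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Approximation of the browser's rule for a credentialed (cookie-bearing) cross-origin response:
// the page may read it only if Allow-Origin equals the page's origin exactly (a "*" wildcard is
// rejected when credentials are involved) and Allow-Credentials is "true".
function browserAllowsCredentialedRead(pageOrigin, responseHeaders) {
  return (
    responseHeaders["Access-Control-Allow-Origin"] === pageOrigin &&
    responseHeaders["Access-Control-Allow-Credentials"] === "true"
  );
}

// The probe a tester runs: replay the request with attacker-chosen Origin values and record
// which ones the policy would let read an authenticated response. Constructed sample origins.
const PROBE_ORIGINS = [
  "https://app.example.com",              // legitimate front end
  "https://evil.example",                 // arbitrary attacker site
  "https://notexample.com",               // attacker-registrable domain that passes a suffix check
  "https://app.example.com.evil.example", // attacker subdomain that would pass a prefix check
];

function probeCors(policy) {
  const result = {};
  for (const origin of PROBE_ORIGINS) {
    result[origin] = browserAllowsCredentialedRead(origin, policy(origin));
  }
  return result;
}

// Number of non-allow-listed origins a policy lets read the response; anything above zero is a finding.
function untrustedOriginsAllowed(policy) {
  return Object.entries(probeCors(policy))
    .filter(([origin, readable]) => readable && !ALLOWED_ORIGINS.has(origin))
    .length;
}

for (const [name, policy] of [
  ["permissive", permissiveCorsHeaders],
  ["suffix-match", suffixMatchCorsHeaders],
  ["allow-list", restrictedCorsHeaders],
]) {
  console.log(name, "untrusted origins readable:", untrustedOriginsAllowed(policy), probeCors(policy));
}
```

Against a live target the same probe is a request with a forged `Origin` header (for example `curl -H "Origin: https://notexample.com" -i https://api.example.com/me`) and a look at the returned `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` headers; a report that lists which origins were reflected is the kind of specificity to expect.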

Avoid firms that only use automated tools. If the “penetration test” is just a Nessus scan with a cover letter, you’re paying pentest prices for a vulnerability scan. Ask what percentage of the testing is manual versus automated, and which tools they run, so you can tell scanner output from manual findings in the report. Good firms do 60-70% manual testing.

Expect a scoping call, not a fixed-price quote. Any firm that quotes a price without understanding your environment, architecture, and objectives is selling a commodity scan, not a penetration test.

The Cost

Web application pentest: $15K-$30K. Infrastructure/network pentest: $15K-$25K. Combined (application + infrastructure): $25K-$50K. API-focused pentest: $10K-$25K. Mobile application pentest: $15K-$30K.

These are for a qualified firm with experienced testers. You can find cheaper options, but pentest quality varies enormously. A cheap pentest that misses critical findings is worse than no pentest — it gives you false confidence.


Related: Cybersecurity for Growing Companies | Security and Compliance Without a CISO | Software Supply Chain Security