A Pen Test Is Not a Vulnerability Scan
People use the terms interchangeably, but they answer different questions. A vulnerability scan is automated: a tool fingerprints your systems, matches what it sees against a database of known issues, and produces a list, false positives included. A penetration test is human-led: a skilled tester confirms what the scanner found, looks for what it cannot see (business-logic flaws, broken access control, chained misconfigurations), actively exploits the weaknesses, links them together, and reaches something valuable, the way a real attacker would.
A scanner tells you a door is unlocked. A pen tester walks through it, finds the safe, and shows you exactly what an intruder could take.
The Main Types
Pen tests vary by how much the tester knows and what they target.
By knowledge level:
- Black-box: the tester starts with no inside knowledge, only what an outside attacker could discover.
- Grey-box: the tester gets limited access, such as an ordinary user account, a partner integration, or a network diagram.
- White-box: the tester gets source code, architecture documents, and credentials for the deepest review per hour spent.
By target:
- Network: external (internet-facing) and internal infrastructure.
- Web and API: application logic, authentication, injection, and access control.
- Mobile: the app itself, what it stores on the device, and the backend it talks to.
- Social engineering: phishing and other human-factor testing.
The Five Phases
| Phase | What happens |
|---|---|
| 1. Reconnaissance | Gather information about targets, exposed services, and people |
| 2. Scanning and enumeration | Map the attack surface and identify likely weaknesses |
| 3. Exploitation | Actively attempt to break in and prove impact |
| 4. Post-exploitation | Escalate privileges, move laterally, assess blast radius |
| 5. Reporting | Document findings, severity, evidence, and remediation |
The report is the deliverable that matters. Everything before it is in service of a clear, prioritised set of fixes.
How to Prepare
A good engagement is set up before testing starts:
- Define scope precisely, which systems, domains, and accounts are in or out.
- Agree rules of engagement, testing windows, allowed techniques, and what is off-limits.
- Use a representative environment. Staging that mirrors production is ideal, but if it differs in configuration, data, or exposure the test will miss whatever only production has. If production is in scope, agree a testing window, take snapshots or backups first, and warn whoever watches the alerts.
- Name points of contact, so the tester can reach you fast if something breaks or if they find a critical issue mid-test.
The single best predictor of a useful pen test is a clearly scoped engagement. Vague scope produces vague findings.
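Scope is only precise if it can be checked mechanically. The following is an added example, not part of the original article, of the kind of allow/deny check a tester (or the client) can run over a target list before any packet is sent. The CIDRs, domains and hostnames are constructed for illustration; the rule that exclusions win over inclusions and that a domain entry covers its subdomains but not look-alike names is the point.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Rules-of-engagement scope as explicit allow and deny lists.

    networks / domains are in scope; excluded_* are carved out of them.
    An exact hostname exclusion beats everything else.
    """
    networks: list = field(default_factory=list)           # CIDRs in scope
    domains: list = field(default_factory=list)            # apex domains in scope (subdomains included)
    excluded_networks: list = field(default_factory=list)  # CIDRs carved out of `networks`
    excluded_hosts: list = field(default_factory=list)     # exact hostnames that are off-limits

    def in_scope(self, target: str) -> bool:
        t = target.strip().lower().rstrip(".")
        # Exclusions win over everything.
        if t in (h.lower() for h in self.excluded_hosts):
            return False
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            ip = None
        if ip is not None:
            if any(ip in ipaddress.ip_network(n) for n in self.excluded_networks):
                return False
            return any(ip in ipaddress.ip_network(n) for n in self.networks)
        # Hostname: in scope only if it equals, or is a subdomain of, an allowed domain.
        # "notexample.com" and "example.com.evil.net" must both fail.
        allowed = [d.lower() for d in self.domains]
        return any(t == d or t.endswith("." + d) for d in allowed)

    def split(self, targets):
        """Partition a candidate list into (in_scope, out_of_scope)."""
        inside = [t for t in targets if self.in_scope(t)]
        outside = [t for t in targets if not self.in_scope(t)]
        return inside, outside


# Constructed sample scope (assumption: RFC 5737 / reserved example ranges, not real assets).
ENGAGEMENT = Scope(
    networks=["203.0.113.0/24", "2001:db8::/32"],
    domains=["example.com"],
    excluded_networks=["203.0.113.0/28"],          # e.g. the client's payment segment
    excluded_hosts=["payments.example.com"],
)

if __name__ == "__main__":
    candidates = [
        "203.0.113.40", "203.0.113.5", "2001:db8::1", "198.51.100.1",
        "app.example.com", "payments.example.com", "notexample.com", "example.com.evil.net",
    ]
    ok, rejected = ENGAGEMENT.split(candidates)
    print("in scope:     ", ok)
    print("out of scope: ", rejected)
```

Run it as a pre-flight gate: anything in the "out of scope" list never enters a scanner or a browser, and the list itself is worth attaching to the engagement record as evidence that the agreed boundaries were respected.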
Reading the Report
Findings come ranked by severity, usually with a CVSS base score, a description, reproduction steps, evidence, and remediation guidance. Triage by real-world risk, not just the number: the base score knows nothing about your environment, so a medium-severity flaw on an internet-facing login page can matter more than a high-severity one buried in an internal tool that needs VPN access to reach. Always budget for a retest so you can confirm that fixes actually closed the gaps rather than moved them.
Findings We See Again and Again
- Broken or missing access control (users reaching data they should not, typically by changing an id in a URL or API call).
- Outdated dependencies with known, public exploits.
- Weak authentication and missing rate limiting on login flows, so password spraying and credential stuffing go unnoticed.
- Secrets and API keys committed to repositories or shipped in client-side JavaScript and mobile app bundles.
- Verbose error messages leaking internal details such as stack traces, file paths, and query fragments.
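The first item on that list is worth seeing in code. Below is an added example, not from the original article, showing the shape a tester sees again and again (an authenticated handler that never checks object ownership) next to the fixed version, plus the simple id-walking probe a tester uses to prove it. The invoice data, user ids and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total_cents=12_500),
    1002: Invoice(1002, owner_id=8, total_cents=99_900),
    1003: Invoice(1003, owner_id=8, total_cents=4_200),
}


class NotFound(Exception):
    """Raised for both 'no such invoice' and 'not your invoice' (see fixed handler)."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Broken access control: the caller is authenticated (we know who they are),
    but nothing ties the requested invoice to them. Any user can read any invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound
    return inv


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    """Ownership is part of the lookup, not an afterthought. Missing and foreign
    invoices both yield the same NotFound so an attacker cannot enumerate which
    ids exist by telling 404 apart from 403."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        raise NotFound
    return inv


def idor_probe(handler, attacker_user_id: int, candidate_ids) -> list:
    """What the tester does: walk a range of ids as one user and collect every
    record that comes back belonging to somebody else."""
    leaked = []
    for invoice_id in candidate_ids:
        try:
            inv = handler(attacker_user_id, invoice_id)
        except NotFound:
            continue
        if inv.owner_id != attacker_user_id:
            leaked.append(inv.id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", idor_probe(get_invoice_vulnerable, 7, range(1000, 1010)))
    print("fixed leaks:     ", idor_probe(get_invoice_fixed, 7, range(1000, 1010)))
```

The probe is also a cheap regression test to keep after the retest: if a later refactor drops the ownership clause, the "leaked" list stops being empty.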
How Often Should You Test?
Annually at minimum, and additionally after any major release, infrastructure change, or before a big enterprise deal that requires it. Between tests, keep automated scanning running so the easy regressions (a new exposed service, a dependency with a fresh public exploit) do not wait a year to be noticed. Security is a moving target; a clean test last year says little about today.
Conclusion
A penetration test is one of the highest-signal investments in security you can make, but only if it is well scoped, acted on, and retested. The PDF is worthless if the findings never get fixed.
Planning a test or responding to a customer security requirement? Our cybersecurity practice runs pen tests and helps you remediate what they find. Talk to us to get started.


