Frequently Asked Questions

Everything you need to know about penetration testing and our services.

What is penetration testing?

Penetration testing (or pen testing) is a simulated cyber attack against your computer systems, networks, or web applications to identify security vulnerabilities before malicious actors can exploit them. According to the UK National Cyber Security Centre (NCSC), penetration tests “proactively attack your systems to find weaknesses and help you understand how easy they are to exploit.”

Unlike automated vulnerability scanning, penetration testing involves skilled security professionals who think like attackers, using the same techniques and tools that criminals would use - but in a controlled, authorised manner.

The OWASP Web Security Testing Guide defines it as “a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and/or insiders.”

According to the Penetration Testing Execution Standard (PTES), which is referenced by OWASP, penetration testing consists of seven phases:

  1. Pre-engagement Interactions - Scoping, rules of engagement, and legal agreements
  2. Intelligence Gathering - Collecting information about the target through reconnaissance
  3. Threat Modelling - Identifying assets and potential threats
  4. Vulnerability Analysis - Discovering security weaknesses in systems
  5. Exploitation - Actively attempting to exploit identified vulnerabilities
  6. Post-Exploitation - Determining the value of compromised systems and maintaining access
  7. Reporting - Documenting findings with evidence and remediation recommendations

The NCSC emphasises that the quality of a penetration test is closely linked to the abilities of the testers, as “an exhaustive set of test cases cannot be drawn up” - making experienced, qualified professionals essential.

Why is penetration testing important?

Penetration testing is critical for identifying security vulnerabilities before attackers can exploit them. The UK Government Service Manual states that organisations should “carry out both vulnerability assessments and penetration tests frequently as you build, not as a one-off check.”

Key reasons penetration testing matters:

  • Regulatory Compliance - Explicitly required by PCI DSS, expected as part of the technical vulnerability management controls in ISO 27001, and a common way to meet the UK GDPR Article 32 duty to regularly test the effectiveness of security measures
  • Risk Identification - Discovers vulnerabilities that automated tools miss
  • Business Protection - The NCSC notes that “vulnerabilities could exist for long periods of time without you knowing about them” if testing isn’t conducted regularly
  • Third-Party Assurance - Validates security controls actually work as intended
  • Cost Reduction - Finding and fixing vulnerabilities proactively is significantly cheaper than recovering from a breach

How often should penetration testing be carried out?

The frequency depends on your organisation’s risk profile and regulatory requirements. The NCSC notes that “it’s not uncommon for a year or more to elapse between penetration tests,” but recommends more frequent testing for higher-risk environments.

Recommended testing frequency:

  • Annually at minimum - Baseline requirement for most organisations
  • After significant changes - New systems, major updates, or infrastructure changes
  • Following security incidents - To verify remediation effectiveness
  • Per compliance mandates - PCI DSS requires both external and internal penetration testing at least annually, plus retesting after significant changes to the environment

The UK Government Service Manual recommends following the “Secure by Design” approach, conducting security testing throughout development rather than as a final check.

For organisations handling sensitive data or critical infrastructure, quarterly testing may be appropriate.

What is the difference between vulnerability scanning and penetration testing?

While both identify security weaknesses, they serve different purposes. The NCSC recommends organisations “carry out both vulnerability assessments and penetration tests” as part of a comprehensive security programme.

Vulnerability Scanning:

  • Automated process using software tools
  • Identifies known vulnerabilities from databases
  • Quick, cost-effective, and repeatable
  • May generate false positives
  • Good for continuous monitoring

Penetration Testing:

  • Tester-led process by qualified security professionals, who use tools as an aid rather than a substitute for judgement
  • Actively exploits vulnerabilities to prove real-world risk
  • Identifies complex attack chains and business logic flaws
  • Provides context-aware, prioritised recommendations
  • Discovers issues automated tools cannot find

According to OWASP, automated tools are “a good starting point” but “have their own limitations and might miss important and high-risk vulnerabilities.” Professional penetration testing fills this gap by applying human expertise and creativity.

What types of penetration testing are there?

The OWASP Testing Guide and PTES recognise several types of penetration testing, each targeting different aspects of your security:

  • Network Penetration Testing - Evaluates external and internal network infrastructure, firewalls, and network devices
  • Web Application Testing - Assesses web applications against the OWASP Top 10 and the wider OWASP Web Security Testing Guide
  • Mobile Application Testing - Examines iOS and Android applications following the OWASP Mobile Application Security Verification Standard (MASVS) and Testing Guide (MASTG)
  • API Testing - Reviews API endpoints for authentication, authorisation, and data exposure issues, including the classes of flaw catalogued in the OWASP API Security Top 10
  • Cloud Security Testing - Evaluates cloud configurations against frameworks like CIS Benchmarks
  • Social Engineering - Tests human vulnerabilities through phishing simulations
  • Physical Security Testing - Assesses physical access controls and security measures
  • Wireless Testing - Evaluates WiFi and wireless network security

CHECK is the NCSC’s scheme for approving companies to carry out authorised penetration tests of UK public sector and critical national infrastructure systems, and sets out how such tests should be scoped and conducted.

What do black box, white box and grey box testing mean?

These terms describe the level of information shared with testers. The OWASP Testing Guide explains these approaches:

Black Box Testing:

  • Testers have no prior knowledge of the system
  • Simulates an external attacker’s perspective
  • Can also exercise detection and response capabilities, provided the engagement is not announced to the monitoring team in advance
  • May take longer due to reconnaissance requirements

White Box Testing:

  • Testers have full access to documentation, source code, and architecture
  • Most thorough approach - testers can examine all components
  • Efficient use of time and resources
  • Ideal for comprehensive security coverage

Grey Box Testing:

  • Testers have partial information (e.g., user credentials, network diagrams)
  • Balances realism with efficiency
  • Simulates an insider threat or compromised user scenario
  • Most common approach for business applications

The NCSC notes that the right approach depends on your objectives. White box testing typically provides the most comprehensive results, while black box testing better simulates real-world attack scenarios.

Will penetration testing disrupt our systems?

Professional penetration testing is designed to minimise disruption, but the NCSC acknowledges that “for any service provider, it is not practically feasible to guarantee the availability of your services during a test.”

Risk mitigation measures include:

  • Careful scoping - Defining critical systems and testing windows in advance
  • Controlled techniques - Avoiding denial-of-service attacks unless specifically authorised
  • Real-time communication - Maintaining contact to pause if issues arise
  • Staging environments - Testing on non-production systems where appropriate
  • Data backups - Ensuring systems can be restored if needed

The CREST Code of Conduct requires member organisations to conduct testing responsibly and ethically. Professional testers understand which techniques may impact stability and will discuss risks during the scoping phase.

It’s advisable to back up critical data before testing, particularly for systems where availability is paramount.

What qualifications should a penetration testing provider have?

The NCSC recommends using “a CHECK certified team or staff accredited to equivalent CHECK levels” and emphasises that “third-party penetration tests should be performed by qualified and experienced staff only.”

Recognised Accreditations:

  • CREST - Council of Registered Ethical Security Testers, internationally recognised
  • CHECK - NCSC-approved scheme for UK government and critical infrastructure
  • Cyber Scheme - UK certification body recognised by the NCSC for assessing CHECK Team Members and Team Leaders

Individual Certifications:

  • OSCP - Offensive Security Certified Professional
  • CRT - CREST Registered Penetration Tester
  • GPEN - GIAC Penetration Tester

CREST expects candidates to have around 6,000 hours of relevant professional experience for the Registered level and around 10,000 hours for the Certified level, to pass rigorous practical and written examinations, and to re-certify every three years.

Look for providers with professional indemnity insurance, clear data handling policies, and membership in recognised industry bodies.

Is penetration testing legal?

Penetration testing is legal when conducted with proper authorisation. Testing without permission, however, is a criminal offence under the Computer Misuse Act 1990.

Key Legal Requirements:

The Computer Misuse Act 1990 creates offences including:

  • Unauthorised access to computer material (Section 1)
  • Unauthorised access with intent to commit further offences (Section 2)
  • Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (Section 3)

Essential Authorisation Elements:

  • Written permission, specifying scope and duration, from someone entitled to authorise access to the systems (the owner or their delegate)
  • Clear rules of engagement defining permitted testing activities
  • Notification to third parties (cloud providers, hosting services) where required
  • Compliance with the Data Protection Act 2018 when personal data may be accessed

The NCSC and CREST provide frameworks for ensuring testing remains within legal boundaries. Professional providers will always obtain proper written authorisation before any testing begins.

What should a penetration test report contain?

The OWASP Penetration Test Reporting Standard (OPTRS) provides guidance on comprehensive penetration test reports. Key components include:

Executive Summary:

  • High-level overview for non-technical stakeholders
  • Overall risk rating and key findings
  • Strategic recommendations

Technical Details:

  • Scope and Objectives - Systems tested and engagement goals
  • Methodology - Frameworks used (e.g., OWASP, PTES, OSSTMM)
  • Findings - Each vulnerability with a severity rating (for example a CVSS score), CVE or CWE references where applicable, and the evidence that supports it
  • Exploitation Details - How vulnerabilities were exploited and potential business impact
  • Remediation Guidance - Specific, actionable steps to fix each issue

Supporting Documentation:

  • Timeline of testing activities
  • Tools and techniques used
  • Raw evidence and screenshots
  • Prioritised remediation roadmap

The NCSC emphasises that reports should help organisations understand and prioritise risks, not just list technical findings.

How much does penetration testing cost?

Penetration testing costs vary based on scope, complexity, and the level of expertise required. CREST-accredited providers typically charge based on the time and expertise needed.

Key Cost Factors:

  • Scope - Number and complexity of systems, applications, or networks
  • Type of testing - Web applications, infrastructure, mobile, cloud, or red team engagements
  • Depth - Basic assessment vs. comprehensive security review
  • Compliance requirements - Some standards like PCI DSS require specific methodologies
  • Retesting - Verification that vulnerabilities have been remediated

Typical UK Price Ranges:

  • Small web application: £2,000-£5,000
  • Medium business network: £5,000-£15,000
  • Large enterprise assessment: £15,000-£50,000+
  • Comprehensive red team engagement: £30,000+

The NCSC cautions against choosing providers solely on price - “the quality of a penetration test is closely linked to the abilities of the penetration testers.” Cheaper tests may miss critical vulnerabilities.

Still have questions?

Can't find the answer you're looking for? Get in touch with our team.