Penetration Testing Guide for Businesses: Scope, Methods, and Remediation
A penetration test (pentest) simulates real-world attacks against your systems to find vulnerabilities before attackers do. Unlike automated vulnerability scanning, penetration testing involves skilled security professionals who think like attackers, chain vulnerabilities together, and test your defenses in ways automated tools cannot.
Coalfire research shows that 73 percent of penetration tests discover at least one critical vulnerability, and 42 percent find a path to complete system compromise. Yet many organizations conduct penetration tests poorly --- scoping too narrowly, selecting the wrong vendor, or failing to act on findings. This guide ensures you get maximum value from your penetration testing investment.
Types of Penetration Tests
| Type | Scope | Typical Duration | Cost Range |
|---|---|---|---|
| External network | Internet-facing systems and services | 3-5 days | $5K-$25K |
| Internal network | Systems accessible from inside the network | 3-7 days | $8K-$30K |
| Web application | Specific web applications | 3-10 days per app | $5K-$20K per app |
| Mobile application | iOS and/or Android applications | 3-7 days per platform | $5K-$15K per platform |
| Social engineering | Phishing, vishing, physical testing | 5-10 days | $5K-$20K |
| Red team | Full adversary simulation (all methods) | 2-4 weeks | $30K-$100K+ |
| Cloud security | AWS/Azure/GCP configuration and services | 3-7 days | $8K-$25K |
| API testing | API endpoints and authentication | 3-5 days | $5K-$15K |
Knowledge Levels
| Level | Description | Simulates |
|---|---|---|
| Black box | Tester has no information about the target | External attacker with no inside knowledge |
| Gray box | Tester has some information (credentials, architecture docs) | Attacker who has gained initial access |
| White box | Tester has full access to source code and architecture | Insider threat, comprehensive assessment |
Scoping Your Penetration Test
Step 1: Define Objectives
| Objective | Test Type | Priority |
|---|---|---|
| Comply with PCI DSS requirement 11.4 (numbered 11.3 in v3.2.1) | External + internal network | Regulatory |
| Validate security of new application before launch | Web application | High |
| Test employee susceptibility to phishing | Social engineering | Medium |
| Full adversary simulation before board meeting | Red team | Strategic |
| Validate cloud security posture | Cloud security assessment | High |
Step 2: Define Scope
Include:
- All internet-facing IP addresses and domains
- Critical internal systems (ERP, HR, financial)
- Web applications (production URLs)
- API endpoints
- Cloud environments and services
- Authentication mechanisms
Exclude (with justification):
- Third-party hosted services you do not own (SaaS platforms, a provider's shared infrastructure); testing these needs the provider's authorization, which you cannot grant
- Systems in active development (test staging instead)
- Production systems during peak business hours (schedule off-hours)
- Destructive testing (DoS, data destruction) unless specifically authorized
Step 3: Set Rules of Engagement
Document these before testing begins:
| Rule | Specification |
|---|---|
| Testing window | Weekdays 6 PM - 6 AM, weekends anytime |
| Emergency contact | [Name, Phone] if testing causes disruption |
| Off-limits systems | [List of systems never to test] |
| Data handling | Tester may access but not exfiltrate real data; prove access with a screenshot, row count, or hash of a record rather than a copy of it |
| Social engineering scope | Email phishing only, no physical access testing |
| Exploitation depth | Prove access but do not modify production data |
| Communication frequency | Daily status update, immediate notification for critical findings |
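The three scoping steps above reduce to data that a tester can check mechanically before every action, and writing them down that way is the cheapest guard against hitting an off-limits system at the wrong hour. The following is an added example, not code from the guide or from ECOSIRE: it encodes a constructed scope (the 203.0.113.0/24 range, the example.com domain, two off-limits hosts, all assumed values) together with the testing window from the table, and answers whether a given target may be touched at a given time.

```python
"""Scope and rules-of-engagement checker.

Added example, not code from the page. All networks, domains, hosts and the
testing window below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope_networks: list        # CIDR strings from the external/internal scope
    in_scope_domains: list         # apex domains; subdomains inherit scope
    off_limits_hosts: set          # never tested, even when inside an in-scope CIDR
    window_start_hour: int = 18    # weekday testing allowed from 18:00 ...
    window_end_hour: int = 6       # ... until 06:00 the next morning
    weekends_allowed: bool = True
    destructive_allowed: bool = False   # DoS / data destruction off unless authorized

    def target_status(self, target: str) -> str:
        """Return 'off-limits', 'in-scope' or 'out-of-scope' for an IP or hostname."""
        target = target.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(target)
            key = str(addr)        # canonical form, so IPv6 spellings compare equal
        except ValueError:
            addr, key = None, target
        if key in self.off_limits_hosts:
            return "off-limits"    # exclusions always win over inclusions
        if addr is None:
            # Hostname: in scope when it equals an in-scope domain or is a subdomain of one.
            for dom in self.in_scope_domains:
                if key == dom or key.endswith("." + dom):
                    return "in-scope"
            return "out-of-scope"
        for net in self.in_scope_networks:
            if addr in ipaddress.ip_network(net, strict=False):
                return "in-scope"
        return "out-of-scope"

    def in_testing_window(self, when: datetime) -> bool:
        """Overnight weekday window (wraps past midnight), or any time at weekends."""
        if when.weekday() >= 5:            # Saturday = 5, Sunday = 6
            return self.weekends_allowed
        return when.hour >= self.window_start_hour or when.hour < self.window_end_hour

    def may_test(self, target: str, when: datetime, destructive: bool = False):
        """Gate a single action: returns (allowed, reason)."""
        status = self.target_status(target)
        if status != "in-scope":
            return False, f"{target} is {status}"
        if not self.in_testing_window(when):
            return False, f"{when:%a %H:%M} is outside the agreed testing window"
        if destructive and not self.destructive_allowed:
            return False, "destructive testing is not authorized by the rules of engagement"
        return True, "ok"


# Constructed sample rules of engagement (assumed values, not a real client's scope).
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["203.0.113.0/24"],
    in_scope_domains=["example.com"],
    off_limits_hosts={"203.0.113.250", "pos.example.com"},   # e.g. a payment gateway
)

if __name__ == "__main__":
    monday_evening = datetime(2025, 1, 6, 19, 30)
    for target in ["203.0.113.10", "203.0.113.250", "api.example.com", "shop.example.org"]:
        print(target, SAMPLE_ROE.may_test(target, monday_evening))
```

Exclusions are evaluated before inclusions on purpose: an off-limits host usually sits inside an in-scope range, and the list of systems never to test is the one rule a client will not forgive you for breaking. A tester who wraps every scanner and exploit launch in a check like `may_test` also produces the audit trail the daily status update asks for.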
Selecting a Penetration Testing Vendor
Evaluation Criteria
| Criterion | Weight | Questions to Ask |
|---|---|---|
| Certifications | 20% | OSCP, CREST (CRT/CCT), GPEN, CEH among the named testers? |
| Experience | 25% | Years in business? Industry experience? Similar engagements? |
| Methodology | 20% | What methodology (OWASP, PTES, NIST)? How do they test? |
| Reporting quality | 15% | Can you see a sample report? Remediation guidance included? |
| References | 10% | Can you speak with 3 past clients? |
| Insurance | 10% | Professional liability and cyber insurance current? |
Red Flags
- Vendor proposes automated scanning only (not real penetration testing)
- No named testers with recognized certifications
- Extremely low price (<$3K for a multi-day engagement)
- No rules of engagement discussion
- Report template has no remediation guidance
- Vendor cannot explain their methodology
Understanding Your Penetration Test Report
Vulnerability Severity Ratings
| Severity | CVSS Score | Description | Remediation Timeline |
|---|---|---|---|
| Critical | 9.0-10.0 | Immediate system compromise possible | Within 48 hours |
| High | 7.0-8.9 | Significant security impact | Within 2 weeks |
| Medium | 4.0-6.9 | Moderate impact, may require specific conditions | Within 30 days |
| Low | 0.1-3.9 | Minor impact, limited exploitability | Within 90 days |
| Informational | 0 | Best practice recommendations | Next scheduled maintenance |
CVSS base scores measure technical severity, not your risk. Before a rating sets a remediation deadline, adjust it for exposure (internet-facing versus internal), the sensitivity of the data behind it, and any compensating controls the tester could not see.
What a Good Report Contains
- Executive summary --- Business-risk language, not technical jargon
- Methodology --- What was tested and how
- Findings with severity, evidence, and business impact
- Remediation guidance for each finding (specific, actionable)
- Positive findings --- What you are doing well
- Strategic recommendations for security improvement
- Appendices with raw data and detailed technical evidence
Remediation Process
Step 1: Triage (Day 1-2)
- Review all findings with IT and security team
- Validate findings (confirm they are real, not false positives)
- Assign owners for each finding
- Prioritize based on severity and business risk
Step 2: Plan (Day 3-7)
| Finding | Owner | Remediation Approach | Timeline | Dependencies |
|---|---|---|---|---|
| SQL injection in login | Dev lead | Input validation + parameterized queries | 48 hours | None |
| Default admin password | IT admin | Password rotation + policy enforcement | 24 hours | None |
| Missing TLS on internal API | Platform team | Certificate deployment | 2 weeks | Cert procurement |
| Outdated server OS | IT ops | Patch scheduling | 30 days | Change window |
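The first row of the plan names its remediation ("input validation + parameterized queries") without showing what actually changes in the code. The example below is added here and is not code from the guide or from ECOSIRE. It stands up an in-memory SQLite database with one constructed account and places the vulnerable login beside the fixed one; the usernames, the password, the allowlist regex, and the use of standard-library PBKDF2 (so the example has no dependencies) are all assumptions.

```python
"""Login SQL injection: the vulnerable query beside the parameterized fix.

Added example, not code from the page. One constructed account lives in an
in-memory SQLite database; everything else is assumed for illustration.
"""
import hashlib
import hmac
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_.-]{3,32}$")   # assumed allowlist for this app
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC is in the standard library; Argon2 or bcrypt is the better production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse battery", salt)))
    return conn


def _verify(row, password: str) -> bool:
    if row is None:
        return False
    _username, salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_vulnerable(conn, username: str, password: str) -> bool:
    """'Before': the username is spliced into the SQL text, so it can rewrite the
    query. Hashing the password does not help, because the attacker can supply
    the row (salt and hash included) that the password is verified against."""
    query = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return _verify(conn.execute(query).fetchone(), password)


def login_fixed(conn, username: str, password: str) -> bool:
    """'After': allowlist the username, then bind it as a parameter so the
    driver sends it as data and it can never become part of the statement."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return _verify(row, password)


def union_payload(password: str) -> str:
    """Attacker-chosen username that appends a fake account whose salt and hash
    the attacker computed, so the password check passes for a user that does
    not exist. X'..' is SQLite's blob literal; '-- ' comments out the trailing quote."""
    salt = b"\x00" * 16
    fake_hash = hash_password(password, salt).hex()
    return f"nobody' UNION SELECT 'attacker', X'{salt.hex()}', X'{fake_hash}' -- "


if __name__ == "__main__":
    db = make_db()
    payload = union_payload("pwned")
    print("vulnerable, real creds :", login_vulnerable(db, "alice", "correct horse battery"))
    print("vulnerable, injection  :", login_vulnerable(db, payload, "pwned"))
    print("fixed, injection       :", login_fixed(db, payload, "pwned"))
    print("fixed, real creds      :", login_fixed(db, "alice", "correct horse battery"))
```

The vulnerable function looks careful at first glance: it never compares the password inside SQL and it uses a salted, iterated hash. The UNION payload still logs in as a user that does not exist, because the query that fetches the credentials is attacker-controlled. Binding the username as a parameter removes the whole class of bug; the allowlist is defense in depth and also blocks the payload before it reaches the database.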
Step 3: Remediate (Varies)
- Fix critical and high findings immediately
- Group medium findings into the next maintenance window
- Schedule low findings for the next quarter
Step 4: Verify (Post-Remediation)
- Request a retest of critical and high findings (most vendors include limited retesting)
- Document evidence of remediation
- Update risk register
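Steps 1 through 4 above are one procedure that most teams end up tracking in a spreadsheet. As an added example (not tooling from the guide or from any vendor), the script below applies the severity table to a constructed findings list, drops anything that failed validation at triage, orders the plan by severity with internet exposure as the tie-breaker, computes each due date from the report date, and emits the retest list for Step 4. The finding titles and scores are invented to mirror the plan table, and the exposure tie-breaker is an assumed stand-in for "business risk".

```python
"""Findings triage and remediation planner.

Added example, not the page's tooling. Findings, scores and owners below are
constructed sample data; the exposure tie-breaker is an assumed risk heuristic.
"""
from datetime import date, timedelta

# (band, minimum CVSS v3.x score, remediation window) per the severity table above.
SEVERITY_BANDS = [
    ("Critical", 9.0, timedelta(days=2)),
    ("High", 7.0, timedelta(days=14)),
    ("Medium", 4.0, timedelta(days=30)),
    ("Low", 0.1, timedelta(days=90)),
    ("Informational", 0.0, None),      # next scheduled maintenance, no fixed date
]
RANK = {band: i for i, (band, _, _) in enumerate(SEVERITY_BANDS)}


def severity(cvss: float) -> str:
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for band, floor, _ in SEVERITY_BANDS:
        if cvss >= floor:
            return band
    return "Informational"


def due_date(report_date: date, cvss: float):
    window = next(w for band, _, w in SEVERITY_BANDS if band == severity(cvss))
    return report_date + window if window else None


def build_plan(findings, report_date: date):
    """Annotate validated findings with band and due date, highest priority first.
    Order: severity band, then internet exposure (assumed risk tie-breaker), then score."""
    plan = []
    for f in findings:
        if not f.get("validated", False):
            continue                       # Step 1: false positives never enter the plan
        plan.append({**f, "severity": severity(f["cvss"]),
                     "due": due_date(report_date, f["cvss"])})
    plan.sort(key=lambda f: (RANK[f["severity"]],
                             not f.get("internet_facing", False),
                             -f["cvss"]))
    return plan


def retest_list(plan):
    """Step 4: the findings to send back to the vendor for retest."""
    return [f["title"] for f in plan if f["severity"] in ("Critical", "High")]


def overdue(plan, today: date):
    return [f["title"] for f in plan
            if f["due"] is not None and f["due"] < today and not f.get("fixed", False)]


# Constructed sample data mirroring the plan table above, plus one false positive.
SAMPLE_FINDINGS = [
    {"title": "SQL injection in login", "cvss": 9.8, "internet_facing": True,
     "owner": "Dev lead", "validated": True},
    {"title": "Default admin password", "cvss": 8.8, "internet_facing": False,
     "owner": "IT admin", "validated": True},
    {"title": "Outdated server OS", "cvss": 7.5, "internet_facing": True,
     "owner": "IT ops", "validated": True},
    {"title": "Missing TLS on internal API", "cvss": 5.9, "internet_facing": False,
     "owner": "Platform team", "validated": True},
    {"title": "Missing security headers", "cvss": 3.1, "internet_facing": True,
     "owner": "Dev lead", "validated": True},
    {"title": "Verbose server banner", "cvss": 0.0, "internet_facing": True,
     "owner": "IT ops", "validated": True},
    {"title": "Scanner-reported RCE on decoy host", "cvss": 9.6, "internet_facing": True,
     "owner": "", "validated": False},
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_FINDINGS, date(2025, 3, 3))
    for f in plan:
        print(f"{f['severity']:<13} {f['cvss']:>4}  due {f['due']}  {f['title']}  ({f['owner']})")
    print("Retest:", retest_list(plan))
    print("Overdue on 2025-03-10:", overdue(plan, date(2025, 3, 10)))
```

The unvalidated "RCE" is dropped before anyone is assigned to it, which is the point of triage; the two High findings are ordered by exposure rather than raw score, which is the kind of business-risk adjustment the page asks for in Step 1. Feed `overdue` into a weekly check and the risk register stays honest without a separate tracker.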
Penetration Testing Schedule
| Assessment | Frequency | Trigger |
|---|---|---|
| External network | Annually (minimum) | Also after major infrastructure changes |
| Web application | Annually + before major releases | New application launch, significant update |
| Internal network | Annually | Also after office network changes |
| Cloud security | Annually | Also after major cloud architecture changes |
| Social engineering | Twice a year | Ongoing phishing simulations supplement this |
| Red team | Every 2 years | Board-level assurance, after major security investments |
Related Resources
- Incident Response Plan Template --- What to do when vulnerabilities are exploited
- Zero Trust Implementation Guide --- Architectural defenses
- Cloud Security Best Practices --- Cloud-specific security
- API Security and Authentication --- Securing APIs that pentests target
Penetration testing is the reality check for your security program. It reveals the gap between what you think your security posture is and what an attacker would find. Contact ECOSIRE for security assessment and penetration testing coordination.
Written by the ECOSIRE Team (Technical Writing)
The ECOSIRE technical writing team covers Odoo ERP, Shopify eCommerce, AI agents, Power BI analytics, GoHighLevel automation, and enterprise software best practices. Our guides help businesses make informed technology decisions.