Penetration Testing Guide for Businesses: Scope, Methods, and Remediation
A penetration test (pentest) simulates real-world attacks against your systems to find vulnerabilities before attackers do. Unlike automated vulnerability scanning, penetration testing involves skilled security professionals who think like attackers, chain vulnerabilities together, and test your defenses in ways automated tools cannot.
Coalfire research shows that 73 percent of penetration tests discover at least one critical vulnerability, and 42 percent find a path to complete system compromise. Yet many organizations conduct penetration tests poorly --- scoping too narrowly, selecting the wrong vendor, or failing to act on findings. This guide ensures you get maximum value from your penetration testing investment.
Types of Penetration Tests
| Type | Scope | Typical Duration | Cost Range |
|---|---|---|---|
| External network | Internet-facing systems and services | 3-5 days | $5K-$25K |
| Internal network | Systems accessible from inside the network | 3-7 days | $8K-$30K |
| Web application | Specific web applications | 3-10 days per app | $5K-$20K per app |
| Mobile application | iOS and/or Android applications | 3-7 days per platform | $5K-$15K per platform |
| Social engineering | Phishing, vishing, physical testing | 5-10 days | $5K-$20K |
| Red team | Full adversary simulation (all methods) | 2-4 weeks | $30K-$100K+ |
| Cloud security | AWS/Azure/GCP configuration and services | 3-7 days | $8K-$25K |
| API testing | API endpoints and authentication | 3-5 days | $5K-$15K |
Knowledge Levels
| Level | Description | Simulates |
|---|---|---|
| Black box | Tester has no information about the target | External attacker with no inside knowledge |
| Gray box | Tester has some information (credentials, architecture docs) | Attacker who has gained initial access |
| White box | Tester has full access to source code and architecture | Insider threat, comprehensive assessment |
Scoping Your Penetration Test
Step 1: Define Objectives
| Objective | Test Type | Priority |
|---|---|---|
| Comply with PCI DSS requirement 11.3 | External + internal network | Regulatory |
| Validate security of new application before launch | Web application | High |
| Test employee susceptibility to phishing | Social engineering | Medium |
| Full adversary simulation before board meeting | Red team | Strategic |
| Validate cloud security posture | Cloud security assessment | High |
Step 2: Define Scope
Include:
- All internet-facing IP addresses and domains
- Critical internal systems (ERP, HR, financial)
- Web applications (production URLs)
- API endpoints
- Cloud environments and services
- Authentication mechanisms
Exclude (with justification):
- Third-party hosted services you do not own
- Systems in active development (test staging instead)
- Production systems during peak business hours (schedule off-hours)
- Destructive testing (DoS, data destruction) unless specifically authorized
Step 3: Set Rules of Engagement
Document these before testing begins:
| Rule | Specification |
|---|---|
| Testing window | Weekdays 6 PM - 6 AM, weekends anytime |
| Emergency contact | [Name, Phone] if testing causes disruption |
| Off-limits systems | [List of systems never to test] |
| Data handling | Tester may access but not exfiltrate real data |
| Social engineering scope | Email phishing only, no physical access testing |
| Exploitation depth | Prove access but do not modify production data |
| Communication frequency | Daily status update, immediate notification for critical findings |
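The rules of engagement above can be turned into a gate that testing tooling (and the client's own monitoring) checks before any host is touched, so that activity outside the agreed window or against an off-limits system is caught up front. The Python below is an added illustration, not code from the original guide; the in-scope and off-limits lists are constructed sample values standing in for the table's placeholders.

```python
from datetime import datetime
import ipaddress

# Rules of engagement from the table above. The testing window is
# "weekdays 6 PM - 6 AM, weekends anytime". The in-scope and off-limits
# lists are constructed sample values (assumptions), since the table
# leaves them as placeholders.
WINDOW_START_HOUR = 18
WINDOW_END_HOUR = 6
IN_SCOPE = ["203.0.113.0/24", "example.com"]
OFF_LIMITS = ["203.0.113.5", "hr.example.com"]


def in_testing_window(when) -> bool:
    """True if 'when' (datetime or ISO string) is inside the agreed window.
    Weekend days are open all day; on weekdays only the overnight window
    counts, so an early-morning hour is the tail of the previous evening."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return when.hour >= WINDOW_START_HOUR or when.hour < WINDOW_END_HOUR


def _matches(target: str, entry: str) -> bool:
    """Match an IP against a CIDR range, or a hostname against a domain
    (exact or subdomain). An IP never matches a domain entry, and vice versa."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        t = target.lower().rstrip(".")
        e = entry.lower().rstrip(".")
        return t == e or t.endswith("." + e)
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # entry is a domain, target is an IP


def target_allowed(target: str, in_scope=IN_SCOPE, off_limits=OFF_LIMITS) -> bool:
    """Off-limits entries win over in-scope ones; anything not explicitly
    in scope is out of scope by default."""
    if any(_matches(target, e) for e in off_limits):
        return False
    return any(_matches(target, e) for e in in_scope)


def action_permitted(target: str, when) -> bool:
    """Single check to run before any test action against a host."""
    return target_allowed(target) and in_testing_window(when)
```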
Selecting a Penetration Testing Vendor
Evaluation Criteria
| Criterion | Weight | Questions to Ask |
|---|---|---|
| Certifications | 20% | OSCP, CREST, GPEN, CEH among team members? |
| Experience | 25% | Years in business? Industry experience? Similar engagements? |
| Methodology | 20% | What methodology (OWASP, PTES, NIST)? How do they test? |
| Reporting quality | 15% | Can you see a sample report? Remediation guidance included? |
| References | 10% | Can you speak with 3 past clients? |
| Insurance | 10% | Professional liability and cyber insurance current? |
Red Flags
- Vendor proposes automated scanning only (not real penetration testing)
- No named testers with recognized certifications
- Extremely low price (<$3K for a multi-day engagement)
- No rules of engagement discussion
- Report template has no remediation guidance
- Vendor cannot explain their methodology
Understanding Your Penetration Test Report
Vulnerability Severity Ratings
| Severity | CVSS Score | Description | Remediation Timeline |
|---|---|---|---|
| Critical | 9.0-10.0 | Immediate system compromise possible | Within 48 hours |
| High | 7.0-8.9 | Significant security impact | Within 2 weeks |
| Medium | 4.0-6.9 | Moderate impact, may require specific conditions | Within 30 days |
| Low | 0.1-3.9 | Minor impact, limited exploitability | Within 90 days |
| Informational | 0 | Best practice recommendations | Next scheduled maintenance |
What a Good Report Contains
- Executive summary --- Business-risk language, not technical jargon
- Methodology --- What was tested and how
- Findings with severity, evidence, and business impact
- Remediation guidance for each finding (specific, actionable)
- Positive findings --- What you are doing well
- Strategic recommendations for security improvement
- Appendices with raw data and detailed technical evidence
Remediation Process
Step 1: Triage (Day 1-2)
- Review all findings with IT and security team
- Validate findings (confirm they are real, not false positives)
- Assign owners for each finding
- Prioritize based on severity and business risk
Step 2: Plan (Day 3-7)
| Finding | Owner | Remediation Approach | Timeline | Dependencies |
|---|---|---|---|---|
| SQL injection in login | Dev lead | Input validation + parameterized queries | 48 hours | None |
| Default admin password | IT admin | Password rotation + policy enforcement | 24 hours | None |
| Missing TLS on internal API | Platform team | Certificate deployment | 2 weeks | Cert procurement |
| Outdated server OS | IT ops | Patch scheduling | 30 days | Change window |
Step 3: Remediate (Varies)
- Fix critical and high findings immediately
- Group medium findings into the next maintenance window
- Schedule low findings for the next quarter
Step 4: Verify (Post-Remediation)
- Request a retest of critical and high findings (most vendors include limited retesting)
- Document evidence of remediation
- Update risk register
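The severity table and the four remediation steps above amount to a small tracking procedure: map each finding's CVSS score to a severity and a due date, order the open work, and flag what needs a vendor retest once fixed. The Python below is an added example, not code from the original guide; the sample findings are modelled on the plan table, but their CVSS scores and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Severity bands and remediation timelines from the table above:
# (minimum CVSS score, severity, days allowed to remediate).
# Informational findings (score 0) carry no fixed deadline.
SEVERITY_BANDS = [(9.0, "Critical", 2), (7.0, "High", 14),
                  (4.0, "Medium", 30), (0.1, "Low", 90)]
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass
class Finding:
    title: str
    cvss: float
    owner: str
    reported: date
    fixed: Optional[date] = None


def severity_for(cvss: float):
    """Map a CVSS base score to (severity, days_to_remediate)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for floor, name, days in SEVERITY_BANDS:
        if cvss >= floor:
            return name, days
    return "Informational", None


def triage(finding: Finding, today) -> dict:
    """Steps 1-2: severity, owner and due date. Step 4: fixed critical
    and high findings are flagged for vendor retest."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    severity, days = severity_for(finding.cvss)
    due = finding.reported + timedelta(days=days) if days is not None else None
    if finding.fixed is not None:
        status = "fixed"
    elif due is not None and today > due:
        status = "overdue"
    else:
        status = "open"
    return {"title": finding.title, "owner": finding.owner, "severity": severity,
            "due": due, "status": status,
            "retest": status == "fixed" and severity in ("Critical", "High")}


def remediation_queue(findings, today) -> list:
    """Step 3 ordering: unfixed findings by severity, then earliest due date."""
    rows = [triage(f, today) for f in findings]
    return sorted((r for r in rows if r["status"] != "fixed"),
                  key=lambda r: (RANK[r["severity"]], r["due"] or date.max))


# Constructed sample findings (assumed scores and dates, not report values).
SAMPLE_FINDINGS = [
    Finding("SQL injection in login", 9.8, "Dev lead", date(2024, 3, 1)),
    Finding("Default admin password", 9.1, "IT admin", date(2024, 3, 1), fixed=date(2024, 3, 2)),
    Finding("Outdated server OS", 7.5, "IT ops", date(2024, 3, 1)),
    Finding("Missing TLS on internal API", 5.3, "Platform team", date(2024, 3, 1)),
    Finding("Verbose server banner", 0.0, "IT ops", date(2024, 3, 1)),
]
```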
Penetration Testing Schedule
| Assessment | Frequency | Trigger |
|---|---|---|
| External network | Annually (minimum) | Also after major infrastructure changes |
| Web application | Annually + before major releases | New application launch, significant update |
| Internal network | Annually | Also after office network changes |
| Cloud security | Annually | Also after major cloud architecture changes |
| Social engineering | Bi-annually | Ongoing phishing simulations supplement this |
| Red team | Every 2 years | Board-level assurance, after major security investments |
Related Resources
- Incident Response Plan Template --- What to do when vulnerabilities are exploited
- Zero Trust Implementation Guide --- Architectural defenses
- Cloud Security Best Practices --- Cloud-specific security
- API Security and Authentication --- Securing APIs that pentests target
Penetration testing is the reality check for your security program. It reveals the gap between what you think your security posture is and what an attacker would find. Contact ECOSIRE for security assessment and penetration testing coordination.
Written by
ECOSIRE Research and Development Team