What Is Penetration Testing?
Penetration testing is authorised testing of your websites, applications and infrastructure to find exploitable weaknesses before an attacker does.
It is carried out by specialist companies that employ skilled, vetted ethical hackers.
It is worth doing in its own right, and your customers will increasingly ask for proof that you have done it.
Choosing who to work with can be confusing. Who are the good guys? Who are the bad guys?
Our list of penetration testing companies lets us shortlist checked and reviewed suppliers that match your needs, for FREE.
It is 100% transparent and you stay in control. We just take the guesswork out of shortlisting.
How does it work?
Step 1: Start a conversation. This allows us to find out more about your business and what you are looking for.
Step 2: We shortlist companies based on your needs.
Step 3: We are with you every step of the way. We can sit on every call as your advocate to ensure you get the services you need, not the services they want to sell you.
We maintain a list of due-diligence checked, customer reviewed, trusted penetration testing companies.
Best of all, it is a free-to-use service.
Customers trust us because of our industry experience.
We shortlist multiple options, so you get a genuine choice.
We save the customer up to 25% compared with going direct.
Customers know we are transparent and have no relationship with any one supplier.
We do not charge to use the service. It is 100% FREE.
Penetration Testing Frequently Asked Questions (FAQ)
Yes. Companies that are LISTED on ALLOWLIST have been due-diligence checked for limited company status and for insurance at the time of the check. Any quoted certifications or qualifications have been checked and verified at the time of the check. Each company can be rated by customers on a 5-star rating system, with reviews left describing their experience with the company. No guarantees can be made and you should still carry out your own due diligence, but a first-pass level of assurance is in place. The top 10 list of trusted pen testing suppliers can be found here.
A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. Not to be confused with a vulnerability assessment. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data as well as strengths, enabling a full risk assessment to be completed. – source Wikipedia.
If you want independent evidence of how secure your systems actually are, a penetration test is the right step for your organisation. It is often a requirement of, or expected as evidence for, information security standards such as PCI DSS, ISO 27001, ISO 22301, BS 10008 and SOC 2 – read more.
A penetration test should be conducted on a regular basis, at least once a year and after any significant change to the systems in scope. It is advisable to supplement the in-depth penetration test with continual monitoring (for example regular vulnerability scanning), because a point-in-time penetration test cannot protect against zero-day vulnerabilities or changes to the threat landscape that occur between tests.
Penetration tests typically take between one and three weeks, depending on the type of test conducted and the complexity of the environment. Reporting and any retest add to that time.
Many types of test can be classed as penetration testing, provided a professional ethical hacking company is undertaking the actions a malicious attacker would take. Testing of internet-facing services is the most common, followed by internal testing in which the tester is given access inside the network (with or without credentials) to find out what an insider or a compromised user could do. Penetration testing is driven by need. Vulnerability assessment is often grouped under pen testing, although strictly it is a separate, largely automated activity. Other common types are Network Penetration Testing, Web Application Penetration Testing, API Penetration Testing, Source Code Security Review, Mobile Application Penetration Testing, Wireless Penetration Testing, Network Device Configuration Review, Physical Security Assessment and Phishing testing. The list is not exhaustive.
An ethical hacking company with appropriate credentials is engaged. The company provides adequate insurance and assurances, including liability cover for the test. A scope, a testing window and emergency contacts on both sides are agreed in writing before any testing starts. Depending on the type of test, the company is either provided with logon credentials (authenticated testing) or not (unauthenticated testing). Most testing is carried out against a live environment. This presents some risk to the production service, but a professional company is experienced and will take every reasonable step to avoid disrupting production in any way. The findings from the penetration test are issued in a report, each with a severity or priority rating. A report-out meeting is held where the results are presented and discussed. Some results may be false positives: findings reported as a problem that, on investigation, turn out not to be present or exploitable in this instance. Separately, some genuine findings may be accepted as a known risk because the behaviour is required for the service to run; these should be recorded with the risk owner's sign-off. Your organisation then remediates the remaining findings. Depending on the level of service bought, a retest may be conducted to confirm that the gaps have been closed.
Penetration testers use all the tools at their disposal. Some tools are designed specifically for penetration testing, while others are general-purpose tools that can be applied to a penetration testing scenario. Standards may require certain tool sets, but penetration testers also develop their own tooling to meet the needs of the environments and systems they encounter.
The best way I’ve found to do this over the years is as simple as sitting down in a session with the risk owner (usually a product or project owner), their technical team, and a security representative. Make it clear that it’s the decision of the risk owner whether to remediate or not, given the potential impact and the effort, and that security and the technical team are just there to advise on risks and costs. If the risk owner isn’t comfortable being accountable due to the level of risk for a finding, and the effort to remediate is greater than can be met, then the risk should be escalated until either someone can accept it, or provide the extra resource needed. – read more.
A penetration test is important because it shows how an attacker could attack you, where your vulnerabilities are and how to protect yourself. Technology is ever changing, and system and configuration weaknesses can allow people to access your information or bring your systems down, preventing you from doing business. A penetration test should highlight the areas that are weak and allow you to fix them before they are exploited.